Can My Business Rely on “Legitimate Interests” for Analytics Cookies?

No, in most circumstances, a business cannot rely on “legitimate interests” to use analytics cookies. Under Article 5(3) of the EU ePrivacy Directive, any cookie or similar technology that stores or accesses information on a user’s device requires prior, informed consent unless it is strictly necessary for the operation of the site. Analytics cookies that track user interactions, including tools such as Google Analytics, are not considered essential and therefore fall outside this exemption, so they may only be used with prior consent. This obligation overrides any attempt to rely on the GDPR’s legitimate interests basis.

Supervisory authorities across the EU have consistently confirmed that “legitimate interests” under the GDPR do not provide an alternative legal basis for analytics cookies, as the ePrivacy rules take precedence. Notably, the CNIL has taken firm enforcement action in this area, issuing significant fines, including a high-profile penalty against Google, for the use of analytics cookies without valid consent.

Only cookies that are genuinely required for core functionality may rely on legitimate interests. All analytics and measurement tools must operate on an opt-in consent model to remain compliant.

