[mnw21cam]

If you're doing 1st-party tracking, and you are collecting personal data for that purpose (which is almost by definition going to be true), and the user hasn't explicitly asked for that tracking to take place (for instance by creating an account and logging in, or by putting items in a shopping basket and expecting them to be retained) then yes you will need to ask for consent to do that tracking.

The test isn't whether collecting that data is required to do your business - it is whether collecting that data is required to do what the user is asking you to do. So if (for example) you are tracking your users to see where they click in your web site in order to improve your web site, then that is only required for your business - your user has no interest in that, didn't ask for it, and therefore must be asked for consent for you to do it.

[starbugs]

I was referring to the grey area of legitimate interest in the law and how I was briefed to interpret it ca. 2021. Things may have moved on and I am not a lawyer. You might be right and what the lawyers told me back then isn't true or was true and is no longer considered true.

What I was basically saying is that 1st-party cookies are considered more likely to reflect a legitimate interest than 3rd-party cookies. And I think that is what the interpretation of the law was (or maybe still is).

You can do 1st-party tracking without collecting personally identifiable information if it's just about retention without a user ID, which I was referring to. And I in fact think that there is a case to be made that this could be part of the legitimate interests of improving the user experience on a web property of a given business, hence not requiring consent.

[mnw21cam]

IANAL too.

I'll certainly agree that this is an area where different opinions abound, and also you are much less likely to be prosecuted for this, so it's likely that advice would be that it's probably alright and you'll get away with it. But a strict interpretation of the law says that you can't use information gathered for a purpose for which the user didn't consent (or deliberately ask for, etc), even if you have it lying around because you collected it for a separate reason that is valid.

Regarding arguing that improving the user experience is a legitimate interest - I'm not aware of that having been argued and decided in court, but my opinion is that it is a hopeful misinterpretation of the law, and a slippery slope towards quite egregious data collection.

Yes, you can collect web site metrics without identifying information, for instance how many times are the different links on a particular page clicked on, but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.

[starbugs]

> [...] but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.

Just out of curiosity: That would be crossing a line, because it might be potentially possible to reconstruct an identity from the linked navigation pattern?

If so, I guess I would consider that beyond the realm of what any normal internet lawyer would include in their advice.

[BrandoElFollito]

One of the problems is that it is hardly possible to differentiate connections without gathering PII.

Even an IP address is PII, your may be lucky with some fingerprinting, but this won't be unique.

[starbugs]

A cookie used solely for counting anonymous visits without storing individual identifiers generally wouldn't be considered personally identifiable information under GDPR.

At least that's what I was told. Having said that, this is obviously a complicated and nuanced topic with a lot of grey areas. I guess it's a good idea to talk to a lawyer in any case.

[BrandoElFollito]

You are right that if this is just a unique identifier that gets into the cookie and you cannot link it to the actual user then it's fine.

My point was rather for non-cookie based kind of identification, but it was no clear enough.