"It's just analytics" is the most expensive sentence in cookie compliance.
Every team asks the same question eventually: we're not running ads, we just want to know which pages people visit — do we really need a consent banner for that? The honest answer changed shape twice in the past year: the EU's planned cookie-law overhaul was withdrawn, and the UK quietly created a real, legal analytics exception.
Here is the current state of play — Google Analytics, Matomo, Plausible, the French exemption, the new UK rules, and what US visitors change about the math.
Do analytics cookies require consent?
In most of the EU/EEA, yes — analytics cookies need prior opt-in consent, because the ePrivacy Directive's consent rule covers any non-essential storage or access on a user's device, and analytics is not "strictly necessary." There are two big carve-outs: a few EU countries (France, Italy, Spain, the Netherlands) exempt tightly configured, aggregate-only audience measurement, and since 5 February 2026 the UK has a statutory "statistical purposes" exception with an opt-out. In the US, analytics cookies generally don't need opt-in consent at all — state laws work on notice and opt-out instead.
The catch in every exemption is the same: it covers measuring how your site is used, not tracking who is using it. The moment analytics data feeds advertising, profiling, or cross-site tracking, you're back to consent.
Why "analytics" is not one legal category
Regulators don't care what your tag manager calls the category; they care what the tool does. Two setups can both be labelled "analytics" and sit on opposite sides of the law:
- Aggregate service measurement — page views, load times, broad traffic sources, used only by you to improve the site. This is what exemptions are written for.
- User-level tracking — persistent identifiers, audience building, ad attribution, data shared with the vendor's ecosystem. This is consent territory everywhere opt-in rules exist.
Most popular analytics products ship somewhere between the two, and one vendor-dashboard toggle (say, enabling Google Signals) can move you from the first bucket to the second without anyone telling legal.
EU/EEA: consent by default, exemptions by country
Article 5(3) of the ePrivacy Directive requires consent before storing or reading anything on a user's device unless it's strictly necessary for the service the user asked for. Analytics doesn't qualify as strictly necessary, so the default across the EU is: no analytics cookies before consent.
Two things did not change that in 2025–2026:
- The ePrivacy Regulation is dead. The Commission formally withdrew the 2017 proposal in its February 2025 work programme ("no foreseeable agreement"). The 2002 Directive and its national implementations still govern cookies.
- Legitimate interest doesn't rescue you. GDPR legal bases apply to downstream processing, but the device storage/access step is governed by ePrivacy, which demands consent or a narrow exemption.
What is genuinely in motion: the Commission's Digital Omnibus proposal (November 2025) would move cookie rules into the GDPR and add an EU-wide exemption for first-party aggregated audience measurement. As of June 2026 it's still working through Parliament and Council — a proposal, not law. Plan on today's rules; we track it in cookie consent laws to watch before 2027.
The member-state exemption map
A few national regulators read an audience-measurement exemption into their cookie rules — each with strict, slightly different conditions:
| Country | Analytics exemption? | Key conditions |
|---|---|---|
| France (CNIL) | Yes, narrow | Aggregate audience measurement for the publisher only; limited event types; IP truncation; 13-month tracker lifetime; 25-month retention; no ad use, no cross-site tracking; opt-out offered |
| Spain (AEPD) | Yes, similar to CNIL | First-party aggregate measurement; 13-month cookie / 25-month retention limits; provider must be contractually barred from reusing data |
| Italy (Garante) | Yes, narrow | Aggregate stats for a single site; IP masking; no data sharing or mixing with other data |
| Netherlands (AP) | Yes, "minor privacy impact" | First-party, anonymized, no third-party sharing; the AP says default Google Analytics doesn't qualify |
| Germany (TDDDG §25) | No | DSK guidance: analytics needs consent, full stop |
| Most other member states | No | Default ePrivacy consent rule applies |
The CNIL's regime is the template, and it got an update worth knowing about: in July 2025 the CNIL revised its audience-measurement criteria and replaced its old list of approved tools with a self-assessment framework (effective 1 January 2026). Exempt solutions may collect only three event types — page views, interactions with site features, and performance/loading data — with pseudonymized IPs and the lifetime/retention caps above. The vendor must act as a pure processor and never pool your data with anyone else's.
Notice what that excludes: Google Analytics. GA4 fails the French test by design — data goes to Google, identifiers persist, and the product is built to connect with Google's ads stack. The CNIL points teams toward self-hosted or configurable tools instead, and publishes a configuration guide for Matomo's exemption mode.
And if you serve all of Europe, the exemption only helps where it's recognized: a German visitor still needs a consent prompt for the same Matomo setup that runs exemption-mode in France — which is why one banner rarely covers every country without geo-targeting.
UK: a real analytics exception, live since February 2026
This is the biggest practical change in years. The Data (Use and Access) Act 2025 (Royal Assent June 2025) amended PECR with new consent exceptions, and the Commencement No. 6 Regulations brought them into force on 5 February 2026. The ICO published final guidance on storage and access technologies on 29 April 2026.
The headline is the statistical purposes exception: no consent needed for analytics cookies if all of the following hold —
- The sole purpose is collecting statistical information about how your service or website is used, in order to improve it. The ICO's framing: the analytics should be about how, not who.
- You give users clear and comprehensive information about what you're doing.
- You offer a simple, free way to object — a visible toggle, not a buried email address — and you actually stop if someone objects.
- Any third-party provider works only for your improvement purpose. If your vendor repurposes or pools the data (hello again, default GA4), the exception is off the table.
DUAA also added exceptions for appearance/functionality preferences and emergency assistance — and, less cheerfully, raised maximum PECR fines from £500,000 to UK GDPR levels: £17.5m or 4% of global turnover. The ICO has flagged cookie compliance as an enforcement priority, specifically including sites that lean on "statistical purposes" without meeting the conditions.
Supportive: the UK finally lets low-risk measurement run without a consent wall. Cynical: it converted a £500k mistake into a 4%-of-turnover mistake for getting the word "sole" wrong.
For UK traffic, then, a genuinely measurement-only stack can drop the consent gate and run notice-plus-opt-out. Anything touching ads, audiences, or cross-context tracking still needs consent.
US: opt-out, not opt-in
No US state requires opt-in consent for ordinary analytics cookies. State privacy laws (California, Colorado, Connecticut, Texas, plus Indiana, Kentucky and Rhode Island as of 1 January 2026) regulate what you do with personal data: clear notice, opt-outs for sale/sharing and targeted advertising, and — in a growing list of states — honoring universal opt-out signals like Global Privacy Control.
Analytics crosses into regulated territory when it stops being analytics: when the same pixel or SDK powers ad targeting or shares data in ways that count as a "sale." That's a classification exercise, not a banner exercise; the full picture is in our US state cookie banner guide.
Tool by tool: GA4, Matomo, Plausible and friends
Google Analytics 4. Needs consent in the EU/EEA, and realistically in the UK too — its default config fails the "sole purpose" test and no national exemption accepts it. If you run GA4 alongside Google ads products for European users, you also need Google Consent Mode v2: since March 2024 Google requires the ad_storage, ad_user_data, ad_personalization and analytics_storage consent signals from your CMP. With consent denied, Google tags can send cookieless pings and model the gaps — useful for salvaging measurement, but Consent Mode is consent plumbing, not a consent exemption. You still need a compliant banner in front of it.
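What the "consent plumbing" looks like in practice, as an added example that is not CookieChimp's or Google's code: the four Consent Mode v2 signals default to denied before any Google tag loads, and a banner decision is translated into a `gtag('consent', 'update', …)` call. `gtag`, `region` and `wait_for_update` are the real Consent Mode API; the in-memory `gtag` shim, the banner category names (`analytics`, `advertising`) and the EEA/UK region list are assumptions so the file runs offline.

```javascript
// Added example (not CookieChimp's or Google's code): mapping banner choices
// onto Google Consent Mode v2 signals.

// Shim: in a real page the Google tag defines window.dataLayer and gtag.
// Here every gtag call is recorded so the result can be inspected offline.
const dataLayer = [];
function gtag(...args) { dataLayer.push(args); }

// The four signals the article says Google requires from a CMP.
const CONSENT_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Assumption: ISO codes for the EEA plus the UK; scope this to your banner.
const OPT_IN_REGIONS = ['AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR',
  'HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE',
  'IS','LI','NO','GB'];

// Step 1: before any Google tag loads, default every signal to denied for the
// opt-in regions and give the banner 500 ms to deliver a stored decision.
function setConsentDefaults() {
  const denied = {};
  for (const k of CONSENT_KEYS) denied[k] = 'denied';
  gtag('consent', 'default', Object.assign({}, denied, {
    region: OPT_IN_REGIONS,
    wait_for_update: 500,
  }));
  return denied;
}

// Step 2: translate a banner decision into the signal object.
// Analytics consent alone never unlocks the three ad_* signals; that is the
// "how, not who" line the article draws.
function consentStateFromChoice(choice) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    ad_storage: g(choice.advertising),
    ad_user_data: g(choice.advertising),
    ad_personalization: g(choice.advertising),
    analytics_storage: g(choice.analytics),
  };
}

// Step 3: push the update when the visitor decides, or when a stored
// decision is replayed on a later page load.
function applyConsentChoice(choice) {
  const state = consentStateFromChoice(choice);
  gtag('consent', 'update', state);
  return state;
}

// Debug helper: the most recent consent command the tag saw.
function lastConsentCommand() {
  for (let i = dataLayer.length - 1; i >= 0; i--) {
    if (dataLayer[i][0] === 'consent') return dataLayer[i];
  }
  return null;
}

// Usage: defaults first, then the banner's answer (analytics only).
setConsentDefaults();
applyConsentChoice({ analytics: true, advertising: false });
```

With consent denied the Google tag can still send its cookieless pings, which is why the defaults must be set before the tag script loads rather than after the banner appears; the update call is what flips `analytics_storage` once the visitor opts in.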
Matomo (self-hosted or EU cloud). The reference implementation for exemption mode. Matomo ships a CNIL-compliance setting that enforces IP anonymization, disables visitor profiles and visit logs, and restricts events to the permitted categories. Configured this way (plus your own opt-out link), it can run consent-free in France, and the same architecture maps well onto the Italian, Spanish, Dutch and UK exemptions. With full visitor profiles enabled, it's just another consent-requiring analytics tool.
Plausible, Fathom and other cookieless analytics. These tools store nothing on the device, which takes them outside the cookie-consent rule of ePrivacy Article 5(3) in most readings — no storage, no access, no consent trigger. Two caveats. First, the EDPB's Guidelines 2/2023 (final, October 2024) read Article 5(3) broadly — pixels, URL identifiers and device-information access can all be caught — so "no cookies" is not automatically "no ePrivacy." Second, GDPR still applies to whatever personal data (like IP addresses) the tool touches server-side; you need a legal basis and a privacy-policy entry, just not a banner. For most sites, cookieless analytics is the cleanest way to keep baseline traffic numbers from the people who reject everything else.
One lane marker: marketing pixels, SDKs and fingerprinting are a different fight with stricter answers — see do pixels and fingerprinting require consent. And no, you can't dodge any of this by blocking access until people accept; that's the cookie wall problem.
What to actually do
- Inventory your measurement stack. Every analytics cookie, SDK and server-side endpoint. CookieChimp's automatic cookie scanning will surface the tags you forgot about.
- Classify honestly: "how" vs "who." Aggregate service improvement on one list; anything touching ads, audiences, profiling or cross-site identifiers on the other. The second list needs consent in opt-in countries, no exceptions.
- Pick your EU posture. Either consent-gate analytics everywhere in the EU (simplest), or run an exemption-eligible configuration (CNIL-mode Matomo, or cookieless tools) in the countries that allow it — and keep the consent gate for Germany and the rest.
- Decide on the UK exception. If your UK analytics is genuinely statistics-only: document the "sole purpose" analysis, update your cookie notice, add a visible objection toggle, and wire it to actually stop the tags. If you can't confidently write "sole purpose" in a memo, keep asking for consent.
- Implement Consent Mode v2 if you run any Google tags for EEA/UK users, with consent state flowing from your banner.
- Honor GPC and targeted-advertising opt-outs for US visitors.
- Log everything. Banner version shown, choices offered, what the user picked, and proof your tags obeyed. "The vendor handles it" is not an answer regulators accept.
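The checklist above is one decision function per visitor, shown here as an added example that is not CookieChimp's product code. It takes the visitor's country and Global Privacy Control signal, your honest "how vs who" classification of the stack, and the banner answer, and returns the posture to apply, what the banner must offer, and whether analytics tags may fire, then builds the log record the last step asks for. The country lists, the `stack` flags, the posture names and the rule that any country outside the EEA, UK and US is treated like the EU default are all assumptions to replace with your own inventory and legal review.

```javascript
// Added example; not CookieChimp's code. Per-visitor consent posture for an
// analytics stack, following the jurisdictions the article covers.

// Assumption: EEA member states (EU 27 plus IS, LI, NO) as ISO codes.
const EEA = new Set(['AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR',
  'HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE',
  'IS','LI','NO']);
// Countries whose regulators recognise an audience-measurement exemption.
const EXEMPTION_COUNTRIES = new Set(['FR', 'ES', 'IT', 'NL']);

// The "how vs who" classification. feedsAds: analytics data reaches
// advertising, profiling or cross-site tracking (e.g. Google Signals on).
// exemptionConfigured: aggregate-only, IP-truncated, no visitor profiles,
// no vendor pooling (e.g. CNIL-mode Matomo). Both flags are assumptions.
function classifyStack(stack) {
  return stack.feedsAds ? 'who' : 'how';
}

// visitor:  { country: 'FR', gpc: false }   gpc = Global Privacy Control
// decision: { consent: 'granted' | 'denied' | null, objected: false }
//   consent  = answer to an opt-in banner (null = not answered yet)
//   objected = answer to a notice-and-objection / opt-out toggle
function decideAnalytics(visitor, stack, decision) {
  const kind = classifyStack(stack);
  const c = visitor.country;
  const granted = decision.consent === 'granted';
  const objected = Boolean(decision.objected);

  if (EEA.has(c)) {
    if (kind === 'how' && EXEMPTION_COUNTRIES.has(c) && stack.exemptionConfigured) {
      // National exemption: no consent gate, but notice and an opt-out.
      return { posture: 'eu-exemption', offer: ['notice', 'opt-out'], analyticsAllowed: !objected };
    }
    // Default ePrivacy rule: always for Germany, always for an ad-linked stack.
    return { posture: 'eu-opt-in', offer: ['consent'], analyticsAllowed: granted };
  }
  if (c === 'GB') {
    if (kind === 'how' && stack.exemptionConfigured) {
      // PECR statistical purposes exception: notice plus a simple way to object.
      return { posture: 'uk-statistical', offer: ['notice', 'objection'], analyticsAllowed: !objected };
    }
    return { posture: 'uk-opt-in', offer: ['consent'], analyticsAllowed: granted };
  }
  if (c === 'US') {
    // No opt-in. Plain analytics runs; anything that counts as a sale or
    // targeted advertising must honour the opt-out and the GPC signal.
    const optedOut = objected || Boolean(visitor.gpc);
    return { posture: 'us-opt-out', offer: ['notice', 'opt-out'],
             analyticsAllowed: kind === 'how' ? true : !optedOut };
  }
  // Assumption: anywhere not covered above gets the conservative EU default.
  return { posture: 'opt-in-default', offer: ['consent'], analyticsAllowed: granted };
}

// The record the "log everything" step asks for: banner version shown,
// choices offered, what the user picked, and what the tags were allowed to do.
function consentLogRecord(visitor, stack, decision, bannerVersion, now) {
  const result = decideAnalytics(visitor, stack, decision);
  return {
    at: (now || new Date()).toISOString(),
    country: visitor.country,
    gpc: Boolean(visitor.gpc),
    bannerVersion,
    posture: result.posture,
    offered: result.offer,
    chosen: { consent: decision.consent, objected: Boolean(decision.objected) },
    stack: classifyStack(stack),
    analyticsFired: result.analyticsAllowed,
  };
}

// Constructed sample: CNIL-mode Matomo, French visitor who has not objected.
const matomoExempt = { feedsAds: false, exemptionConfigured: true };
const sample = consentLogRecord({ country: 'FR', gpc: false }, matomoExempt,
  { consent: null, objected: false }, 'banner-v7', new Date('2026-06-01T00:00:00Z'));
```

The point of returning `analyticsAllowed` from one function is that the tag loader, the banner renderer and the log writer all consume the same decision, so the log genuinely records what the tags did rather than what the banner promised.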
Where CookieChimp fits
This whole topic is really one engineering problem: different consent logic per jurisdiction, enforced reliably. CookieChimp is built for exactly that — geo-targeted banner behavior (opt-in for the EU, notice-and-objection for UK statistical analytics, opt-out and GPC support for US states), automatic cookie scanning to keep classifications honest, built-in Google Consent Mode v2 signaling, and consent logs that prove your tags did what your banner promised. Simple to ship, and you're not rebuilding banner logic every time a regulator updates a PDF.
FAQ
Do first-party analytics cookies need consent under GDPR?
In most of the EU, yes. "First-party" isn't an exemption — the ePrivacy consent rule applies to any non-essential device storage regardless of who sets the cookie. First-party status only helps you qualify for the national exemptions (France, Italy, Spain, the Netherlands) or the UK statistical exception, which also require aggregate-only use and no ad crossover.
Can I use Google Analytics without a cookie banner in Europe?
Not realistically. GA4's default configuration fails every national analytics exemption — data is pooled with Google, identifiers persist, and the product links into Google's advertising stack. In the EU/EEA you need prior consent before GA4 sets cookies, plus Consent Mode v2 if you use Google's ad products. The path to banner-free analytics is cookieless or exemption-configured tools, not GA4.
Is the UK analytics exception already in force in 2026?
Yes. The Data (Use and Access) Act 2025's PECR amendments, including the statistical purposes exception, commenced on 5 February 2026, with final ICO guidance published 29 April 2026. You must still inform users and give them a simple, free way to object — it's an exception to consent, not to transparency.
Does legitimate interest work as a legal basis for analytics cookies?
No — not for the cookie itself. Setting or reading the cookie is governed by ePrivacy rules, which allow only consent or a strictly-necessary/exempt purpose. Legitimate interest can be a GDPR basis for the later processing of analytics data, but it can't replace consent for the storage step in opt-in jurisdictions.
Do cookieless analytics tools like Plausible or Fathom need consent?
Generally no banner is needed for the analytics itself, because nothing is stored on or read from the device — the ePrivacy cookie rule isn't triggered. GDPR still applies to any personal data processed (such as IP addresses before anonymization), so disclose the tool in your privacy policy. The EDPB reads ePrivacy broadly, so verify your specific tool truly avoids device access.
Do analytics cookies require consent in the United States?
No state requires opt-in consent for plain analytics cookies. US laws require notice, opt-outs for data sales and targeted advertising, and in several states honoring Global Privacy Control. Analytics only becomes a problem when its data feeds ad targeting or sharing that counts as a "sale" — then the opt-out machinery must apply to it.
References
- ICO, "Guidance on the use of storage and access technologies": ico.org.uk
- ICO, "What are the exceptions?" (statistical purposes exception): ico.org.uk
- UK Government, "Data (Use and Access) Act factsheet: PEC Regulations": gov.uk
- DLA Piper, "UK: Commencement of the data protection provisions in the Data (Use and Access) Act" (5 February 2026): privacymatters.dlapiper.com
- CNIL, "Sheet n°16: Use analytics on your websites and applications": cnil.fr
- PPC Land, "French data regulator updates cookie exemption rules for websites" (July 2025 criteria and self-assessment): ppc.land
- Matomo, "Configure Matomo Analytics to comply with CNIL consent exemption": matomo.org
- EDPB, "Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive" (final, October 2024): edpb.europa.eu
- Google, "Updates to consent mode for traffic in the European Economic Area": support.google.com
- TechCrunch, "EU abandons ePrivacy reform" (12 February 2025): techcrunch.com
- IAPP, "New year, new rules: US state privacy requirements coming online as 2026 begins": iapp.org
Ready to run region-aware analytics consent without the guesswork? Get started with CookieChimp and ship a banner that matches the law where each visitor actually is.