Web analytics with consent
At the same time, the user must be given the opportunity to revoke his or her consent at any time. If the user makes use of this option, all relevant tracking measures (which collect, process or store personal data) must be omitted.
However, deletion of previously recorded data is not necessary – unless the user explicitly requests it.
As soon as personal data is collected or processed, the GDPR grants the data subject (in the case of web analytics, the site visitor) a right of access. Upon request, the data subject must be informed which individual data was collected or disseminated and why this was done.
From the perspective of the site operator, supplementary documentation is therefore necessary. In view of the time limit on consent, this should even be combined with time stamps
Anonymised web analysis
In view of these numerous requirements, which are not so easy to fulfil in practice, the majority of website operators rely on anonymised web analysis. This means that the tracking data collected cannot be linked to the data subject.
In view of the GDPR, anonymised web analysis can be realised by means of so-called IP masking. A part of the IP address is already shortened during the collection. But beware, many analysis tools, such as Google Analytics or Matomo, must first be configured accordingly.