EU Court Rules Analytics Cookies Can Collect Sensitive Personal Data

Flowsery Team
2 min read

TL;DR — Quick Answer

The CJEU ruled that analytics cookies frequently collect sensitive personal data, meaning cookie-based analytics may require explicit consent -- a nearly impossible bar for most implementations.

A landmark ruling from the EU Court of Justice (CJEU) in the Bundeskartellamt case has established that web analytics cookies can, and frequently do, collect sensitive personal data under the GDPR. This decision has profound implications for every organization using cookie-based analytics or marketing tools.

Background of the Case

The case originated from a 2019 finding by the German competition authority that a major social media company was abusing its dominant market position. The authority ordered changes to the company's terms of service, specifically ruling that off-platform data collection through cookies and trackers required user consent. When the case reached the CJEU, the court issued rulings that went far beyond the original scope.

The Sensitive Data Finding

The court determined that tracking technologies collect sensitive data when users visit certain categories of websites or use specific applications. Crucially, the court specified that an entire dataset must be treated as sensitive data if it contains any sensitive information. If even one visitor out of thousands is browsing health-related content or visiting sites related to sexual orientation, political beliefs, or religious affiliations, all collected browsing data must receive the heightened protections required for sensitive data under the GDPR.

This reasoning applies not just to social media tracking but to any cookie-based analytics service, since the underlying tracking mechanisms operate identically.

Sensitive data can only be processed under very specific legal bases, and for web analytics the only realistic option is explicit consent -- a higher standard than ordinary consent. The current advertising ecosystem already struggles to obtain basic valid consent through cookie banners. Meeting the bar for explicit consent is functionally impossible for most implementations.

Additionally, large-scale processing of sensitive data triggers mandatory data protection impact assessments (DPIAs) under Article 35 of the GDPR. Many websites using cookie-based analytics would need to formally assess and justify the privacy risks of feeding visitor browsing data into advertising networks.

The Broader Implications

This ruling makes the compliance position of cookie-based analytics tools significantly more precarious. Organizations operating websites related to health, politics, religion, or other sensitive topics face the most immediate risk. However, because virtually any website can be visited by users whose browsing patterns reveal sensitive information, the ruling effectively applies across the board. The Norwegian data protection authority has already issued guidance reflecting this interpretation.

Cookieless analytics approaches that avoid collecting personal data entirely sidestep this issue by not creating datasets that could contain sensitive information.
