Quick summary
What it is: Data anonymization removes direct and indirect identifiers so data can no longer be linked to a person, which takes it outside the scope of the GDPR.
Why it matters: Anonymous data needs no consent, can be kept indefinitely, and can be shared or exported freely.
The catch: True anonymization is hard. Data must resist singling out, linkage and inference, and the EDPB’s 2026 guidelines raised the bar for proving it.
In analytics: Tools like Piwik PRO can collect anonymous data from the start, giving you insights from non-consenting visitors without processing personal data.
In the face of the General Data Protection Regulation (GDPR), many companies are looking for ways to process and utilize personal data without violating the regulation’s rules.
This is all quite difficult, as GDPR significantly limits the ways in which personal data can be collected and processed. One of the biggest challenges is the high bar the regulation sets for acquiring a visitor’s consent.
The two main obstacles are:
1) under GDPR, consent has to be freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her to serve as a valid basis for processing user data.
If you want to dig deeper into the details of GDPR consent, we advise you to read this blog post:
How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users
2) GDPR has no grandfather provision allowing for the continued use of data collected using non-compliant methods prior to the date of GDPR’s entry into force. In practice, this means that all data collected before GDPR should be removed from databases if it doesn’t meet all the requirements (and most probably it doesn’t).
What’s more, the definition of personal data has broadened drastically, and now includes cookies and many other online identifiers used in web analytics. You can read more about it here:
What Is PII, non-PII, and Personal Data?
Every company wanting to process analytics data has to adjust their approach to meet the demands of the new law. We tackle this topic on our blog here:
How Will GDPR Affect Your Web Analytics Tracking?
Another option is seeking other legal bases allowing us to process data and use historical analytics databases without going into a gray area.
One of the most favorable methods seems to be data anonymization. It may prove a good strategy for retaining the benefits while mitigating the risks involved in dealing with user data.
Update (July 2026): In July 2026 the EDPB adopted new Guidelines 02/2026 on anonymization, which update and replace the thinking in the 2014 Article 29 Working Party opinion referenced throughout this guide. The core risks below, singling out, linkability and inference, carry over, but the assessment approach has changed. For the current framework, see our breakdown: The EDPB’s new data anonymization guidelines: what they mean for your analytics data.
The key benefits of data anonymization
Companies that use this technique can benefit from one very important fact – anonymous data is not personal data for the purposes of GDPR.
According to Recital 26 of GDPR: The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Under the provision cited above, anonymous data doesn’t require any additional safeguards to ensure its security. Among other things, this means that:
- you don’t need to get consent to process it
- you can use it for other purposes than the ones it was originally collected for (you can even sell it!)
- it can be stored for an indefinite period of time
- it can be exported internationally
In other words, you can use it freely for virtually every purpose you want to.
PII vs personal data
Learn how to recognize PII and personal data to stay away from privacy issues
What’s more, data anonymization is a great way to prove that you’re making all possible efforts to ensure the security of your users’ data. According to data privacy experts, this technique can be treated as:
- part of a privacy by design strategy
- part of a risk minimization strategy
- a way to prevent personal data security breaches
- part of a data minimization strategy
These advantages, however, result from one fact – anonymisation is a very complicated and demanding process. It requires a lot of preparation and the use of specialized techniques. The benefits you receive are more like reward for your hard work than a low-hanging fruit.
What exactly is data anonymization?
Data anonymization is the use of one or more techniques designed to make it impossible – or at least more difficult – to identify a particular individual from stored data related to them.
According to London’s Global University, Anonymisation is the process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified.
An individual may be directly identified from their name, address, postcode, telephone number, photograph or image, or some other unique personal characteristic.
An individual may be indirectly identifiable when certain information is linked together with other sources of information, including, their place of work, job title, salary, their postcode or even the fact that they have a particular diagnosis or condition.
Which kinds of data should be anonymized
In the case of anonymization performed to align with the demands of GDPR, that would mean anonymizing every piece of information that can be classified as personal data.
Since, as we’ve already mentioned, the definition of personal data in GDPR is very broad, that will include such information as:
- login details
- device IDs
- IP addresses
- cookies
- browser type
- device type
- plug-in details
- language preference
- time zones
- screen size, screen color depth, system fonts
- … and much more
That’s quite a long list, isn’t it?
What are the main data anonymization techniques?
What’s particularly important in the case of anonymization is that, according to the Article 29 Working Party’s Opinion 05/2014 on Anonymisation Techniques, it shouldn’t be treated as a single unified approach to data protection.
It’s rather a set of different techniques and methods used to permanently mask the original content of the dataset.
There’s also a very limited list of techniques that could be considered as providing sufficient level of security. Among the approved anonymization techniques, the Article 29 Working Party lists two types of procedures: randomization and generalization.
Here you can find a short description of techniques encompassed by their scope.
Randomization:
Noise Addition: where personal identifiers are expressed imprecisely, for instance:
height: 180 cm → height: 320 cm
Substitution/Permutation: where personal identifiers are shuffled within a table or replaced with random values, for instance:
ZIP: 10120 → ZIP: postcode
Differential Privacy: where personal identifiers of one data set are compared against an anonymized data set held by a third party with instructions to employ a noise function and an acceptable amount of data leakage is defined.
Generalization:
Aggregation/K-Anonymity: where personal identifiers are generalized into a range or group, for instance:
Age: 30 → Age: 20-35
L-Diversity: where personal identifiers are first generalized, then each attribute within an equivalence class is made to occur at least n times, for instance: properties are assigned to personal identifiers, and each property is made to occur with a dataset, or partition, a minimum number of times.
What are the most common risks in data anonymization?
However, each of the techniques described above has its own pitfalls, especially when tested against the three most common risks involved in anonymizing data. Those risks are:
Singling out
The possibility to isolate some or all records which identify an individual in the dataset
Linkability
The ability to link at least two records concerning the same data subject or a group of data subjects (either in the same database or in two different databases)
Inference
The possibility to deduce, with significant probability, the value of an attribute from the values of a set of other attributes.
As you can see in the table below, every technique has its own set of strengths and weaknesses:
| Is Singling Out still a risk? | Is Linkability still a risk? | Is Inference still a risk? | |
|---|---|---|---|
| Noise Audition | Yes | May not | May not |
| Substitution | Yes | Yes | May not |
| Aggregation or K-anonymity | No | Yes | Yes |
| L-diversity | No | Yes | May not |
| Differnetial privacy | May not | May not | May not |
Source: Article 29 Working Party, Opinion 05/2014 on Anonymisation Techniques
These three risks, singling out, linkability and inference, remain the backbone of anonymization assessment. The EDPB’s 2026 guidelines restate them as three criteria: No Record Isolation, No Linkage and No Inference. For how to test data against each under the current framework, see our guide to the EDPB’s 2026 anonymization guidelines.
For these reasons, it’s highly advisable to use not one but a combination of several anonymization in concert to prevent your data set from being re-identified. However, even that approach doesn’t necessarily translate into total data security.
Because there are now so many different public datasets available to cross-reference, any set of records with a decent amount of information on someone’s actions has a good chance of matching identifiable public records.
87% of the US population can be uniquely identified from just a combination of their ZIP code, gender and date of birth!
Source: Latanya Sweeney, Simple Demographics Often Identify People Uniquely (Carnegie Mellon, 2000)
The figure is decades old, but the principle has only strengthened as more public datasets have become available to cross-reference, exactly the linkage risk the EDPB’s 2026 guidelines emphasize.
That’s why, even when applying anonymization processes, it’s important to limit the amount of anonymized data disclosed to the public and to stick to the data minimization approach. In this way you minimize the risk of this data set being matched with any kind of public records.
PII vs personal data
Learn how to recognize PII and personal data to stay away from privacy issues.
We’re aware that anonymization techniques and the threats involved in applying them to your data is a much broader topic, impossible to tackle in a single blog post. That’s why we’ve put together a list of valuable guides shedding some more light on the technical aspects of data anonymization:
- Information Commissioner’s Office: Anonymisation: managing data, protection risk, code of practice
- Article 29 Working Party: Opinion 05/2014 on Anonymisation Techniques
- Personal Data Protection Commission of Singapore: Guide to Basic Data Anonymization Techniques
We hope they’ll prove useful!
What other options you have
The techniques above are typically applied to datasets that already contain personal data, which means you still need consent to collect it in the first place.
There’s also another route: collecting data that is anonymous from the very start. This way, you avoid the obligation to gather consent before you begin processing, because there’s no personal data involved. For that, you need analytics software built to collect anonymous data by design, which Google Analytics can’t do (here’s why).
How Piwik PRO approaches data anonymization
Piwik PRO lets you collect analytics data anonymously from the start, so you can gather insights from visitors who don’t consent without processing personal data. You choose how strict to be, with three anonymous collection methods:
- Cookies and session data: a first-party session cookie that expires after 30 minutes, giving the most reliable anonymous data. If a visitor consents mid-session, it converts into a standard tracking cookie.
- Session hash, no cookies: a salted session hash kept only for 30 minutes after the last action, then discarded. No cookies are stored, which suits strict cookie laws like Germany’s TTDSG.
- No cookies, no session hash: the strictest option. Every event is treated as a new session, so you keep event counts like page views and downloads without recognizing visitors at all.
Across all three, IP addresses are masked, geolocation is limited to country or continent level, and no data is stored that could identify a visitor across sessions without consent. You can also align your configuration with CNIL‘s guidance for consent-exempt analytics.
To see which method fits your needs, read our guide to anonymous website visitor tracking.
Disadvantages of data anonymization
Although data anonymization has some very strong advantages, don’t forget about its drawbacks.
It’s important to remember that if you want to anonymize new data collected from your website, then you’ll either need to obtain consent to collect personal data (like cookies, IP addresses, and device ID) and then apply anonymization techniques, or only collect anonymous data from the start.
In the latter case, this data would be limited to pageviews, as most other analytics metrics and reports requires personal data like unique pageviews, unique visitors, user location, etc.
However safe this approach may sound, it also deprives you of all the valuable insights you can gain with more detailed information about your customers.
Stripping every common identifier from your data makes it impossible to cultivate a more personalized approach towards your clients and visitors – for instance, by serving them with tailored messaging and dedicated offers or recommendations.
Statistics prove that personalization is an increasingly successful marketing tactic. What’s more, consumers are keen to share their personal data with companies if the data will be used for their own benefit:
96%
of consumers say they are likely to engage with an offer if it has been personalized to reflect their preferences and previous interactions with the brand. (2025 Consumer Trends Report)
9 out of 10
consumers are willing to share some type of personal information (on a website) as long as it’s for their benefit and is being used in responsible ways. (PwC)
That’s why it’s worth sacrificing your historical data set in some cases and going the extra mile to provide your users with enhanced levels of security and transparency.
This will help them be relaxed about sharing their personal details with you. Then you can use this data to provide them with level of personalization and customer experience they desire.
First-party data is one of the biggest assets in every marketer’s arsenal. We’ve written a lot about it in these blog posts:
You can do it by asking your users for consent to process their data and storing all the information received in alignment with the new EU data privacy law – something we’ve written a lot about on our blog in the GDPR section. Be sure to check it out!
Anonymous analytics – final thoughts
Anonymization is definitely one of the greatest ways to ensure the safety of data you collect. This extra measure of security lets you freely exploit your data collection in ways that wouldn’t be legally allowed when it comes to non-anonymized data.
However, there are also some considerable benefits of using personal data in its pure (original) form. That’s why you really need to think through the pros and cons of each option before making a final decision.
But no matter what method you choose, remember that storing your data in a safe environment is also of paramount importance.
For instance, Piwik PRO Analytics allows you to store your data at a location of your choice – using your own infrastructure, in a third-party database, or in our own secure private cloud with servers located in EU and the USA.
What’s more, our software enables you to apply additional security measures to your data, like SAML Authentication or Audit Log, and you can take advantage of professional data security advice and support.
If you’d like to learn more, feel free to contact us anytime!
Frequently asked questions
No. Once data is genuinely anonymized, so that no one can reasonably identify a person from it, it falls outside the GDPR. The bar is high: if re-identification stays realistically possible, the data is still personal and the GDPR still applies.
Anonymization permanently removes the ability to identify someone, and the result isn’t personal data. Pseudonymization only replaces identifiers with a key or token; because that link can be reversed, pseudonymized data is still personal data under the GDPR.
Generally no. If your analytics collects only anonymous data, there’s no personal data to consent to. In several EU countries, privacy-friendly analytics are explicitly exempt from consent requirements, subject to specific configuration.
Three: singling out (isolating one person’s records), linkability (matching records to another dataset), and inference (deducing something specific about a person). A dataset is only anonymous if all three risks are reduced to an insignificant level.
They replaced the 2014 framework with a likelihood-based test, judged from the perspective of each party who might access the data. The three risks became three criteria: No Record Isolation, No Linkage and No Inference. Read our full breakdown.

