GDPR & ePrivacy Compliance for Link Tracking
Does link tracking require consent? Does a link shortener need a cookie banner? Every technical decision in trckl.eu was made against the actual legal test — not against marketing assumptions. Here's exactly what we built and why it holds up.
The legal test isn't "do you use cookies?"
Most conversations about tracking compliance focus on cookies. But the actual legal test under Art. 5(3) of the ePrivacy Directive is broader: it asks whether information is stored on, or accessed from, the user's terminal equipment.
The EDPB Guidelines 2/2023 confirm this covers not just cookies, but also URL tracking identifiers, IP-based tracking, and any access to information on the user's device.
trckl.eu's answer to this test: no. We never write to, read from, or instruct the user's device to send us anything beyond the standard HTTP request their browser makes when following a link — which is the explicit, user-initiated action that triggered the redirect.
What actually happens during a redirect
When someone clicks a trckl.eu link, this is the complete sequence:
1. User clicks the link — an explicit, user-initiated HTTP request
2. Browser sends a standard HTTP GET to our EU servers
3. Server receives: IP address, User-Agent, Referrer — standard HTTP protocol headers
4. Analytics worker runs asynchronously: computes SHA256(IP + User-Agent + daily_salt)
5. Raw IP is discarded — never written to disk, never in any log
6. Anonymous event written: country, device type, referrer, hash — no PII
7. HTTP 301/302 response sent — user arrives at destination
Nothing is written to the user's device. No cookie, no local storage, no cache instruction. The HTTP request headers we receive are standard protocol — not data we solicited.
Why no consent is required
Art. 5(3) ePrivacy Directive includes an explicit exemption for processing "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
A redirect is the archetypal case: the user explicitly clicks a link, explicitly requesting the redirect service. Receiving the IP address to route the HTTP 301 response back is not optional — it is technically impossible to respond without it. There is no alternative implementation that achieves the same result with less data.
The EDPB Guidelines §56 confirm: "the applicability of that article does not systematically imply that consent must be collected. In each case it should be assessed whether consent is necessary or whether an exemption under Art. 5(3) may apply."
We assessed it. The exemption applies. That assessment is this document.
IP hashing — the promise in numbers
Even under the strictly necessary exemption, we go further. We do not store the IP address even transiently. Here is the exact mechanism:
SHA256(IP + User-Agent + daily_salt)
The daily salt rotates every 24 hours. This means the same user generates a different hash on different days — making it mathematically impossible to reconstruct a user's navigation history over time, even if you had access to all hashes ever computed.
The raw IP address is processed in memory and immediately discarded. It is never written to disk, never passed to a database query, never included in any log file.
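As an added illustration (not trckl.eu's code), here is the analytics step from the redirect sequence above together with the hashing mechanism in Python: one random salt per day held only in memory, and the click event built without the IP or the User-Agent. The "|" separators, the ISO day string as salt key, the keyword device rule and the country table are my assumptions; the IPs are documentation-range values constructed for the example.

```python
import hashlib
import secrets

# Constructed stand-in for a GeoIP database: documentation-range prefix -> country.
_COUNTRY_BY_PREFIX = {"203.0.113.": "DE", "198.51.100.": "FR"}

# One random salt per calendar day ("YYYY-MM-DD"), held only in memory (assumed layout).
_SALTS: dict[str, bytes] = {}


def daily_salt(day: str) -> bytes:
    """Return the salt for `day`; generating a new day's salt drops every older one."""
    if day not in _SALTS:
        _SALTS.clear()  # assumption: a previous day's salt is never retained
        _SALTS[day] = secrets.token_bytes(32)
    return _SALTS[day]


def visitor_hash(ip: str, user_agent: str, day: str) -> str:
    """SHA256(IP + User-Agent + daily_salt) as the page describes; "|" separators are assumed."""
    material = f"{ip}|{user_agent}|".encode() + daily_salt(day)
    return hashlib.sha256(material).hexdigest()


def device_type(user_agent: str) -> str:
    """Coarse device class from the User-Agent; the keyword rule is an assumption."""
    ua = user_agent.lower()
    return "mobile" if any(k in ua for k in ("mobile", "android", "iphone")) else "desktop"


def lookup_country(ip: str) -> str:
    """Country for the IP from the constructed table; 'ZZ' when unknown."""
    for prefix, country in _COUNTRY_BY_PREFIX.items():
        if ip.startswith(prefix):
            return country
    return "ZZ"


def anonymous_event(ip: str, user_agent: str, referrer: str, day: str) -> dict:
    """Build the click event the worker persists; it carries neither the IP nor the User-Agent."""
    return {
        "country": lookup_country(ip),
        "device": device_type(user_agent),
        "referrer": referrer,
        "hash": visitor_hash(ip, user_agent, day),
    }
```

Cross-day unlinkability depends on the previous day's salt actually being discarded, as daily_salt does here; a retained salt would allow the hash to be recomputed from the salt and candidate inputs, so salt non-retention is the control to verify.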
Why zero cookies is non-negotiable
Cookies are not a convenience — they are a legal trigger. Setting even a single cookie during a redirect means:
1. Art. 5(3) ePrivacy Directive is activated without any exemption available
2. Consent is required — meaning every company using our links must update their cookie banner
3. Cross-session user tracking becomes possible — creating a personal data processing obligation under GDPR Art. 6
Our zero-cookie architecture means companies using trckl.eu links do not need to update their cookie consent infrastructure. The link just works — legally, for their users.
Why EU infrastructure is the guarantee, not the GDPR
The GDPR does not prohibit transferring data outside the EU — it requires a legal mechanism (SCCs, adequacy decisions). A US company with servers in Germany can be technically GDPR-compliant with the right contractual framework.
The CLOUD Act is a different problem. It compels any US-based company to produce data to US authorities on request — regardless of where the servers are physically located. Standard Contractual Clauses do not protect against CLOUD Act requests.
The only real protection is infrastructure owned and operated by a company outside US jurisdiction.
What you can document in your RoPA
When adding trckl.eu to your Records of Processing Activities, here is what you can record:
- ✓ Data processor: trckl.eu — EU-incorporated entity, EU infrastructure
- ✓ Data processed: Anonymous click events (country, device type, referrer, daily-salted hash). No IP addresses. No personal identifiers.
- ✓ Legal basis (ePrivacy): Art. 5(3) strictly necessary exemption — redirect service explicitly requested by user
- ✓ Legal basis (GDPR): Legitimate interest (Art. 6(1)(f)) — anonymous analytics for service improvement. No personal data processed.
- ✓ Third-country transfers: None. All processing on EU infrastructure.
- ✓ Data retention: Configurable — 90 days / 1 year / unlimited (plan-dependent)
- ✓ DPA: Available and signable (Business plan and above)
Questions about this architecture? We're happy to discuss technical details with your legal team. Contact us at [email protected].
Questions DPOs and legal teams ask
Does link tracking require GDPR consent?
It depends on the architecture. Under ePrivacy Directive Art. 5(3), consent is required when you store or access information on the user's terminal equipment (e.g. cookies). An architecture that processes only server-side HTTP metadata — without writing to the user's device — falls under the "strictly necessary" exemption. trckl.eu uses this architecture: no cookies, no device access, no consent required.
Is a link shortener a data processor under GDPR?
Yes. When a link shortener processes click data on behalf of the company that created the link, it acts as a data processor under GDPR Art. 4(8). A Data Processing Agreement should be in place. trckl.eu provides a signable DPA on paid plans.
Does a link shortener need a cookie banner?
Only if it sets cookies. Most link shorteners set tracking cookies — triggering Art. 5(3) consent requirements. trckl.eu sets zero cookies. Companies using our links do not need to update their cookie consent infrastructure.
What is CLOUD Act exposure and why does it affect link shorteners?
The US CLOUD Act allows US authorities to compel any US-based company to produce data — regardless of where servers are physically located. Most major link shorteners are US companies. trckl.eu runs on infrastructure owned by a non-US company — not subject to CLOUD Act requests.
Can I include trckl.eu in my GDPR Records of Processing Activities?
Yes. We process only anonymous click events: country, device type, referrer, and a daily-salted hash. No IP addresses stored. No personal identifiers. Legal basis under ePrivacy: strictly necessary exemption (Art. 5(3)). Legal basis under GDPR: legitimate interest (Art. 6(1)(f)). All processing on EU infrastructure. No third-country transfers.
Does IP hashing make link analytics GDPR compliant?
IP hashing with a rotating daily salt means the raw IP is never stored — only a one-way hash that changes every 24 hours. Combined with zero cookies and server-side-only processing, this architecture eliminates personal data processing entirely.
Questions we haven't answered? We're happy to talk to your legal team.