The Problem: Most link shorteners like Bitly or Short.io set cookies and store IP addresses - without you even noticing. This can get expensive: GDPR fines run up to 20 million euros or 4% of annual revenue.

What is Link Tracking?

Link tracking means capturing data with every click on a link: Where did the click come from? What device was used? When was it clicked? This data is gold for marketing teams - but it must be captured in a GDPR-compliant way.

Why Are Most Link Shorteners Not GDPR-Compliant?

1. Cookies Without Consent

Many link shorteners set tracking cookies as soon as someone clicks a link. The problem: The user lands on a third-party domain (e.g., bit.ly) and gets a cookie set - without a cookie banner, without consent.

According to the ePrivacy Directive, setting non-essential cookies without prior consent is prohibited.

2. IP Addresses Are Stored

IP addresses are personal data under Art. 4(1) GDPR. Most link shorteners store the complete IP address for their analytics - often without a legal basis and without appropriate retention periods.

3. US Hosting (Schrems II Problem)

Bitly, Short.io, and many others host their servers in the USA. Following the Schrems II ruling by the ECJ, transferring personal data to the US is problematic as adequate data protection cannot be guaranteed.

Schrems II Explained

In 2020, the ECJ invalidated the Privacy Shield agreement. Since then, data transfers to the US are only possible under strict conditions. Many supervisory authorities view the use of US services critically.

What Data Can I Track GDPR-Compliantly?

The good news: You can still capture valuable analytics - if you do it right.

Allowed (Without Consent)

| Data Point | How to Capture? | Legal Basis |
|---|---|---|
| Country | Derive from IP, discard IP | Art. 6(1)(f) GDPR |
| Device Type | From User-Agent, don't store | Art. 6(1)(f) GDPR |
| Browser/OS | From User-Agent, don't store | Art. 6(1)(f) GDPR |
| Referrer Domain | Domain only, not full URL | Art. 6(1)(f) GDPR |
| Timestamp | When was it clicked | Art. 6(1)(f) GDPR |

Not Allowed (Without Consent)

| Data Point | Problem |
|---|---|
| Storing IP addresses | Personal data |
| Setting cookies | Consent required (ePrivacy) |
| Browser Fingerprinting | Consent required |
| Cross-Site Tracking | Consent required |
| Creating User IDs | Profiling without legal basis |

How GDPR-Compliant Link Tracking Works

The key lies in data minimization (Art. 5(1)(c) GDPR):

Best Practice: Server-Side Tracking

  1. Click arrives - Server receives HTTP request
  2. IP → Country - GeoIP lookup (local!), discard IP immediately
  3. User-Agent → Device/Browser/OS - Parse, discard User-Agent
  4. Referrer → Domain - Extract domain only
  5. Store - Only the derived, non-personal data
  6. Redirect - Send user to target URL
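
Steps 2 to 5 above as an added Python example (not code from Smoio or any provider named on this page); steps 1 and 6 belong to whatever HTTP framework receives the click and issues the redirect. The function names, the `GEO_TABLE` ranges standing in for a local GeoIP database, and the User-Agent rules are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed stand-in for a local GeoIP database (documentation-only ranges).
GEO_TABLE = [(ipaddress.ip_network("192.0.2.0/24"), "DE"),
             (ipaddress.ip_network("198.51.100.0/24"), "FR"),
             (ipaddress.ip_network("2001:db8::/32"), "NL")]
# Order matters: Edge UAs contain "Chrome/", Chrome UAs contain "Safari/",
# Android UAs contain "Linux", iPhone UAs contain "like Mac OS X".
BROWSERS = [("Edg/", "Edge"), ("Firefox/", "Firefox"), ("Chrome/", "Chrome"), ("Safari/", "Safari")]
SYSTEMS = [("Android", "Android"), ("iPhone", "iOS"), ("iPad", "iOS"),
           ("Windows", "Windows"), ("Mac OS X", "macOS"), ("Linux", "Linux")]

def country_of(ip):
    """Step 2: local lookup that returns a country code and nothing else."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    return next((cc for net, cc in GEO_TABLE if addr in net), "unknown")

def classify_user_agent(ua):
    """Step 3: reduce the User-Agent to three coarse categories."""
    ua = ua or ""
    device = ("tablet" if "iPad" in ua or ("Android" in ua and "Mobi" not in ua)
              else "mobile" if "Mobi" in ua else "desktop")
    pick = lambda rules: next((name for token, name in rules if token in ua), "other")
    return device, pick(BROWSERS), pick(SYSTEMS)

def referrer_domain(referrer):
    """Step 4: hostname only; path, query string, port and userinfo are dropped."""
    try:
        return urlsplit(referrer or "").hostname or "direct"
    except ValueError:  # malformed URL
        return "direct"

def minimized_click(ip, user_agent, referrer, now=None):
    """Step 5: build the only record that gets stored; raw inputs are not kept."""
    device, browser, os_name = classify_user_agent(user_agent)
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return {"country": country_of(ip), "device": device, "browser": browser,
            "os": os_name, "referrer_domain": referrer_domain(referrer), "timestamp": ts}

if __name__ == "__main__":
    # Constructed request values, not real traffic.
    print(minimized_click("192.0.2.44", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) "
          "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1",
          "https://newsletter.example.com/c/42?email=alice@example.com"))
```

The raw IP, User-Agent string and full referrer URL exist only as function arguments, so the handler must also keep them out of access logs and error traces for the stored record to be the whole picture.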

Checklist: Is My Link Shortener GDPR-Compliant?

  • Does it set no cookies?
  • Does it not store IP addresses?
  • Is the User-Agent not stored (only parsed)?
  • Is the server hosted in the EU?
  • Is there a DPA (Data Processing Agreement)?
  • Is the data processing documented?

Comparison: Popular Link Shorteners and GDPR

| Provider | Cookies | IP Storage | Hosting | GDPR? |
|---|---|---|---|---|
| Bitly | Yes | Yes | USA | |
| Short.io | Yes (GTM) | Unclear | USA | |
| URLR | Yes (Matomo) | Unclear | France | |
| Smoio | No | No | Germany | |

Conclusion

GDPR-compliant link tracking is possible - you just need to pay attention to the right things:

  • No cookies - Server-side tracking instead of client-side
  • No IP storage - Only derive the country
  • EU hosting - No Schrems II risk
  • Documentation - DPA and privacy policy

Smoio: The GDPR-Compliant Link Shortener

No cookies, no IP storage, hosted in Frankfurt, Germany. With DPA and complete documentation for your data protection officer.
