Comment by zaarn
7 years ago
The IP necessary for the connection itself is covered under necessary data, you can process it for the purpose of a request without needing consent at all. Same applies to shopping cart cookies or anything else that is essential to running a website and isn't being used for secondary purposes like data mining.
The key is to determine under which lawful basis you are processing that data. "Necessary data" is not a get out of jail free card. Because the analytics are not necessary to perform the contract (in any way that I can imagine), you can't claim contract lawful basis. Probably you are stuck with legitimate interest.
So I think you would have to notify the user that you are sending their IP address to the processor under legitimate interest and have a way for them to "object" to that use (i.e. turn off analytics). For legitimate interest, the objection can be after the fact, so having a configuration screen that stores a cookie that allows them to turn off analytics when they are on the site would probably do it.
Since in my case, the processor is me, there is no data being sent elsewhere. I don't have a notification since all data collected is either heavily anonymized in client if possible or on the server side or simply not identifying. Since the data I collect is used to optimize the website experience, I think it's a good enough legitimate interest with no privacy impact.