Hi John, that’s a really good question. Unfortunately, I’m not a lawyer so I can’t say either way for sure. GDPR is complex in that manner: certain data types might not be able to identify a user on their own, but in the broader context of your user data may end up being considered PII. Cookies, for example, that only signify what variation of a split-test a user saw might not be considered personal data in isolation, but in some settings that extra piece can be enough to turn anonymous data into something that points to a specific individual. That’s an extreme example (and kind of improbable) but the point is that it can happen.
Even though you’re not combining your anonymous funnel tracking data with anything like user IDs, email addresses, etc., you’re still collecting data on your users. Again, I can’t say what’s legally permissible, but based on my understanding of GDPR I really can’t advocate for any type of data collection that’s not disclosed. Keep in mind, this is my personal opinion.
If you’re concerned about needing certain types of data for your business to function, and that people will opt out if given the option to consent, it will probably help to become familiar with the lawful bases for data processing (I wrote about that a bit in this post). Most web-based businesses will probably collect and process data under the auspices of #1, data collected with consent of the users, or #6, data collected for legitimate interest.
Your two examples (which are both awesome, by the way!) sound like they would fall under #6, that you’re collecting data for legitimate interests. While this is the most flexible lawful basis for processing, it also requires the most work from your end to ensure that you’re being compliant.
From the Information Commissioner’s Office in the UK:
“If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.”
In short, GDPR is complicated and understanding consent is hard.