If you run a website and collect any data from EU visitors, you've probably wrestled with Google Analytics and GDPR. The core problem isn't that GA4 is illegal — it's that making it compliant requires a non-trivial configuration effort, ongoing consent management, and a dependency on Google's Consent Mode. For many businesses, that overhead isn't worth it when genuinely privacy-friendly alternatives exist.
This guide covers why GA4 creates GDPR friction, what actually makes an analytics tool GDPR-friendly, and a detailed comparison of seven alternatives — so you can pick the right tool for your compliance posture and traffic needs.
Before diving in: if you're not sure what trackers your website is currently running, scan your site free at Custodia — you'll get a full report in 60 seconds.
Why Google Analytics 4 Creates GDPR Friction
Google Analytics isn't banned under GDPR — but several EU data protection authorities have ruled that using it without proper safeguards violates the regulation. The core issues:
1. US Data Transfers
GA4 sends data to Google's servers in the United States. Under GDPR's Chapter V, this requires either an adequacy decision, Standard Contractual Clauses (SCCs), or other approved transfer mechanisms.
The EU-US Data Privacy Framework (adopted in July 2023) provides a legal basis for these transfers, and Google is certified under it. But the framework has faced legal challenges, and some EU DPAs remain sceptical. The Austrian, French and Italian DPAs found in 2022 that Google Analytics violated GDPR because of US transfers; those decisions came after the Court of Justice had invalidated the Privacy Shield in Schrems II (2020) and before the DPF existed, so they turned on SCCs alone being insufficient. The legal risk is reduced, but it hasn't disappeared.
2. IP Address Processing
GA4 receives visitors' IP addresses by default, and IP addresses are personal data under GDPR. Google states that GA4 does not log or store IP addresses (it uses them to derive a coarse location and then discards them), and unlike Universal Analytics there is no IP-anonymisation setting to switch on. The problem the DPAs raised is the step before that: the full IP address reaches Google's servers, which may be in the US, before anything is discarded, so personal data has already been transferred by the time it is anonymised.
3. Consent Requirements
Because GA4 uses cookies and processes personal data, it triggers GDPR's consent requirements. You need:
- A compliant cookie banner that obtains prior, informed, freely given, specific consent before loading GA4
- Google Consent Mode v2 properly implemented (required since March 2024 if you use Google Ads personalisation or measurement features for EEA users)
- Documentation of consent records
Getting this right is non-trivial. Legitimate interest does not rescue you here: even where it could justify the processing under GDPR Article 6, Article 5(3) of the ePrivacy Directive requires consent for any non-essential cookies or similar storage, independent of the GDPR lawful basis. A few DPAs (the French CNIL, for one) exempt strictly limited audience-measurement cookies from consent, but only for tools that produce aggregate statistics and share nothing with third parties; CNIL has said that Google Analytics does not meet those conditions.
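The "load GA4 only after consent" pattern above is easy to get subtly wrong, so here is an added example (not code from the original article or from Google) of the basic Consent Mode v2 flow: signals default to denied before any tag exists, the visitor's banner choice is translated into a consent update, and the gtag.js loader is injected only once analytics_storage is granted. The gtag() command shape and the four consent keys (ad_storage, analytics_storage, ad_user_data, ad_personalization) are Google's documented API; the measurement ID, the banner category names and the dataLayer shim are assumptions so the block also runs in Node.

```javascript
// Added example, not Google's or the article's code. Demonstrates the
// "basic" Consent Mode v2 pattern: no GA4 script until consent is granted.
const GA4_MEASUREMENT_ID = "G-XXXXXXX"; // placeholder, not a real property

// Consent Mode v2 default: every signal denied until the visitor decides.
// In a real page this gtag('consent','default',...) call must run before
// gtag.js is loaded; here it is queued on the dataLayer the same way.
function consentDefaults() {
  return {
    ad_storage: "denied",
    analytics_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
  };
}

// Map a banner decision to Consent Mode signals. Only an explicit true
// flips a signal to "granted"; "analytics" and "marketing" are assumed
// category names for this example's banner.
function consentUpdateFor(choices) {
  const analytics = choices.analytics === true ? "granted" : "denied";
  const marketing = choices.marketing === true ? "granted" : "denied";
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

// Minimal dataLayer/gtag shim so the logic runs in Node as well as a browser.
function makeDataLayer() {
  const dataLayer = [];
  function gtag() { dataLayer.push(arguments); }
  return { dataLayer, gtag };
}

function newContext() {
  const ctx = makeDataLayer();
  ctx.ga4Loaded = false;
  ctx.gtag("consent", "default", consentDefaults());
  return ctx;
}

// Push the consent update, then inject gtag.js exactly once, and only when
// analytics_storage is granted. Returns whether GA4 has been activated.
function applyConsent(ctx, choices) {
  const update = consentUpdateFor(choices);
  ctx.gtag("consent", "update", update);
  if (update.analytics_storage === "granted" && !ctx.ga4Loaded) {
    ctx.ga4Loaded = true;
    if (typeof document !== "undefined") {
      const s = document.createElement("script");
      s.async = true;
      s.src = "https://www.googletagmanager.com/gtag/js?id=" + GA4_MEASUREMENT_ID;
      document.head.appendChild(s);
    }
    ctx.gtag("js", new Date());
    ctx.gtag("config", GA4_MEASUREMENT_ID);
  }
  return ctx.ga4Loaded;
}

// Number of GA4 activations ("config" commands) seen on the dataLayer.
function configCalls(ctx) {
  return ctx.dataLayer.filter((args) => args[0] === "config").length;
}
```

The check worth keeping from this: a "reject" click must produce a consent update with everything denied and no config command at all, and a later "accept" must produce exactly one. Google's "advanced" Consent Mode, where gtag.js loads regardless and sends cookieless pings, is a different trade-off and is not what the text above describes.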
4. Data Retention and DPA Requirements
GA4 stores user and event data on Google's infrastructure. You need a Data Processing Agreement with Google (this is available in GA4 settings but must be actively accepted). You also need to configure data retention settings appropriately.
What Makes an Analytics Tool Genuinely GDPR-Friendly?
Not all "privacy-friendly" claims are equal. Here's what to look for:
EU-hosted data: Data stays in the European Economic Area, avoiding the need to rely on transfer mechanisms for the analytics data itself.
No personal data collection: If the tool doesn't collect IP addresses, User-IDs, or other identifiers, there's less to worry about under GDPR.
Cookieless by default: No cookies means no ePrivacy Directive consent requirement for analytics specifically (though you may still need consent for other tools on your site).
No consent required: Some tools are explicitly designed so that no cookie consent banner is needed for the analytics itself — a meaningful UX and compliance win.
Data ownership: You control where data lives and how long it's retained, rather than ceding control to a third party.
GDPR-ready DPA and documentation: The vendor provides a DPA, processes data as a processor under Article 28, and is transparent about sub-processors.
7 Privacy-Friendly Analytics Alternatives
1. Plausible Analytics
Privacy position: Cookieless, no personal data collected, EU-hosted, no consent required.
Plausible is the most commonly recommended GA alternative for GDPR-conscious sites. It sets no cookies and stores no IP addresses or persistent identifiers. Visitors are counted with a hash of the IP address, User-Agent and site domain keyed with a salt that rotates daily; the IP and User-Agent are hash inputs only and are never stored, the identifier cannot be recomputed once the salt is discarded, and it cannot link a visitor across days or across sites. Data is hosted in the EU (Germany, on Hetzner).
Because no personal data is processed and no cookies are set, Plausible argues — correctly for most interpretations — that GDPR consent banners are not required for Plausible itself.
Pricing: From $9/month for up to 10k monthly pageviews. Scales to $19/month for 100k, $49/month for 1M. Annual discounts available.
What you give up vs GA4: No audience segmentation by demographics, no user-level analysis, no conversion funnels beyond simple goal tracking, no advertising integrations, limited custom event depth. Aggregate-only data.
Best for: Content sites, blogs, SaaS marketing sites, anyone who wants simple traffic insights without the compliance overhead. The sweet spot is teams that want to know "where are visitors coming from and what pages are popular" without building an analytics empire.
2. Fathom Analytics
Privacy position: Cookieless, no personal data, EU-isolated data routing option, no consent required.
Fathom is Plausible's closest competitor in terms of positioning and feature set. It's been privacy-first since its founding and GDPR-compliant from the start. Fathom offers "EU isolation" — a feature that routes all visitor data through EU infrastructure before any processing, further reducing transfer concerns.
Fathom also has a strong track record of responding quickly to regulatory changes and publishing detailed privacy documentation that privacy-conscious buyers appreciate.
Pricing: From $14/month for up to 100k monthly pageviews. Slightly pricier than Plausible for lower-traffic sites.
What you give up vs GA4: Similar to Plausible — aggregate data only, no user-level tracking, no ad integrations.
Best for: Teams that want Plausible-style simplicity but prefer Fathom's EU isolation guarantee and slightly more mature dashboard. Also good if you want excellent customer support — Fathom is known for it.
3. Matomo
Privacy position: Full control — self-hosted means data never leaves your infrastructure; cloud version offers EU hosting and strong GDPR features.
Matomo (formerly Piwik) is the most feature-complete open-source analytics platform. It's the only alternative here that genuinely competes with GA4 on feature depth: funnel analysis, heatmaps, session recording, e-commerce tracking, multi-channel attribution, A/B testing. If you need GA4-level analytics without Google, Matomo is the answer.
Self-hosted Matomo puts data entirely under your control — on your own servers, in whatever jurisdiction you choose. The cloud version (Matomo Cloud) is hosted in Germany and comes with a DPA.
Matomo also supports a cookieless tracking mode, which reduces the consent requirement. With proper configuration (anonymised IPs, short data retention, cookieless mode), Matomo argues that consent is not required, and the French CNIL lists Matomo, configured that way, among the audience-measurement tools that can qualify for its consent exemption; opinions in other jurisdictions vary.
Pricing: Self-hosted is free (open-source). Matomo Cloud starts at €19/month for up to 50k pageviews. Plugin features (heatmaps, funnels) add cost on the cloud plan.
What you give up vs GA4: Self-hosting requires server maintenance and technical setup. The UI is denser and less polished than GA4. Some advanced features cost extra. Advertising integrations are limited.
Best for: Teams that need feature-rich analytics with full data control. Developers who can self-host. Regulated industries where data sovereignty is non-negotiable. E-commerce businesses that need conversion and funnel data.
4. Simple Analytics
Privacy position: No cookies, no personal data, EU-hosted (Netherlands), no consent required.
Simple Analytics is exactly what the name implies. It's a lightweight, cookieless analytics tool that collects only aggregate data. The dashboard is clean and minimal — pageviews, referrers, top pages, top countries, and basic event tracking.
Simple Analytics is built and hosted in the Netherlands (EU), is fully GDPR compliant, and doesn't require cookie consent for its analytics script. It offers a "Goals" feature for tracking conversions and a basic API for pulling data into other tools.
Pricing: From $9/month for basic (up to 100k pageviews). Business plan at $19/month adds more features and higher limits.
What you give up vs GA4: More limited than even Plausible in some areas. Very basic event tracking. No funnel analysis, no session recording, no demographic data.
Best for: Simple sites that want the most minimal possible analytics setup. Teams who want a tool with a very clear privacy story and minimal complexity. Good value for smaller sites.
5. Umami
Privacy position: Open-source, self-hosted, cookieless, no personal data — full data ownership.
Umami is an open-source, self-hosted analytics platform. Like Plausible and Simple Analytics, it's cookieless and collects no personal data. The difference is that you host it yourself — giving you complete control over data location and retention.
Umami Cloud is also available if you don't want to manage your own infrastructure, hosted in the US (which reintroduces transfer considerations).
The self-hosted version supports multiple websites from a single installation, has a clean modern UI, supports custom events, and is free. It runs on Node.js and supports PostgreSQL and MySQL.
Pricing: Self-hosted is completely free. Umami Cloud starts at $9/month.
What you give up vs GA4: Analytics depth similar to Plausible — aggregate data, no user-level analysis, no ad integrations. Self-hosting requires setup and maintenance.
Best for: Developers who want a free, self-hosted Plausible alternative. Teams with existing server infrastructure who want to add analytics without a subscription. Open-source advocates.
6. PostHog
Privacy position: Product analytics with EU cloud option, comprehensive privacy controls, cookieless mode available.
PostHog is different from the others on this list — it's a full product analytics platform, not just web analytics. It covers session recording, feature flags, A/B testing, funnels, cohort analysis, and event tracking alongside traditional web analytics.
PostHog Cloud is available with an EU region (hosted in Frankfurt). Self-hosted is available. GDPR features include person data deletion, property masking in session recordings, cookieless tracking mode, and configurable data retention.
PostHog processes more personal data than the cookieless tools above — especially if you use session recording or identify users — so consent management may still be required depending on your configuration. But it gives you the tools to comply.
Pricing: Generous free tier (1M events/month free). Paid plans scale by usage. EU Cloud available on all plans.
What you give up vs GA4: More complex setup and configuration. Session recordings and user identification trigger consent requirements if used. Not truly "no consent needed" in full configuration.
Best for: SaaS products and apps that need product analytics (funnels, retention, feature flags) in addition to web analytics. Teams migrating off Mixpanel or Amplitude who want EU hosting and better privacy controls.
7. Cloudflare Web Analytics
Privacy position: No cookies, no personal data, no consent required — built into Cloudflare's network.
If you use Cloudflare for DNS or CDN (and many sites do), Cloudflare Web Analytics is free and needs almost no setup: for proxied sites Cloudflare can inject its measurement beacon at the edge, and for anything else you add a single script tag. It sets no cookies, stores no IP addresses and does no fingerprinting. There's genuinely no personal data involved.
The trade-off is depth: you get pageviews, referrers, top pages, top countries, and browser/device breakdowns. That's it. No custom events, no goals, no funnels.
Pricing: Free for all Cloudflare users.
What you give up vs GA4: Almost all analytical depth. No custom events, no conversion tracking, no audience analysis. Basic traffic intelligence only.
Best for: Sites that want the absolute minimum analytics footprint — developers, privacy advocates, sites where traffic volume matters but not much else. Also good as a secondary validation layer alongside another tool.
How to Choose: A Decision Framework
Use Plausible or Fathom if: You need simple, reliable web analytics — traffic sources, page popularity, referrers — without any compliance overhead. You want a dashboard you can share with non-technical stakeholders. You'd rather pay $9-$19/month than manage infrastructure.
Use Matomo if: You need GA4-level feature depth. You need complete data sovereignty. You're in a regulated industry where data must stay on your own infrastructure. You have the technical capacity to self-host.
Use Umami if: You want Plausible-style simplicity but prefer open-source and self-hosting. You already run servers. You want zero subscription cost.
Use PostHog if: You're building a SaaS product and need product analytics (not just web analytics) — funnels, retention, feature flags, session replay — alongside basic web tracking.
Use Simple Analytics if: You want the simplest possible interface and the clearest privacy story. Fewer features than Plausible but comparable compliance position.
Use Cloudflare Web Analytics if: You're already on Cloudflare and want basic traffic intelligence for free with zero additional privacy risk.
Stick with GA4 if: You depend on Google Ads and need Conversion Tracking or Smart Bidding. You need deep audience segmentation and demographic data. You're willing to invest in proper consent management, Consent Mode v2, and the associated configuration. The advertising integration value outweighs the compliance overhead.
The Compliance Posture Question
Before choosing, ask yourself: what's your actual compliance risk, and what's your tolerance for configuration?
If you have EU visitors but no advertising dependencies, the privacy-first alternatives are almost always the better choice. You eliminate consent banner complexity for analytics, reduce your data footprint, and avoid the ongoing regulatory uncertainty around US data transfers.
If you run Google Ads, the calculus changes. GA4 with Consent Mode v2 properly implemented is a legitimate approach — but it requires getting the consent management right, which most sites don't. Scan your site to see what's actually running and whether your consent implementation is picking up all the right signals.
Switching from GA4: Practical Notes
Moving from GA4 to a privacy-first alternative is straightforward for most sites:
- Add the new analytics script (usually a single <script> tag or npm package)
- Set up any custom events or goals you need
- Run both tools in parallel for 2-4 weeks to validate data quality
- Remove the GA4 tag (and update your cookie banner to remove Google Analytics from the declared cookies)
- Update your privacy policy to reflect the change
The biggest practical challenge is the data gap — you lose historical GA4 data when you switch. Export what you need from GA4 before removing it.
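The step that most often goes half-done is the removal: a GA4 loader left in a template, a GTM container that still fires the tag, or _ga cookies still being set. Here is an added example (not from the original article) of a post-migration check that scans an HTML document for the GA4 loader, gtag config calls and GTM containers, and scans a Cookie header for Google Analytics cookie names. The measurement IDs, sample pages and cookie strings are constructed placeholders, not real properties.

```javascript
// Added example, not the article's or any vendor's code: verify that the
// GA4 tag is really gone after switching to a privacy-first tool.

// Find GA4/GTM references in page HTML. Returns one finding per match.
function findGa4References(html) {
  const findings = [];
  const loader = /googletagmanager\.com\/gtag\/js\?id=([A-Z0-9-]+)/g;
  const config = /gtag\(\s*['"]config['"]\s*,\s*['"](G-[A-Z0-9]+)['"]/g;
  const gtm = /googletagmanager\.com\/gtm\.js\?id=(GTM-[A-Z0-9]+)/g;
  const legacy = /google-analytics\.com\/analytics\.js/g;
  let m;
  while ((m = loader.exec(html)) !== null) findings.push({ kind: "gtag-loader", id: m[1] });
  while ((m = config.exec(html)) !== null) findings.push({ kind: "gtag-config", id: m[1] });
  while ((m = gtm.exec(html)) !== null) findings.push({ kind: "gtm-container", id: m[1] });
  while ((m = legacy.exec(html)) !== null) findings.push({ kind: "ua-analytics-js", id: null });
  return findings;
}

// GA4 sets _ga and _ga_<STREAM>; Universal Analytics also set _gid and _gat.
// A lingering _ga cookie after removal means the cookie banner and privacy
// policy are out of date even if the script itself is gone.
function findGaCookies(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((c) => c.trim().split("=")[0])
    .filter((name) => /^(_ga|_ga_[A-Z0-9]+|_gid|_gat(_[A-Za-z0-9]+)?)$/.test(name));
}

// Verdict: true only when no loader, config, container or GA cookie remains.
function migrationComplete(html, cookieHeader) {
  return findGa4References(html).length === 0 && findGaCookies(cookieHeader).length === 0;
}

// Constructed sample pages (not real sites): the standard GA4 snippet before
// the switch, and a Plausible snippet after it.
const BEFORE_HTML = `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-ABC123XYZ');</script>
</head><body></body></html>`;

const AFTER_HTML = `<html><head>
<script defer data-domain="example.com" src="https://plausible.io/js/script.js"></script>
</head><body></body></html>`;

// Constructed Cookie headers as a browser would send them.
const BEFORE_COOKIES =
  "_ga=GA1.1.1234567890.1700000000; _ga_ABC123XYZ=GS1.1.1700000000.1.1.1700000100.0.0.0; session=abc";
const AFTER_COOKIES = "session=abc";
```

Run the HTML check against every template and the cookie check against a response captured after a fresh visit with consent rejected; the GTM case matters because a container can keep firing GA4 long after the inline snippet is deleted.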
Bottom Line
GDPR-compliant analytics isn't complicated in 2026 — the tooling has matured significantly. For most small businesses and SaaS companies without deep Google Ads dependencies, a cookieless, EU-hosted tool like Plausible, Fathom, or Simple Analytics is the pragmatic choice: less configuration, less compliance risk, simpler UX.
The consent management complexity and US transfer uncertainty that comes with GA4 is avoidable. The alternatives are good enough that the tradeoff is worth making for the majority of sites.
Not sure what your site is currently running? Run a free privacy scan at Custodia — get a full report on trackers, cookies, and compliance gaps in under 60 seconds. No signup required.
This guide provides general information about GDPR and analytics tools. It does not constitute legal advice. Privacy requirements vary by jurisdiction and the specific nature of your data processing. Consult a qualified privacy professional for advice specific to your situation.