You've read that GDPR affects your website analytics. You've seen the horror stories about fines. But when you try to find out what you actually need to do, you get 4,000-word legal articles that leave you more confused than when you started.
Here's the short version: GDPR doesn't ban analytics. It just has rules about how you collect and process visitor data. Depending on which analytics tool you use, compliance is either a significant burden or essentially automatic.
What the GDPR Actually Says About Analytics
The GDPR (General Data Protection Regulation) applies when you process personal data of people in the EU. Personal data means any information that can identify a person — directly or indirectly.
For website analytics, the relevant personal data typically includes:
IP addresses. Yes, IP addresses are personal data under GDPR. The Court of Justice of the EU confirmed this in 2016 (Breyer v. Germany).
Cookies and device identifiers. Any unique identifier stored on a visitor's device.
Location data derived from IP addresses.
Behavioral data that could be combined with other data to identify someone (browsing patterns, visit history across pages).
If your analytics tool collects any of these, GDPR applies to that processing.
The Six Requirements That Matter
GDPR has 99 articles and 173 recitals. For analytics, only a handful of requirements actually matter in practice:
- You Need a Legal Basis. You can't just collect data because you want to. You need one of six legal bases defined in Article 6. For analytics, only two are realistic:
Consent (Article 6(1)(a)): The visitor explicitly agrees to being tracked. This is what cookie consent banners do. It's legally bulletproof but practically painful — most visitors reject cookies, so you lose 30-70% of your data.
Legitimate interest (Article 6(1)(f)): You argue that basic website analytics is a reasonable business need that doesn't override visitors' privacy rights. This can work for basic, aggregated analytics — but not for tools that build individual visitor profiles or track across sites.
Most privacy-focused analytics tools rely on either legitimate interest or argue that they don't process personal data at all (making GDPR requirements not applicable).
- You Need a Privacy Policy. Article 13 requires you to tell visitors:
What data you collect
Why you collect it (purpose)
What legal basis you rely on
Who processes the data (you, your analytics provider)
How long you keep it
What rights visitors have (access, deletion, etc.)
Whether data is transferred outside the EU
This applies regardless of which analytics tool you use. Even if your analytics is fully GDPR-compliant, you still need to mention it in your privacy policy.
- You May Need Consent (The Cookie Rule). This is where people get confused. The cookie consent requirement actually comes from the ePrivacy Directive (2002/58/EC), not GDPR directly. But they work together.
The rule: If you store or access information on a user's device, you need consent — unless it's "strictly necessary" for the service the user requested.
Google Analytics uses cookies → consent required
Matomo uses cookies by default → consent required (unless you enable cookieless mode)
Plausible, Fathom, Fairlytics use no cookies → no consent required under ePrivacy
Several EU data protection authorities, including the French CNIL, have explicitly stated that cookieless audience measurement tools can operate without consent if they meet specific criteria: no cross-site tracking, no individual profiling, data used only for aggregate statistics.
- You Need a Data Processing Agreement. If you use a third-party analytics service (any cloud-hosted tool), that provider is your data processor under Article 28. You need a Data Processing Agreement (DPA) that covers:
What data they process and why
Security measures they implement
What happens to data when you stop using the service
Their obligations regarding sub-processors
Data breach notification procedures
Most reputable analytics tools provide a DPA. If yours doesn't, that's a red flag.
This requirement doesn't apply if you self-host (since there's no third-party processor).
- International Data Transfers Need a Mechanism. If your analytics provider stores data outside the EU, you need a legal mechanism for that transfer (Chapter V of GDPR):
EU-US Data Privacy Framework: If the provider is certified, transfers to the US are permitted.
Standard Contractual Clauses (SCCs): Contractual safeguards approved by the European Commission.
Adequacy decisions: Some countries (UK, Japan, South Korea, etc.) are deemed to have adequate data protection.
This is exactly why Google Analytics got into trouble. After the Schrems II ruling invalidated the Privacy Shield in 2020, there was no valid transfer mechanism for GA data going to US servers. The EU-US Data Privacy Framework (adopted July 2023) fixed this for certified companies, but the legal landscape remains uncertain.
Easiest solution: Use an analytics tool that stores data in the EU. This eliminates the transfer question entirely.
- Data Minimization and Storage Limitation. Article 5 requires that you:
Collect only the data you actually need (data minimization)
Keep it only as long as necessary (storage limitation)
Google Analytics collects 40+ data points per visitor. If all you need is pageview counts and traffic sources, collecting fingerprinting data, demographics, interests, and cross-site behavior violates the minimization principle.
Define a retention period and stick to it. 24 months is a common choice for analytics data — long enough to see year-over-year trends, short enough to be defensible.
What This Means in Practice
Here's a decision tree:
If you use Google Analytics:
You need a cookie consent banner (ePrivacy Directive)
You need consent as your legal basis (GDPR Article 6(1)(a))
You need a privacy policy mentioning GA's data collection
You need to verify Google's DPF certification covers GA
You'll lose 30-70% of your traffic data from consent rejection
You need to configure data retention settings
You need to document this in a Record of Processing Activities
If you use Matomo (self-hosted, cookieless mode):
No consent banner needed (if configured correctly)
You can use legitimate interest as your legal basis
You need a privacy policy mentioning your Matomo setup
No DPA needed (you control the data)
You need to maintain the server and keep it secure
You need to configure IP anonymization manually
If you use a cookieless cloud tool (Plausible, Fathom, Fairlytics):
No consent banner needed
Legitimate interest as legal basis (or no personal data processed at all)
You need a privacy policy mentioning the tool
You need a DPA with the provider (they should provide one)
Verify data is stored in the EU (or that a valid transfer mechanism exists)
That's it.
Common Misconceptions
"GDPR means I need a cookie banner." No. GDPR doesn't mention cookies. The ePrivacy Directive requires consent for non-essential cookies. If your analytics tool doesn't use cookies, no banner needed.
"GDPR only applies to EU-based businesses." No. It applies to anyone processing personal data of people who are in the EU. If your website is accessible in Europe (it is), GDPR applies to your analytics.
"I'm too small for anyone to care." Fines are proportional to company size, but enforcement isn't limited to large companies. Austrian, French, and Italian DPAs have all issued decisions against small websites using Google Analytics. More importantly, GDPR compliance is a legal obligation, not a risk calculation.
"Anonymizing IP addresses makes GA compliant." Google's IP anonymization truncates the last octet (e.g., 192.168.1.xxx). The remaining portion is still personal data according to several EU DPAs. Additionally, GA still sets cookies, which requires consent regardless of IP handling.
"I can just block EU visitors." Technically possible, but impractical. You'd need reliable geolocation, you'd lose EU traffic, and it's a poor user experience. Fixing your analytics setup is simpler than geo-blocking an entire continent.
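As an added example (not code from this post, and not the implementation of Google Analytics, Matomo or any other tool named here), the following Python makes two of the techniques above concrete: the last-octet IP truncation behind the "192.168.1.xxx" form, and the Article 5 data minimization and 24-month retention discussed earlier. It assumes a tiny in-memory tracker with constructed sample hits; the hypothetical field names, the 730-day retention value and the IPv6 rule (zeroing the last 80 bits) are assumptions, not details from the post. The residual_addresses function shows why the truncated form is still treated as personal data by several DPAs: an IPv4 address with its last octet zeroed still narrows a visitor down to a block of only 256 addresses.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample hits (not real traffic): what a raw tracker would receive.
RAW_HITS = [
    {"ip": "203.0.113.77", "path": "/pricing", "referrer": "https://example.org/",
     "ts": datetime(2025, 11, 20, tzinfo=timezone.utc), "user_agent": "Mozilla/5.0 (constructed)"},
    {"ip": "2001:db8:85a3::8a2e:370:7334", "path": "/", "referrer": "",
     "ts": datetime(2024, 1, 5, tzinfo=timezone.utc), "user_agent": "Mozilla/5.0 (constructed)"},
    {"ip": "198.51.100.9", "path": "/blog", "referrer": "",
     "ts": datetime(2023, 6, 1, tzinfo=timezone.utc), "user_agent": "Mozilla/5.0 (constructed)"},
]

# Fields actually needed for pageview counts and traffic sources (data minimization).
# Hypothetical field names chosen for this example.
KEEP_FIELDS = ("path", "referrer", "ts")


def anonymize_ip(ip: str) -> str:
    """Zero the host part of an address before it is stored.

    IPv4: zero the last octet, the 192.168.1.xxx form the post describes.
    IPv6: zero the last 80 bits (assumption: not described in the post).
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def residual_addresses(ip: str) -> int:
    """How many real addresses collapse onto one truncated value.

    256 for IPv4: the truncated form still pins a visitor to a small block,
    which is why DPAs still regard it as personal data.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return 2 ** (addr.max_prefixlen - prefix)


def minimize_hit(hit: dict) -> dict:
    """Keep only the fields needed for aggregate stats; the raw IP and user agent never reach storage."""
    out = {k: hit[k] for k in KEEP_FIELDS}
    out["ip_prefix"] = anonymize_ip(hit["ip"])  # truncated, for coarse traffic-source stats only
    return out


def purge_expired(records: list, now: datetime, retention_days: int = 730) -> list:
    """Storage limitation: drop anything older than the retention period (assumed 24 months)."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["ts"] >= cutoff]


def process(hits: list, now: datetime) -> list:
    """Full pipeline: minimize at ingestion, then enforce retention on what is kept."""
    return purge_expired([minimize_hit(h) for h in hits], now)


if __name__ == "__main__":
    now = datetime(2025, 12, 1, tzinfo=timezone.utc)
    for record in process(RAW_HITS, now):
        print(record)
    print(anonymize_ip("203.0.113.77"), residual_addresses("203.0.113.77"))
```

Run against the constructed hits with a reference time of 1 December 2025, the pipeline stores two records (the June 2023 hit falls outside the 730-day window) and neither carries a raw IP or user agent. Truncation happens before anything is written, so the unminimized address is never at rest, which is the order of operations Article 5 expects from a tracker that claims data minimization.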
The Simplest Path to Compliance
If GDPR analytics compliance feels overwhelming, here's the minimal path:
Switch to a cookieless, privacy-first analytics tool. This eliminates the consent banner requirement, the cookie management complexity, and most data protection concerns.
Add a section to your privacy policy. Mention what analytics tool you use, what data it collects, your legal basis, and where data is stored. This takes 15 minutes.
Sign the provider's DPA. Download it, sign it, keep it on file. Five minutes.
Set a data retention period. Most privacy-first tools handle this automatically.
That's genuinely it. Four steps, under an hour, and you can stop worrying about analytics compliance.
What About the ePrivacy Regulation?
The ePrivacy Directive is being replaced by the ePrivacy Regulation, which has been in draft since 2017. It keeps getting delayed. When it eventually passes, it will likely:
Maintain the consent requirement for tracking cookies
Potentially create a clearer exemption for audience measurement
Apply directly as a regulation (like GDPR) instead of requiring national implementation
For now, follow the current ePrivacy Directive rules. If you're using cookieless analytics, the regulation change is unlikely to affect you negatively — if anything, it may make things easier by standardizing the audience measurement exemption across all EU member states.
Bottom Line
GDPR analytics compliance is not as complicated as the legal industry makes it seem. The complexity comes from using tools that weren't designed with privacy in mind. If your analytics tool collects personal data, sets cookies, and transfers data internationally, you need consent banners, DPAs, transfer impact assessments, and detailed privacy notices.
If your analytics tool collects no personal data, uses no cookies, and stores data in the EU — compliance is a privacy policy paragraph and a signed DPA.
Fairlytics is built for this second scenario. A 510-byte script, no cookies, no personal data, EU-hosted, with a free tier for sites under 10K monthly views. You can be fully GDPR-compliant in 30 seconds.