GDPR-Compliant Analytics: The Complete Setup Guide for 2026

GDPR compliance for analytics isn’t optional anymore, and it isn’t theoretical. Multiple EU data protection authorities have specifically ruled against Google Analytics use. If you’re serving EU visitors and running GA4 with default settings, you’re taking a real legal risk.

This guide covers what GDPR-compliant analytics actually requires technically, which tools meet that standard, and how to set up compliant tracking today.


The GDPR Rulings Against Google Analytics

The first ruling came in January 2022. Austria’s data protection authority (DSB) found that a specific website’s use of Google Analytics violated GDPR because the data was transferred to Google servers in the United States, without adequate protections, making it theoretically accessible to US intelligence agencies under US surveillance law.

France’s CNIL reached the same conclusion in February 2022 and ordered websites to stop using GA or take corrective action. Italy’s Garante followed in June 2022, gave websites 90 days to comply, and opened investigations into several specific sites. Denmark’s Datatilsynet ruled against GA use in September 2022. The Netherlands’ Autoriteit Persoonsgegevens began enforcement actions in March 2023.

These are not advisory opinions. They’re regulatory enforcement actions from national data protection authorities within the EU. Companies operating in those jurisdictions received formal notices. Some were fined.

The core legal issue is Schrems II. The 2020 European Court of Justice ruling invalidated the EU-US Privacy Shield data transfer mechanism, leaving a gap in legal cover for transfers of personal data to US-based companies. Google Analytics sends data to Google servers in the US. That transfer, under EU law, requires either explicit user consent or an adequate alternative legal basis. The EU-US Data Privacy Framework (DPF), adopted in 2023, provides a new mechanism, but its legal durability remains uncertain and it has already been challenged.

The bottom line for practical purposes: using Google Analytics with default settings on a site with EU visitors carries real legal exposure. The configuration options GA provides (consent mode, IP anonymization, restricted data processing) reduce but don’t eliminate the risk.

For a full picture of the compliance situation, consult your legal team. This guide covers the technical side.


What Makes an Analytics Tool GDPR Compliant

The regulation is about personal data. GDPR applies when you collect, process, or store information that can identify an individual. For analytics, the relevant categories are:

IP addresses. An IP address can identify an individual in some circumstances, so GDPR treats it as personal data. If your analytics tool stores IP addresses, GDPR applies.

Cookies. Cookies that track individual users across sessions (not purely functional cookies) require explicit consent under GDPR and the related ePrivacy Directive.

Device fingerprinting. Combining device characteristics to create a persistent identifier is treated the same as cookies for consent purposes.

Cross-site tracking data. Any data that builds profiles of individuals across different websites triggers the most stringent GDPR protections.

The shortcut: if your analytics tool doesn’t collect personal data and doesn’t set tracking cookies, most GDPR consent requirements for analytics don’t apply. This is the technical argument for privacy-first analytics tools: not “we comply with GDPR” as a policy statement, but “our system structurally doesn’t collect the data GDPR is concerned with.”

Additional requirements that apply regardless of the tool:

Data Processing Agreement. You need a signed DPA with your analytics provider. Most reputable tools have a standard DPA available in their terms or on request.

Privacy policy disclosure. Your privacy policy needs to disclose what analytics you use and what data it collects.

Data hosting location. Where your analytics data is physically stored matters. EU hosting is simplest. US hosting under the Data Privacy Framework can work but has more regulatory uncertainty.


Analytics Tools That Are GDPR Compliant

The practical division is between tools that are compliant by architecture and tools that require configuration to reach compliance.

Tier 1: Compliant by Architecture

These tools are designed so that GDPR consent requirements for analytics don’t apply in the first place. They don’t set cookies, don’t collect personal data, and don’t require a consent banner to run.

Clicky is our top recommendation overall. Privacy-respecting tracking, no cookies set by default, no personal data collection, lightweight script. The free tier covers small sites. Setup in under five minutes. See the full comparison for detail on how it stacks up.

Plausible Analytics is open source, EU-hosted, and fully cookieless. Strong privacy credentials. The cleanest GDPR story of any major analytics tool, though the feature set is simpler than Clicky.

Fathom Analytics uses EU isolation, meaning EU visitor traffic is routed through EU servers. Cookieless tracking. Canadian company. Well-regarded in the privacy-focused community.

Simple Analytics is EU-based, collects truly minimal data, and takes the most conservative possible approach to privacy. Feature-light, but the compliance story is clean.

Tier 2: Compliant With Configuration

Matomo can be made GDPR compliant, particularly when self-hosted in the EU with proper configuration: IP anonymization enabled, cookies disabled, data retention policies set. The self-hosted version gives you full control. The cloud version is hosted in the EU. More setup work required compared to Tier 1 tools.

Umami is self-hosted, so compliance depends on where you host it and how you configure it. On an EU server with appropriate settings, it’s compliant.

Tier 3: Requires Significant Configuration

Google Analytics 4 can be configured toward compliance through consent mode v2, IP anonymization, and restricted data processing settings. But the default configuration is not GDPR compliant, the EU-US data transfer question remains unresolved, and the regulators who have ruled against GA have generally done so even when some of these configurations were in place. If you’re using GA4 on a site with EU visitors, you need a proper consent mechanism, a signed DPA with Google, and legal review of your specific setup.


How to Set Up GDPR-Compliant Analytics (Step by Step)

Using Clicky as the primary example. This same general process applies to other Tier 1 tools.

Step 1: Create your Clicky account

Go to clicky.com and sign up. The free tier (up to 3,000 daily pageviews) requires no credit card. For larger sites, paid plans start at $9.99/month.

Step 2: Add your website

Enter your domain name. Clicky generates your unique tracking code and Site ID.

Step 3: Install the tracking code

For WordPress: Install the official Clicky plugin from the WordPress plugin directory, enter your Site ID and Site Key, save.

For any other platform: Copy the tracking snippet from your Clicky dashboard and paste it into your site’s <head> section before the closing </head> tag.

Step 4: Verify no cookies are being set

Open your site in Chrome, press F12 to open Developer Tools, go to the Application tab, and look at Cookies in the left sidebar. You should see no analytics cookies being set by Clicky.

Step 5: Update your privacy policy

Add a section disclosing that you use Clicky for analytics, what data it collects (anonymized visitor data, pageviews, referrers, geographic region), and that it doesn’t use cookies or collect personal data.

Step 6: Sign the DPA

Clicky offers a Data Processing Agreement. Review and sign it to formalize the data processing relationship.

Step 7 (optional): run both tools in parallel

If you’re migrating from GA4, keep GA4 running alongside Clicky for 2–4 weeks. Compare the data. This lets you build confidence in Clicky’s numbers before removing GA4. See the full migration guide for detail.

Step 8: Remove GA4 and potentially your consent banner

Once you’re satisfied with Clicky’s data, remove GA4’s tracking code. If Clicky is now your only tracking tool and you’ve confirmed it doesn’t require consent, you may be able to remove your cookie consent banner.

Important: Removing a consent banner entirely is a legal decision that depends on your full technology stack. If you’re running advertising pixels, chat tools, or other third-party scripts that set cookies, you still need consent management for those. Consult your legal team before making this change.


Common GDPR Analytics Mistakes

Assuming consent mode makes GA4 compliant. Consent mode in GA4 reduces data collection when users decline consent, but it doesn’t resolve the EU-US data transfer question. The data protection authorities behind the rulings above were generally looking at the transfer issue, not just the consent mechanism.

Firing GA4 before consent is given. A common technical misconfiguration: the consent banner appears, but GA4 fires immediately on page load regardless of what the visitor chooses. This is not compliant operation of consent mode. Verify in your browser’s network tab that GA4 requests don’t fire until after consent is recorded.
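The two manual checks in this guide (Step 4, confirming no analytics cookies are set, and the network-tab check just described) can be repeated against a HAR export from the browser’s network tab. The script below is an added example, not code from the original guide or from any analytics vendor; the HAR excerpt, the G-PLACEHOLDER measurement ID, the analytics.example host and the consent timestamp are all constructed, and in practice you would supply the consent time from your banner’s own event log.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed HAR 1.2 excerpt, not a real capture. The visitor accepts the
# banner at CONSENT_AT; analytics activity before that point is a finding.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"startedDateTime": "2026-01-10T09:00:00.100Z",
   "request": {"url": "https://www.example.com/"}, "response": {"headers": []}},
  {"startedDateTime": "2026-01-10T09:00:00.400Z",
   "request": {"url": "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&en=page_view"},
   "response": {"headers": []}},
  {"startedDateTime": "2026-01-10T09:00:00.500Z",
   "request": {"url": "https://analytics.example/track.js"},
   "response": {"headers": [{"name": "Set-Cookie", "value": "visitor_id=abc123; Path=/; Max-Age=31536000"}]}},
  {"startedDateTime": "2026-01-10T09:00:07.000Z",
   "request": {"url": "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&en=scroll"},
   "response": {"headers": []}}
]}}
""")
CONSENT_AT = "2026-01-10T09:00:05.000Z"  # time the "accept" click was recorded (constructed)

# Hosts treated as analytics vendors; extend this with whatever your stack uses.
ANALYTICS_HOSTS = ("google-analytics.com", "analytics.google.com", "analytics.example")

def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _is_analytics(host):
    return any(host == h or host.endswith("." + h) for h in ANALYTICS_HOSTS)

def audit_har(har, consent_at):
    """Return (kind, url) findings: 'ga4_before_consent' for a GA4 /g/collect hit
    that started before consent was recorded, 'sets_cookie' for any analytics
    host whose response carried a Set-Cookie header (the cookieless claim fails)."""
    consent_ts = _parse_ts(consent_at)
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        if not _is_analytics(parts.hostname or ""):
            continue  # first-party and unrelated third-party requests are out of scope
        if parts.path == "/g/collect" and _parse_ts(entry["startedDateTime"]) < consent_ts:
            findings.append(("ga4_before_consent", url))
        for hdr in entry.get("response", {}).get("headers", []):
            if hdr["name"].lower() == "set-cookie":
                findings.append(("sets_cookie", url))
    return findings
```

Run `audit_har(json.load(open("capture.har")), "<consent timestamp>")` against a real export; an empty list means no GA4 hit preceded consent and no analytics host set a cookie in that session.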

Self-hosting Matomo on a US server. Matomo self-hosted is only GDPR-clean if it’s actually hosted in the EU. Hosting location matters. Running your analytics database on a US server still creates EU-US transfer issues even with Matomo’s privacy-first architecture.

Forgetting the DPA. Using an analytics tool without a signed Data Processing Agreement is a GDPR violation. Get the DPA signed.

Thinking GDPR only applies to EU companies. It applies to any website that processes data from EU residents, regardless of where the site or company is based. If EU visitors can access your site, GDPR applies to how you process their data.


Frequently Asked Questions

Is Google Analytics 4 GDPR compliant?

Not with default settings. GA4 requires significant configuration (consent mode, IP anonymization, restricted data processing) and a signed DPA with Google to approach compliance. The EU-US data transfer question remains unresolved even with proper configuration. Multiple EU data protection authorities have issued enforcement actions against GA use specifically.

Do I need a cookie consent banner for analytics?

If your analytics tool doesn’t set cookies or process personal data, generally no. Tools like Clicky, Plausible, and Fathom typically allow you to run analytics without a consent banner. The important caveat: if you’re running other tools that set cookies, you still need consent management for those. Make the determination based on your complete technology stack, not just your analytics tool.

What happens if I’m not GDPR compliant?

Fines up to 4% of annual global revenue or €20 million, whichever is higher. Plus potential reputational damage and the operational cost of responding to regulatory inquiries. The enforcement pattern in analytics has moved from warnings to actual fines.

Can I use Google Analytics alongside a privacy-first tool?

Yes. Running both simultaneously is a reasonable migration strategy. The privacy-first tool can run without consent. GA4 still needs its consent mechanism if you keep it.

Where should my analytics data be hosted for GDPR compliance?

EU hosting is the cleanest option. It eliminates the data transfer questions under Schrems II. US hosting under the Data Privacy Framework can work but carries more regulatory uncertainty given the framework’s challenged legal status.

