
GDPR-Compliant Web Analytics: The Complete 2025 Guide

The GDPR has been in force since 2018, yet most website owners still don't understand which parts of their analytics stack are compliant. This guide cuts through the legal jargon.

What GDPR says about analytics

GDPR Article 5 requires that personal data be collected for a specific, explicit, and legitimate purpose, and only to the extent necessary. The key question: does your tool process personal data? IP addresses, user IDs, and device fingerprints are all personal data. Google Analytics 4 processes all of these.

The three paths to compliant analytics

Path 1: Consent-based (GA4, Mixpanel, etc.)

Collect personal data, but only after explicit opt-in. Requires a cookie consent banner, a DPA with your vendor, and a mechanism to delete data on request.

Path 2: Aggregated analytics (no personal data)

If your analytics tool never processes personal data — no IP storage, no cookies, no fingerprinting — consent is not required. This is the cookie-free analytics approach.

Path 3: Opt-out model

Some tools offer an opt-out mechanism. This has weaker legal footing under GDPR because the default is still processing personal data.

What "cookie-free" actually means

  • Sets no cookies in the visitor's browser
  • Hashes IP addresses with a server-side salt before storage (daily rotation recommended)
  • Does not use canvas, font, or device fingerprinting
  • Does not track visitors across multiple websites
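
The salted-hash bullet above, sketched as an added example (not code from this page or from any particular analytics product). The class and function names, the in-memory salt, and the sample hits are assumptions made for illustration, and hits are assumed to arrive in date order.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date


class DailySaltHasher:
    """Maps a visitor IP to a per-day pseudonymous ID; the raw IP is never stored."""

    def __init__(self):
        self._day = None
        self._salt = None

    def _salt_for(self, day: date) -> bytes:
        # Rotate on the first hit of a new day. The old salt is overwritten,
        # not archived, so earlier IDs cannot be recomputed from a known IP.
        if day != self._day:
            self._day = day
            self._salt = secrets.token_bytes(32)
        return self._salt

    def visitor_id(self, ip: str, site: str, day: date) -> str:
        # Canonicalise so "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" hash alike.
        canonical = ipaddress.ip_address(ip.strip()).compressed
        # Binding the site into the input keeps IDs from matching across sites.
        msg = f"{site}\x00{canonical}".encode()
        # Keyed hash: without the salt, enumerating all 2^32 IPv4 addresses
        # does not reveal which address produced a stored ID.
        return hmac.new(self._salt_for(day), msg, hashlib.sha256).hexdigest()


def unique_visitors(hits, hasher):
    """hits: iterable of (day, site, ip) in date order -> {(day, site): count}."""
    seen = {}
    for day, site, ip in hits:
        seen.setdefault((day, site), set()).add(hasher.visitor_id(ip, site, day))
    return {key: len(ids) for key, ids in seen.items()}


D1, D2 = date(2025, 3, 1), date(2025, 3, 2)
SAMPLE_HITS = [  # constructed sample data using documentation address ranges
    (D1, "example.org", "203.0.113.7"),
    (D1, "example.org", "203.0.113.7"),
    (D1, "example.org", "2001:DB8::1"),
    (D1, "example.org", "2001:db8:0:0:0:0:0:1"),
    (D2, "example.org", "203.0.113.7"),
]
```

Only the hex IDs and the aggregated counts would be written to storage; the salt lives in process memory and is gone after rotation or restart.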

Your GDPR analytics checklist

  • ☑ No personal data collected → no consent required
  • ☑ Privacy Policy mentions analytics tool and data collected
  • ☑ Data retention period defined and enforced automatically
  • ☑ Process for data subject access/deletion requests documented

The simplest path to GDPR compliance for analytics is switching to a cookie-free tool. You eliminate the consent banner, the DPA, retention complexity, and DSR workflow in one step.
