Guides/GDPR

GDPR-Compliant Website Analytics

What the GDPR actually requires from website analytics, why consent became the default answer, and how to measure traffic lawfully without a cookie banner.

Last reviewed July 2026

The GDPR does not ban analytics. It regulates personal data, and most analytics tools happen to be built on personal data: persistent cookie IDs, raw IP addresses, and profiles that follow a person across visits. Remove those, and most of the GDPR's machinery no longer bites.

This guide walks through what the regulation actually asks of website measurement and the two realistic ways to satisfy it. It is general information, not legal advice.

What the GDPR regulates

The GDPR applies to processing of personal data: any information relating to an identified or identifiable person. For analytics the relevant examples are:

  • Cookie and device IDs. Recital 30 names online identifiers explicitly. A unique ID that singles out one visitor is personal data even without a name attached.
  • IP addresses. Treated as personal data by EU case law, since the operator of a site plus an ISP can link them to a person.
  • Behavioral profiles. A browsing history tied to any of the above.

Two more pieces sit alongside the GDPR. The ePrivacy Directive (implemented across EU member states, and in the UK as PECR) requires consent before storing or reading anything non-essential on a device, cookies included, regardless of whether the contents are personal data. And since the Schrems II ruling, sending personal data to US-based processors needs extra safeguards, which is what tripped up Google Analytics in decisions by the Austrian, French, and Italian regulators.

The default answer is to ask. A consent management platform shows a banner, and analytics only fires for visitors who agree. This is legally sound and it is the only lawful route if your measurement genuinely needs personal data, such as cross-device journeys or remarketing audiences.

The costs are real, though. Consent must be freely given, specific, informed, and as easy to refuse as to accept, so the pre-ticked-box tricks are gone. Rejection rates commonly run from 30 to 60 percent, and every rejection is a visitor your dashboard never sees. You are paying for compliance with data quality.

Route two: do not collect personal data

The second route is to measure without personal data at all. If the analytics tool stores nothing on the device, never keeps a raw IP address, and holds no identifier that singles out a person, then there is no personal data processing to legitimize and no device storage to consent to. The banner disappears because the thing it was asking permission for is gone.

This is how cookieless analytics works, and it is the model Analyse is built on. You keep complete traffic numbers, conversion funnels, and source attribution for every visitor, and the GDPR obligations that remain are the ordinary ones: a truthful privacy policy and a processor agreement with your vendor.

The honest limitation: without identifiers you cannot follow one anonymous person across devices or over long periods. If you need that, you are back on route one, asking for consent.

A practical checklist

  1. Inventory what your current analytics stores on devices and which identifiers it keeps. Your browser's developer tools show the cookies in a minute.
  2. Decide which questions you actually need answered. Most teams need traffic, sources, and funnels, not cross-device ad profiles.
  3. Pick the matching route: a consent platform if you truly need personal data, a cookieless tool if you do not.
  4. Update your privacy policy, sign a data processing agreement with your vendor, and check where the vendor stores its data.
  5. Re-verify yearly. Tools change their behavior, and so does guidance from regulators.

For the tool decision itself, the GA4 comparison and the privacy-first alternatives roundup put the options side by side.

Frequently asked questions

Is Google Analytics GDPR-compliant?

GA4 can be configured toward compliance, but it requires consent for its cookies, careful data-sharing settings, and attention to data transfers. Several EU regulators found older Google Analytics setups unlawful over US data transfers. Most sites using GA4 in the EU need a consent banner.

Do I need a cookie banner for analytics under the GDPR?

You need consent when analytics stores identifiers on the device or processes personal data. If your analytics stores nothing on the device and keeps no personal data, there is nothing to consent to, which is how cookieless tools operate without a banner.

Is an IP address personal data?

Yes, EU case law treats IP addresses as personal data because they can identify a person when combined with other information. Compliant analytics either never stores raw IPs or discards them immediately after use.

Does the GDPR apply to my site if I am not in the EU?

It applies whenever you offer goods or services to people in the EU or monitor their behavior, regardless of where your company sits. A US SaaS with EU visitors is in scope.

Analytics without the banner

Analyse measures every visitor, funnel, and traffic source without cookies, so there is nothing for a consent banner to ask about. Try every feature free for 3 days.

Start free