Compliance
A 2026 freshness update on GDPR-compliant analytics — post-Schrems II reality, the Digital Omnibus proposal, the EU AI Act overlap, DPA rulings by country, and why GA4 + Consent Mode v2 is duct tape, not architecture.
A SaaS founder I worked with in March 2026 had a clean GA4 setup. Consent Mode v2, IAB TCF v2.2, Cookiebot CMP, server-side GTM proxying through an EU-region Cloud Run instance. Her lawyer signed off on it. Her DPO signed off on it. Six weeks later her enterprise prospect's procurement team flagged "Google Analytics in US transfer flow" on a vendor questionnaire and the deal stalled for nine weeks while she swapped to a cookieless EU-hosted tool. The legal stack was defensible. The procurement stack was not. By the time she shipped the migration the deal had moved to a competitor.
That is the operational gap I keep watching close up. GDPR-compliant analytics in 2026 is not just a legal question, it is a procurement-and-trust question, and the two have diverged. The legal answer for most SMB SaaS is "GA4 with the right contractual safeguards is probably defensible." The procurement answer for any deal that touches European enterprise, healthcare, finance, or public sector is "cookieless, EU-residency, no US transfer." This article is the longer companion to the GDPR analytics compliance overview. The earlier piece walked the architecture. This one walks the 2024-2026 enforcement, the post-Schrems II reality, the Digital Omnibus, the EU AI Act overlap, and the migration playbook.
| Metric | Value | Source |
|---|---|---|
| Year Schrems II invalidated Privacy Shield | July 16, 2020 | CJEU Case C-311/18 [1] |
| EU-US Data Privacy Framework adopted | July 10, 2023 | EU Commission Implementing Decision (EU) 2023/1795 [2] |
| First NOYB challenge to DPF filed | September 2023 | NOYB press release [3] |
| EU DPAs with adverse GA4 rulings | 6 (AT, FR, IT, DK, NO, FI) | EDPB / GDPR Enforcement Tracker [4] |
| Digital Omnibus proposal published | November 19, 2025 | European Commission COM(2025) text [5] |
| EU AI Act entered force | August 1, 2024 | Regulation (EU) 2024/1689 [6] |
| EDPB Guidelines 2/2023 (ePrivacy 5(3) scope) | November 14, 2023 (adopted) | EDPB guidelines text [7] |
| GA4 + Consent Mode v2 mandatory for Google Ads | March 6, 2024 | Google Ads policy update [8] |
| Median EU cookie banner consent rate | 40-55% | Cookiebot 2024 benchmark [9] |
| CNIL audience-measurement exemption criteria | 4 conditions | CNIL guidance [10] |
| Largest GDPR analytics-adjacent fine | Italian Garante, ~EUR 2M (2023) | GDPR Enforcement Tracker [11] |
| ePrivacy Regulation status (proposed replacement) | Stalled in trilogue since 2017 | EU Council documents [12] |
Two of those numbers are doing most of the work. The "6 EU DPAs with adverse rulings" is the supply-side fact — the enforcement environment is real, not theoretical. The "40-55% EU cookie banner consent rate" is the demand-side fact — even when GA4 is legally defensible, the data quality you get out of it after a compliant banner is a fraction of what a cookieless architecture sees. Either of those facts alone is enough to move a thoughtful operator off GA4. Both together are why the cookieless analytics category has grown from "Plausible and Fathom" in 2020 to a dozen credible vendors in 2026.
The post-Schrems II enforcement timeline matters because it shows the trajectory, not just the snapshot. Six DPAs ruling adversely against the same product over 24 months is a pattern, not a coincidence. The pattern is what the Schrems III court will look at when it weighs whether the DPF has materially changed the surveillance-access risk that caused Schrems II.
| Date | DPA | Ruling | Subject | Outcome |
|---|---|---|---|---|
| Jul 16, 2020 | CJEU | Case C-311/18 (Schrems II) | EU-US Privacy Shield | Invalidated; SCCs require "additional safeguards" [1] |
| Jan 12, 2022 | Austria (DSB) | netdoktor.at case | Standard GA Universal deployment | Violation of GDPR Chapter V; IP and Client ID are personal data [13] |
| Feb 10, 2022 | France (CNIL) | Multiple website operators | Standard GA Universal deployment | Formal notice to comply within one month [14] |
| Jun 23, 2022 | Italy (Garante) | Caffeina Media srl | Standard GA Universal deployment | Order to suspend GA transfers within 90 days [15] |
| Sep 21, 2022 | Denmark (Datatilsynet) | DK Hostmaster precedent | GA Universal usage by Danish operators | GA "cannot be used" without supplementary safeguards [16] |
| Jul 10, 2023 | EU Commission | DPF Implementing Decision | EU-US data transfers | Adequacy decision granted; supersedes prior basis [2] |
| Jun 1, 2023 | Norway (Datatilsynet) | Telenor and others | Standard GA deployments | Adverse advisory, transfers not lawful absent safeguards [17] |
| Aug 1, 2024 | EU | AI Act in force | All AI systems incl. analytics | Phased applicability through 2027 [6] |
| Mar 6, 2024 | Consent Mode v2 requirement | EU Google Ads users | Mandatory for advertiser remarketing in EEA [8] | |
| Nov 14, 2023 | EDPB | Guidelines 2/2023 | Article 5(3) ePrivacy scope | localStorage, fingerprinting = same as cookies [7] |
| Dec 14, 2023 | Finland (Tietosuojavaltuutettu) | Yle case | Public broadcaster GA usage | Order to cease standard GA deployment [18] |
| Sep 25, 2023 | NOYB | DPF challenge filed | EU-US Data Privacy Framework | First "Schrems III" complaint [3] |
| Nov 19, 2025 | EU Commission | Digital Omnibus proposal | GDPR/ePrivacy/AI Act amendments | Ordinary legislative procedure begins [5] |
| Q1 2026 | NOYB | Updated Schrems III filings | DPF + SCC mechanisms | Pending CJEU referral |
| Mid 2026 | EU Council | Digital Omnibus first reading | Targeted amendments | Adoption target late 2026 - mid 2027 |
The cadence is the story. Six DPAs in 24 months, one EU adequacy decision, one new AI regulation, one Omnibus proposal, one Schrems III queue. None of those events made GA4 illegal. All of them made it riskier. Most operators read the timeline as noise; the procurement teams at European enterprise buyers read it as a trend line and update their vendor checklists accordingly.
The timeline diagram makes the cadence visible. Each year since 2020 has added either a new ruling, a new regulation, or a new enforcement decision. None has reversed the previous one. The legal direction of travel is one-way.
This is the section most analytics consultants will not write because it interferes with the GA4 implementation business. The honest version: Consent Mode v2 is a useful operational improvement for the consent flow. It is not, and does not pretend to be, an answer to the Schrems II residency problem. The two issues are orthogonal.
| Issue | What Consent Mode v2 does | What it does not do |
|---|---|---|
| Visitor refuses cookies | Sends pingless / modeled events; no cookies dropped | Does not change where the (modeled) data lands |
| Visitor accepts cookies | Standard GA4 with cookies; full data flow | Data still transfers to Google US infrastructure |
| Data residency | Optional regional collection endpoint | Final processing remains under Google's global infrastructure |
| US surveillance access | No change | FISA 702 and EO 12333 still apply to data held by US providers |
| DPA enforcement risk | Lower (better consent posture) | Unchanged (residency-and-jurisdiction issue) |
| Schrems II compliance | Not the mechanism | Adequacy decision (DPF) is the mechanism, separate from CMv2 |
| Modeled-conversion accuracy | Variable; practitioner reports show wide variance | Does not replace the lost data, estimates it |
The DPF and Consent Mode v2 are doing different jobs. Consent Mode v2 handles the consent question — does the user agree to be tracked. The DPF handles the transfer question — is the resulting data lawfully transferable to a US controller. A site can satisfy one and still fail the other. A site can satisfy both and still be one CJEU ruling away from non-compliance.
The architectural critique is sharper. Consent Mode v2 is a client-side modification of the GA4 tag's behavior under different consent states. It does not move the data. It does not change the controller. It does not move the processing infrastructure. It is, in the most literal sense, duct tape — a workaround that lets the existing system continue operating across a problem the existing system was not designed for. The problem (Schrems II residency) is architectural; the workaround (Consent Mode v2) is configurational. Architectural problems do not have configurational solutions.
| Configurational mitigation | Architectural answer |
|---|---|
| Consent Mode v2 | First-party cookieless analytics |
| Server-side GTM proxy | EU-only data residency |
| IP redaction at edge | Hashed pseudonymization with rotating salt |
| Custom region collection endpoint | Self-hosted or EU-incorporated controller |
| SCCs + Transfer Impact Assessment | No transfer; data never leaves EU jurisdiction |
| DPF adequacy reliance | Lawful basis in EU (legitimate interest, contract) |
| Standard contractual addenda | Architecturally outside Schrems II scope |
| Modeled conversions on refusal | Aggregate counting that needs no consent under CNIL exemption |
The right column is what fixes the problem. The left column is what most teams ship because it is faster. The procurement teams at European enterprises read the left column as "still using a US provider" and the right column as "actually EU-native." On large deals, that reading is the deciding factor.
A real example from a 2026 audit. A US-headquartered SaaS company shipped server-side GTM through a Frankfurt-region Cloud Run instance, IP redaction at the edge, Consent Mode v2, IAB TCF v2.2 banner, and SCCs with their German subsidiary as the EU controller. The German enterprise prospect's privacy team requested a Transfer Impact Assessment. The TIA concluded the architecture was defensible but that the underlying data flow still terminated at Google US. The prospect's privacy team requested the vendor either (a) move to a non-US analytics provider or (b) accept a contractual penalty clause for any future DPF invalidation. The vendor chose option (a). Total project cost: roughly EUR 40,000 in implementation and migration. Total time lost: 11 weeks. The original GA4 setup was technically legal. It was not commercially viable for the deal.
Strip away the marketing language and there are four architectural approaches to analytics in 2026. Each makes different trade-offs across consent friction, data quality, residency risk, and integration depth. Most teams pick by familiarity rather than by fit, then discover the mismatch at month 6 when EU traffic grows or a procurement question hits.
| Approach | Description | Consent banner needed? | Data residency | Best for |
|---|---|---|---|---|
| 1. Consent-based (GA4, Adobe, Mixpanel) | Drop cookies / fingerprints on consent; modeled fallback on refusal | Yes, granular | Provider-dependent (often US) | Sites with low EU exposure, mature consent flow |
| 2. Cookieless first-party (Plausible, Fathom, Attrifast) | Server-side hash, rotating salt, IP truncation | No, under CNIL exemption | Provider choice (EU-only common) | EU-heavy traffic, SMB without enterprise CMP budget |
| 3. Server-side proxy (sGTM, RudderStack) | Client posts to your domain; your server forwards to provider | Yes, but reduced fingerprint | Your control + provider | Enterprise with engineering depth, custom event needs |
| 4. Hybrid (Matomo Cloud EU, PostHog EU) | Cookie-based with EU residency and self-host option | Conditional | EU-only configurable | Mid-market wanting feature parity with US tools |
Approach 1 is the GA4 path and dominates by deployment count. Approach 2 is the cookieless category and dominates by EU procurement preference. Approach 3 is the engineering-heavy path that adds operational control without changing the underlying provider's jurisdiction. Approach 4 is the compromise that gives feature parity with US-built tools but locates the data in the EU.
The decision tree is mechanical. The two pivots are EU traffic share and enterprise procurement exposure. Most SMB SaaS lands in approach 2 (cookieless first-party). Most enterprises with engineering teams land in approach 3 (server-side proxy). The minority that lands in approach 1 are sites with under 15% EU traffic, no enterprise deals on the roadmap, and an existing GA4 dependency they do not want to disrupt.
The approach-2 architecture in one picture, with the cookieless first-party flow:
The diagram is the entire mechanism. The visitor browser receives nothing persistent. The server holds a hash long enough to count uniques within a day. The Stripe webhook adds revenue context server-to-server. The salt rotation breaks cross-day re-identification. There is no client storage to consent for, no third-party transfer to declare, no behavioral fingerprint to defend in a DPIA.
The two laws answer different questions. ePrivacy Article 5(3) is about the act of storing or accessing information on a user's device. GDPR is about the subsequent processing of personal data. Most analytics conversations conflate them, which is why "do I need a banner?" gets confusing answers.
| Regime | Triggered by | Lawful basis options | Penalty cap |
|---|---|---|---|
| ePrivacy Article 5(3) | Storing or reading any value on user's device | Consent OR strictly necessary OR audience-measurement exemption | National implementation (varies) |
| GDPR Article 6 | Processing personal data | Consent, contract, legal obligation, vital interest, public task, legitimate interest | EUR 20M or 4% global turnover |
| GDPR Article 9 | Special category data | Explicit consent + Article 9 conditions | Same as Article 6 |
| GDPR Chapter V | Transfer outside EEA | Adequacy decision, SCCs + safeguards, BCRs, derogations | Same as Article 6 |
| EU AI Act Article 5 | Prohibited AI practices | None — prohibited regardless | EUR 35M or 7% global turnover |
| EU AI Act Article 50 | AI system interacting with humans | Transparency obligations | EUR 15M or 3% global turnover |
The penalty cap column matters because it shows the regulatory weight. The AI Act's 7% cap is higher than GDPR's 4%, which is a deliberate signal that automated decision-making is being treated more seriously than baseline data processing.
The ePrivacy / GDPR interaction in flowchart form:
The flowchart is the legal reasoning in one picture. ePrivacy is the first gate. GDPR is the second gate. Chapter V (Schrems II) is the third gate. An analytics tool can pass the first two gates and fail the third. A cookieless tool with EU residency passes all three without consent. A standard GA4 deployment without DPF reliance fails the third. GA4 with DPF reliance passes all three until the DPF gets invalidated.
The CNIL audience-measurement exemption is the most operative escape hatch under ePrivacy 5(3). The four conditions:
| Condition | Specific requirement | Why it matters |
|---|---|---|
| Strict purpose limitation | Internal audience measurement only | No advertising, no cross-site targeting |
| Limited data | IP truncation, no full UA, minimal headers | Reduces personal data scope |
| Rotating identifier | Salt or session window that rotates regularly | Prevents persistent cross-session ID |
| No third-party transfer | Data not shared with anyone else | Keeps the controller as sole processor |
Plausible's data policy documents compliance with all four. Fathom's data policy documents compliance. Pirsch's privacy documentation claims compliance. Simple Analytics publishes the same posture. Matomo in self-hosted EU mode with cookies disabled claims compliance. Attrifast ships approach 2 (cookieless first-party) with all four conditions met and EU residency as the default.
The exemption is binding in France. It is persuasive (not binding) in other EU jurisdictions because the EDPB has not formally adopted it as an EU-wide guideline. In practice, most EU DPAs treat the CNIL exemption as good-faith compliance under Article 29 Working Party / EDPB consistency principles. The German DSK has historically been the strictest national authority on cookie consent; the DSK orientation guide for telemedia providers (most recently updated 2024) is more conservative than the French CNIL position but does not contradict the exemption mechanism, just the threshold for relying on it.
Three actual rulings worth knowing by case number. These are the precedents lawyers cite in vendor questionnaires and the patterns that procurement teams update their checklists against.
The Austrian Datenschutzbehörde published its decision on January 12, 2022. The complaint was brought by NOYB on behalf of an EU resident whose visit to netdoktor.at had triggered Google Analytics, which transmitted the user's Client ID, IP address, and HTTP header data to Google LLC servers in the United States. The DSB found that:
| Finding | Reasoning |
|---|---|
| Client ID is personal data | A unique identifier assigned to a browser/user that allows distinguishing one user from another |
| IP address is personal data | Settled CJEU case law (Breyer C-582/14) |
| Transfer to US violates Chapter V | Post-Schrems II, SCCs alone insufficient; "additional safeguards" required |
| Google's encryption-at-rest does not qualify | Google retains key access; FISA 702 disclosure still possible |
| Pseudonymization without key separation does not qualify | Same reason |
Outcome: violation finding, no immediate fine (the operator had ceased GA usage by the time of the decision). Source: NOYB case summary and the published DSB decision [13]. The Austrian decision was the first national-level Schrems II ruling against GA and the template that France, Italy, Denmark, Norway, and Finland followed.
The CNIL issued formal notices to multiple website operators (anonymized in the public communication) requiring them to bring GA usage into compliance within one month. The CNIL's published position:
| Finding | Reasoning |
|---|---|
| Standard GA configuration violates Article 44 GDPR | Transfer to US without adequate safeguards |
| Anonymization-at-source could be a solution | Provided the operator can verify no personal data ever reaches the US |
| Proxy server insufficient alone | Must prevent re-identification end-to-end |
| Server-side GA insufficient | Final destination jurisdiction unchanged |
Outcome: compliance order, no monetary fine in the published cases. Source: CNIL public statement [14]. The CNIL position is the most-cited regulatory text in cookieless analytics marketing because it explicitly leaves space for a compliant architecture (the audience-measurement exemption) while ruling against the dominant tool.
The Italian Garante published its decision on June 23, 2022. Caffeina Media srl, a digital publisher, was found to be transferring personal data via standard GA Universal to Google in the US without supplementary safeguards. The Garante's order:
| Finding | Reasoning |
|---|---|
| Same Schrems II reasoning as Austria | Consistent EDPB-driven interpretation |
| 90-day compliance window | Stop the transfers within 90 days of notification |
| Operator must verify or switch | Either reconfigure GA to prevent US transfer or migrate |
| Future fines threatened for non-compliance | The Garante's sanctioning power left explicit |
Outcome: compliance order with a 90-day deadline. Source: Garante decision text [15]. The Italian ruling is the one most commonly cited in Italian-language vendor questionnaires.
Norway is an EFTA member, bound to GDPR through the EEA Agreement. The Datatilsynet's June 2023 advisory built on the Austrian, French, and Italian rulings and concluded that standard GA usage by Norwegian operators violated the GDPR transfer regime [17]. The advisory predates the DPF adoption (July 10, 2023) by weeks. The Datatilsynet has not published a binding decision post-DPF, which is the open question other regulators are watching.
| Country | DPA | Date | Primary finding | Penalty? |
|---|---|---|---|---|
| Austria | DSB | Jan 12, 2022 | Schrems II violation | None (operator complied) |
| France | CNIL | Feb 10, 2022 | Same | Formal notice |
| Italy | Garante | Jun 23, 2022 | Same | Compliance order |
| Denmark | Datatilsynet | Sep 21, 2022 | Same | Advisory |
| Norway | Datatilsynet | Jun 1, 2023 | Same | Advisory |
| Finland | Tietosuojavaltuutettu | Dec 14, 2023 | Same (Yle case) | Order |
| Netherlands | Autoriteit Persoonsgegevens | Signalled, no binding decision yet | Pending | TBD |
| Germany | DSK (fragmented) | Various state-level guidance | Generally adverse | Mixed |
The Netherlands and Germany are the two large EU markets without a published binding GA4 decision. Both DPAs have issued conservative guidance consistent with the Austrian / French / Italian findings, but neither has produced the case-numbered decision that operators can point to in a contractual document. The DPF adoption in July 2023 changed the calculus: regulators that had not yet ruled now wait to see whether Schrems III invalidates the framework, then update their position.
The two regulatory updates that move the goalposts through 2026-2027 are the Digital Omnibus proposal (Nov 19, 2025) and the EU AI Act (in force Aug 1, 2024). Both touch analytics in non-obvious ways.
The Commission's Digital Omnibus proposal [5] bundles targeted amendments to GDPR, ePrivacy Directive, Data Act, AI Act, and Cyber Resilience Act. The analytics-relevant pieces:
| Provision | Current state | Proposed change | Impact on analytics |
|---|---|---|---|
| ePrivacy Art 5(3) audience-measurement exemption | National (CNIL) only, persuasive elsewhere | EU-wide harmonized exemption with clearer criteria | Cookieless analytics gets clearer banner-free status across all EU member states |
| GDPR Art 6 legitimate interest balancing | Case-by-case DPA interpretation | Clarified scope for first-party aggregate analytics | Reduces lawful-basis ambiguity |
| GDPR Art 30 records of processing | Required for most controllers | Threshold raised for SMBs (likely <250 employees + low-risk) | Less paperwork for small operators |
| ePrivacy "strictly necessary" cookies | Narrow CJEU interpretation | Codified list of permitted cookies | More predictable compliance |
| AI Act Annex III high-risk list | Includes some analytics-adjacent use cases | Targeted clarifications | Affects analytics that feeds high-risk decisions |
The Omnibus is a proposal, not law. It enters the ordinary legislative procedure in 2026 with target adoption in late 2026 to mid 2027. The political risk is real — privacy NGOs including NOYB and EDRi have publicly opposed parts of the Omnibus as a "deregulation" effort, and the European Parliament will likely tighten some provisions before final adoption. The realistic operator stance: track the Omnibus, do not bet on it. Plan as if the current rules (CNIL exemption, EDPB Guidelines 2/2023) continue to govern through 2026.
The EU AI Act [6] entered force on August 1, 2024. The phased applicability:
| Date | Provisions in effect |
|---|---|
| Feb 2, 2025 | Article 5 prohibited practices; AI literacy obligations |
| Aug 2, 2025 | General Purpose AI (GPAI) model obligations; governance bodies established |
| Aug 2, 2026 | Most other obligations including high-risk system requirements |
| Aug 2, 2027 | High-risk AI systems embedded in products covered by Annex I |
Pure analytics — counting page views, tracking sessions, computing aggregate metrics — is out of scope. Analytics that crosses into AI territory is in scope. The boundary cases:
| Analytics behavior | AI Act status | Reasoning |
|---|---|---|
| Aggregate session counting | Out of scope | Not an AI system under Art 3 definition |
| Channel attribution (deterministic) | Out of scope | Rule-based, not learned |
| Conversion modeling (Consent Mode v2 style) | Likely in scope | Machine-learning-based inference about individual outcomes |
| Predictive churn scoring at individual level | In scope (Art 50 transparency at minimum) | Individual-level inference for decision-making |
| Visitor segmentation with ML-driven personalization | Likely in scope; possibly high-risk if used for credit / insurance decisions | Annex III considerations |
| AI-generated dashboard summaries | In scope (Art 50 transparency for AI-generated content) | Synthetic content disclosure obligations |
| "Social scoring" of visitors | Prohibited (Art 5) | Specifically banned |
Most SMB analytics will not hit the high-risk threshold. The teams most likely to be affected are mid-market and enterprise vendors that have layered ML-driven personalization, churn prediction, or behavioral scoring on top of analytics, especially where the scores feed downstream decisions about access, pricing, or insurance. The General Purpose AI Code of Practice published in July 2025 provides operational guidance for the GPAI obligations that took effect August 2, 2025; that text is the right starting point if your analytics stack ingests data into a GPAI model.
GDPR Article 22 has prohibited "solely automated decision-making with legal or similarly significant effects" since 2018. The AI Act adds a parallel regime with broader scope and higher penalties. Analytics tools that contribute to automated decisions — even indirectly — should treat both regimes as live.
| Mechanism | GDPR Art 22 | EU AI Act |
|---|---|---|
| Trigger | Solely automated decisions with significant effects | AI system per Art 3 definition, in regulated context |
| Lawful basis | Limited (consent, contract necessity, EU/MS law) | Compliance with Act + GDPR independently |
| Transparency | Right to meaningful information about logic | Art 50 disclosure + transparency obligations |
| Human review | Right to human intervention | Risk-management system + human oversight (high-risk) |
| Penalty | GDPR Art 83 (4% global) | EU AI Act (3-7% global depending on violation) |
The overlap is not redundancy — they cover different angles of the same problem. An analytics tool that profiles visitors for personalization needs to comply with Article 22 if the profiling feeds significant decisions, and with the AI Act if the profiling system meets the AI Act definition. The conservative engineering posture: keep analytics-as-counting separate from analytics-as-decision-input, with a clean boundary that lets you reason about both regimes independently.
The compliance grid is what procurement teams actually paste into vendor checklists. The grid below is sourced from each vendor's public data policy or privacy documentation, with the citation appended.
| Tool | Architecture | Cookies | localStorage | EU residency | Banner-free in EU? | Schrems II posture | Stripe-native? | Source |
|---|---|---|---|---|---|---|---|---|
| GA4 + Consent Mode v2 | Cookie + modeled fallback | Yes | Yes | Optional regional ingest, US final | No | DPF reliance + SCCs | Via GTM | Google Consent Mode docs [19] |
| Plausible (EU cloud) | A1 server-side first-party hash | No | No | EU-only by default | Yes (CNIL exemption) | EU-incorporated, no US transfer | No | plausible.io/data-policy [20] |
| Fathom Lite (EU) | A1 server-side first-party hash | No | No | EU-only configurable | Yes (CNIL exemption) | EU residency option | No | usefathom.com/data [21] |
| Pirsch | A1 server-side first-party hash | No | No | EU-only (Germany) | Yes (CNIL exemption) | EU-incorporated | No | pirsch.io/privacy [22] |
| Simple Analytics | A1 server-side first-party hash | No | No | EU-only (Netherlands) | Yes (CNIL exemption) | EU-incorporated | No | simpleanalytics.com/privacy [23] |
| Matomo (self-hosted EU) | A2 fallback / A1 with config | Optional | No | Your control | Conditional | Self-hosted = no transfer | Via plugin | matomo.org/gdpr-analytics/ [24] |
| PostHog (EU Cloud) | A2 default, A1 opt-in | Yes default | Yes default | EU-only configurable | No by default | EU residency option | Via SDK | posthog.com/docs/privacy [25] |
| Attrifast | A1 server-side first-party hash + Stripe webhook join | No | No | EU residency option | Yes (CNIL exemption) | EU-residency-capable | Yes (native) | /features/privacy-first-analytics |
Three things in the grid worth flagging.
First, the "Banner-free in EU?" column. Only the cookieless A1 architectures (Plausible, Fathom, Pirsch, Simple Analytics, Attrifast) get a clean "Yes." Matomo gets a "Conditional" because it depends on whether the deployment uses the cookie-based or cookieless mode. PostHog defaults to cookie-based and therefore needs a banner unless explicitly reconfigured. GA4 + Consent Mode v2 needs a banner regardless of how the consent flow is designed.
Second, the "Schrems II posture" column. The tools that genuinely avoid the Schrems issue are the ones that do not transfer data to US-controlled infrastructure. EU-incorporated vendors (Plausible based in Estonia, Pirsch in Germany, Simple Analytics in the Netherlands) avoid it structurally. Self-hosted Matomo avoids it by giving the operator full control. GA4 with DPF reliance is exposed if the DPF gets invalidated. PostHog EU Cloud and Fathom EU residency mitigate but do not entirely eliminate the issue because the parent company is US-based even when the data sits in the EU.
Third, the "Stripe-native?" column. This is the gap Attrifast was built to close. Most cookieless tools count uniques and sessions; none of them join to revenue without manual webhook plumbing. The revenue join is what turns "GDPR-compliant analytics" into "GDPR-compliant attribution" — and attribution is what most SMB SaaS founders actually need to make budget decisions.
For the deeper comparison on the architecture trade-offs, the longer breakdown is in cookieless tracking solutions and the per-vendor walk-throughs live at vs Google Analytics, vs Plausible, vs Fathom, and vs Pirsch.
The migration is mostly a project-management exercise. The technical work is shorter than the political work, which is shorter than the data-reconciliation work.
Before changing anything, list every place GA4 data is consumed downstream. The typical inventory:
| Consumer | Owner | Replacement need |
|---|---|---|
| Marketing dashboards | Marketing ops | New data source, new dashboard |
| Conversion reporting to Google Ads | Performance marketing | Ads conversion API or Enhanced Conversions |
| Funnel analysis | Product | Replacement product-analytics tool (PostHog EU, Amplitude EU) |
| Executive KPI deck | Finance / CEO | New numbers source for monthly review |
| A/B test attribution | Growth | Experimentation tool decoupling |
| Attribution to revenue | Finance | Server-side revenue join (Attrifast, Matomo + Stripe plugin) |
| Cohort retention | Product | Product-analytics replacement |
| SEO performance | SEO team | Search Console + alternative analytics |
Most teams underestimate the inventory. The marketing dashboard is obvious; the executive KPI deck is the political one because the CFO's quarterly numbers cannot move without a parallel-validation period.
Use the decision tree from section 4. For most SMB SaaS the answer is approach 2 (cookieless first-party). Pick the specific vendor based on three operational criteria:
| Criterion | What to evaluate |
|---|---|
| Data residency | Where the vendor stores and processes the data |
| Revenue integration | How the vendor joins to Stripe / payment data |
| Migration tooling | Does the vendor provide GA4 import or parallel-tracking helpers |
The combination of "cookieless + EU residency + Stripe-native" narrows the field. Plausible, Fathom, Pirsch handle the first two. Attrifast handles all three. Matomo handles all three if you self-host. The choice between managed and self-hosted is usually an operational-burden question, not a compliance question.
Do not flip GA4 off when the new tool goes live. Run both in parallel for a full sales cycle plus one (so 30-60 days for most SaaS, longer for enterprise). The parallel period serves three purposes:
| Purpose | What you check |
|---|---|
| Data validation | Do the new numbers match GA4 within an acceptable variance |
| Vendor stability | Does the new tool stay up and report on time |
| Stakeholder trust | Do dashboards in the new tool tell the same story as old reports |
The acceptable variance is usually 5-15% on total sessions and 10-20% on attributed channels, with the new tool typically catching more (cookieless tools see the consent-refused traffic that GA4 misses or models). When the variance is in the new tool's favor and the qualitative story matches, the parallel period is succeeding.
Once the new tool is validated, migrate each downstream consumer from the inventory. The order matters: start with the lowest-stakes consumer (internal dashboard) and end with the highest-stakes (CFO's KPI deck). Each migration is a small project with stakeholder sign-off.
| Migration order | Consumer | Risk |
|---|---|---|
| 1st | Internal team dashboards | Low — operator-only audience |
| 2nd | A/B test attribution | Medium — affects experimentation throughput |
| 3rd | Marketing campaign reporting | Medium — affects budget allocation |
| 4th | Cohort and retention reports | High — affects product roadmap decisions |
| 5th | Conversion reporting to Google Ads | High — affects performance marketing efficiency |
| 6th | Executive / Board KPI deck | Highest — affects external commitments |
Step 5 (below) handles the GA4 shutdown after all consumers are migrated.
The sunset has three pieces: data export, account closure, and documentation. The data export is the one teams forget — GA4 raw events are exportable to BigQuery up to the closure date; after that the historical data is gone. The account closure is the legal trigger that ends the US data transfer. The documentation is the artifact procurement teams will ask for in subsequent vendor questionnaires.
| Sunset task | When | Owner |
|---|---|---|
| Export raw events to BigQuery | T-30 days from closure | Data engineering |
| Archive snapshot of historical dashboards | T-7 days | Marketing ops |
| Update privacy policy to remove GA4 | T-1 day | Legal / compliance |
| Close GA4 property | T0 | Marketing ops |
| Update DPIA with new processing architecture | T+7 days | DPO |
| Update vendor questionnaire responses | T+14 days | Sales / RevOps |
The total project timeline is typically 90-120 days for a mid-sized SaaS, longer if the executive KPI deck reconciliation is contested. The technical migration itself is a week of engineering work; the rest is project management, validation, and stakeholder trust.
The 40-55% median EU consent rate is the headline number. The country-level distribution is what determines whether your specific traffic mix can survive a banner-based approach.
| Country | Median consent rate (compliant banner) | Source / notes |
|---|---|---|
| Germany | 30-40% | Cookiebot 2024; DSK strictness drives lower rates |
| France | 45-55% | Cookiebot 2024; CNIL guidance shapes design |
| Italy | 50-60% | Cookiebot 2024; Garante enforcement steady |
| Spain | 50-60% | Cookiebot 2024; AEPD enforcement growing |
| Netherlands | 40-50% | Cookiebot 2024; AP guidance increasing |
| Sweden | 35-45% | Cookiebot 2024; IMY recent enforcement |
| Denmark | 35-45% | Cookiebot 2024; Datatilsynet 2022 GA ruling residual |
| Norway | 35-45% | Datatilsynet position influences design |
| Finland | 35-45% | Tietosuojavaltuutettu post-Yle ruling |
| Austria | 35-45% | DSB January 2022 precedent residual |
| Belgium | 40-50% | APD enforcement, GBA guidance |
| Ireland | 50-60% | DPC less restrictive on banner design |
| Poland | 55-65% | UODO permissive interpretation |
| UK | 55-70% | ICO post-Brexit divergence, higher acceptance |
| US (CCPA / CPRA) | 80-95% | Opt-out regime, defaults to consent |
The dispersion matters. A US-heavy site with 5% EU traffic that loses 60% of its EU consent is losing 3% of total signal — Consent Mode v2's modeled fallback can probably fill that. A site with 40% EU traffic that loses 50% of EU consent is losing 20% of total signal, which Consent Mode v2's modeling cannot reliably reconstruct.
The implication for vendor choice:
| Total EU traffic share | Median consent loss | Net signal loss with consent banner | Recommended architecture |
|---|---|---|---|
| <10% | 50% | ~5% | GA4 + CMv2 likely fine |
| 10-25% | 50% | 5-12% | GA4 + CMv2 borderline; cookieless safer |
| 25-50% | 50% | 12-25% | Cookieless wins clearly on data quality |
| >50% | 50% | >25% | Cookieless is structural; no other answer works |
The "data quality" argument for cookieless is independent of the legal argument. Even if a site's lawyer is confident GA4 + DPF + CMv2 is defensible, the 12-25% signal loss on a 25-50% EU traffic mix is a real business cost. Cookieless analytics with no banner sees the full traffic and gives the marketing team the numbers they actually need to make decisions.
The migration audits I run usually find the same five mistakes. Listed in the order of frequency I see them.
Several vendors market "cookieless" while storing a session ID in localStorage. Legally, EDPB Guidelines 2/2023 treats localStorage the same as cookies under Article 5(3). Operationally, the vendor's claim to be "banner-free" is false in the EU. Check the vendor's data policy for the exact wording on client-side storage. If the document is vague, run the site through your browser dev tools and check what gets written to Application > Storage.
sGTM is a useful operational improvement. It is not a residency fix. The data still terminates at Google US infrastructure unless the entire collection pipeline is replaced. The Austrian DSB's reasoning applied to the data's final destination, not its routing path. A proxy adds a hop; it does not change the destination.
The CNIL's 2023 cookie sweep and the EDPB's 2022 guidelines on deceptive design patterns specifically targeted "reject" buttons hidden behind multiple clicks, pre-checked boxes, color contrast manipulation, and timing tricks. Inflated apparent consent rates from dark patterns draw active DPA enforcement. The compliance bar is now "equal effort to accept and reject."
| Dark pattern | EDPB / CNIL position | Risk |
|---|---|---|
| Pre-checked boxes | Prohibited (consent is not informed) | High |
| "Accept all" button only on first layer | Non-compliant — reject must be equally accessible | Medium |
| Color manipulation (green accept, grey reject) | Discouraged; case-by-case enforcement | Low-medium |
| Cookie wall (no access without consent) | Generally prohibited (free choice violation) | High |
| Repeat-prompt on refusal | Prohibited (consent fatigue / coercion) | Medium |
Schrems II created an obligation to assess every international transfer for the level of protection in the destination country. Many operators using GA4 + DPF rely on the DPF as if no TIA were needed. The DPF is an adequacy decision for certified US recipients, but the EDPB's Recommendations 01/2020 on supplementary measures still expect the operator to document the assessment. If the DPF gets invalidated, the absence of a TIA leaves the operator without a documented fallback. The TIA itself is a 10-30 page document depending on scope; templates from the IAPP and major law firms are widely available.
GDPR Article 35 requires a Data Protection Impact Assessment when processing is "likely to result in a high risk to the rights and freedoms of natural persons." Analytics that feeds personalization, individual-level scoring, or automated decisions almost always meets the threshold. Most operators run a DPIA for the personalization tool but not for the analytics tool feeding it. The right boundary: if your analytics produces individual-level outputs that are consumed by another system, the analytics tool is part of the high-risk processing and needs a DPIA.
The GDPR Enforcement Tracker (maintained by CMS Hasche Sigle) is the most-cited public dataset for GDPR fines [11]. The analytics-adjacent fine distribution through Q1 2026:
| Fine band | Frequency | Typical violation |
|---|---|---|
| EUR 0 (compliance order only) | Most CNIL GA4 actions 2022-2023 | First-finding analytics-only cases |
| EUR 10K - 250K | Common | Unconsented analytics, smaller operators |
| EUR 250K - 1M | Less common | Repeat violations or higher-traffic sites |
| EUR 1M - 5M | Occasional | Systemic violations or bundled with other processing |
| EUR 5M+ | Rare for analytics-only | Usually bundled with profiling, advertising, or sensitive data |
The Italian Garante's EUR 2 million-range fines against operators combining analytics with unconsented profiling are the cases most worth knowing. The fine itself is not the largest concern for most SMBs; the operational disruption from a compliance order with a 30-day deadline is bigger, and the reputational and procurement impact from being named in a published DPA decision is biggest of all.
The headline EUR 20 million / 4% global turnover cap applies only to severe systemic breaches under GDPR Article 83(5). Analytics-only cases almost never hit that ceiling. The realistic operator stance: budget for the EUR 10K - 250K range as the relevant risk magnitude, plan for the EUR 1M outlier, and treat the EUR 20M cap as a theoretical maximum that drives lawyer behavior more than operator economics.
| Risk type | Likelihood for SMB analytics | Magnitude |
|---|---|---|
| DPA compliance order with deadline | Low-medium | Operational disruption, 30-90 days |
| Monetary fine | Low | EUR 10K - 250K typical |
| Procurement deal loss | Medium-high | Direct revenue impact, large deals |
| Reputational damage from named ruling | Medium | Hard to quantify, persists |
| Civil claim from data subject | Low (Europe; higher in IT/DE) | Variable |
Procurement deal loss is the underrated risk. It does not show up in the GDPR fine database. It shows up in win/loss reviews as "lost on privacy / vendor risk." European enterprise buyers in healthcare, finance, public sector, and education routinely fail US analytics tools at the vendor questionnaire stage. The cost is the deal, not the fine.
The CMP industry sits between the DPAs and the operators and shapes most of what actually ships. The three names worth knowing:
| Organization | Role | Relevant publication |
|---|---|---|
| NOYB (none of your business) | Privacy NGO led by Max Schrems | Filed Schrems I, II, III; CMP complaint waves [3] |
| Cookiebot (Usercentrics) | Largest CMP vendor in EU | Annual consent rate benchmarks [9] |
| OneTrust | Enterprise CMP vendor | Privacy management research [26] |
| IAB Europe | TCF v2.2 framework operator | TCF technical specification [27] |
| EDPB | EU coordinating body of DPAs | Guidelines including 2/2023 [7] |
| CNIL | French DPA, most active on analytics | Audience-measurement exemption [10] |
NOYB has filed thousands of complaints against operators using non-compliant cookie banners, dark patterns, and standard GA Universal / GA4 deployments. Their pattern is to file in volume to force DPA decisions that then become EU-wide precedent. The Schrems II and (in progress) Schrems III cases are the high-profile examples; the 2023-2024 wave of CMP complaints is the operational example.
Cookiebot's annual benchmarks [9] and OneTrust's research [26] are the two most-cited sources for consent rate numbers. Both have an obvious commercial interest (they sell CMPs) but their methodology is publicly documented and the numbers are the best available baseline.
IAB Europe's TCF v2.2 [27] is the technical framework most CMPs implement. The framework has been the subject of its own enforcement — the Belgian APD ruled in February 2022 that the TCF v2.0 architecture itself violated GDPR; IAB Europe revised the framework to v2.2 in 2023 to address the findings. TCF compliance is necessary but not sufficient for a compliant banner.
For full disclosure on the vendor I built: Attrifast ships approach 2 (cookieless first-party) with the Stripe revenue join as the differentiating feature. The architectural specifics:
| Property | Attrifast |
|---|---|
| Client storage | None (no cookie, no localStorage, no fingerprint) |
| Server identifier | SHA-256 hash of truncated IP + UA + daily-rotating salt |
| Salt rotation | Every 24 hours |
| IP storage | Truncated to /24 (IPv4) before hashing; raw IP never persisted |
| Data residency | EU residency option (Frankfurt or Amsterdam) |
| Stripe integration | Native webhook ingestion, server-to-server revenue join |
| Banner-free? | Yes under CNIL audience-measurement exemption |
| Schrems II posture | EU residency option avoids US transfer |
| Pricing | $29/mo |
| Script size | ~4KB |
What Attrifast does not do: cross-device stitching without an authenticated user ID, session replay, A/B testing, feature flags, product analytics (cohort funnels, retention curves at individual user level). Those are different product categories with different privacy trade-offs. Attrifast is purpose-built for "attribute the click to the revenue, cookieless, EU-residency-capable." For sites that need the broader feature set, PostHog EU or Matomo with the Stripe plugin are reasonable choices that pair with Attrifast or substitute for it.
The pieces I am willing to claim with confidence: the data architecture is the same A1 server-side first-party hash pattern Plausible and Fathom document publicly; the EU residency option keeps data inside the EEA; the Stripe webhook join is server-to-server with no client-side identifier required. The pieces I cannot claim without qualification: that Attrifast is "the most compliant" or "100% GDPR-safe" — those phrases are marketing claims, not engineering claims, and the honest version is "architecturally avoids the consent and residency issues other tools rely on workarounds for, while being subject to the same general GDPR obligations as any other EU-operating analytics tool."
For the longer comparison versus the cookieless category, the per-vendor breakdowns live at vs Plausible, vs Fathom, and vs Pirsch. For the comparison versus GA4 specifically, the head-to-head is at vs Google Analytics.
The Schrems III case is not decided. Speculating about its outcome is exactly the kind of overconfident analysis that makes operators ignore real legal advice. The disciplined version is to model the two main outcomes and prepare for each.
| Outcome | Probability (subjective) | What changes for analytics |
|---|---|---|
| DPF invalidated on Schrems II grounds | Material (Privacy Shield and Safe Harbor pattern) | Standard SCCs revert as primary mechanism; supplementary safeguards mandatory again; GA4 default usage exposed |
| DPF survives with narrower scope | Possible | Some categories of data flow restricted; analytics may or may not be included; case-by-case analysis |
| Court delays / political resolution | Possible | Status quo continues; operators continue forward planning |
| DPF strengthened post-ruling | Unlikely | Would require US surveillance law reform, no current legislative track |
The pattern from Safe Harbor (invalidated 2015) and Privacy Shield (invalidated 2020) is informative: each lasted four to fifteen years before invalidation, each was replaced by an instrument the court was already known to consider inadequate, and each invalidation triggered a 12-24 month operational scramble for affected companies. If the DPF follows the same pattern, operators who built EU-native analytics architectures during the DPF's validity window will have already done the work the invalidation would otherwise force.
The conservative operator stance for 2026:
Not by default. GA4 still transfers personal data to Google servers in the United States. The EU-US Data Privacy Framework adopted in July 2023 papers over Schrems II without addressing its core problem — US surveillance law (FISA 702, EO 12333) still allows US intelligence agencies to compel disclosure of EU resident data held by US providers. Six EU DPAs (France, Austria, Italy, Denmark, Norway, Finland) have already issued adverse findings against standard GA4 deployments [4][13][14][15][16][17][18].
The European Commission published the Digital Omnibus proposal on November 19, 2025 [5], bundling targeted amendments to GDPR, the ePrivacy Directive, the Data Act, the AI Act, and the Cyber Resilience Act. The analytics-relevant pieces are a proposed expansion of the audience-measurement exemption in ePrivacy Article 5(3), a clarification that aggregate first-party analytics processed solely by the website operator should not require consent, and tighter rules on automated decision-making that touch analytics-driven personalization. The proposal is in the ordinary legislative procedure with a target adoption window of late 2026 to mid 2027. It does not yet have force of law.
In most EU jurisdictions, no — provided the deployment meets the CNIL audience-measurement exemption criteria [10]. The four conditions are a rotating salt that breaks cross-session linkage within 24 hours, truncated IP storage, strict purpose limitation to audience measurement only, and no data sharing with third parties. Plausible [20], Fathom [21], Pirsch [22], and Simple Analytics [23] all publish data policies that meet these conditions.
Schrems II is the July 2020 CJEU ruling (Case C-311/18) that invalidated the EU-US Privacy Shield because US surveillance law does not provide EU residents with rights equivalent to GDPR Article 47 [1]. The practical consequence for analytics is that any personal data transferred to a US-based controller falls under heightened scrutiny — Standard Contractual Clauses alone are not sufficient unless supplemented by "additional safeguards" that effectively prevent US intelligence access.
Published by the French data protection authority (CNIL) in 2020 and refined through 2024 guidance [10], the exemption allows analytics that meets four conditions to operate without a consent banner under the ePrivacy Article 5(3) regime: rotating salt or equivalent mechanism, IP truncation, strict purpose limitation to internal audience measurement, and no transmission of the personal data to third parties for any purpose. The exemption is binding in France and persuasive in other EDPB jurisdictions.
The EU AI Act entered force on August 1, 2024 [6] with phased applicability. Pure aggregate analytics is out of scope. Analytics tools that build behavioral profiles, score visitors for ad targeting, predict churn at the individual level, or feed machine-learning models that influence decisions about EU residents land in a grey zone — particularly where the analytics overlaps with GDPR Article 22 (automated decision-making). The General Purpose AI Code of Practice published in July 2025 provides operational guidance for the GPAI obligations that took effect August 2, 2025.
By volume of adverse rulings against standard GA4 deployments, France (CNIL) and Austria (DSB) have been the most active. By severity per ruling, the Italian Garante has issued some of the largest individual fines against analytics-related processing. Germany is a fragmented landscape — 17 state-level data protection authorities plus the federal BfDI — and tends toward stricter interpretations than France on details like cookie consent walls.
The EU-US Data Privacy Framework (DPF) is the adequacy decision adopted by the European Commission on July 10, 2023 [2], replacing the invalidated Privacy Shield. NOYB filed challenges within months of adoption arguing that the DPF does not address the FISA 702 and EO 12333 surveillance powers that caused Schrems II [3]. The case is widely referred to as "Schrems III" and is expected to reach the CJEU on the same timeline pattern as the previous two challenges.
The GDPR Enforcement Tracker [4][11] catalogues fines by category. Analytics-related actions cluster in three bands: warnings and compliance orders with no monetary penalty, fines of EUR 10,000 to EUR 250,000 for smaller violations, and large multi-million-euro fines for systemic violations or where analytics is bundled with broader processing failures.
Server-side GTM (sGTM) proxies the client-to-Google traffic through your own EU-hosted server. It does not change where the data ultimately lands. Google still ingests, stores, and processes the data on Google infrastructure under US jurisdiction. sGTM can help with point-in-time IP redaction, custom parameter scrubbing, and consent enforcement before the event reaches Google. It is a useful operational improvement, not an architectural fix.
From a GDPR perspective, "cookieless" means no persistent client-side identifier. The EDPB's Guidelines 2/2023 on the technical scope of ePrivacy Article 5(3) [7] made explicit that localStorage and fingerprinting fall under the same consent regime as cookies. True cookieless architectures avoid Article 5(3) entirely by not writing to the device. They still need to satisfy GDPR's broader requirements around lawful basis, data minimization, and (for international transfers) the Schrems II rules.
Cookiebot's annual benchmarks through 2024 [9] reported median consent rates of 40-55% across EU traffic, with significant variance by country. Germany sits around 30-40%, Italy around 50-60%, Nordic countries 35-45%. The CNIL's 2023 cookie sweep found a substantial share of banners non-compliant on at least one criterion.
ePrivacy Directive 2002/58/EC Article 5(3) governs the act of storing or accessing information on a user's device — the cookie or storage question. GDPR governs the subsequent processing of personal data. ePrivacy is the gate; GDPR is the post-gate regime. Both apply simultaneously. The ePrivacy Regulation, intended to replace the Directive, has been stalled in EU trilogue since 2017 [12].
If your EU traffic is over 25-30% of total sessions, your sales cycle exceeds 7 days, and your business depends on accurate first-party attribution to revenue, the data-quality case for migrating is compelling regardless of the legal angle. If your EU exposure is small and you have documented contractual safeguards under the DPF, the immediate legal risk of staying on GA4 is real but low. The forward-looking risk is that a Schrems III invalidation in 2026-2027 forces a migration on a regulatory timeline rather than a planned one.
Attrifast ships approach 2 (cookieless first-party) with EU residency option, rotating daily salt, IP truncation, no client-side storage, and no third-party data sharing. The architecture is designed to satisfy the CNIL audience-measurement exemption and to avoid the Schrems II transfer issue by keeping data in the EU. Like any analytics tool, GDPR compliance also depends on the operator's own lawful basis, retention policies, and DPIA process — the tool removes the architectural risks; the operator handles the remaining process obligations. The product details are at /features/privacy-first-analytics and the longer comparison versus the alternatives is at cookieless tracking solutions.
GA4 was built for an internet that does not legally exist anymore. The migration off it is a project, not an emergency — unless you wait for Schrems III, in which case it becomes both. See what cookieless, Stripe-native, EU-residency-capable analytics looks like in Attrifast → Start free trial
Discover which marketing channels bring customers so you can grow your business, fast.
Start free trial →5-day free trial · $29/mo · cancel anytime
