Compliance Guide

GDPR analytics: the complete compliance checklist for 2026

Vincent Ruan
Vincent RuanFounder, Attrifast ·

In January 2022, the Austrian DPA ruled that a website's use of Google Analytics violated GDPR[5]. France, Italy, and Denmark followed with similar rulings[6]. By 2026, the question is no longer whether your analytics needs to be GDPR-compliant — it's whether you can afford the risk of it not being. Fines reach up to 4% of global annual revenue or €20 million[1]. This guide gives you a ten-point compliance checklist, a seven-tool comparison, and a practical migration path.

We built Attrifast specifically because our team got tired of GDPR-paranoid GA4 cookie banners killing conversions on our own marketing pages. Everything in this guide is what we've actually shipped to production.

Published March 2026 · 14 min read
TL;DR
  • Multiple EU DPAs have ruled standard Google Analytics implementations non-compliant with GDPR.
  • Cookie consent banners cost you 30-40% of analytics data. Cookieless tools capture 100%.
  • GDPR-compliant alternatives exist from €9/month — no cookies, no consent banner, EU-hosted.
  • The 10-point checklist below covers every compliance requirement. Most organizations fail several items.
  • Migrating from GA4 takes 2-4 weeks with parallel running. Many teams see MORE data, not less.

Why GDPR matters for analytics

The General Data Protection Regulation[1] applies to any organisation processing personal data of EU residents — regardless of where the organisation is based. If your website has visitors from any EU member state, GDPR applies. There are no size exemptions, no revenue thresholds, and no startup carve-outs. For analytics purposes, personal data includes IP addresses, cookie identifiers, and device fingerprints. Where consent is your lawful basis, Art. 7 sets strict conditions including an obligation to make withdrawal as easy as giving consent in the first place[3].

By 2024 the US comparison points were also tightening: California's CCPA[18] grants similar rights to residents and applies extraterritorially to most US-based SaaS with California users. And browser-level enforcement has been ratcheting for years — Safari shipped Intelligent Tracking Prevention in 2017[11], and Chrome began rolling out third-party cookie restrictions in 2024[13].

Five GDPR principles that govern analytics

Lawful basis (Art. 6)

You must have a valid legal basis before collecting any analytics data — consent or legitimate interest. The full text enumerates six lawful bases.

Data minimization (Art. 5(1)(c))

Collect only data that is "adequate, relevant and limited to what is necessary." Full IP addresses when a page-view count suffices is likely a violation.

Purpose limitation

Data collected for analytics cannot be repurposed for advertising or profiling without a new legal basis.

Storage limitation (Art. 5(1)(e))

Define how long you keep analytics data and delete it after that period. Indefinite retention is non-compliant.

Data subject rights (Art. 15-22)

EU residents can request access to their data, demand deletion, and ask for portability. Your analytics must support these requests.

The enforcement reality in 2026

2022: Austrian, French, Italian, and Danish DPAs ruled standard Google Analytics implementations non-compliant[5] — citing US data transfers, cookie use without valid consent, and lack of controller oversight.

2023: Meta fined €1.2 billion for EU-US data transfers. EU-US Data Privacy Framework (DPF) adopted but faces anticipated Schrems III challenge.

2024: CNIL Art. 82 cumulative fines on cookie violations exceeded €139M[6]. Total GDPR fines exceeded €4 billion across all sectors.

If your analytics tool stores data in the US, uses cookies requiring consent[4], or collects PII without robust legal basis[2], you are operating in a regulatory gray zone that multiple DPAs have already ruled against.

Attrifast dashboard showing visitors, pageviews, revenue, and revenue-per-visitor — all collected without cookies and fully GDPR-compliant
Attrifast's own dashboard — visitors, pageviews, revenue, and revenue-per-visitor in one view. No cookies set, no consent banner shown, fully GDPR-compliant by design.

The GDPR analytics compliance checklist

Work through each item. A "no" answer represents a compliance gap to close.

1

Do you have a valid legal basis for processing analytics data?

Article 6 GDPR requires a lawful basis before processing any personal data. Without one, all downstream analytics activity is unlawful.

Compliant

Explicit, informed consent via a properly designed banner — or a documented Legitimate Interests Assessment (LIA).

Non-compliant

Implied consent ("by continuing to browse you agree"), pre-ticked checkboxes, or no consent mechanism at all.

How to fix: Implement a compliant consent mechanism, or switch to a cookieless analytics tool that does not process personal data — eliminating the need for a legal basis entirely.
2

If using cookies, is your consent mechanism GDPR-compliant?

The ePrivacy Directive requires prior, informed, freely given consent before any non-essential cookie is set. Analytics cookies are non-essential.

Compliant

Consent collected before cookies load. Granular options (analytics vs marketing). Accept and reject buttons equally prominent. Plain language.

Non-compliant

Reject button buried in small text. Cookie wall blocking content until consent. Pre-selected analytics cookies.

How to fix: Audit your CMP against EDPB guidelines on consent. Many CMPs ship with dark patterns by default. Or adopt a cookieless tool and remove the banner entirely.
3

Is your analytics data stored within the EU/EEA?

Chapter V GDPR restricts transfers outside the EU/EEA. Austrian, French, Italian, and Danish DPAs all cited US-based storage as a primary GA violation.

Compliant

EU-hosted servers or providers with verified EU data residency. Or DPF-certified US provider with documented verification.

Non-compliant

GA4 stores data on Google's global infrastructure including US servers. Without verified DPF certification, this is the scenario multiple DPAs ruled against.

How to fix: Switch to an EU-hosted provider, or verify your provider's DPF certification at the US Department of Commerce registry and document it in your RoPA.
4

Are you collecting only the data you actually need?

Article 5(1)(c) mandates data minimization. Many analytics tools collect far more than necessary for standard reporting.

Compliant

Truncated IP addresses, no persistent cross-session user identifiers, no detailed device fingerprints, aggregated reporting.

Non-compliant

Full IP address logging, browser canvas fingerprinting, persistent user IDs tracking individuals across months.

How to fix: Review your provider's data collection docs. Enable IP anonymization. Disable user ID features unless you have a documented legitimate purpose.
5

Do you have a valid Data Processing Agreement (DPA)?

Article 28 GDPR requires a written DPA between you (controller) and any processor handling personal data. No DPA = violation regardless of everything else.

Compliant

A signed DPA specifying processing purposes, data categories, security measures, sub-processor list, and DSAR handling.

Non-compliant

No DPA. Or accepting generic ToS without a specific data processing addendum.

How to fix: Check whether your analytics provider offers a DPA. Most reputable providers do. Sign and retain it.
6

Do you have a defined data retention policy with automatic deletion?

Article 5(1)(e) requires data kept "no longer than necessary." Indefinite retention is non-compliant.

Compliant

A defined retention period documented in your RoPA and privacy policy, with automatic deletion enforced by your provider.

Non-compliant

No defined period. Data kept indefinitely. GA4 defaults to 14 months — many operators never review whether this is appropriate.

How to fix: Set an explicit retention period in your analytics platform. Update your privacy policy. Consider whether 2 months is sufficient — it often is.
7

Can users exercise their data subject rights against your analytics data?

Articles 15-22 grant EU residents rights to access, correct, delete, and export their data. Individual user profiles make DSARs complex.

Compliant

A documented DSAR process. Tools using session-level data without persistent profiles simplify this — no individual profile = nothing to access or delete.

Non-compliant

No DSAR process. Tools storing persistent user IDs with no mechanism to retrieve or delete an individual's records.

How to fix: Document your DSAR process in your privacy policy with a clear contact mechanism. Prefer tools that don't create persistent individual profiles.
8

If data leaves the EU, is the transfer mechanism valid?

Schrems II invalidated Privacy Shield (2020). The EU-US DPF replaced it (2023), but a Schrems III challenge is anticipated.

Compliant

Data stays entirely in the EU. Or provider is DPF-certified with SCCs as supplementary measure.

Non-compliant

Transfers under an invalidated mechanism. Assuming DPF certification without verifying it.

How to fix: Cleanest solution: EU-only data storage. If relying on DPF, verify certification quarterly at the Commerce Department registry.
9

Do you know all sub-processors your analytics tool uses?

Your DPA should list all sub-processors. Unknown sub-processors mean data may flow to third parties without your knowledge.

Compliant

Reviewed sub-processor list. Notifications of changes. Right to object under your DPA.

Non-compliant

GA4 operates across Google's global infrastructure with multiple entities. Many operators have never reviewed the sub-processor list.

How to fix: Request your provider's current sub-processor list. Assess whether any are in jurisdictions without adequacy decisions.
10

Can you track conversions without cookies entirely?

No cookies = no ePrivacy trigger = no consent banner = no 30-40% data loss from consent rejection. You capture 100% of traffic.

Compliant

Server-side session hashing using truncated IP, user agent, and daily rotating salt. No browser storage. No cookie set.

Non-compliant

Cookie-based session tracking as primary identifier, even with first-party cookies.

How to fix: Evaluate whether your provider offers cookieless mode. If not, consider migrating to a tool built on this architecture.

For a technical deep-dive on checklist item #10, see our guide on conversion tracking without cookies in 2026.

GDPR-compliant analytics tools compared

Seven analytics platforms assessed specifically against GDPR compliance requirements.

ToolLawful basis usedCookie banner required?EU data residencyDPA signed?
AttrifastNo personal data processedNo (cookieless by design)EU-processedYes
PlausibleLegitimate interestNo (cookieless)EU (Germany)Yes
FathomLegitimate interestNo (cookieless)Multi-region (incl. EU)Yes
Matomo (self-host)ConfigurableOptional (cookies off)You controlSelf-administered
Piwik PROConsent (built-in CMP)YesEU + US optionsYes
Simple AnalyticsNo personal dataNo (cookieless)EU (Netherlands)Yes
Umami (self-host)ConfigurableNo (no cookies by default)You controlSelf-administered
Google Analytics 4Consent (Mode v2)YesUS (DPF reliance)Standard DPA[5]

Compliance posture as documented in each vendor's privacy policy and terms, cross-referenced against the GDPR text[1] and the EDPB's ePrivacy Art. 5(3) guidelines[4].

Attrifast

$9.99–29/mo
Recommended

Cookieless revenue attribution for SaaS and e-commerce. Server-side session hashing, no personal data stored.

EU hosting: YesCookie-free: YesConsent-free: Yes
GDPR verdict

GDPR-compliant by design. No cookies, no personal data, EU-processed. Built for revenue attribution without compliance overhead.

Plausible Analytics

$9/mo+

Lightweight privacy-first web analytics. EU-owned, EU-hosted. Focuses on simple traffic metrics.

EU hosting: YesCookie-free: YesConsent-free: Yes
GDPR verdict

Gold standard for GDPR-compliant basic web analytics. Limited revenue attribution and conversion tracking.

Fathom Analytics

$14/mo+

Simple privacy analytics with intelligent EU isolation routing to avoid EU-US data transfers.

EU hosting: YesCookie-free: YesConsent-free: Yes
GDPR verdict

Strong privacy positioning. EU isolation feature addresses DPA ruling scenarios. Traffic analytics only, not revenue attribution.

Matomo

Free (self-hosted) / $23/mo+

Open-source GA alternative. Self-hosted gives full data control. Cookieless mode available.

EU hosting: YesCookie-free: YesConsent-free: Yes
GDPR verdict

Maximum control if self-hosted. Cloud version needs careful EU configuration. Consent banner required if cookies enabled.

Piwik PRO

Custom (enterprise)

Enterprise analytics suite with built-in consent management platform (CMP).

EU hosting: YesCookie-free: NoConsent-free: No
GDPR verdict

Enterprise-grade compliance with built-in CMP. Requires cookies and consent management workflow.

Simple Analytics

$9/mo+

Netherlands-based analytics with intentionally minimal data collection approach.

EU hosting: YesCookie-free: YesConsent-free: Yes
GDPR verdict

Minimalist compliance strategy. Collects very little data, so GDPR obligations are minimal. Limited analytical depth.

Google Analytics 4

Free

Industry default. US-hosted, cookie-based. Complex compliance profile.

EU hosting: NoCookie-free: NoConsent-free: No
GDPR verdict

Multiple EU DPAs have ruled standard implementations non-compliant. Usable with proper Consent Mode v2 and DPF certification, but carries ongoing regulatory risk and 30-40% data loss.

Revenue attribution tools comparedConversion tracking software comparedGA alternatives for revenue tracking

How to migrate from GA4 to GDPR-compliant analytics

A structured parallel-running approach gives you confidence before switching primary reporting.

1

Audit your current GA4 setup

Document what data GA4 collects (custom dimensions, user IDs, enhanced measurement settings). Verify data residency configuration. Review your CMP against the compliance checklist. List the reports and metrics your team actually relies on.

2

Choose your GDPR-compliant tool

Revenue attribution + conversion tracking → Attrifast. Basic traffic reporting → Plausible or Simple Analytics. Enterprise consent management → Piwik PRO. Full data control with engineering resources → self-hosted Matomo.

3

Run both tools in parallel for 2-4 weeks

Install your chosen tool alongside GA4. Compare data quality, verify metric coverage, and observe the data gap between tools.

4

Evaluate the data gap

A cookieless tool typically captures 20-40% MORE sessions than GA4 because it doesn't lose consent-rejecting visitors. The gap is not inaccuracy — it shows how much data your consent mechanism was costing you.

5

Switch primary reporting

Designate your GDPR-compliant tool as primary. Train your team on new dashboards. Update automated reports and integrations.

6

Retain GA4 only if needed for Google Ads

If you rely on GA4 for conversion import to Google Ads, keep a limited secondary property. Implement Consent Mode v2, minimize data collection, and document your DPF reliance.

7

Update your privacy policy

Name your new analytics provider, describe data collected, state retention period, explain how users exercise data subject rights. If removing cookies, update your cookie policy and banner accordingly.

For detailed guidance on GA alternatives, see our guide on Google Analytics alternatives that actually track revenue.

Consent-free tracking: how it works

When a visitor arrives, the server receives the HTTP request before any JavaScript runs. A cookieless system takes attributes from that request — truncated IP prefix (last octet removed), user agent string, and a cryptographic salt that rotates every 24 hours — and creates a daily session hash. This hash is a session identifier, not a user identifier. It expires when the salt rotates. This is the same approach that cookieless analytics vendors like Plausible publish in their data policy[14], and it sidesteps the ePrivacy Directive's Art. 5(3) cookie-consent rule entirely[4].

Attrifast Sources view: every traffic source attributed to revenue, including AI traffic from ChatGPT — without setting a single cookie
Source-level attribution working without cookies. We log per-day session hashes, not user IDs — so there's nothing to put a banner over and nothing for a DPA to ask us to delete.

No browser storage

No cookie or localStorage written. ePrivacy Directive not triggered. No consent banner needed.

No personal data

Truncated IP + rotating salt cannot be reversed to identify an individual. Not personal data under Art. 4 GDPR.

No persistent profile

Salt rotates daily. Same visitor gets a different hash tomorrow. No cross-session tracking, no DSAR exposure.

The trade-off

Session hashing is scoped to a single day. You cannot link Tuesday's visit to Thursday's return without a cookie or login. For attribution, this is usually sufficient — when a visitor arrives via Google Ads and converts in the same session, the conversion is attributed correctly. The trade-off is deliberate, not a limitation to work around. Independent academic studies of cookie banners show the alternative is worse: most banner UX patterns dark-pattern users into consent, and even then, 60–70% of visitors close or ignore them[7][8], so consent-based tracking systematically under-counts traffic.

On our side, we ran the parallel-running playbook ourselves before recommending it to customers — and saw 28% more sessions surface in our cookieless pipeline than in our backup GA4 property over a four-week test window. Most of the difference traces back to consent-rejecting visitors GA4 simply never sees[9].

For a deeper technical walkthrough, see our guide on conversion tracking without cookies in 2026.

Key takeaways

1GDPR enforcement on analytics is not theoretical. Austrian, French, Italian, and Danish DPAs have all ruled against standard Google Analytics implementations. The €1.2 billion Meta fine shows regulators enforce at scale.
2The compliance checklist has ten items — most organizations fail several. Lawful basis, data storage location, DPA, retention policy, and cross-border transfers are the most commonly absent.
3Cookie banners are not the only path to compliance. Cookieless server-side analytics is GDPR-compliant without any consent mechanism — and recovers the 30-40% of data that banners lose.
4Migrating from GA4 is lower-friction than expected. A 2-4 week parallel period validates data quality. Many teams find the new tool captures more sessions because consent-rejecting visitors are no longer excluded.
5Your choice of analytics tool shapes your entire compliance posture. Privacy-first architecture means fewer obligations by design — less personal data means fewer legal bases, fewer DSARs, and simpler documentation.

Frequently asked questions

Is Google Analytics GDPR compliant?

GA4 can be configured compliantly, but its standard implementation is not. Austrian, French, Italian, and Danish DPAs have all ruled standard GA implementations violate GDPR — primarily for US data transfers and cookie use without valid consent. A compliant GA4 setup requires Consent Mode v2, verified DPF certification, data minimization, and accepts ongoing regulatory uncertainty and 30-40% data loss from consent rejections.

Do I need a cookie consent banner for analytics?

Only if your analytics tool uses cookies. Under the ePrivacy Directive, prior informed consent is required before any non-essential cookie is set. If your tool is cookieless — using server-side session hashing instead of browser-stored identifiers — no cookie is set, the ePrivacy Directive is not triggered, and no consent banner is required for analytics.

What is the best GDPR-compliant analytics tool?

For revenue attribution without compliance overhead: Attrifast (cookieless, EU-processed, no personal data). For basic traffic reporting: Plausible or Simple Analytics. For maximum data control: self-hosted Matomo. For enterprise consent management: Piwik PRO. The right choice depends on whether you need traffic analytics, revenue attribution, or both.

Can I track conversions without cookies and stay GDPR compliant?

Yes. Server-side session hashing combines a truncated IP prefix with user agent and a daily rotating salt to produce a session identifier that is not personal data under GDPR Article 4. No cookie is set, no consent is required, and the hash cannot be reversed to identify an individual. The trade-off is session-scoped tracking — no cross-session linking without a login event.

What happens if my analytics setup violates GDPR?

Fines up to €20 million or 4% of global annual turnover, whichever is higher. In practice, DPAs typically start with warnings and corrective orders. However, orders to cease processing can be immediately disruptive — losing historical data and scrambling for alternatives. Beyond fines, investigations are time-consuming, legally expensive, and reputationally damaging.

Does GDPR apply to businesses outside the EU?

Yes. Article 3(2) GDPR establishes extraterritorial scope: it applies to any organization processing personal data of EU residents in connection with offering goods or services, regardless of where the business is based. A US SaaS company with European users, a Canadian store shipping to Germany, and an Australian business with French users are all subject to GDPR.

Related reading

Traffic Attribution Complete GuideCookieless Conversion TrackingBest Conversion Tracking Software 2026Best Revenue Attribution Tools 2026GA Alternatives for Revenue TrackingPrivacy-First AnalyticsCookieless Revenue AnalyticsAttrifast vs Google Analytics

Understanding how traffic attribution works across your entire customer journey is the next step after compliance. See our complete guide to traffic attribution for the full methodology.

Cumulative CNIL fines under Art. 82 (the French ePrivacy implementation), in €M

Cumulative CNIL fines under Art. 82 (the French ePrivacy implementation), in €M

Source: Bird & Bird legal commentary, March 2025 — combined CNIL enforcement Dec 2022–Dec 2024

Sources

Every numbered citation in this article links to its primary source below.

  1. [1]Regulation (EU) 2016/679 — General Data Protection Regulation (Official Text)EUR-Lex (European Union) (2016).
  2. [2]Art. 6 GDPR — Lawfulness of Processing (six lawful bases for processing personal data)GDPR-Info.eu (2018).
  3. [3]Art. 7 GDPR — Conditions for Consent ("It shall be as easy to withdraw as to give consent")GDPR-Info.eu (2018).
  4. [4]EDPB Guidelines 2/2023 on the Technical Scope of Article 5(3) of ePrivacy Directive (Final, October 2024)European Data Protection Board (2024).
  5. [5]Austrian DSB: EU-US data transfers to Google Analytics illegal (first major post-Schrems II enforcement)noyb (None of Your Business) (2022).
  6. [6]CNIL continues to crumble cookies: combined fines exceeding €139M between Dec 2022 and Dec 2024 under Art. 82Bird & Bird (legal commentary) (2025).
  7. [7]A Cross-Country Analysis of GDPR Cookie Banners (CHI 2025)ACM CHI Conference 2025 (2025).
  8. [8]A Study of GDPR Consent Notices and Their Impact on Data Acquisition (68.9% close or ignore)TWIPLA (2024).
  9. [9]Consent Conversion Rate Optimization: Complete GuideSecure Privacy (2024).
  10. [10]ePrivacy Directive National Implementations and Website Analytics — overview of audience-measurement exemptionMatomo Analytics (2024).
  11. [11]Intelligent Tracking Prevention — first browser-level system to systematically block cross-site tracking cookies (Safari, June 2017)WebKit (Apple) (2017).
  12. [12]Safari ITP — JavaScript-set first-party cookies capped at 7 days; CNAME-aliased server cookies at 7 days since Safari 16.4cookiestatus.com (Apple WebKit policy reference) (2024).
  13. [13]The next step toward phasing out third-party cookies in Chrome (Tracking Protection rollout, Jan 2024)Google (The Keyword) (2023).
  14. [14]Plausible: GDPR, CCPA and cookie law compliant site analytics (daily hash-based identifier, EU infrastructure)Plausible Analytics (2024).
  15. [15]Plausible Pricing 2025 — $9 (10k pv), $19 (100k), $69 (1M)Simple Analytics (third-party verified) (2025).
  16. [16]Fathom Analytics Pricing 2025 — $14/mo (100k pv, unlimited sites)Simple Analytics (third-party verified) (2025).
  17. [17]Umami — open source, cookie-free, GDPR-compliant analytics (MIT license)GitHub (umami-software/umami) (2025).
  18. [18]California Consumer Privacy Act (CCPA) — five core consumer rightsCalifornia Office of the Attorney General (2024).

GDPR-compliant revenue attribution in 2 minutes

No cookies, no consent banners, no personal data. Connect Stripe and see which channels drive revenue — fully compliant from day one.

Start free trial →

5-day free trial · $29/mo · cancel anytime