"GDPR compliant analytics" is a phrase that gets thrown around by almost every analytics vendor. Google says GA4 is GDPR compliant. Mixpanel says it's GDPR compliant. PostHog, Amplitude, Heap — all claim compliance. But when six EU data protection authorities rule against Google Analytics specifically, the word "compliant" clearly means different things to different vendors.
This guide breaks down what GDPR actually requires for web analytics, which tools genuinely meet those requirements, and why the difference between "configurable for compliance" and "compliant by architecture" matters more than most founders realize.
What Does GDPR Actually Require for Analytics?
GDPR is not specifically about analytics. It's about personal data processing. The question for any analytics tool is: does it process personal data? If yes, you need a legal basis. If no, GDPR's data processing rules don't apply.
What Counts as Personal Data in Analytics?
Under GDPR Article 4, personal data is "any information relating to an identified or identifiable natural person." For analytics, this includes:
- IP addresses — The CJEU confirmed in Breyer v. Germany (2016) that even dynamic IP addresses are personal data when the controller has the means to identify the individual.
- Cookie identifiers — Any persistent identifier that can distinguish one visitor from another across sessions is personal data.
- Device fingerprints — Combinations of browser version, screen resolution, fonts, and other signals that create a unique profile.
- User IDs or email addresses — Obviously personal data if passed to the analytics tool.
If your analytics tool collects any of these, it is processing personal data, and you need a legal basis under Article 6.
The Three Legal Bases for Analytics
Consent (Article 6(1)(a)). The gold standard — but the most operationally expensive. You must collect explicit, informed, freely given consent before setting cookies or collecting personal data. This is what cookie consent banners do. The cost: 30-50% of visitors decline, and your analytics data becomes systematically biased toward users who click "Accept All."
Legitimate interest (Article 6(1)(f)). Some companies claim that analytics constitutes a "legitimate interest" and doesn't require consent. This is legally contested. The French CNIL, Austrian DSB, and several other DPAs have rejected legitimate interest as a basis for third-party analytics that transfers data internationally. Even for first-party analytics, you must conduct a Legitimate Interest Assessment (LIA) and demonstrate that your interest does not override the data subject's rights. For tools that set cookies or transfer data outside the EU, this argument rarely holds.
No personal data (outside GDPR scope). If your analytics tool genuinely does not process personal data — no IPs stored, no cookies, no fingerprints, no persistent identifiers — then GDPR's data processing requirements do not apply. This is the approach taken by EngageTrack, Plausible, and Fathom. It's the cleanest legal position because there's no legal basis to argue about — no personal data means no GDPR obligation for that specific processing activity.
Why "GDPR Configuration" Is Insufficient
Several analytics vendors offer "GDPR-compliant configuration" — settings you can toggle to reduce data collection. GA4 has IP anonymization, restricted data processing, and consent mode. Mixpanel has EU data residency and PII scrubbing.
The problem is architectural, not configurational.
GA4's Architectural Problem
Even with IP anonymization enabled, GA4 briefly processes the full IP address on Google's servers before truncating it. The CNIL and DSB have both ruled that this brief processing constitutes personal data processing. Additionally, GA4 sets the _ga and _ga_XXXXXX cookies — persistent identifiers that track users across sessions. These cookies are personal data under GDPR regardless of any IP anonymization setting.
The fundamental issue: GA4 is architecturally designed to identify and re-identify visitors. You can reduce the identification, but you cannot eliminate it without breaking the tool's core functionality.
Mixpanel's Architectural Problem
Mixpanel tracks individual users with persistent identifiers. Its entire data model is built around user-level event streams — "User X did action Y at time Z." Even with EU data residency and PII scrubbing, Mixpanel's core purpose is to track identified individuals. You can configure it to collect less PII, but the tool fundamentally processes personal data.
The Configuration Treadmill
Every time a DPA issues new guidance, "configurable compliance" tools need new settings. Privacy Shield gets invalidated — toggle a new setting. The CNIL clarifies cookie rules — toggle another. The ePrivacy Regulation updates — toggle again. You're running on a compliance treadmill, hoping each configuration change satisfies the next regulatory interpretation.
Tools that process no personal data by architecture don't have this problem. There's nothing to configure because there's nothing to comply with at the data processing level.
Which Analytics Tools Are Actually GDPR Compliant?
Here's a technical assessment of common analytics tools against GDPR requirements:
| Tool | Sets Cookies | Stores PII | EU Hosting | Consent Required | Data Transfers Outside EU | Actual Compliance Status |
|---|---|---|---|---|---|---|
| Google Analytics 4 | Yes | Yes | Optional (US default) | Yes | Yes (US) | Ruled non-compliant by AT, FR, IT, DK DPAs |
| Mixpanel | Yes | Yes | EU option | Yes | Configurable | Requires careful configuration; PII by default |
| PostHog | Yes | Yes | EU option | Yes | Configurable | Stores PII; requires consent |
| Amplitude | Yes | Yes | US | Yes | Yes (US) | US-hosted; requires full consent |
| Plausible | No | No | EU | No | No | Compliant by architecture |
| Fathom | No | No | EU | No | No | Compliant by architecture |
| EngageTrack | No | No | EU (Frankfurt) | No | No | Compliant by architecture |
| Matomo (self-hosted) | Configurable | Configurable | Self-hosted | Depends on config | Depends on hosting | Compliant if cookies disabled + EU hosted |
| Matomo Cloud | Configurable | Configurable | EU | Depends on config | No | Requires configuration |
The pattern is clear: tools built for privacy from the ground up — no cookies, no PII, EU-hosted — are compliant by default. Tools that bolt on privacy as a configuration layer require ongoing compliance work and still face regulatory risk.
EngageTrack's Technical Approach to Zero-PII Analytics
EngageTrack achieves full analytics functionality without processing any personal data. Here's how each component works:
Session Grouping Without Cookies
EngageTrack uses a daily-rotating hash to group pageviews into sessions. The server combines a truncated IP prefix (the first three octets only; the last octet is dropped before hashing), the user-agent string, and a cryptographic salt that rotates every 24 hours. These inputs are hashed with SHA-256 to produce a session identifier.
The critical properties:
- The raw IP prefix and user-agent are discarded immediately after hashing. They are never stored.
- The hash cannot be reversed to recover the inputs, and without the secret salt it cannot be recomputed from guessed inputs either.
- The daily salt rotation means the same visitor produces a completely different hash the next day.
- No cross-day visitor tracking is possible, by design.
No Cookies, No Local Storage, No Fingerprinting
EngageTrack writes nothing to the visitor's browser. No cookies, no localStorage tokens, no sessionStorage, no IndexedDB entries. The 3KB tracking script sends events to EngageTrack's server and reads nothing back.
EngageTrack does not use browser fingerprinting. It does not read canvas data, WebGL renderer strings, font lists, or installed plugins. The only browser data used is the user-agent header, which is already sent with every HTTP request.
EU-Only Data Processing
All EngageTrack infrastructure runs in Frankfurt, Germany. Event data is received, processed, and stored in the EU. No data replication to non-EU regions. No CDN edge processing that would route data through non-EU jurisdictions.
Revenue Attribution Without User Tracking
EngageTrack connects to payment providers (Stripe, LemonSqueezy, Paddle, Polar) via webhook. When a payment occurs, EngageTrack attributes it to the traffic source that originated the session — using the session hash, not a user identity. The attribution is between a payment amount and a traffic source, not between a payment and an identified person.
For implementation details, see the getting started guide. For the full API reference, see the API documentation.
The ePrivacy Directive: The Other Regulation You Need to Know
GDPR gets most of the attention, but the ePrivacy Directive (2002/58/EC, updated by 2009/136/EC) is equally important for analytics. The ePrivacy Directive specifically governs the storage of information on a user's device — which includes cookies.
Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a user's terminal equipment requires consent, unless the storage is "strictly necessary" for a service the user has requested.
Analytics cookies are not "strictly necessary." They're useful for the website operator, but the user didn't request analytics tracking. This means cookie-based analytics requires consent under the ePrivacy Directive independently of GDPR.
Tools that set no cookies and store nothing on the user's device are outside the scope of the ePrivacy Directive's consent requirement for analytics purposes.
Three Levels of Analytics Compliance
In practice, analytics compliance falls into three tiers:
Tier 1: Full consent (GA4, Mixpanel, Amplitude)
You implement a cookie consent banner, collect opt-in consent, and only track users who accept. Legally defensible if implemented correctly. Practically expensive: you lose a large portion of your visitors, your data is biased, and you maintain an ongoing consent management platform.
Tier 2: Legitimate interest with mitigation (Matomo configured, PostHog configured)
You claim legitimate interest as your legal basis, disable cookies, minimize data collection, and host in the EU. This is legally arguable but not settled law. Some DPAs accept it; others have rejected it for third-party analytics. You need a documented Legitimate Interest Assessment and should be prepared to switch to consent if challenged.
Tier 3: No personal data (EngageTrack, Plausible, Fathom)
You use a tool that processes no personal data. No legal basis is required. No consent banner needed. No LIA to document. No regulatory risk from changing DPA interpretations or international data transfer rulings. This is the most robust compliance position available.
FAQ
Is Plausible GDPR compliant?
Yes. Plausible does not set cookies, does not store IP addresses, does not use fingerprinting, and hosts data in the EU. Plausible is GDPR compliant by architecture. The trade-off compared to EngageTrack is that Plausible does not offer revenue attribution — you can see traffic sources but not which sources drive paying customers.
Do I still need a privacy policy if I use GDPR compliant analytics?
Yes. GDPR Articles 13 and 14 require transparency about data processing regardless of whether personal data is involved. Your privacy policy should describe what analytics tool you use, what data it collects (even if no personal data), where data is stored, and how long it's retained. The privacy policy can be simpler if you process no personal data, but it should still exist.
What about the ePrivacy Directive — does it change anything?
The ePrivacy Directive requires consent for storing information on a user's device (cookies, local storage). If your analytics tool sets no cookies and stores nothing on the device, the ePrivacy Directive's consent requirement does not apply to your analytics. Other tools on your site (marketing pixels, chat widgets) may still trigger the ePrivacy consent requirement.
Can I use GA4 with consent mode and be compliant?
GA4's consent mode adjusts data collection based on user consent — tracking less data when consent is denied. However, even in consent mode, GA4 still pings Google's servers, and the modeling it applies to fill gaps in unconsented data is a grey area. Multiple DPAs have ruled against GA4 regardless of configuration. Consent mode reduces the compliance risk but does not eliminate it, particularly for EU-US data transfers.
What if my company is outside the EU but has EU visitors?
GDPR applies to the processing of personal data of individuals in the EU, regardless of where the processor is located (Article 3(2)). If EU residents visit your website and your analytics tool processes their personal data, GDPR applies to you. Using a zero-PII analytics tool eliminates this concern entirely because no personal data is processed.
Stop configuring compliance. Start with a tool that's compliant by default. EngageTrack processes no personal data, sets no cookies, stores everything in Frankfurt, and adds revenue attribution that Plausible and Fathom lack. Start your free 14-day trial — no credit card required.