LiteStats
Compliance · 12 min read

GDPR Compliance for Website Analytics: A Complete Guide

Running analytics on your website involves processing visitor data. Under GDPR, that comes with specific obligations depending on what data you collect, how you store it, and where it goes. This guide covers what you need to know — and what you can avoid entirely by choosing the right tools.

What GDPR means for analytics

The General Data Protection Regulation applies to any website that processes personal data of individuals in the European Economic Area (EEA). Personal data, under GDPR, is any information that can directly or indirectly identify a person. This includes names and email addresses, but also IP addresses, cookie identifiers, device fingerprints, and behavioural profiles.

If your analytics platform collects any of these, GDPR applies. You become the data controller, responsible for determining what data is collected and why, and your analytics provider becomes the data processor, handling that data on your behalf. Article 28 requires that relationship to be set out in a written contract, which is the Data Processing Agreement (DPA) referred to in the checklists below.

The six lawful bases for processing

GDPR requires a lawful basis for every type of data processing. For analytics, the two most commonly invoked bases are:

  1. Consent (Article 6(1)(a)): The visitor explicitly agrees to data collection. This is what cookie consent banners implement. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes don't count. Implied consent doesn't count. The visitor must actively opt in.
  2. Legitimate interest (Article 6(1)(f)): The processing is necessary for a legitimate interest of the business, and that interest is not overridden by the visitor's own interests, rights and freedoms. Purely aggregate, non-personal statistics need no lawful basis at all, because GDPR only governs personal data; legitimate interest is what privacy-first setups rely on for the limited personal data they do touch, such as the IP address that is processed to serve the request and count the visit before being discarded.

The ePrivacy Directive (cookie law)

GDPR handles personal data. The ePrivacy Directive (2002/58/EC), often called the "cookie law", handles access to devices. Under Article 5(3), storing or accessing information on a user's device — including cookies — requires informed consent, unless the storage is "strictly necessary" for a service the user has explicitly requested.

Analytics cookies are not considered strictly necessary, so any analytics platform that sets cookies needs prior consent via a cookie banner, regardless of whether the data collected is personal or anonymous. The same rule covers any other storage or access on the device: localStorage, IndexedDB and fingerprinting techniques all fall under Article 5(3), so "cookieless" only helps if the script avoids client-side storage and fingerprinting altogether. A few authorities (France's CNIL, for example) exempt narrowly scoped first-party audience measurement under strict conditions, but mainstream analytics platforms do not meet them.

The UK's PECR (Privacy and Electronic Communications Regulations 2003) implements the ePrivacy Directive and applies the same rule in Regulation 6.

What happens if you get it wrong

GDPR fines can reach up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements (Article 83(5)); a lower tier of €10 million or 2% applies to others. While the largest fines have targeted tech giants (Meta was fined €1.2 billion in 2023 for US data transfers), small and medium businesses have also faced penalties. In January 2024, the Spanish DPA fined a small business €2,000 for processing personal data without a legal basis via its website analytics.

Beyond fines, there's the reputational cost. GDPR complaints from visitors are investigated by data protection authorities. Even without a fine, the process is time-consuming, stressful, and visible to customers if it becomes public.

Google Analytics and GDPR: the ongoing challenge

Google Analytics has been at the centre of GDPR enforcement actions since 2022. The core issue is data transfers: Google Analytics sends visitor data, including IP addresses and cookie identifiers, to servers in the United States. Multiple EU data protection authorities (Austria, France, Italy, Denmark, Finland, Norway) found, in the line of decisions following Schrems II, that these transfers lacked adequate safeguards under Chapter V of GDPR.

Google responded with GA4, server-side tagging options, and data residency features. However, the fundamental architecture of Google Analytics still involves processing personal data (IP addresses, client IDs, user IDs) and therefore requires cookie consent. The EU-US Data Privacy Framework adopted in July 2023 addresses the transfer question for certified recipients, but it does nothing about the ePrivacy consent requirement: Google Analytics 4 still requires a consent banner for the cookies it sets.

How cookieless analytics solve GDPR compliance

Privacy-first analytics platforms take a fundamentally different approach. By collecting only aggregate, non-personal data and avoiding cookies entirely, they fall under the same rules but with a much lighter set of obligations:

  • No cookies or other device storage (localStorage, fingerprinting) → No ePrivacy consent required → No cookie banner needed
  • No IP storage, in plain or hashed form → No personal data retained → Legitimate interest covers the momentary processing that remains
  • No cross-site tracking → No profiling → A DPIA under Article 35 is unlikely to be triggered
  • EU data hosting, including the provider's sub-processors → No international transfers → No transfer impact assessment

The caveats matter: a pseudonymised IP hash is still personal data under GDPR, and a provider hosted in the EU whose support or hosting sub-processors sit elsewhere still transfers data. Ask for the sub-processor list and the retention policy rather than taking the headline claim on trust.

GDPR compliance checklist for analytics

Regardless of which analytics platform you use, here's what GDPR requires:

If you use cookie-based analytics (e.g. Google Analytics 4)

  1. Implement a consent management platform (CMP) that meets IAB TCF 2.2 or equivalent standards
  2. Block analytics scripts until the visitor gives explicit consent
  3. Record and store consent receipts (who consented, when, to what)
  4. Provide a mechanism to withdraw consent at any time
  5. Sign a Data Processing Agreement (DPA) with your analytics provider
  6. Conduct a Data Protection Impact Assessment (DPIA) where the processing is likely to result in a high risk (Article 35), for example large-scale monitoring or profiling of visitors
  7. Complete a Transfer Impact Assessment (TIA) if data leaves the EEA for a country without an adequacy decision
  8. Document processing in your Records of Processing Activities (ROPA)
  9. Update your privacy policy to explain what data is collected, why, and by whom
  10. Appoint a Data Protection Officer (DPO) if required by Article 37
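Steps 2, 3 and 4 above are the ones that end up in code. The example below is added here and is not code from the original article or from LiteStats; it shows one way to ship the analytics tag inert, record a consent receipt, gate the tag on that receipt, and handle withdrawal. The purpose name "analytics", the `data-consent` attribute, the policy version string, the 13-month re-consent window and the receipt shape are my own assumptions, not anything the article specifies.

```javascript
// Added example: a minimal consent gate for cookie-based analytics.
// Not the article's or LiteStats' code; purpose names, attribute names,
// the policy version and the re-consent window are assumptions.

const CONSENT_VERSION = "2024-01";   // bump whenever purposes or policy text change
const MAX_AGE_DAYS = 395;            // re-ask after roughly 13 months (assumed policy)

// Step 3: the consent receipt records who (a pseudonymous id the site already
// holds), when, to what (purposes + policy version) and how it was obtained.
function createReceipt(subjectId, purposes, source, now = Date.now()) {
  if (source !== "explicit-opt-in") {
    // Pre-ticked boxes, "continue browsing" and similar are not valid consent.
    throw new Error(`invalid consent source: ${source}`);
  }
  return {
    subjectId,
    version: CONSENT_VERSION,
    purposes: [...new Set(purposes)],
    grantedAt: new Date(now).toISOString(),
    withdrawnAt: null,
    source,
  };
}

// Is this receipt sufficient to load scripts for `purpose` right now?
// Withdrawn, stale, future-dated or out-of-version receipts all fail closed.
function hasConsent(receipt, purpose, now = Date.now()) {
  if (!receipt || receipt.withdrawnAt !== null) return false;
  if (receipt.version !== CONSENT_VERSION) return false;   // policy changed: re-ask
  const ageMs = now - Date.parse(receipt.grantedAt);
  if (!(ageMs >= 0 && ageMs <= MAX_AGE_DAYS * 86400000)) return false;
  return receipt.purposes.includes(purpose);
}

// Step 4: withdrawal keeps the receipt (it is the audit trail) but marks it
// withdrawn, so hasConsent() returns false from then on.
function withdrawConsent(receipt, now = Date.now()) {
  return { ...receipt, withdrawnAt: new Date(now).toISOString() };
}

// Step 2: gating. `tags` describe the script elements on the page as
// { type, purpose, src }. Tags shipped as type="text/plain" with a purpose are
// gated; everything else is left alone. Pure, so it runs without a DOM.
function gateScripts(tags, receipt, now = Date.now()) {
  return tags.map((tag) => {
    const gated = tag.type === "text/plain" && typeof tag.purpose === "string";
    return { ...tag, activate: gated && hasConsent(receipt, tag.purpose, now) };
  });
}

// Browser glue. A <script type="text/plain"> already in the DOM does not run
// when its type attribute is changed, so a fresh <script> element replaces it.
// Only call this where a real `document` exists.
function activateInDocument(doc, receipt) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = nodes.map((n) => ({ type: "text/plain", purpose: n.dataset.consent, src: n.getAttribute("src"), node: n }));
  let activated = 0;
  for (const tag of gateScripts(tags, receipt)) {
    if (!tag.activate) continue;
    const s = doc.createElement("script");
    if (tag.src) s.src = tag.src; else s.textContent = tag.node.textContent;
    tag.node.replaceWith(s);
    activated++;
  }
  return activated;
}

// Constructed sample page: one analytics tag, one ads tag, one first-party script.
const SAMPLE_TAGS = [
  { type: "text/plain", purpose: "analytics", src: "https://analytics.example.invalid/tag.js" },
  { type: "text/plain", purpose: "ads", src: "https://ads.example.invalid/tag.js" },
  { type: "text/javascript", src: "/app.js" },
];

// Walk the flow once on the constructed sample and return the outcomes.
function demo(now = Date.UTC(2024, 0, 15)) {
  const receipt = createReceipt("visitor-42", ["analytics"], "explicit-opt-in", now);
  const beforeWithdrawal = gateScripts(SAMPLE_TAGS, receipt, now).map((t) => t.activate);
  const afterWithdrawal = gateScripts(SAMPLE_TAGS, withdrawConsent(receipt, now + 1000), now + 2000).map((t) => t.activate);
  return { receipt, beforeWithdrawal, afterWithdrawal };
}

module.exports = { createReceipt, hasConsent, withdrawConsent, gateScripts, activateInDocument, demo };
```

In the browser the analytics snippet is served as `<script type="text/plain" data-consent="analytics" src="...">` and `activateInDocument(document, receipt)` is called only after the banner produces a receipt. Two things the code does not cover but a real deployment needs: the receipt must be persisted server-side (or at least in first-party storage that does not itself require consent), and withdrawal must also delete the cookies the tag has already set, which means knowing their names and the domain they were set on.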

If you use cookieless, privacy-first analytics

  1. Verify your analytics provider doesn't store personal data (IP addresses, user IDs, device fingerprints): read its data policy, then load your site in a fresh browser profile and confirm the script sets no cookies or localStorage entries and that the provider documents discarding the IP once the request is processed
  2. Sign a Data Processing Agreement (DPA) with your provider
  3. Confirm data is hosted within the EU (or a country with an adequacy decision)
  4. Mention your analytics provider in your privacy policy

The compliance burden difference is significant. Privacy-first analytics reduce your GDPR obligations to four straightforward steps, compared to ten or more with traditional platforms.

What about CCPA?

The California Consumer Privacy Act (CCPA), amended by CPRA, gives California residents the right to know what personal information is being collected, to delete it, to opt out of its sale or sharing, and to non-discrimination for exercising these rights.

If your analytics platform processes personal information of California residents (which includes IP addresses and unique identifiers), you need to disclose this in your privacy policy and provide opt-out mechanisms. Note that CCPA only applies to businesses above its thresholds (for example gross revenue over $25 million, or personal information of 100,000 or more California consumers or households), so many small sites are outside its scope regardless of the tool they use. Cookieless analytics that don't collect personal information largely avoid CCPA obligations, though you should still mention the analytics in your privacy policy for transparency.

Practical recommendations

  • Choose EU-hosted analytics: Avoid cross-border data transfer issues entirely by selecting a provider that processes and stores all data within the EU.
  • Go cookieless: Eliminate the need for consent banners and the complexity of consent management.
  • Sign a DPA: Even with privacy-first analytics, a Data Processing Agreement formalises the relationship and demonstrates compliance.
  • Review your privacy policy: Make sure it accurately describes what data you collect and what you don't.
  • Audit regularly: Open the site in a fresh browser profile and compare the cookie jar, local storage and outbound analytics requests against what your Records of Processing Activities and privacy policy say; a script update or a new tag added by a colleague can silently reintroduce cookies.

LiteStats is fully GDPR, PECR, and CCPA compliant by design. No cookies, no IP storage, EU-hosted data, and a Data Processing Agreement included. Start your free trial.