
What Is GDPR and How It Affects Your Website Analytics

Jan van Dijk


March 19, 2026 · 8 min read


As a Dutch web analyst, GDPR is something I deal with every single day. When the regulation became applicable in 2018, it changed how I approached analytics compliance for every client. Suddenly, tracking website visitors was no longer a simple “just add the code” situation. There were rules, and breaking them could mean large fines.

If you run a website — whether it is a small blog or an online store — GDPR affects you too. In this guide, I will explain what GDPR actually is in plain English, how it impacts your website analytics, and what steps you need to take to stay compliant.

[Image: GDPR lock symbol with EU stars on a laptop screen] GDPR has changed how websites collect and process visitor data across Europe and beyond.

What Is GDPR in Plain English?

GDPR stands for General Data Protection Regulation. It is an EU regulation, adopted in 2016, that has applied since May 25, 2018. Its main goal is to give people more control over their personal data.

Before GDPR, European data protection rules came from a 1995 directive that member states implemented and enforced unevenly, and in practice companies collected all sorts of information about you (your name, email, browsing habits, location) without really asking permission. GDPR changed that. Now, organizations must have a valid legal basis to collect and use personal data, and they must be transparent about what they do with it.

The key principles of GDPR (Article 5) are straightforward:

  • Lawfulness, fairness and transparency: You must have a legal basis to process data, and you must tell people what you are doing with it.
  • Purpose limitation: You can only collect data for a specific, stated purpose, and not reuse it for something incompatible later.
  • Data minimization: Only collect the data you actually need.
  • Accuracy: Keep data correct and up to date.
  • Storage limitation: Do not keep data longer than necessary.
  • Integrity and confidentiality: Protect the data you collect from breaches and unauthorized access.
  • Accountability: You must be able to demonstrate that you follow the principles above, for example with records of what you process and why.

You can read the full text of GDPR at gdpr.eu (a readable unofficial copy; the official text is published on EUR-Lex) if you want all the legal details.

What Data Does GDPR Cover?

GDPR protects what it calls personal data: any information relating to an identified or identifiable living person, whether the identification is direct or indirect. Here are some examples:

  • Names, email addresses, phone numbers
  • IP addresses
  • Cookie identifiers
  • Location data
  • Device fingerprints
  • Online behavior patterns

This is where it gets important for analytics. When someone visits your website, your analytics tool typically collects their IP address, sets cookies to track their behavior, and records information about their device and location. Under GDPR, all of this counts as personal data.

GDPR’s territorial scope (Article 3, summarized in Wikipedia’s GDPR article) is wide: it applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. Website analytics is monitoring of behaviour, so if you run a website from the United States and track European visitors, GDPR still applies to you.

How GDPR Affects Your Website Analytics

Here is the part that caught many website owners off guard. Traditional analytics tools like Google Analytics collect a lot of personal data by default. They use cookies, track IP addresses, and build detailed profiles of user behavior across sessions.

Under GDPR, you need a legal basis to do this. The two legal bases usually considered for analytics are:

  1. Consent: The visitor explicitly agrees to being tracked. This is the most common approach and is why you see cookie consent banners everywhere.
  2. Legitimate interest: You argue that analytics is necessary for running your business. This is harder to justify for detailed tracking, and several data protection authorities have pushed back on it. It also does not get you around the ePrivacy rules: storing or reading a non-essential cookie or similar identifier requires consent regardless of which GDPR basis you rely on, so legitimate interest is realistically only available for cookieless measurement.

In my experience working with clients across the Netherlands, consent is the safest route for most websites. The problem? When you ask people for consent, many say no. I have seen consent rates as low as 30% on some sites, which means you lose a significant chunk of your analytics data.

Do You Need a Cookie Consent Banner?

The short answer: yes, almost certainly. If your website uses cookies for analytics, advertising, or any other form of tracking, you need to ask visitors for permission before those cookies are set. The only cookies exempt from consent are those strictly necessary to provide the service the visitor asked for, such as a session or shopping-cart cookie, or the cookie that records the visitor’s consent choice itself.

GDPR itself defines consent (Article 4(11) and Article 7), and the UK Information Commissioner’s Office (ICO) guidance restates the definition in plain terms. Consent must be:

  • Freely given: People must have a real choice. No “dark patterns” that trick them into accepting.
  • Specific: They should know exactly what they are consenting to.
  • Informed: You need to explain what cookies you use and why.
  • Unambiguous: Consent requires a clear action, like clicking “Accept.” Pre-ticked boxes do not count.
  • Easy to withdraw: Withdrawing consent must be as easy as giving it, so visitors need a way to change their choice later.

One thing I always tell my clients: a cookie banner that just says “This site uses cookies” with only an “OK” button is not GDPR-compliant. Visitors need the ability to accept or reject the different categories of cookies, and rejecting must take no more effort than accepting.

[Image: person typing on a laptop with an EU flag in an office] GDPR compliance requires websites to obtain meaningful consent before tracking visitors.

Google Analytics and GDPR Compliance

Google Analytics is the most popular analytics tool in the world, and its relationship with GDPR has been complicated. In 2022 and 2023, several European data protection authorities (including those in Austria, France, and Italy) ruled that specific uses of Google Analytics violated GDPR because visitor data was being transferred to the United States without adequate protection. Since July 2023 the EU-US Data Privacy Framework adequacy decision has provided a transfer mechanism for certified US companies, which addresses the transfer problem those decisions turned on, but it does nothing about the separate requirement to obtain consent for cookies.

Google’s current product, Google Analytics 4 (GA4), includes several privacy-focused features:

  • IP addresses are not logged or stored; GA4 uses them for coarse geolocation and then discards them
  • Event data retention can be set to 2 months instead of 14
  • You can disable collection of granular location and device data for specific regions
  • Consent mode lets GA4 adjust its behavior based on user consent

If you are new to GA4, I recommend reading our beginner’s guide to Google Analytics 4 to understand the basics before diving into GDPR configuration.

However, even with these improvements, most legal experts agree that you still need a cookie consent banner when using Google Analytics. GA4 sets cookies, and those cookies require consent under GDPR.

When you use UTM parameters to track your marketing campaigns (learn more in our guide to UTM parameters), the tracking data they generate is also subject to GDPR rules if it is tied to identifiable users through cookies or other identifiers.

Privacy-Friendly Analytics Alternatives

If dealing with cookie consent banners sounds like a headache, there is another option: switch to a privacy-friendly analytics tool. These tools are designed from the ground up to comply with GDPR, often without needing cookies at all.

Here are some popular alternatives:

  • Plausible Analytics: A lightweight, open-source tool that does not use cookies. It counts unique visitors from a hash of the IP address and user agent with a salt that rotates daily, rather than storing either value, and many legal experts consider that it can be used without a consent banner. The IP address is still processed briefly, so name the tool in your privacy policy.
  • Fathom Analytics: Similar to Plausible — cookieless, privacy-first, and designed for GDPR compliance.
  • Matomo: A full-featured analytics platform that can be self-hosted. When configured correctly (anonymized IPs, no cookies, and the other conditions the French CNIL lists for consent-exempt audience measurement), it can be used without consent.
  • Simple Analytics: Another cookieless option that focuses on simplicity and privacy.

The trade-off with these tools is that you get less detailed data. You will not see individual user journeys or build audience segments the way you can with Google Analytics. But for many small to medium websites, the simpler data is more than enough — and you avoid the legal risk entirely.

From my own experience, I switched one of my personal projects to Plausible in 2022, and I honestly do not miss the complexity of Google Analytics for that site. The dashboard is clean, the data is actionable, and I never worry about compliance.

Steps to Make Your Analytics GDPR-Compliant

Whether you stick with Google Analytics or switch to something else, here is a practical checklist to get your analytics setup compliant:

1. Audit Your Current Setup

List every tracking tool, cookie, and third-party script on your website. You might be surprised how many there are. The browser’s developer tools (the Application or Storage panel for cookies, and the Network panel for third-party requests, which you can export as a HAR file) and extensions like “Ghostery” or “Cookie Editor” can help you find them. Audit with an empty cookie jar and before clicking anything in the banner, because that is the state a new visitor is in. If you export your cookie or consent configuration as JSON, our JSON formatter can help you read and validate the data.
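A practical way to do this audit is to export a HAR file from the Network panel and inventory it. The script below is an added example (not code from the page or from any of the tools named above): it groups every request by host, flags hosts outside your own domain as third parties, and parses each Set-Cookie header to find persistent cookies. SAMPLE_HAR is a constructed fragment in the HAR 1.2 shape, not a real capture; the site name www.example.com, the hostnames and the G-XXXXXXX measurement ID are placeholders.

```javascript
// Added example: first-party/third-party host and cookie inventory from a DevTools HAR export.
const SITE_HOST = "www.example.com"; // assumption: the site under audit

// Constructed HAR 1.2 fragment (not a real capture); URLs and IDs are placeholders.
const SAMPLE_HAR = {
  log: {
    entries: [
      { request: { url: "https://www.example.com/" },
        response: { headers: [{ name: "Set-Cookie", value: "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" }] } },
      { request: { url: "https://www.example.com/js/app.js" }, response: { headers: [] } },
      { request: { url: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" }, response: { headers: [] } },
      { request: { url: "https://region1.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX" }, response: { headers: [] } },
      { request: { url: "https://cdn.ads-network.invalid/pixel.gif" },
        response: { headers: [{ name: "set-cookie", value: "uid=9f8e7d; Domain=.ads-network.invalid; Path=/; Max-Age=31536000" }] } },
    ],
  },
};

// Same registrable domain as the site? Assumes a two-label suffix (example.com), which is wrong
// for suffixes like co.uk; use the Public Suffix List for a production audit.
function isThirdParty(host, siteHost = SITE_HOST) {
  const base = siteHost.split(".").slice(-2).join(".");
  return host !== base && !host.endsWith("." + base);
}

// Minimal Set-Cookie parser: the cookie name plus the attributes a GDPR/ePrivacy review cares about.
function parseSetCookie(value) {
  const [nameValue, ...attrs] = value.split(";").map((s) => s.trim());
  const attr = {};
  for (const a of attrs) {
    const eq = a.indexOf("=");
    attr[(eq === -1 ? a : a.slice(0, eq)).toLowerCase()] = eq === -1 ? true : a.slice(eq + 1);
  }
  return {
    name: nameValue.split("=")[0],
    persistent: "expires" in attr || "max-age" in attr, // outlives the session: lifetime must be disclosed
    httpOnly: "httponly" in attr,
    secure: "secure" in attr,
  };
}

// One record per host: request count, first/third party, and every cookie that host tried to set.
function inventory(har, siteHost = SITE_HOST) {
  const byHost = new Map();
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    const rec = byHost.get(host) || { host, thirdParty: isThirdParty(host, siteHost), requests: 0, cookies: [] };
    rec.requests += 1;
    for (const h of entry.response.headers || []) {
      if (h.name.toLowerCase() === "set-cookie") rec.cookies.push(parseSetCookie(h.value));
    }
    byHost.set(host, rec);
  }
  return [...byHost.values()];
}

// Items that must end up classified in the consent banner and described in the privacy policy.
function findingsFor(har, siteHost = SITE_HOST) {
  const out = [];
  for (const rec of inventory(har, siteHost)) {
    if (rec.thirdParty) out.push(`third-party host: ${rec.host} (${rec.requests} requests)`);
    for (const c of rec.cookies) {
      if (c.persistent) out.push(`persistent cookie "${c.name}" set by ${rec.host}`);
    }
  }
  return out;
}

// Usage: node audit.js capture.har   (falls back to the constructed sample when no file is given)
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const har = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_HAR;
  for (const line of findingsFor(har)) console.log(line);
}
```

Run it against a capture taken with a fresh profile before touching the banner: every third-party host and every persistent cookie it lists must either be strictly necessary or sit behind consent.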

2. Implement a Proper Consent Banner

Use a consent management platform (CMP) like Cookiebot, CookieYes, or Complianz. Make sure it actually blocks tracking scripts until the visitor gives consent; a banner that is displayed while the scripts load anyway is a common failure. The banner should offer clear “Accept” and “Reject” buttons of equal prominence, not just “Accept” and “Learn more.”

3. Configure Your Analytics Tool

If you use Google Analytics 4:

  • Enable Google Consent Mode v2 and send the default (denied) state before the GA4 tag loads. Prefer the “basic” implementation, in which the tag is not loaded at all until consent is given; the “advanced” implementation still sends cookieless pings to Google while consent is denied, so only use it if you have assessed and disclosed those pings
  • Set event data retention to 2 months rather than 14 unless you have a documented need for the longer period
  • Turn off data sharing with Google where possible
  • Disable Google Signals if you do not need it
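Steps 2 and 3 together come down to one ordering rule: set the denied defaults, read any stored choice, and only then inject the scripts the choice allows. The block below is an added example, not code from the page, from Google, or from any of the CMPs named above; it shows what a CMP does under the hood in the “basic” consent mode setup. Assumptions: a first-party cookie named “site_consent” that stores the choice, the hypothetical script list SCRIPTS, and the placeholder measurement ID G-XXXXXXX. The gtag("consent", ...) commands and the four signal names are Google’s documented ones.

```javascript
// Added example: consent-gated script loading with Google Consent Mode v2 (basic implementation).
const OPTIONAL = ["analytics", "marketing"]; // categories that need consent; "necessary" never does
const CONSENT_COOKIE = "site_consent";       // assumption: our own first-party consent record

// Script inventory from the audit step (hypothetical URLs), tagged by category.
const SCRIPTS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX", category: "analytics" },
  { src: "https://ads-network.invalid/pixel.js", category: "marketing" },
];

// The standard dataLayer/gtag shim; globalThis lets the same code run under Node for testing.
const g = typeof window !== "undefined" ? window : globalThis;
g.dataLayer = g.dataLayer || [];
function gtag() { g.dataLayer.push(arguments); }

// Map banner categories onto the four Consent Mode v2 signals.
function consentSignals(choices) {
  const state = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: state(choices.analytics),
    ad_storage: state(choices.marketing),
    ad_user_data: state(choices.marketing),
    ad_personalization: state(choices.marketing),
  };
}

// Must run before gtag.js is loaded: everything denied until the visitor acts (no pre-ticked consent).
function setConsentDefaults() {
  gtag("consent", "default", {
    ...consentSignals({ analytics: false, marketing: false }),
    wait_for_update: 500, // ms the tag waits for a stored choice before sending anything
  });
}

// Called when the visitor clicks Accept/Reject, or on a return visit with a stored choice.
function applyConsent(choices) {
  gtag("consent", "update", consentSignals(choices));
}

// Which scripts may be injected under the current choices.
function scriptsAllowed(choices, scripts = SCRIPTS) {
  return scripts.filter((s) => s.category === "necessary" || choices[s.category] === true).map((s) => s.src);
}

// Injects the allowed scripts in a browser; under Node (no document) it only returns the list.
function loadScripts(choices) {
  const allowed = scriptsAllowed(choices);
  if (typeof document !== "undefined") {
    for (const src of allowed) {
      const el = document.createElement("script");
      el.src = src;
      el.async = true;
      document.head.appendChild(el);
    }
  }
  return allowed;
}

// Cookie value format (our assumption): "analytics:1,marketing:0". The consent record is itself a
// strictly necessary cookie, so it may be set without consent; 180-day lifetime, first-party only.
function serializeConsent(choices) {
  return OPTIONAL.map((c) => `${c}:${choices[c] ? 1 : 0}`).join(",");
}
function consentCookieString(choices) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(serializeConsent(choices))}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Parses a document.cookie string. Anything malformed or incomplete yields null, meaning "ask again".
function parseConsentCookie(cookieHeader) {
  const pair = (cookieHeader || "").split(";").map((p) => p.trim()).find((p) => p.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return null;
  let raw;
  try { raw = decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)); } catch (e) { return null; }
  const choices = { necessary: true };
  for (const item of raw.split(",")) {
    const m = /^([a-z]+):([01])$/.exec(item);
    if (!m || !OPTIONAL.includes(m[1])) return null;
    choices[m[1]] = m[2] === "1";
  }
  return OPTIONAL.every((c) => c in choices) ? choices : null;
}

// Page boot: defaults first, then either replay the stored choice or show the banner and load only
// the necessary scripts. In a browser this is boot(document.cookie), run before any tag snippet.
function boot(cookieHeader) {
  setConsentDefaults();
  const stored = parseConsentCookie(cookieHeader);
  if (stored) {
    applyConsent(stored);
    return loadScripts(stored);
  }
  return loadScripts({ necessary: true }); // banner is shown; analytics and marketing stay blocked
}
```

The banner’s Accept and Reject handlers would call applyConsent, write consentCookieString to document.cookie, and then call loadScripts with the new choices. Note that a partial or unparseable record is treated as no consent rather than as consent, which is the safe direction when the stored choice cannot be trusted.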

4. Update Your Privacy Policy

Your privacy policy must explain what data you collect, why you collect it, how long you keep it, and who you share it with. Be specific about your analytics tools.

5. Set Up a Data Processing Agreement

If you use Google Analytics, you need a Data Processing Agreement (DPA) with Google. This is built into the Google Analytics admin settings — make sure you have accepted it.

6. Enable IP Anonymization

GA4 does not log or store IP addresses, so there is nothing to configure there. If you use older tools, self-hosted analytics, or your own server logs, make sure IP addresses are truncated before they are stored. The usual approach is to zero the last octet of an IPv4 address and the last 80 bits of an IPv6 address, which keeps the data useful for country-level reporting while making it much harder to tie back to a person.
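For the self-hosted or server-log case, here is that truncation as an added example (not code from the page or from any analytics vendor). It masks the last IPv4 octet and the last 80 bits of an IPv6 address, which are the widths Google documented for Universal Analytics’ anonymizeIp, handles the “::” compressed form, and treats IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, what a dual-stack proxy often hands you) as IPv4 so they do not collapse to all zeros. SAMPLE_LOG is constructed, not a real access log.

```javascript
// Added example: truncate client IP addresses before they are written to a log or analytics store.
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Four octets of a dotted-quad IPv4 address, or null if the string is not one.
function parseIPv4(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Eight 16-bit groups of an IPv6 address ("::" compression and an embedded dotted IPv4 tail
// are accepted), or null if the string is not well-formed.
function parseIPv6(ip) {
  let s = ip;
  if (s.includes(".")) {
    // e.g. ::ffff:198.51.100.7 -> ::ffff:c633:6407
    const colon = s.lastIndexOf(":");
    if (colon === -1) return null;
    const v4 = parseIPv4(s.slice(colon + 1));
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    s = s.slice(0, colon + 1) + hi + ":" + lo;
  }
  const parts = s.split("::");
  if (parts.length > 2) return null; // "::" may appear at most once
  const head = parts[0] ? parts[0].split(":") : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(":") : [];
  const fill = parts.length === 2 ? 8 - head.length - tail.length : 0;
  if (parts.length === 2 && fill < 1) return null;
  const groups = [...head, ...new Array(fill).fill("0"), ...tail];
  if (groups.length !== 8 || !groups.every((h) => /^[0-9a-fA-F]{1,4}$/.test(h))) return null;
  return groups.map((h) => parseInt(h, 16));
}

// Returns the truncated address; throws on anything that is not an IP address so that garbage
// is never silently stored as if it had been anonymized.
function anonymizeIp(ip) {
  const v4 = parseIPv4(ip);
  if (v4) return [v4[0], v4[1], v4[2], 0].join(".");
  const v6 = parseIPv6(ip);
  if (!v6) throw new Error("not an IP address: " + ip);
  // IPv4-mapped address: mask the embedded IPv4 instead of wiping the whole thing.
  if (v6.slice(0, 5).every((x) => x === 0) && v6[5] === 0xffff) {
    return [v6[6] >> 8, v6[6] & 0xff, v6[7] >> 8, 0].join(".");
  }
  // Keep the first 48 bits (three groups), zero the remaining 80, emit the uncompressed form.
  return [...v6.slice(0, 3), 0, 0, 0, 0, 0].map((x) => x.toString(16)).join(":");
}

// Rewrites the client-address field (first token) of an access-log line in common log format.
function anonymizeLogLine(line) {
  const idx = line.indexOf(" ");
  if (idx === -1) return line;
  return anonymizeIp(line.slice(0, idx)) + line.slice(idx);
}

// Constructed log lines (not a real capture), using documentation-reserved address ranges.
const SAMPLE_LOG = [
  '203.0.113.42 - - [19/Mar/2026:10:00:00 +0100] "GET / HTTP/1.1" 200 512',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [19/Mar/2026:10:00:01 +0100] "GET /js/app.js HTTP/1.1" 200 2048',
  '::ffff:198.51.100.7 - - [19/Mar/2026:10:00:02 +0100] "GET /pricing HTTP/1.1" 200 1024',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const line of SAMPLE_LOG) console.log(anonymizeLogLine(line));
}
```

Apply this at the point where the address first touches disk (the web server’s log format or the analytics ingest), not in a later batch job: an untruncated address that sat in a raw log for a week has already been stored.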

7. Regularly Review and Test

GDPR compliance is not a one-time task. Laws evolve, tools update, and new scripts get added to your site. Schedule a quarterly review of your tracking setup.

What Happens If You Do Not Comply?

GDPR fines can be severe. The maximum penalty for the most serious infringements is 20 million euros or 4% of annual global turnover, whichever is higher (a lower tier of 10 million euros or 2% applies to other infringements). While the largest fines target big corporations (Amazon was fined 746 million euros by Luxembourg’s regulator in 2021), smaller companies have also been fined for violations related to analytics and cookies.

Beyond fines, non-compliance can damage your reputation and erode trust with your audience. In an era where people are increasingly aware of their privacy rights, showing that you respect their data is good business.

Frequently Asked Questions

Does GDPR apply to websites outside the EU?

Yes. GDPR applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, and tracking visitors with analytics counts as monitoring. So if people in the EU use your website and you collect their personal data, GDPR applies regardless of where your business is located. This is called the “extraterritorial scope” of GDPR.

Can I use Google Analytics without a cookie consent banner?

In most cases, no. Google Analytics sets cookies and collects data that qualifies as personal data under GDPR. You need to obtain consent before Google Analytics loads. The only exception might be if you use Google Analytics in a very restricted “cookieless” mode, but this is not standard practice and offers limited data.

What is the difference between GDPR and the ePrivacy Directive?

GDPR is a broad data protection law covering all personal data processing. The ePrivacy Directive (2002/58/EC, also known as the “Cookie Law”) specifically covers electronic communications, including storing or reading anything on a visitor’s device, which is what cookies and similar identifiers do. They work together: the ePrivacy Directive requires consent for non-essential cookies, and GDPR defines what valid consent is and sets the rules for processing the personal data collected afterwards.

Are cookieless analytics tools completely GDPR-compliant?

Cookieless tools like Plausible and Fathom are designed to be GDPR-compliant by default because they do not collect personal data. However, “completely compliant” depends on your entire setup, not just one tool. You should still have a privacy policy that mentions your analytics tool, and you should verify the tool’s data processing practices.

How much does GDPR compliance cost for a small website?

It can range from free to a few hundred dollars per year. Free consent management tools exist (like CookieYes’ free tier), and privacy-friendly analytics tools like Plausible start at around $9 per month. The biggest cost is usually your time in setting everything up correctly and maintaining it.


Written by Jan van Dijk

Independent web analyst from Amsterdam. I help small businesses understand their data and build tools that make everyday web tasks easier.

