The Complete Guide to GDPR-Compliant Web Analytics

Is your website actually compliant with GDPR? Most website owners think installing a consent banner solves the problem. The truth is messier—and actually more empowering. GDPR compliance for your analytics stack isn't about checking a legal checkbox with a popup; it's about understanding what data you collect, why you collect it, and how you process it. This guide walks you through the real requirements, the myths, and the practical steps to ensure your web analytics respects privacy without slowing your data collection to a crawl.

What GDPR Actually Requires of Your Analytics

GDPR doesn't ban analytics. It regulates personal data. And here's the key: not all analytics data is personal data.

Personal data under GDPR is any information that identifies or could identify an individual. An IP address, a cookie ID that tracks someone across days or weeks, a device fingerprint—these are personal data. But a simple session ID that expires after 30 minutes and resets every day? That's much harder to link to an individual, and GDPR treats it differently.

Your analytics stack must meet two foundational requirements:

  1. Have a lawful basis for processing. This doesn't always mean consent. Under GDPR, there are six lawful bases:

    • Consent (the most obvious one)
    • Contractual necessity (you need the data to deliver a service)
    • Legal obligation (you're required by law)
    • Vital interests (protecting someone's health or safety)
    • Public task (government agencies)
    • Legitimate interest (this is the hidden one that changes everything)
  2. Be transparent and allow opt-out. You must tell visitors what you track and why. A privacy policy isn't optional—it's mandatory.

Most website owners jump to consent because it feels like the "safe" option. But legitimate interest is often more honest and doesn't require a banner. If you're using cookieless analytics with daily-resetting session IDs, you can argue that tracking visitor behavior is a legitimate business interest (improving your site, detecting fraud) and that individual visitors aren't meaningfully identified.

Common mistakes to avoid:

  • Storing IP addresses (especially with timestamps). If you store IPs, they're personal data—you need a legal basis or consent. Many GDPR lawyers recommend never logging IPs at all.
  • Long-term cookies. A 2-year tracking cookie makes it personal data. GDPR enforcers have fined companies for persistent cookies without explicit consent.
  • Fingerprinting. Combining multiple browser signals (user agent, screen resolution, timezone, fonts) to create a pseudo-identifier is considered personal data in many EU jurisdictions.
  • Sharing with third parties without disclosure. If you send visitor data to Google Analytics, Facebook, or any vendor, your privacy policy must name them.

The Consent Banner Myth

Here's what many lawyers won't tell you: if you use cookieless analytics, you don't need a consent banner at all.

This seems counterintuitive. Isn't a consent banner the mark of compliance? No. A consent banner is one way to be compliant—but only if you actually use it correctly, which most sites don't. A banner that pre-selects "Accept" or buries "Reject"? That's illegal under GDPR and the ePrivacy Directive. A banner that disappears if users ignore it? Also illegal—silence is not consent.

But if you're using cookieless tracking—session-based analytics with no persistent identifiers, no long-term storage, no cross-device or cross-site tracking—then the legal argument changes. You're not processing personal data in a way that requires consent. You're logging aggregated, session-level behavior.

Cookieless tracking means:

  • No cookies stored on the visitor's device
  • Session IDs that expire after 30 minutes of inactivity
  • No tracking across multiple days
  • No device fingerprinting
  • No persistent visitor IDs
  • Data resets every day

Under this model, you can argue legitimate interest as your lawful basis. Your privacy policy should disclose that you track sessions (which is obvious—they're on your site). But you don't need a banner asking for permission.
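The session model just described, as an added illustration (this is not Statalog's code or the post's own; it is a hypothetical design): a daily-rotating, in-memory secret keys an HMAC over the client IP and User-Agent, so the raw IP is never written anywhere, a visitor cannot be recognised after the daily reset, and a session closes after 30 minutes of inactivity. `demo()` walks one constructed visitor through the scenario.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone
SESSION_TIMEOUT = timedelta(minutes=30)  # the post's inactivity window

class CookielessTracker:
    """Hypothetical design, not Statalog's: the session key is an HMAC of
    client IP + User-Agent under a random secret regenerated each UTC day
    and held only in memory, so keys cannot be linked across days."""
    def __init__(self):
        self._salt_day, self._salt = None, None  # per-day secret, never persisted
        self._open = {}          # key -> {"start", "last", "pages"}
        self.completed = []      # finished sessions, aggregate fields only

    def _daily_salt(self, now):
        if now.date() != self._salt_day:
            self._salt_day, self._salt = now.date(), secrets.token_bytes(32)
            self.expire_idle(now, force=True)  # daily reset closes everything
        return self._salt

    def _session_key(self, ip, user_agent, now):
        msg = f"{ip}|{user_agent}".encode()
        return hmac.new(self._daily_salt(now), msg, hashlib.sha256).hexdigest()[:16]

    def expire_idle(self, now, force=False):
        """Close sessions idle longer than SESSION_TIMEOUT (all of them if force)."""
        for key, s in list(self._open.items()):
            if force or now - s["last"] > SESSION_TIMEOUT:
                del self._open[key]
                self.completed.append({"pages": len(s["pages"]),
                                       "duration_s": (s["last"] - s["start"]).total_seconds()})

    def record(self, ip, user_agent, path, now):
        """Attribute one page view; the raw IP is used transiently for the key only."""
        key = self._session_key(ip, user_agent, now)
        self.expire_idle(now)
        s = self._open.setdefault(key, {"start": now, "last": now, "pages": []})
        s["last"] = now
        s["pages"].append(path)
        return key

def demo():
    """Constructed walk-through: one visitor, four page views across two days."""
    t = CookielessTracker()
    d0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    views = [("/", timedelta(0)), ("/pricing", timedelta(minutes=5)),
             ("/", timedelta(minutes=40)), ("/", timedelta(days=1))]
    keys = [t.record("198.51.100.7", "Mozilla/5.0 (constructed)", p, d0 + dt)
            for p, dt in views]
    return keys, t.completed
```

The third view arrives 35 minutes after the second, so it opens a new session under the same daily key; the fourth view lands on the next day, after the secret has rotated, and gets an unrelated key.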

This is why privacy-first analytics tools are GDPR's best-kept secret. They shift the legal burden from "How do I get consent?" to "Am I being transparent and respectful?"

How to Audit Your Current Setup

Before changing anything, audit what you're actually tracking. Many sites inherit tracking code from years ago and have no idea what it does.

Step 1: List every tracking tool you use. Open your browser's developer console (F12) and go to the Network tab. Reload your site. Look at the requests. You'll likely see:

  • Google Analytics (loads from google-analytics.com or analytics.google.com)
  • Facebook Pixel (from facebook.com)
  • Hotjar (from hotjar.com)
  • Intercom, Drift, or other chat tools
  • Advertising pixels from Google Ads, LinkedIn, etc.

Write them all down. You probably have more than you realize.

Step 2: Check what each tool stores. Visit your site in an incognito window (so cookies are fresh). Open DevTools → Application → Cookies. Look for:

  • 1st-party cookies (from your domain)
  • 3rd-party cookies (from other domains)
  • Cookie names, values, and expiration dates

If you see cookies expiring months or years from now, they're personal data. If they're session-only or expire after 24 hours, the risk is lower.

Step 3: Review each tool's privacy policies and data processing agreements. Every vendor should have a Data Processing Agreement (DPA) that explains:

  • What data they collect
  • How long they keep it
  • Who they share it with
  • Your rights as a data controller

If a vendor won't provide a DPA, that's a red flag. Many GDPR violations happen because companies use tools that aren't GDPR-ready.

Step 4: Check your privacy policy. Does it mention every tracking tool by name? Does it explain what data you collect? If your privacy policy says "We use cookies to improve your experience" but doesn't say "We use Google Analytics, which may set cookies on your device," you're not being transparent.

Step 5: Decide on your legal basis. For each tracking tool, choose:

  • Consent (display a banner, let users opt-in)
  • Legitimate interest (disclose in privacy policy, allow opt-out)
  • Contract/legal obligation (rare for marketing analytics)

If you choose consent, you need a banner that's actually compliant. If you choose legitimate interest, you need an easy opt-out mechanism.
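Steps 1 and 2 above, scripted against Set-Cookie headers copied from the Network tab, as an added example that is not part of the post: each cookie is classified as session, short-lived (24 hours or less) or long-term using the post's thresholds, and flagged as third-party when the responding host is outside your domain. The `SAMPLE` headers, `NOW` and `example.com` are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs

def remaining_lifetime(attrs, now):
    """None for a session cookie, else a timedelta. Max-Age wins over
    Expires, as RFC 6265 section 5.3 requires."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def audit(observed, site_domain, now):
    """observed: (responding host, Set-Cookie header) pairs copied from the
    Network tab. Returns one row per cookie using the post's risk tiers."""
    rows = []
    for host, header in observed:
        name, _, attrs = parse_set_cookie(header)
        life = remaining_lifetime(attrs, now)
        if life is None:
            tier = "session"
        elif life <= timedelta(hours=24):
            tier = "short-lived"
        else:
            tier = "long-term"  # treat as personal data: needs a lawful basis
        first_party = host == site_domain or host.endswith("." + site_domain)
        rows.append({"name": name, "host": host, "third_party": not first_party,
                     "tier": tier,
                     "days": None if life is None else round(life.total_seconds() / 86400, 1)})
    return rows

# Constructed sample (values made up): a site running GA plus a Facebook pixel.
SAMPLE = [
    ("www.example.com", "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("www.example.com", "_ga=GA1.2.1234; Max-Age=63072000; Domain=.example.com; Path=/"),
    ("www.facebook.com", "fr=xyz; Expires=Thu, 01 Aug 2024 00:00:00 GMT; Domain=.facebook.com"),
    ("www.example.com", "csrf=tok; Max-Age=3600; Path=/"),
]
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # audit date, constructed
def run_sample():
    return audit(SAMPLE, "example.com", NOW)
```

Long-term rows are the ones that need a compliant banner or another documented lawful basis, and every third-party host in the output should be named in the privacy policy checked in Step 4.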

Tools That Are Already GDPR-Compliant

Not all analytics tools are built for GDPR. Many assume cookies and third-party tracking are non-negotiable. The privacy-first category is different.

Cookieless analytics tools operate on the principle that if you don't store personal data, you don't need consent:

  • Statalog (our focus): Uses session-based tracking with daily-resetting session IDs. No cookies, no fingerprinting, no persistent visitor IDs. Lighter than GA4, faster to load, and compliant by design.
  • Plausible: Cookieless and anonymizes IP addresses. Positions itself as a GA4 alternative for privacy-conscious sites.
  • Fathom: Also cookieless. Focuses on simplicity and privacy.
  • Simple Analytics: Cookieless, GDPR-compliant by default.

Traditional tools made GDPR-ready:

  • Google Analytics 4 (with proper setup): You can configure GA4 to anonymize IP addresses and disable certain tracking. But it still uses long-term cookies by default, so most sites need a consent banner.
  • Matomo: Open-source, self-hosted option. GDPR-compliant if configured correctly (anonymize IPs, use cookies sparingly).

The easiest path to GDPR compliance is choosing a tool that's designed for privacy. This removes the need to configure, audit, and worry about missteps.

FAQ: GDPR and Analytics

Q: Do I definitely need a consent banner? A: Only if you're storing personal data in a way that requires consent. Cookieless analytics with daily-resetting sessions? No banner needed. Long-term cookies or third-party tracking? Yes, you need a compliant banner.

Q: Is IP anonymization enough? A: Anonymization is helpful, but EU data protection authorities consider an IP address + timestamp + behavioral data (pages visited) to still be personal data, even if anonymized. Most lawyers recommend not storing IPs at all.

Q: Can I use Google Analytics 4 without consent? A: Only with significant configuration (anonymize IPs, disable certain features, limit cookie lifespan). Most GA4 setups use cookies that require consent.

Q: What's the penalty for non-compliance? A: GDPR fines can reach €20 million or 4% of global revenue, whichever is higher. But most fines come from data breaches or repeated violations, not minor configuration mistakes. The real risk is reputational: a privacy lawsuit or bad press can hurt more than a fine.

Q: Is legitimate interest a gray area? A: Yes, and that's why legal opinions vary. Some EU regulators are skeptical of legitimate interest for advertising and tracking. If you're uncomfortable with the legal gray area, stick with cookieless tools and explicit disclosure.

Q: Do I need to mention analytics in my terms of service? A: No, but you must mention it in your privacy policy. Terms of service are for user conduct; privacy policy is for data handling.

Next Steps: Get Started

Start with the audit. You may find that switching to a privacy-first analytics tool removes legal friction entirely. No consent banner needed, fewer vendor relationships to manage, faster page loads, and a simpler compliance story.

Ready to move forward? Explore Statalog's GDPR-compliant features or review our full privacy documentation.