
GDPR-Compliant Analytics Setup: Step-by-Step

European data protection authorities have issued over 100 million euros in fines related to analytics tracking violations. The Austrian, French, and Italian regulators all ruled that standard Google Analytics setups illegally transfer personal data to the US. If you’re still running analytics without thinking about GDPR compliance, you’re playing a losing game.

However, getting compliant doesn’t mean giving up on data. It means being intentional about what you collect, how you process it, and where it goes. In this guide, I’ll walk you through a complete GDPR-compliant analytics setup — from auditing your current tracking to documenting your data processing activities. If you’re new to analytics in general, start with our guide to digital marketing analytics first.

What GDPR Requires for Analytics

The General Data Protection Regulation doesn’t ban analytics. Instead, it sets strict rules about how you handle personal data. For analytics specifically, the key requirements boil down to a few core principles.

First, you need a lawful basis for processing data. For most analytics, this means either legitimate interest (for privacy-friendly, cookieless tools) or explicit consent (for tools that use cookies or collect personal data). Second, you must practice data minimization — only collect what you actually need. Third, if data leaves the EU, you need adequate transfer safeguards in place.

Additionally, you’re required to be transparent. Your visitors must know what data you collect, why you collect it, and who has access. This isn’t optional — it’s the foundation of GDPR compliance.

Article 6 of the GDPR spells out the six lawful bases for processing. For analytics, you’ll typically rely on consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)), depending on which tool you use and how invasive your tracking is.

What You’ll Need Before Starting

Before you touch any settings, gather the following:

  • Access to your current analytics platform — admin-level permissions to review configurations
  • A list of all tracking scripts on your site — check your tag manager, theme settings, and plugin configurations
  • Your privacy policy — you’ll need to update it
  • Server access or hosting panel — if you’re considering self-hosted solutions
  • 30-60 minutes — this isn’t a five-minute task, but it’s not a weekend project either

Moreover, if you use a data layer for your tracking implementation, have that documentation handy. You’ll want to review exactly what variables you’re pushing and whether any contain personal data.

Step 1: Audit Your Current Tracking

You can’t fix what you don’t understand. Therefore, start by cataloging everything that’s currently tracking visitors on your site.

Open your browser’s developer tools, navigate to the Network tab, and load your site. Filter by requests going to analytics domains. You’re looking for calls to services like google-analytics.com, analytics.google.com, facebook.com/tr, hotjar.com, and similar endpoints.

For each tracking script you find, document the following:

  1. What data does it collect? — IP addresses, device info, browsing behavior, user IDs
  2. Where does the data go? — US servers, EU servers, unknown
  3. Does it set cookies? — First-party, third-party, duration
  4. Is there a consent mechanism? — Does it wait for consent or fire immediately
  5. Do you actually use this data? — Be honest here

In my experience, most sites have at least two or three tracking scripts they’ve forgotten about. That old Hotjar snippet from 2021? The Facebook pixel someone added for a campaign that ended years ago? Those are liabilities waiting to happen. Remove anything you’re not actively using.

Step 2: Choose a Compliant Analytics Tool

This is the most important decision you’ll make. Not all analytics tools are created equal when it comes to GDPR compliance. Here’s how the major options compare:

| Tool | Data Location | Cookies | Consent Required | Self-Hosted Option | Starting Price |
|---|---|---|---|---|---|
| Google Analytics 4 | US (default) / EU option | Yes | Yes | No | Free |
| Matomo | Your server / EU (cloud) | Optional | Configurable | Yes | Free (self-hosted) |
| Plausible | EU | No | No | Yes | $9/mo |
| Fathom | EU isolation available | No | No | No | $15/mo |
| Simple Analytics | EU | No | No | No | $9/mo |

The simplest path to compliance is choosing a cookieless, EU-hosted analytics tool like Plausible or Fathom. Because these tools don’t use cookies and don’t collect personal data, they typically don’t require consent banners at all. As a result, you get cleaner data — no consent-driven sampling bias.

If you need more advanced features like funnel analysis, custom events, or session recordings, Matomo is a strong choice. Specifically, the self-hosted version gives you full control over your data. You can configure it to anonymize IPs, disable cookies, and keep everything on EU servers.

Google Analytics 4 can be made compliant, but it’s significantly harder. You need server-side tagging, EU-only data storage, IP anonymization, consent mode v2, reduced data collection, and more. For most small to mid-sized sites, the effort isn’t worth it when simpler alternatives exist. If you’d rather explore other platforms entirely, we’ve reviewed privacy-friendly Google Analytics alternatives that are compliant out of the box.

Step 3: Configure Privacy Settings

Once you’ve chosen your tool, configure it for maximum privacy. The exact steps vary by platform, but here are the universal settings to address.

IP Anonymization. Ensure IP addresses are either anonymized or never stored. In Matomo, navigate to Administration > Privacy > Anonymize Data and enable IP anonymization with at least 2 bytes masked. For Plausible, this is handled automatically — they never store raw IPs.
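As an added example (not code from the post or from Matomo), here is what "2 bytes masked" means for an IPv4 address, together with the check from the testing checklist that scans stored visitor IPs for any that were never masked; it assumes an IPv4-only export of the visit table.

```javascript
// Added example (not the post's own code): Matomo-style IPv4 anonymization
// that zeroes the trailing N bytes, plus the check from the testing
// checklist that scans stored visitor IPs for any that were not masked.
function parseIpv4(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map(p => (/^\d{1,3}$/.test(p) ? Number(p) : -1));
  return octets.every(o => o >= 0 && o <= 255) ? octets : null;
}

// 192.0.2.77 with 2 bytes masked -> 192.0.0.0 (the minimum the post recommends).
function anonymizeIpv4(ip, maskedBytes = 2) {
  const octets = parseIpv4(ip);
  if (octets === null) throw new Error(`not an IPv4 address: ${ip}`);
  if (!Number.isInteger(maskedBytes) || maskedBytes < 1 || maskedBytes > 4) {
    throw new RangeError('maskedBytes must be between 1 and 4');
  }
  return octets.map((o, i) => (i >= 4 - maskedBytes ? 0 : o)).join('.');
}

// True when the last `maskedBytes` octets are already zero. Necessary, not
// sufficient: a genuine host at x.y.0.0 passes too, so treat anything this
// flags as a finding to investigate, and a clean run as evidence, not proof.
function isAnonymizedIpv4(ip, maskedBytes = 2) {
  const octets = parseIpv4(ip);
  return octets !== null && octets.slice(4 - maskedBytes).every(o => o === 0);
}

// Run over an export of the visit table; anything returned was stored raw.
function findUnmaskedIps(storedIps, maskedBytes = 2) {
  return storedIps.filter(ip => !isAnonymizedIpv4(ip, maskedBytes));
}

// Constructed sample using documentation (TEST-NET) ranges: two rows that
// were masked correctly and one that slipped through unmasked.
const SAMPLE_STORED_IPS = ['203.0.0.0', '198.51.0.0', '192.0.2.77'];
```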

Cookie Configuration. If your chosen tool uses cookies, minimize their scope and duration. Disable any cookies that aren’t essential for basic analytics. For instance, Matomo lets you run in cookieless mode by adding _paq.push(['disableCookies']); to your tracking code.

Data Retention. Set the shortest retention period that still serves your needs. You probably don’t need visitor-level data from three years ago. Most GDPR-conscious setups use 14-26 months for raw data, with aggregated reports kept longer.

Disable User-ID Tracking. Unless you have a specific, documented need and explicit consent, turn off any user-ID or cross-device tracking features. These create personal data by definition.

Step 4: Set Up Proper Consent Management

If your analytics tool uses cookies or collects personal data, you need a consent management platform (CMP). For a detailed walkthrough of setting one up, see our cookie consent management implementation guide. However, if you’ve chosen a cookieless tool like Plausible, you can skip this step entirely — that’s one of the biggest advantages of going cookieless.

For those who do need consent management, here’s what a compliant implementation looks like:

  • No pre-ticked boxes. Consent must be freely given through an affirmative action.
  • No tracking before consent. Analytics scripts must not fire until the user explicitly opts in. This is where most setups fail.
  • Equal prominence for accept and reject. The “reject” option must be as easy to find as “accept.” No dark patterns.
  • Granular choices. Users should be able to accept analytics cookies while rejecting marketing cookies.
  • Easy withdrawal. Users must be able to change their mind just as easily as they gave consent.

In technical terms, your tag manager should block all analytics tags until the consent signal fires. In Google Tag Manager, use the built-in Consent Mode v2 with analytics_storage set to denied by default. Only switch it to granted after the user accepts.
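The gating described above, written out as an added example (not the post's own code, and not Google's): it mirrors the gtag.js command queue so the consent commands can be inspected offline, and it assumes a placeholder measurement ID and a CMP that calls applyConsent / withdrawConsent.

```javascript
// Added example (not the post's own code): gating a GA4 tag behind Consent
// Mode v2. window.dataLayer plus a gtag() that pushes its arguments is the
// standard gtag.js queue; in a real page the gtag.js loader consumes it.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Placeholder measurement ID, not a real property.
const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX';
let analyticsConfigured = false;

// Must be queued before any other gtag command: every signal starts denied.
function setConsentDefaults() {
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    wait_for_update: 500, // ms to wait for the CMP before acting on defaults
  });
}

// Called by the CMP once the visitor answers the banner. The GA config
// command is queued only after an explicit analytics opt-in, so no hit
// (not even a cookieless Consent Mode ping) is sent before that.
function applyConsent(choice) {
  const state = choice.analytics ? 'granted' : 'denied';
  gtag('consent', 'update', { analytics_storage: state });
  if (choice.analytics && !analyticsConfigured) {
    gtag('config', GA_MEASUREMENT_ID);
    analyticsConfigured = true;
  }
  return state;
}

// Withdrawal: flip the signal back to denied and return the first-party GA
// cookie names (_ga and _ga_<ID>) the page must expire via document.cookie.
function withdrawConsent() {
  gtag('consent', 'update', { analytics_storage: 'denied' });
  return ['_ga', `_ga_${GA_MEASUREMENT_ID.replace(/^G-/, '')}`];
}

// Latest analytics_storage value, read back from the queue as a test would.
function currentAnalyticsConsent() {
  let state = null;
  for (const cmd of dataLayer) {
    if (cmd[0] === 'consent' && cmd[2] && cmd[2].analytics_storage) {
      state = cmd[2].analytics_storage;
    }
  }
  return state;
}
```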

Keep in mind that the CNIL (France’s data protection authority) has been particularly strict on cookie consent. They’ve fined Google and Facebook hundreds of millions for making it harder to refuse cookies than to accept them. Don’t repeat those mistakes.

Step 5: Document Your Data Processing

GDPR Article 30 requires you to maintain a Record of Processing Activities (ROPA). For your analytics setup, this means documenting:

  • What data you collect (page views, events, referrers, device type)
  • Your lawful basis (consent or legitimate interest)
  • Where data is stored and for how long
  • Who has access to the data
  • What technical and organizational security measures are in place
  • Any third parties who receive the data

Additionally, update your privacy policy to reflect your analytics setup accurately. Be specific — don’t just say “we use analytics.” Instead, name the tool, explain what it collects, state your lawful basis, and provide opt-out instructions.

If you’re relying on legitimate interest as your lawful basis (common with cookieless tools), you also need a documented Legitimate Interest Assessment (LIA). This is a written analysis showing that your interest in collecting analytics data doesn’t override your visitors’ privacy rights. For basic, cookieless page view tracking, this is usually straightforward to justify.

Testing Your GDPR Compliance

Configuration is only half the battle. You need to verify everything works as intended. Here’s a practical testing checklist:

  1. Clear all cookies and visit your site. Does the consent banner appear before any analytics scripts fire? Use the Network tab to verify.
  2. Reject all cookies. Confirm that no analytics cookies are set and no tracking requests are sent.
  3. Accept cookies, then withdraw consent. Verify that cookies are deleted and tracking stops.
  4. Check server-side data. If using self-hosted analytics, verify that stored IP addresses are properly anonymized.
  5. Test from an EU IP address. Some setups only show consent banners to EU visitors — make sure that’s intentional and correctly implemented.
  6. Review data retention. Confirm that old data is actually being purged according to your retention policy.
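To make steps 1 and 2 of this checklist repeatable (and to produce the Step 1 inventory from the same capture), here is an added example, not code from the post, that runs over a HAR export of the Network tab; it assumes the HAR entry shape (startedDateTime, request.url) and covers only the tracker domains the post names.

```javascript
// Added example (not the post's own code): classify a HAR capture from the
// Network tab and flag analytics requests that fired before consent.
const TRACKER_RULES = [
  { name: 'Google Analytics', host: /(^|\.)(google-analytics\.com|analytics\.google\.com)$/ },
  { name: 'Meta Pixel', host: /(^|\.)facebook\.com$/, path: /^\/tr(\/|$)/ },
  { name: 'Hotjar', host: /(^|\.)hotjar\.com$/ },
];

// Tracker name for a request URL, or null when it is not a known tracker.
function classifyRequest(url) {
  const { hostname, pathname } = new URL(url);
  const rule = TRACKER_RULES.find(r => r.host.test(hostname) && (!r.path || r.path.test(pathname)));
  return rule ? rule.name : null;
}

// entries: har.log.entries; consentAt: ISO timestamp of the accept click, or
// null when the visitor rejected or never answered (then every hit is a finding).
function findPreConsentHits(entries, consentAt) {
  const consentMs = consentAt === null ? Infinity : Date.parse(consentAt);
  return entries
    .map(e => ({ tracker: classifyRequest(e.request.url), url: e.request.url, t: Date.parse(e.startedDateTime) }))
    .filter(h => h.tracker !== null && h.t < consentMs);
}

// Distinct trackers seen in the capture, for the Step 1 worksheet.
function trackerInventory(entries) {
  return [...new Set(entries.map(e => classifyRequest(e.request.url)).filter(Boolean))].sort();
}

// Constructed capture: page load, three third-party calls before the banner
// is answered, accept at +5 s, then a legitimate post-consent hit.
const SAMPLE_ENTRIES = [
  { startedDateTime: '2024-05-01T10:00:00.000Z', request: { url: 'https://www.example.com/' } },
  { startedDateTime: '2024-05-01T10:00:00.200Z', request: { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXXXXX' } },
  { startedDateTime: '2024-05-01T10:00:00.300Z', request: { url: 'https://www.facebook.com/tr/?id=000&ev=PageView' } },
  { startedDateTime: '2024-05-01T10:00:01.000Z', request: { url: 'https://static.hotjar.com/c/hotjar-0.js' } },
  { startedDateTime: '2024-05-01T10:00:06.000Z', request: { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXXXXX&en=page_view' } },
];
const SAMPLE_CONSENT_AT = '2024-05-01T10:00:05.000Z';
```

A clean run (an empty result with consent given, and an empty result with consentAt null after rejecting) is the evidence to attach to your ROPA for these two checks.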

Furthermore, consider using an automated cookie scanner to verify what cookies your site sets. These tools often catch tracking scripts you’ve missed during manual review.

If you’re using UTM parameters for campaign tracking, verify that these values aren’t being stored alongside personal data in ways you haven’t documented.

Common Mistakes to Avoid

After auditing dozens of analytics setups, I see the same mistakes repeatedly. Here are the ones that create the most risk.

Loading analytics before consent. This is the number one violation I find. The script loads on page load, then the consent banner appears a moment later. By that point, data has already been sent. The UK ICO’s cookie guidance is crystal clear: non-essential cookies require prior consent.

Treating Google Analytics as automatically compliant. GA4 isn’t inherently GDPR-compliant. Without specific configuration — EU-only storage, consent mode, IP anonymization, data retention limits — it’s almost certainly violating GDPR. The 2022 decisions by Austrian, French, and Italian regulators confirmed this.

Using cookie walls. Blocking access to your site unless visitors accept cookies is illegal in most EU jurisdictions. Consent must be freely given, and making your content conditional on tracking acceptance doesn’t qualify.

Ignoring server logs. Your web server already collects IP addresses and request data in its access logs. This is also personal data under GDPR. Therefore, ensure your server log retention policy is documented and reasonable.

Copy-pasting a generic privacy policy. Regulators check whether your privacy policy matches your actual data practices. A generic template that mentions cookies you don’t use — or fails to mention ones you do — is a compliance gap that’s easy to spot.

Next Steps

Getting your analytics GDPR-compliant is a significant step, but it’s not the finish line. Here’s what to focus on after completing this guide:

  • Schedule quarterly audits. Tracking scripts creep back in as teams add new tools and plugins. Review your setup every three months.
  • Train your team. Anyone who can add tracking code to your site needs to understand these requirements. One rogue marketing pixel can undo your compliance work.
  • Monitor regulatory updates. GDPR enforcement evolves constantly. The EU-US Data Privacy Framework may affect your options — stay informed through resources like the European Data Protection Board.
  • Optimize your measurement strategy. With less data available, every tracked event matters more. Focus on the metrics that actually drive decisions rather than collecting everything you can.

Ultimately, GDPR-compliant analytics isn’t about tracking less — it’s about tracking responsibly. The companies that get this right don’t just avoid fines. They build trust with their visitors, collect cleaner data without consent bias, and make better decisions as a result. That’s a competitive advantage worth investing in.

Benjamin Whitmore

About Benjamin Whitmore

Web analytics specialist with expertise in privacy-focused tracking solutions. Helps businesses understand their audience while respecting user privacy. Writes about cookieless analytics, GDPR compliance, and modern marketing measurement.