Skip to content
SealMetrics
Regulation

Is Your Analytics Actually GDPR-Compliant?

“GDPR-compliant” is printed on almost every analytics homepage. Two different laws decide whether it's true — and most tools only clear one of them. Here is the legal test, and where GA4, Matomo, Plausible, Piwik PRO and SealMetrics each land.

9 min readBy Rafa Jiménez

Every analytics vendor calls itself GDPR-compliant. The claim is nearly meaningless on its own, because compliance isn't a badge a tool either has or doesn't — it's a function of what the tool does on the page, what it stores, and what it can legally do without asking the visitor first. The gap that matters to a marketing team is narrow and expensive: whether your analytics needs a consent banner. If it does, roughly a third of your EU visitors will reject it, and those visitors vanish from your data before you can measure a single conversion.

So the practical question isn't “is this tool GDPR-compliant.” It's “can this tool measure my traffic without a consent banner, lawfully.” Answering that requires separating two laws that get collapsed into one in everyday conversation — because a tool can satisfy one and still fail the other.

Two laws, not one

“The GDPR” is doing too much work in most privacy conversations. Consent-free analytics has to clear two separate legal bars, set by two separate instruments:

ePrivacy
ePrivacy Directive — Article 5(3)
Governs storing or reading information on a visitor's device. Any cookie, localStorage entry or fingerprint that isn't strictly necessary needs prior consent. This is the “cookie law,” and it applies whether or not the data is personal.
GDPR
GDPR — the personal-data law
Governs the processing of personal data, including IP addresses and online identifiers. Touch personal data and you need a lawful basis plus the full set of GDPR obligations. Process none, and GDPR simply does not apply.
ePrivacy asks “did you touch the device?” GDPR asks “did you process personal data?” They are answered independently.

This is the distinction most “GDPR-compliant analytics” copy blurs. A tool can be perfectly clean under GDPR — anonymising everything it processes — and still trip Article 5(3) of ePrivacy because it drops a cookie. Conversely, a tool could avoid cookies yet still process an IP address in a way that needs a GDPR lawful basis. Both bars have to clear before you can drop the banner. The concept has a name and a longer treatment on our GDPR analytics compliance glossary entry; the two-part test below is the operational version of it.

The consent-free test

Reduced to its working form, analytics can run without a consent banner when it passes both of these — and only when it passes both:

Test 1 · the device

Nothing is stored on or read from the visitor's device — no cookies, no localStorage, no fingerprinting. This clears ePrivacy Article 5(3), the consent trigger that applies to all storage, personal or not.

Test 2 · the data

No personal data is processed — no IP retention, no online identifiers, only aggregate, anonymous counts. With no personal data in play, GDPR does not apply to the measurement at all.

Pass both and no consent banner is legally required for your analytics. Fail either and you are back to a banner — and the data loss that comes with it.

Both locks must open. Most tools open one.

Regulators have been converging on exactly this reading. France's CNIL maintains an exemption for analytics that meets a set of technical criteria — the basis for the self-assessment we published showing how SealMetrics satisfies it. The UK's DUAA 2025 introduced a live analytics exemption under PECR. And the proposed EU Digital Omnibus (COM(2025) 837) would move cookie-consent rules into GDPR and give first-party analytics an explicit legal footing — still a proposal, but a clear direction of travel. Every one of these rewards the same architecture: no device storage, no personal data.

Where each tool lands

With the test defined, the major analytics tools sort themselves cleanly. The table reads across the two-part test — device storage and personal data — plus where the data lives and which category the tool competes in.

ToolCookiesBanner in EUPersonal dataData locationCategory
GA4 (Google Analytics 4)Yes (_ga, client ID)Required for full dataYes — IP, client IDUS company; EU options via Consent ModeEnterprise incumbent
Adobe AnalyticsYesRequiredYesUS companyEnterprise legacy
Piwik PROConfigurableConsent-based by defaultConfigurableEU (Germany) or privateEU enterprise privacy
Matomo (cookieless + self-hosted)No, in that configNot required in exempted configMinimised / anonymisedWherever you host itOpen-source, self-managed
Plausible · Fathom · UmamiNoNot requiredNone / minimalEU optionsLightweight privacy-first (€9–50/mo)
SealMetricsNo — cookieless by architectureNot requiredNone — 0 PII, aggregate onlyEU — Dublin, IrelandEnterprise, complete-data

Assessment reflects each tool's standard EU deployment as of July 2026. Cookieless configurations of Matomo and privacy settings in Piwik PRO can change the outcome for those rows; the enterprise incumbents cannot be configured out of their cookie and consent dependency.

GA4 and Adobe — deep, but consent-dependent

GA4 works well as an analytics product, and for a US-centric business the compliance questions are lighter. In the EU, though, it sets cookies and processes personal data, so it needs a consent banner for full measurement — and that is precisely why GA4 ends up reporting a sliver of real EU traffic. Google has added EU data hosting and Consent Mode since the 2022 Schrems II rulings against specific GA deployments, but the architecture is unchanged: cookie-based, consent-gated, incomplete once visitors decline. Adobe Analytics sits in the same position at a higher price point.

Matomo and Piwik PRO — privacy-capable, with a cost

Matomo deserves credit: in its cookieless, anonymised-IP configuration it can run consent-free, and CNIL has recognised compliant Matomo setups. Self-hosting keeps the data on infrastructure you control. The cost is operational — you either run and maintain the server yourself, or move to Matomo Cloud — and the consent-free configuration trades away some measurement accuracy. Piwik PRO is the EU enterprise cousin: privacy-configurable, EU-hosted, but consent-based by default and priced at the enterprise tier (€30K+/yr). Both are real options; the open question for an eCommerce team is whether they deliver complete data and revenue attribution without an engineering project attached. We put the detail side by side on our SealMetrics vs Matomo comparison.

Plausible, Fathom, Umami — compliant, but a different category

These are the cleanest tools on the consent test and the easiest to praise: cookieless, little or no personal data, EU hosting available, no banner. They are also a different category of product. Priced around €9–50 a month, they are built for simple, privacy-respecting traffic reporting — pageviews, sources, top pages — not for eCommerce revenue attribution, funnel analysis, or the data depth a 10M€+ operation runs on. If you publish a blog, they are an excellent, honest choice. If you run a European eCommerce business making budget decisions on channel-level return, they were not built for the job. Compliant and complete are two different bars, and the lightweight tier clears the first by staying small.

SealMetrics — compliant and complete

The trade-off running through this whole table is between compliance and completeness. Enterprise incumbents are complete but consent-gated, so they lose EU data at the banner. Lightweight privacy tools are compliant but shallow. SealMetrics is designed to sit where neither has to be sacrificed: cookieless by architecture, zero PII, aggregate-only, and EU-hosted in Dublin — so it passes both halves of the consent test and needs no banner, while still delivering last-click revenue attribution and eCommerce depth on 100% of traffic. Compliance here is a property of the architecture, not a configuration you have to get right: GDPR by design, ePrivacy-clean, Schrems II-clean, DPA included. It is worth being precise about what that does not include — SealMetrics does not claim ISO 27001 or SOC 2 certification, and its case rests on how it's built rather than on a certificate.

What to actually check before you trust the badge

When a vendor tells you it's GDPR-compliant, the useful follow-ups are short and specific. Does it set anything on the device — a cookie, localStorage, a fingerprint? If yes, it needs consent under ePrivacy regardless of how anonymous the data is. Does it process any personal data, including raw IP addresses? If yes, it needs a GDPR lawful basis. Where is the data hosted, and is there a DPA? And — the question the compliance conversation usually forgets — how much of your traffic actually survives the setup, because a compliant tool that only sees the visitors who clicked “accept” is compliant and blind at the same time. For the full framework, our consentless analytics page walks through each requirement, and if you're weighing a move off GA4 specifically, the Google Analytics alternatives guide maps the options against exactly these tests.

The short version: compliance and completeness are separate properties, and most of the market makes you choose. The two-part test is how you tell which one a given tool actually gives you — and whether the “GDPR-compliant” on its homepage means lawful without a banner or just lawful if you ask permission first.

Frequently asked questions

Does web analytics require a cookie consent banner?

Not always. A consent banner is legally required only when your analytics does something that triggers consent under one of two laws. Under the ePrivacy Directive (Article 5(3)), consent is needed to store or read information on a visitor's device — a cookie, a localStorage entry, a fingerprint. Under GDPR, a lawful basis is needed to process personal data such as an IP address or an online identifier. Analytics that stores nothing on the device and processes no personal data clears both bars, and no banner is required for it.

Is Google Analytics (GA4) GDPR-compliant?

GA4 can be operated under GDPR with consent, but it is not consent-free. It sets first-party cookies and processes personal data (IP-derived location, client ID), so in the EU it requires a consent banner for full measurement — and consent rejection is why GA4 typically reports a fraction of real EU traffic. Google is a US company; between 2022 and 2023 several EU regulators (Austria, France, Italy) found specific GA deployments unlawful under the Schrems II ruling on US data transfers. Google has since added EU-based data options and Consent Mode, but the tool remains cookie-based and consent-dependent.

Is Matomo GDPR-compliant?

Matomo can be. In its cookieless configuration — no cookies, anonymised IP, respecting Do Not Track — Matomo can run without consent, and France's CNIL has listed compliant Matomo configurations among analytics that may be used consent-free. Self-hosting also keeps data on infrastructure you control. The trade-offs are operational: you either self-host and maintain it, or use Matomo Cloud, and the cookieless configuration sacrifices some measurement accuracy. It is a credible privacy-focused tool; the question is whether it gives an enterprise eCommerce team complete data and revenue attribution without an engineering burden.

Is Plausible GDPR-compliant?

Yes. Plausible, along with Fathom and Umami, is cookieless by default, processes little or no personal data, and can be hosted in the EU, so it generally runs without a consent banner. These are lightweight, privacy-first analytics tools in a different category from enterprise platforms — priced around €9–50/month and built for simple traffic reporting rather than eCommerce revenue attribution, funnels, or the data depth an enterprise marketing team needs. They are a good fit for a blog or a small site; they are not designed for a 10M€+ eCommerce operation.

What is the most complete GDPR-compliant analytics platform?

Most tools force a trade-off: enterprise platforms like GA4 and Adobe are deep but consent-dependent, so they lose EU data at the banner; lightweight privacy tools are compliant but shallow. SealMetrics is built to remove the trade-off — cookieless by architecture, zero PII, aggregate-only, and EU-hosted in Dublin, so it needs no consent banner and captures 100% of traffic, while still providing last-click revenue attribution and eCommerce depth. It is GDPR-compliant by architecture rather than by configuration, with a DPA included and a clean Schrems II posture.

What makes SealMetrics consent-free by design?

SealMetrics stores nothing on the visitor's device and processes no personal data. There are no cookies, no localStorage, no fingerprinting, and no IP retention or personal identifiers — measurement is aggregate and anonymous at the event level. Because it clears both the ePrivacy device test and the GDPR personal-data test, no consent banner is legally required for it. Data is hosted in Dublin, Ireland, a DPA is included, and attribution is last-click on 100% of traffic. Note SealMetrics does not claim ISO 27001 or SOC 2 certification; its compliance case rests on architecture — GDPR by design, ePrivacy, and Schrems II-clean EU hosting.

This article is general information about how data-protection law applies to web analytics, not legal advice. For your specific deployment, confirm with your DPO or counsel.

Related reading

Go deeper