Definition

GDPR Analytics Compliance

Meeting GDPR requirements for web analytics: lawful basis for processing, data minimization, purpose limitation, and — if using cookies — valid consent collection before tracking.

What does GDPR require from web analytics?

The General Data Protection Regulation (GDPR) applies to any processing of personal data of EU residents. For web analytics, the key requirements are:

—Lawful basis — typically consent (Article 6(1)(a)) for cookie-based tracking, or legitimate interest for non-personal data collection
—Data minimization — collect only what is necessary for the stated purpose
—Purpose limitation — use the data only for the declared analytics purpose
—Storage limitation — define and enforce data retention periods
—Data subject rights — facilitate access, rectification, erasure requests

What does the ePrivacy Directive add?

Beyond GDPR, the ePrivacy Directive (Article 5(3)) requires consent before accessing or storing information on a user’s device — which includes setting cookies. This is why consent management platforms are required for cookie-based analytics.

How does cookieless analytics achieve compliance by architecture?

Cookieless analytics approaches compliance differently. By collecting no personal data and storing nothing on the visitor’s device, the consent requirement under ePrivacy does not apply, and GDPR obligations are minimal. This is consistent with guidance from CNIL (France), DSK (Germany), and other EU data protection authorities on audience measurement exemptions.

Related concepts

Learn more: Security & Privacy Architecture · GDPR Analytics Without Consent

Quick answer

GDPR analytics compliance is the practice of meeting the EU’s General Data Protection Regulation requirements when measuring website traffic — lawful basis for processing, data minimisation, purpose limitation, storage limitation, and where cookies are involved, valid consent collected before any tracking begins. The ePrivacy Directive (Article 5(3)) adds a second layer: consent is required before reading or storing information on a user’s device, which covers cookies, localStorage, fingerprinting and similar mechanisms.

Two architectural paths satisfy these obligations. Cookie-based analytics (GA4, Adobe Analytics, Piwik PRO) require a Consent Management Platform; visitors who reject the banner — typically 40-60% of EU traffic — are excluded from measurement. Cookieless analytics avoids the trigger entirely: with no personal data collected and no identifier stored on the device, neither GDPR’s lawful-basis requirement nor ePrivacy’s consent requirement is engaged. CNIL’s 2020 audience-measurement deliberation explicitly supports this approach when properly implemented.