Skip to content
SealMetrics
Regulatory gap analysis

Find where your analytics falls out of compliance.

“GDPR-compliant” is a claim, not an audit. A gap analysis maps your analytics stack against every requirement it actually has to meet — ePrivacy, GDPR, the Spanish AEPD, UK PECR — and shows exactly where it falls short. Below is the framework, requirement by requirement, and how a cookieless architecture closes each gap.

GDPR · ePrivacy · AEPD · UK PECR

The single source of truth eCommerce signs against

Dreamplace Hotels recovered +30% more traffic vs GA4 and closed a 15–20% gap in sales attribution against their CRM. Palladium Hotel Group recovered 35% of unattributed bookings and improved Display CPS by +165%.

Palladium Hotel Group
Dreamplace Hotels
Acciona
Crocs
Desigual
UNICEF
Casa Batlló
Juguettos
3Cat
Fundación Bankinter
Dormideo
Incapto
The framework

Eight requirements, one honest audit.

For each requirement: what the law demands, where a typical GA4 or Adobe stack opens a gap, and the architectural change that closes it. This is the compliance layer behind GDPR-compliant analytics.

ePrivacy · Art 5(3)

Consent for device storage

Any non-essential cookie, localStorage entry or fingerprint needs prior consent before it is set.

GapGA4 and Adobe set cookies, so a consent banner is mandatory — and roughly a third of EU visitors decline it.
ClosedNo cookies, no localStorage, no fingerprinting — nothing is stored on the device, so no consent is triggered.
GDPR · Art 6

Lawful basis for personal data

Processing an IP address or online identifier needs a valid lawful basis — consent or a defensible legitimate interest.

GapCookie-based tools lean on consent that is often withheld, or a legitimate interest that regulators increasingly contest.
ClosedMeasurement processes no personal data at all, so there is no basis to establish — GDPR does not apply to it.
GDPR · Art 5(1)(c)

Data minimisation

Collect only the data necessary for the purpose — no more.

GapClient IDs, device graphs and behavioural profiles collect far more than measurement requires.
ClosedAggregate, anonymous events only — the minimum needed to count what happened, nothing that identifies a person.
GDPR · Chapter V

International data transfers (Schrems II)

Personal data may not be transferred to a third country without adequate protection.

GapGA4 and Adobe are US processors; specific deployments were ruled unlawful by EU regulators over US transfers.
ClosedHosted end-to-end in Dublin, Ireland. No transfer to the US, no reliance on contested transfer mechanisms.
GDPR · Art 15 & 17

Data subject rights (access, erasure)

Individuals can request access to, and erasure of, their personal data.

GapPer-user analytics data creates a standing obligation to locate, disclose and delete it on request.
ClosedNo personal data is stored, so there is nothing to disclose or erase — the obligation never arises for measurement.
AEPD · cookie guidance

Valid consent UX (Spain)

Rejecting must be as easy as accepting, with no cookie walls and granular, unbundled choices.

GapDark-pattern banners that nudge acceptance are a frequent source of AEPD complaints and fines.
ClosedWith no cookies in scope for measurement, there is no banner to design, and no dark pattern to defend.
GDPR · Art 28

Processor terms & DPA

A data processing agreement must be in place with every processor handling personal data.

GapAnalytics, tag managers and CMPs form a patchwork of processors, each needing its own signed DPA.
ClosedOne EU processor, one DPA included as standard — a materially smaller processor surface to govern.
UK · PECR / DUAA 2025

Analytics consent exemption

Analytics can run without consent in the UK only if it meets the DUAA 2025 / PECR exemption criteria.

GapCookie-based, cross-site or personal-data analytics does not qualify for the exemption.
ClosedCookieless, first-party, no personal data — the profile the exemption was written for. See our PECR self-assessment.
Score your stack

A two-minute self-assessment.

Answer these six questions about your current analytics. Every “yes” is an open gap against one of the requirements above.

0 gaps — your measurement is compliant by architecture.
1–2 gaps — configuration risk; worth a formal review.
3+ gaps — you are relying on consent and losing EU data to it. A cookieless architecture closes the set at once.

  1. 01Does your analytics set any cookie, or store anything on the visitor's device?
  2. 02Do you show a consent banner in order to measure traffic?
  3. 03Does your tool process IP addresses or persistent identifiers?
  4. 04Is your analytics data processed in the US, or by a US-headquartered company?
  5. 05Would fulfilling an erasure request for analytics data be difficult?
  6. 06Do you lose EU visitors from your reporting when they reject the banner?
From analysis to evidence

A gap analysis is only useful if you can prove the close.

Closing a gap on paper is one thing; producing the documentation a DPO or regulator will accept is another. We publish the evidence: the CNIL self-assessment showing how the architecture meets France's technical criteria, the security & compliance posture (EU hosting in Dublin, Schrems II, the TPSR package), the DPA included as standard, and the underlying cookieless architecture that makes the gaps close by design rather than by configuration.

FAQ

The questions a compliance review raises.

Honest answers about analytics gap analysis, which regulations to cover, and what it takes to measure lawfully without a consent banner.

Still have questions? Our team — including the founder — is one message away.

Talk to us

Stop assuming compliance. Analyse the gaps.

Run SealMetrics alongside your current analytics for 30 days. See the gaps close and the EU data you were losing come back. If the gap isn't real, you owe us nothing.

Built by a founder · supported by a founder · EU-hosted by design