Find where your analytics falls out of compliance.
“GDPR-compliant” is a claim, not an audit. A gap analysis maps your analytics stack against every requirement it actually has to meet — ePrivacy, GDPR, the Spanish AEPD, UK PECR — and shows exactly where it falls short. Below is the framework, requirement by requirement, and how a cookieless architecture closes each gap.
GDPR · ePrivacy · AEPD · UK PECR
The single source of truth eCommerce signs against
Dreamplace Hotels recovered +30% more traffic vs GA4 and closed a 15–20% gap in sales attribution against their CRM. Palladium Hotel Group recovered 35% of unattributed bookings and improved Display CPS by +165%.





Eight requirements, one honest audit.
For each requirement: what the law demands, where a typical GA4 or Adobe stack opens a gap, and the architectural change that closes it. This is the compliance layer behind GDPR-compliant analytics.
Consent for device storage
Any non-essential cookie, localStorage entry or fingerprint needs prior consent before it is set.
Lawful basis for personal data
Processing an IP address or online identifier needs a valid lawful basis — consent or a defensible legitimate interest.
Data minimisation
Collect only the data necessary for the purpose — no more.
International data transfers (Schrems II)
Personal data may not be transferred to a third country without adequate protection.
Data subject rights (access, erasure)
Individuals can request access to, and erasure of, their personal data.
Valid consent UX (Spain)
Rejecting must be as easy as accepting, with no cookie walls and granular, unbundled choices.
Processor terms & DPA
A data processing agreement must be in place with every processor handling personal data.
Analytics consent exemption
Analytics can run without consent in the UK only if it meets the DUAA 2025 / PECR exemption criteria.
A two-minute self-assessment.
Answer these six questions about your current analytics. Every “yes” is an open gap against one of the requirements above.
0 gaps — your measurement is compliant by architecture.
1–2 gaps — configuration risk; worth a formal review.
3+ gaps — you are relying on consent and losing EU data to it. A cookieless architecture closes the set at once.
- 01Does your analytics set any cookie, or store anything on the visitor's device?
- 02Do you show a consent banner in order to measure traffic?
- 03Does your tool process IP addresses or persistent identifiers?
- 04Is your analytics data processed in the US, or by a US-headquartered company?
- 05Would fulfilling an erasure request for analytics data be difficult?
- 06Do you lose EU visitors from your reporting when they reject the banner?
A gap analysis is only useful if you can prove the close.
Closing a gap on paper is one thing; producing the documentation a DPO or regulator will accept is another. We publish the evidence: the CNIL self-assessment showing how the architecture meets France's technical criteria, the security & compliance posture (EU hosting in Dublin, Schrems II, the TPSR package), the DPA included as standard, and the underlying cookieless architecture that makes the gaps close by design rather than by configuration.
The questions a compliance review raises.
Honest answers about analytics gap analysis, which regulations to cover, and what it takes to measure lawfully without a consent banner.
Still have questions? Our team — including the founder — is one message away.
Talk to us →Stop assuming compliance. Analyse the gaps.
Run SealMetrics alongside your current analytics for 30 days. See the gaps close and the EU data you were losing come back. If the gap isn't real, you owe us nothing.
Built by a founder · supported by a founder · EU-hosted by design
