
GDPR and Website Analytics: A Practical Guide for Website Owners

What the regulation actually requires, which approaches are lawful, and how to choose the right one for your site.

Most website owners have a vague sense that GDPR and analytics are in tension with each other, but few have a clear picture of what the regulation actually requires. The result is a lot of compliance theater: cookie banners that are configured wrong, consent management platforms that collect consent without actually controlling the underlying tracking, and analytics setups that look compliant but are not.

This guide covers what GDPR means specifically for website analytics, what the three main approaches to lawful analytics look like in practice, and how to choose between them based on your situation.

The core conflict

Web analytics, in its traditional form, works by assigning a persistent identifier to each visitor and using that identifier to track their behavior across pages, sessions, and time. The identifier is usually stored in a browser cookie. Because a persistent identifier attached to a person's browsing behavior constitutes personal data under GDPR, collecting it requires a lawful basis.

The ePrivacy Directive adds a second layer on top of GDPR: storing information on a user's device, or reading information already stored there, requires the user's prior consent unless it is strictly necessary to provide a service the user has explicitly requested. That rule covers analytics cookies, and equally any other client-side storage or browser fingerprinting used for the same purpose, and analytics is not strictly necessary by that definition. So traditional cookie-based analytics requires consent before the tracking begins, whatever GDPR lawful basis you claim for the data that follows.

This is the origin of cookie consent banners. They exist because the standard analytics stack sets cookies, and those cookies require consent under EU law.

The three approaches to GDPR-compliant analytics

There are three approaches under which websites in the EU run analytics lawfully. Each rests on a different legal footing and has different practical consequences.

Consent-based tracking. This is the approach most websites using Google Analytics take. You display a cookie consent banner before the analytics script loads. Visitors who accept are tracked; visitors who decline are not. The approach is legally defensible when implemented correctly, but the operational cost is significant. You need a consent management platform (CMP) that actually blocks scripts until consent is given. You need to log consent records. You need to honor withdrawal requests. And you permanently lose data for every visitor who declines, which can be 20 to 40 percent of EU traffic depending on your audience and how the banner is designed.

Legitimate interest. Some website owners argue that analytics can be run under the "legitimate interest" lawful basis (Article 6(1)(f) of GDPR), which does not require consent. Two limits apply. First, a GDPR lawful basis does not override the ePrivacy rule: if the tool sets cookies or reads other data on the device, consent is still needed for that step, whatever basis you cite for the processing that follows. Second, the balancing test only comes out in the operator's favor when the analytics genuinely does not create persistent identifiers, does not share data with third parties, and is strictly limited to measuring site performance. Google Analytics does not meet these criteria, and neither do most standard analytics tools. The French CNIL's guidance on audience measurement applies the same logic: its consent exemption covers only tools that measure the site's own audience, produce aggregate statistics, do not track visitors across sites and do not share data with third parties. If your tool sets cookies or builds individual profiles, neither legitimate interest nor the audience-measurement exemption is available to you, regardless of how you frame it in your privacy policy.

Privacy-first, cookieless analytics. The third approach avoids the problem at its source by never retaining personal data. If your analytics tool writes nothing to the device (no cookies, no local storage), does not fingerprint the browser, stores no IP addresses, and creates no identifier that persists beyond a single day, then it holds no personal data. GDPR's lawful-basis question does not arise, and the ePrivacy Directive's consent rule does not apply because nothing is stored on or read from the device. You can collect analytics data from every visitor without a banner, without a CMP, and without data gaps caused by visitors who opt out.

The problem with consent-based analytics in practice

Consent-based analytics sounds reasonable in principle — ask for permission, respect the answer. The practical problems are significant enough that many website owners who started with this approach have moved away from it.

First, the data gap. Visitors who decline consent are invisible to your analytics. On EU-focused sites, this can be a substantial portion of your audience. The effect is not random noise — it tends to skew toward privacy-conscious users, technically sophisticated visitors, and people using browsers with strong privacy defaults. Your analytics data systematically underrepresents these groups.

Second, implementation complexity. GDPR-compliant consent management requires that the analytics script not load at all until consent is granted. Many implementations get this wrong: the script is injected at page load and only afterwards checks the stored decision, so its first request has already gone out by the time a "denied" answer is read; or the CMP's blocking rule and the script's own loading race each other, with the same result. A consent banner that does not actually block tracking is a GDPR violation even if it looks compliant to a casual observer.

Third, the consent record requirement. You must be able to demonstrate that consent was obtained for each visitor. This means storing consent logs with timestamps, and honoring requests to withdraw consent. The operational overhead is real.

Fourth, conversion impact. Cookie banners measurably affect user behavior. Visitors who encounter a consent modal before seeing your content are more likely to leave immediately. The analytics tool intended to help you understand your traffic ends up reducing the traffic worth measuring.
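The second and third problems above come down to ordering and record-keeping. The following is an added example, not the code of any consent management platform or of the author: a small consent gate that injects the analytics script only after a recorded grant, keeps a timestamped consent log, and honors withdrawal, shown next to the eager-loading pattern that gets the ordering wrong. `fakeDocument` and `fakeStorage` are constructed stand-ins for `document` and `localStorage` so the logic runs outside a browser, and the script URL is assumed.

```javascript
// Added example (not any CMP's code): consent gating done wrong and done right.
// `doc` and `store` are injected stand-ins for document/localStorage so this runs
// outside a browser; ANALYTICS_SRC is an assumed URL.

const ANALYTICS_SRC = "https://analytics.example/script.js"; // assumed
const CONSENT_KEY = "analytics-consent";

// Constructed stand-ins: record what would be appended to <head> and what is persisted.
function fakeDocument() {
  const injected = [];
  return {
    injected,
    createElement: (tag) => ({ tagName: tag.toUpperCase() }),
    head: { appendChild: (el) => { injected.push(el); return el; } },
  };
}
function fakeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

function injectScript(doc) {
  const s = doc.createElement("script");
  s.src = ANALYTICS_SRC;
  s.async = true;
  doc.head.appendChild(s);
}

// WRONG (the race described above): the tag is appended at page load and the stored
// decision is only read afterwards. The first hit is on its way before "denied" is seen.
function loadAnalyticsEagerly(doc, store) {
  injectScript(doc);
  const prior = JSON.parse(store.getItem(CONSENT_KEY) || "null");
  return prior !== null && prior.decision === "granted";
}

// RIGHT: nothing is injected until a grant is on record, at page load or from the banner.
class ConsentGate {
  constructor(doc, store, now = () => new Date()) {
    this.doc = doc;
    this.store = store;
    this.now = now;
    this.log = [];        // audit trail: every decision with its timestamp
    this.loaded = false;
  }

  // Page load: consult the persisted decision before touching the DOM.
  init() {
    const prior = JSON.parse(this.store.getItem(CONSENT_KEY) || "null");
    if (prior !== null && prior.decision === "granted") this.load();
    return prior;
  }

  // Banner callback: "granted" | "denied" | "withdrawn".
  decide(decision) {
    const record = { decision, at: this.now().toISOString() };
    this.log.push(record);
    this.store.setItem(CONSENT_KEY, JSON.stringify(record));
    if (decision === "granted") this.load();
    return record;
  }

  // Withdrawal is recorded like any other decision. A script that already ran cannot
  // be un-run; the page must reload (or use the vendor's own opt-out) so that the next
  // init() sees "withdrawn" and injects nothing.
  withdraw() {
    return this.decide("withdrawn");
  }

  load() {
    if (this.loaded) return;
    injectScript(this.doc);
    this.loaded = true;
  }
}

// Walk both patterns: a visitor who declined, then one who grants and later withdraws.
function demo() {
  const fixedNow = () => new Date("2024-03-01T10:00:00Z");

  const eagerDoc = fakeDocument(), eagerStore = fakeStorage();
  eagerStore.setItem(CONSENT_KEY, JSON.stringify({ decision: "denied", at: "2024-02-28T09:00:00Z" }));
  loadAnalyticsEagerly(eagerDoc, eagerStore);

  const doc = fakeDocument(), store = fakeStorage();
  const gate = new ConsentGate(doc, store, fixedNow);
  gate.init();
  const injectedBeforeAnyDecision = doc.injected.length;
  gate.decide("denied");
  const injectedAfterDenial = doc.injected.length;
  gate.decide("granted");
  const injectedAfterGrant = doc.injected.length;
  gate.withdraw();

  const reloadDoc = fakeDocument();             // next page load, same storage
  new ConsentGate(reloadDoc, store, fixedNow).init();

  return {
    eagerInjectedDespiteDenial: eagerDoc.injected.length,     // 1: the bug
    injectedBeforeAnyDecision,                                 // 0
    injectedAfterDenial,                                       // 0
    injectedAfterGrant,                                        // 1
    injectedAfterWithdrawalReload: reloadDoc.injected.length,  // 0
    consentLog: gate.log.map((r) => r.decision),               // denied, granted, withdrawn
  };
}
```

The point of `init()` is that the persisted decision is read synchronously before any DOM mutation, so there is no window in which the script can load ahead of the answer. The in-memory `log` stands in for the consent record the text describes; in a real deployment each record is also sent to your own server, because storage in the visitor's browser is under the visitor's control and is not evidence you can produce later.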

What EU enforcement has looked like

GDPR enforcement against analytics tools has been more active than many website owners realize. Between 2022 and 2023, data protection authorities in Austria, France, Italy, the Netherlands, Denmark, Norway, Sweden, and Finland published guidance, preliminary findings or enforcement decisions to the effect that Google Analytics in its standard configuration violated GDPR. The core issue in most cases was the transfer of personal data to the United States, where EU residents' data is exposed to US surveillance law without equivalent legal protection or redress.

The Austrian decision, issued by the Datenschutzbehörde (DSB) in January 2022, was the first. It found that a website's transmission of visitor data to Google's US servers via the analytics script constituted an unlawful international transfer. Similar conclusions followed in France (CNIL), Italy (Garante), and elsewhere. These decisions applied not just to the analytics vendor but to the website operators using the tool.

The EU-US Data Privacy Framework adopted in 2023 created a new legal mechanism for transatlantic data transfers, and Google Analytics was updated to rely on it. However, Max Schrems (whose legal actions led the Court of Justice of the EU to invalidate Safe Harbor in 2015 and Privacy Shield in 2020) has already signaled intent to challenge the new framework. The same pattern has played out twice: the US and EU negotiate a transfer mechanism, it is challenged, the court strikes it down, negotiations start again. For website operators who want compliance certainty rather than compliance probability, the safest path is an analytics tool that does not transfer personal data in the first place, because then there is nothing to challenge.

How cookieless analytics satisfies GDPR

A cookieless analytics tool eliminates the GDPR problem at its source. No cookie is set. No IP address is stored. Instead, the analytics server computes a keyed hash over the incoming request (the IP address, often combined with the User-Agent and the site hostname) using a secret salt that rotates daily, and counts distinct hashes to measure unique visitors. When the day ends and the salt rotates, the same visitor produces a completely different hash, so visits cannot be linked across days and no stored value identifies a person under GDPR's definition. This only holds if old salts are destroyed on rotation and never written to disk: with the salt in hand, the IPv4 address space is small enough to recover an address from its hash by brute force, which would turn the stored hashes back into pseudonymous personal data.

Because this approach retains no personal data, the GDPR lawful basis question does not arise and the ePrivacy Directive's cookie consent requirement does not apply. The French CNIL has specifically recognized this category of audience measurement as outside the scope of consent requirements, provided the tool is used only to measure the site's own audience, produces aggregate statistics, does not track visitors across sites, and does not share data with third parties. (For a more detailed technical explanation of how cookieless visitor counting works, see our post on GDPR-compliant analytics without cookie banners.)

The data you retain is sufficient for most website operators' purposes: pageviews, unique visitors (per day), referrers, UTM parameters, top pages, countries, browsers, and devices. What you give up is persistent user identification across multiple days and cross-session behavioral funnels. For most SaaS marketing sites, content sites, and e-commerce stores, the day-level aggregate data is more than enough to make good decisions about traffic and content.

Choosing the right approach for your site

The right analytics approach depends on what questions you need to answer.

If your primary analytics use case is understanding traffic: where visitors come from, which pages they read, which countries they are in, and whether traffic is growing or declining, cookieless analytics gives you complete data with no compliance overhead. This covers the overwhelming majority of website owners.

If you need to connect web behavior to paid advertising campaigns with cross-session attribution, or if you require individual-level behavioral analysis for product decisions, you will need consent-based tracking. The trade-off is accepting the data gap from visitors who decline, the cost and complexity of a compliant CMP, and ongoing monitoring of the legal landscape for transatlantic data transfers.

For SaaS founders specifically, there is a third consideration: connecting traffic data to revenue. Web analytics tells you how many visitors you have; it does not tell you which traffic sources convert to paying customers. Tools that combine cookieless web analytics with native Stripe integration let you see MRR, churn, and trial conversion rates alongside traffic data, without the compliance cost of a consent-based stack.

A practical compliance checklist

If you are auditing your current analytics setup for GDPR compliance, these are the questions to answer:

  • Does your analytics tool set cookies, use any other persistent client-side storage, or fingerprint the browser?
  • Does it store visitor IP addresses, or retain them beyond the moment of receipt?
  • Does it transfer personal data to servers located outside the EEA?
  • If yes to either of the first two: do you have a consent management platform that blocks the analytics script until consent is granted (not merely displayed)?
  • Do you log consent timestamps and respect withdrawal requests?
  • If yes to the third: which transfer mechanism covers it (the vendor's Data Privacy Framework certification, or standard contractual clauses with a transfer impact assessment), and have you checked that it is still valid?
  • Does your privacy policy accurately describe what data is collected and how it is used?
  • Do you have a Data Processing Agreement (DPA) with your analytics vendor? (GDPR requires a DPA with any third-party processor that handles personal data on your behalf. Your analytics vendor qualifies if they are processing personal data from your visitors.)

If you use a cookieless analytics tool that retains no personal data, the answer to the first three questions is "no" and the consent, logging and transfer questions fall away. Your privacy policy still needs to mention your analytics approach, but you do not need to describe data transfers, consent mechanisms, or subject rights over analytics data. It is still worth signing a DPA with the vendor: its server receives the raw IP address on every request before hashing it, and a DPA costs little and settles any argument about that moment of processing.

How Abner handles GDPR

Abner is a cookieless analytics platform built specifically for SaaS founders. It identifies visitors by daily-salted IP hashing, sets no cookies, stores no raw IP addresses, and its script sends no cookies or identifiers from the browser; the only per-visitor input is the request's IP address, which is hashed on receipt and not retained. The tracking script is under 2KB. No consent banner is required.

Because Abner does not process personal data, you do not need to include it in your GDPR consent configuration, your Data Protection Impact Assessment, or your cookie policy. It falls outside the scope of GDPR's consent requirements by design.

Alongside web analytics, Abner connects to Stripe to show MRR, churn rate, LTV, ARPU, and trial-to-paid conversion on the same dashboard as your traffic data. The installation takes five minutes. There is no complex configuration and no CMP to set up.

Try Abner free for 14 days with no credit card required.
