Last updated: February 2026
If you run a website with European visitors, your analytics setup is a legal liability. That’s not fear-mongering — it’s the reality of GDPR enforcement in 2026.
Since 2022, data protection authorities in Austria, France, Italy, Norway, Denmark, Finland, and Sweden have ruled against Google Analytics. The UK’s ICO reviewed the top 1,000 UK websites for cookie compliance in 2025, and 564 of them had to fix their tracking. Meanwhile, the EU-US Data Privacy Framework that was supposed to settle transatlantic data transfers is under threat after the Privacy and Civil Liberties Oversight Board (PCLOB) lost its quorum in January 2025.
This guide explains what privacy-compliant analytics actually means, what the law requires, and how to set up analytics that won’t land you in trouble. Whether you’re running a blog or an enterprise SaaS, the principles are the same.
What “Privacy-Compliant” Actually Means
Every analytics vendor claims to be “GDPR-friendly.” Most of them are stretching the truth. Here’s what privacy-compliant analytics actually requires — based on how EU data protection authorities interpret the law, not how marketing departments describe their products.

1. Cookieless by default. If your analytics tool drops cookies, you need a consent banner. Under the ePrivacy Directive (Article 5(3)), storing information on a user’s device, or reading information already stored there, requires prior consent, regardless of whether the data is “personal.” The only exception is storage that is “strictly necessary” to provide a service the user explicitly requested, and analytics cookies are not strictly necessary. Note that the rule is about the device, not the cookie format: a tool that swaps cookies for localStorage or device fingerprinting is still caught by Article 5(3), so “cookieless” only helps if the tool stores and reads nothing on the client.
2. No personal data collection. Under GDPR, personal data includes IP addresses, device fingerprints, and any combination of data points that could single out an individual. Truly compliant analytics tools discard identifiers, or hash them in a way that cannot be reversed, and work with aggregate data only. Be precise here: a stable hash of an IP address is pseudonymisation, not anonymisation, and the hash remains personal data as long as anyone holding the key can recompute it. Tools that want to stay outside GDPR’s scope rotate the salt (typically daily), never keep the raw input, and store only counts.
3. Data stays in the EU (or under adequate protection). If your analytics tool transfers data outside the EEA, you need a legal basis — typically an adequacy decision or Standard Contractual Clauses (SCCs). As we’ll see below, the current EU-US framework is on shaky ground.
4. Valid legal basis for processing. Even without cookies, you still need a legal basis under GDPR Article 6. For analytics, this is typically either consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)). The safest approach: use a tool that doesn’t process personal data at all, so GDPR doesn’t apply to the analytics data.
The Regulatory Landscape in 2026
The regulatory environment for web analytics has never been more complex — or more actively enforced. Here’s what matters right now.

GDPR: Still the Global Standard
Nearly eight years after it began to apply in May 2018, the GDPR remains the world’s most influential privacy law. The European Data Protection Board (EDPB) coordinates enforcement across the 30 EEA countries. Chair Anu Talus has emphasized that “enforcement and boosting enforcement cooperation will remain a top priority for the EDPB in the years to come.”
For analytics specifically, GDPR applies whenever you process personal data of people in the EEA, regardless of where your company is based. The territorial scope (Article 3) means that a US company monitoring the behaviour of European visitors must comply.
ePrivacy Directive: The Cookie Law
Often overlooked, the ePrivacy Directive (2002/58/EC) is the actual legal basis for cookie consent requirements. It pre-dates GDPR and applies specifically to electronic communications — including cookies, device fingerprinting, and local storage. The ePrivacy Regulation, intended to replace this directive, was officially withdrawn by the European Commission in February 2025 after years of failed negotiations. Instead, the EU Digital Omnibus Package (proposed November 2025) plans to integrate cookie consent rules directly into the GDPR. Until the Omnibus passes, the current directive remains in force.
EU Digital Markets Act (DMA)
The DMA’s gatekeeper obligations took full effect in March 2024, and Google (Alphabet) is one of the designated “gatekeepers.” One consequence: Google must obtain explicit consent before combining data across its services. This is why Google made Consent Mode v2 a requirement for Google Ads and Analytics in the EEA from March 6, 2024. If you run Google Analytics without a properly implemented Consent Mode v2, your data collection in the EU is incomplete at best and non-compliant at worst.
UK GDPR: Diverging Path
Post-Brexit, the UK retained its own version of GDPR (UK GDPR) enforced by the Information Commissioner’s Office (ICO). In 2025, the ICO took its biggest step yet on tracking compliance: it audited the top 1,000 UK websites for cookie compliance. The results: 979 of 1,000 sites ultimately passed — but 564 had to fix their practices after initially failing. The ICO issued 17 preliminary enforcement notices and estimated the action gave 40 million people better control over their tracking.
Crucially, the UK has now diverged from the EU on analytics cookies through the Data (Use and Access) Act 2025. If your analytics cookies are used solely to collect aggregate statistics (not to identify or track individuals), you can now run them without consent — provided you clearly explain what you do and offer a simple way to opt out. This is an opt-out model, unlike the EU’s opt-in approach. The exemption does not cover advertising cookies.
The Google Analytics Problem
Google Analytics is still the most widely used analytics tool in the world. It’s also the tool that has drawn the most regulatory action in Europe.

The problem started in August 2020, when privacy advocacy group noyb filed 101 complaints across the EU about websites using Google Analytics and Facebook Connect. The complaints argued that these tools transfer EU user data to the US without adequate protection — a violation of GDPR following the Court of Justice’s Schrems II ruling.
Data protection authorities agreed. Between January 2022 and mid-2023, seven EU/EEA countries — Austria, France, Italy, Norway, Denmark, Finland, and Sweden — issued rulings or decisions against Google Analytics. Sweden imposed the first significant fine: around €1 million.
Google’s answer is GA4, which drops full IP addresses by default, supports server-side tagging, and routes traffic from EU visitors through EU-based collection servers. But the fundamental issue remains: GA4 still processes the data on Google’s infrastructure, needs cookies for full functionality, and depends on the EU-US Data Privacy Framework for lawful transatlantic transfers, a framework that may not survive its next legal challenge.
For a detailed comparison of privacy-first alternatives, see our Google Analytics Alternatives Buyer’s Guide.
The Cookie Consent Tax
Even if you make Google Analytics technically compliant (with Consent Mode v2, server-side tagging, and proper consent banners), you face a practical problem I call the cookie consent tax: you only see data from visitors who click “Accept.”

The numbers are stark. When websites implement GDPR-compliant consent banners with an equally prominent “Reject All” button, 60-70% of EU visitors reject cookies. In privacy-conscious markets like Germany and France, fewer than 25% of users accept.
That means your cookie-based analytics dashboard shows less than half of your actual traffic. You’re making business decisions based on incomplete data — and the data you’re missing is systematically biased (privacy-conscious users, technical users, and users with ad blockers are disproportionately excluded).
Cookieless analytics tools remove the consent tax: no banner, no consent-driven data loss, and every visitor whose browser loads the script is counted. The one group still missing is visitors whose ad blockers block the analytics script itself; they are invisible to any client-side tool, cookieless or not.
How to Make Your Analytics Compliant
Whether you’re starting from scratch or fixing an existing setup, here’s the compliance checklist I use with every client.

1. Audit your current analytics
Run your website through a cookie scanner (Cookiebot offers a free one). Check what cookies are set, what data is collected, and where it is sent. Because Article 5(3) covers more than cookies, also open the browser’s developer tools and look at the Set-Cookie response headers, the localStorage and sessionStorage entries, and the third-party requests fired on page load. You might be surprised: many sites carry tracking scripts they have forgotten about.
2. Choose a privacy-compliant tool
The easiest path to compliance is switching to a tool that doesn’t require consent. Cookieless, privacy-first analytics tools like Plausible, Fathom, or Matomo (when properly configured) avoid the compliance burden entirely. See our comparison of Plausible, Fathom, and Matomo for details.
3. Configure correctly
Even privacy-first tools need proper configuration. Ensure:
- IP anonymization is enabled (or IPs are not collected at all)
- No cross-site tracking or user-level identification
- Data is stored in the EU (or in a country with an adequacy decision)
- If using Matomo, follow the CNIL configuration guide for consent exemption
4. Update your privacy policy
GDPR requires transparency (Articles 13 and 14). Your privacy policy must explain what analytics data you collect, why, how long you retain it, and who processes it. If you use a cookieless tool that doesn’t collect personal data, you should still mention it — transparency builds trust.
5. Document your legal basis
Under GDPR’s accountability principle (Article 5(2)), you must be able to demonstrate compliance. Document which legal basis you rely on for analytics (consent, legitimate interest, or “not applicable because no personal data is processed”), and keep records of your Data Protection Impact Assessment if you process data at scale.
6. Monitor continuously
Compliance isn’t a one-time setup. Regulations change, tools update, and new enforcement actions create new precedents. Review your analytics setup quarterly — especially after major regulatory developments.
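As an added example (not from the page, and not any scanner vendor’s code), here is a repeatable first pass at step 1 that also serves the quarterly re-check in step 6. Its input is a list of responses captured from your own site (browser devtools, `curl -D`, or a proxy), each recorded as the host that sent it plus one Set-Cookie header line; the script parses each line, works out lifetime and whether the cookie is third-party, and flags well-known analytics and advertising cookies. The tracker name patterns, the verdict labels and the sample capture are this example’s own and the pattern list is deliberately short, not authoritative.

```javascript
// Added example, not from the page: a repeatable first pass at the cookie audit.
// Input: responses captured from your own site, each as {host, setCookie}.
// The tracker name patterns below are this example's own short list.
const KNOWN_TRACKERS = [
  { pattern: /^_ga(_[A-Z0-9]+)?$/, vendor: "Google Analytics" },
  { pattern: /^_gid$/, vendor: "Google Analytics" },
  { pattern: /^_fbp$/, vendor: "Meta Pixel" },
  { pattern: /^_pk_(id|ses)/, vendor: "Matomo" },
];

// Split "name=value; Attr=val; Flag" into name, value and lower-cased attributes.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days from Max-Age (takes precedence) or Expires; 0 = session cookie.
function lifetimeDays(cookie, now) {
  if (cookie.attrs["max-age"] !== undefined) return Number(cookie.attrs["max-age"]) / 86400;
  if (cookie.attrs.expires) return (Date.parse(cookie.attrs.expires) - now.getTime()) / 86400000;
  return 0;
}

// Third-party if the cookie's effective domain is neither the page host nor a
// parent of it.
function isThirdParty(effectiveDomain, pageHost) {
  const d = effectiveDomain.replace(/^\./, "").toLowerCase();
  const h = pageHost.toLowerCase();
  return !(h === d || h.endsWith("." + d));
}

// One report row per Set-Cookie line. "review" means a human has to decide
// whether the cookie is strictly necessary; the script cannot know that.
function auditSetCookie(responses, pageHost, now = new Date()) {
  return responses.map(({ host, setCookie }) => {
    const c = parseSetCookie(setCookie);
    const domain = c.attrs.domain || host;
    const thirdParty = isThirdParty(domain, pageHost);
    const tracker = KNOWN_TRACKERS.find((t) => t.pattern.test(c.name));
    const verdict = tracker
      ? "consent required"
      : thirdParty
        ? "likely consent required"
        : "review";
    return {
      name: c.name,
      domain,
      thirdParty,
      lifetimeDays: Math.round(lifetimeDays(c, now)),
      vendor: tracker ? tracker.vendor : null,
      verdict,
    };
  });
}

// Constructed sample capture (not from a real site).
const SAMPLE_RESPONSES = [
  { host: "www.example.com", setCookie: "_ga=GA1.1.123456789.1700000000; Path=/; Domain=.example.com; Max-Age=63072000; SameSite=Lax" },
  { host: "www.example.com", setCookie: "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict" },
  { host: "www.example.com", setCookie: "_fbp=fb.1.1700000000000.123456; Path=/; Domain=.example.com; Expires=Sun, 01 Mar 2026 00:00:00 GMT" },
  { host: "tracker.example.net", setCookie: "uid=xyz; Path=/; Max-Age=31536000" },
];

console.table(auditSetCookie(SAMPLE_RESPONSES, "www.example.com", new Date("2026-02-01T00:00:00Z")));
```

Run it against a fresh capture each quarter and diff the reports: a new row, a new vendor, or a lifetime that has grown is exactly the kind of forgotten-script change step 6 is meant to catch.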
Compliant Tools at a Glance
(Comparison table: ✓ = Yes, ⚙ = Configurable, — = No)
For a comprehensive review of 14 tools, see our Google Analytics Alternatives Buyer’s Guide.
US Privacy Laws: A Growing Patchwork
The US has no federal privacy law equivalent to GDPR (as of February 2026). Instead, privacy regulation is happening state by state — creating a patchwork that’s increasingly complex for businesses to navigate.

California (CCPA/CPRA) remains the strictest, with a dedicated enforcement agency (the California Privacy Protection Agency) and requirements for opt-out mechanisms for data sales and sharing. Analytics that track users across sites may constitute “sharing” under CPRA.
Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware — and more than a dozen other states — have enacted or are implementing comprehensive privacy laws. Most follow a similar pattern: right to access, delete, and opt out of targeted advertising and data sales.
For analytics teams, the practical impact: if you track US visitors, you increasingly need to provide opt-out mechanisms and honor Global Privacy Control (GPC) signals, which the browser sends as a Sec-GPC: 1 request header and exposes to page scripts as navigator.globalPrivacyControl. Or simplify by using analytics that don’t track individual users in the first place.
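The following Node.js code is an added example, not from the page, Google, or any consent-management product. It ties together the two mechanisms discussed in this section and in the DMA section above: the GPC signal, and the Consent Mode v2 signals a cookie-based setup such as GA4 has to be fed. It assumes a first-party consent cookie in the invented form analytics=1;ads=0 and a jurisdiction value (“eu” or “us”) that you derive elsewhere, for example from geo-IP or an account setting; the four Consent Mode keys are Google’s documented names, while the mapping of the decision onto them is this example’s own choice.

```javascript
// Added example, not from the page, Google or any consent-management product.
// Assumptions: a first-party consent cookie with the invented format
// "analytics=1;ads=0", and a jurisdiction ("eu" or "us") decided elsewhere.

// GPC arrives server-side as the request header "Sec-GPC: 1"; in the page it
// is readable as navigator.globalPrivacyControl === true.
function hasGpc(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  return entry !== undefined && String(entry[1]).trim() === "1";
}

function parseConsentCookie(value) {
  const consent = {};
  if (!value) return consent;
  for (const part of value.split(";")) {
    const [k, v] = part.split("=").map((s) => s.trim());
    if (k) consent[k] = v === "1";
  }
  return consent;
}

// "eu": opt-in, nothing without a stored "yes" (ePrivacy Article 5(3)).
// "us": first-party analytics is allowed; cross-site sharing stops when the
// visitor opted out, and a GPC signal is an opt-out that overrides an earlier
// "accept" click rather than the other way round.
function trackingDecision({ headers = {}, consentCookie = "", jurisdiction }) {
  const gpc = hasGpc(headers);
  const consent = parseConsentCookie(consentCookie);
  if (jurisdiction === "eu") {
    const ok = consent.analytics === true;
    return {
      analytics: ok,
      crossSite: consent.ads === true,
      reason: ok ? "opt-in consent stored" : "no opt-in consent",
    };
  }
  if (gpc) {
    return { analytics: true, crossSite: false, reason: "GPC: opt-out of sale/sharing" };
  }
  return {
    analytics: true,
    crossSite: consent.ads !== false,
    reason: consent.ads === false ? "opted out via banner" : "no opt-out received",
  };
}

// Consent Mode v2 update object. The four keys are Google's documented signal
// names (ad_user_data and ad_personalization are the v2 additions); how the
// decision maps onto them is this example's own choice. In the page this object
// goes into gtag('consent', 'update', ...) after a gtag('consent', 'default', ...)
// that denies everything before the GA tag loads.
function consentModeUpdate(decision) {
  const g = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: g(decision.analytics),
    ad_storage: g(decision.crossSite),
    ad_user_data: g(decision.crossSite),
    ad_personalization: g(decision.crossSite),
  };
}

// Constructed sample requests (not real traffic).
const samples = [
  { headers: {}, consentCookie: "", jurisdiction: "eu" },
  { headers: {}, consentCookie: "analytics=1;ads=0", jurisdiction: "eu" },
  { headers: { "sec-gpc": "1" }, consentCookie: "analytics=1;ads=1", jurisdiction: "us" },
];
for (const s of samples) {
  const d = trackingDecision(s);
  console.log(s.jurisdiction, d.reason, consentModeUpdate(d));
}
```

The ordering matters in practice: the default-denied call has to run before the GA tag loads, and the GPC check has to run on every request rather than once at banner time, because the header is the browser’s standing instruction and a stale “accept” stored months ago does not outrank it.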
The EU-US Data Transfer Problem
This is the most unstable part of the compliance landscape — and the one most likely to change.

The EU-US Data Privacy Framework (DPF) was adopted in July 2023 to replace the invalidated Privacy Shield. It was supposed to provide a stable legal basis for transatlantic data transfers — including analytics data flowing from EU visitors to US-based tools like Google Analytics.
In September 2025, the DPF survived its first legal challenge when the EU General Court dismissed the Latombe action. But the court assessed the DPF only as it stood in July 2023 and emphasized the Commission’s ongoing duty to monitor — a “trapdoor” for future challenges.
Meanwhile, the DPF’s oversight foundation is cracking. In January 2025, the US administration fired three members of the Privacy and Civil Liberties Oversight Board (PCLOB), leaving it without a quorum. PCLOB was the oversight mechanism that the European Commission cited as a key safeguard in its 2023 adequacy decision. Without it, the legal basis for the DPF is weakened.
Privacy advocacy group noyb has signaled it is preparing a broader “Schrems III” challenge. If the Court of Justice invalidates the DPF — as it did with Safe Harbor (2015) and Privacy Shield (2020) — every business using US-based analytics tools would face immediate compliance risk.
What this means for you: If your analytics data crosses the Atlantic, you’re betting on a framework that has been struck down twice before and may be struck down again. The safest approach is keeping data in the EU entirely — either through EU-hosted cloud services or self-hosting.
What’s Coming Next
The regulatory landscape is still evolving. Here’s what to watch.

EU Digital Omnibus Package. After the ePrivacy Regulation was withdrawn in February 2025, the Commission proposed the Digital Omnibus Package (November 2025) to integrate cookie consent rules directly into the GDPR. This could introduce new exceptions to consent requirements and harmonize rules across the EU. It’s working through the European Parliament now — expect amendments in 2026.
EU AI Act. The AI Act entered into force in August 2024 and is being phased in through 2027. While primarily targeting AI systems, it has implications for analytics tools that use machine learning for predictions, segmentation, or automated decision-making. If your analytics tool uses AI to profile users, new transparency requirements apply.
Browser-level consent. Both the W3C and browser vendors are exploring mechanisms where privacy preferences are communicated at the browser level (like Global Privacy Control) rather than through per-site consent banners. This could eventually make traditional consent banners obsolete — and make cookieless analytics the default standard.
Privacy-enhancing technologies (PETs). The global PET market is projected to grow from $3.3 billion to nearly $12 billion by 2032. Technologies like differential privacy, federated learning, and on-device processing are reshaping how analytics can work without collecting personal data.
FAQ
Is Google Analytics legal in the EU?
It depends on your configuration. Seven EU/EEA countries have issued rulings against standard Google Analytics deployments. GA4 with Consent Mode v2, server-side tagging, and proper consent management can be configured for compliance — but you’ll lose 60-70% of EU visitor data due to consent rejection. Cookieless alternatives avoid this entirely.
Do I need a cookie consent banner?
Only if your analytics tool stores or reads information on the visitor’s device: cookies, localStorage, or fingerprinting. That is the ePrivacy trigger. If a tool processes personal data without touching the device, you still need a GDPR legal basis, but not necessarily a banner. Privacy-first tools like Plausible, Fathom, and properly configured Matomo are cookieless and don’t require consent banners. Google Analytics requires a GDPR-compliant consent banner in the EU.
What is the CNIL consent exemption?
France’s CNIL has approved certain analytics tools for use without cookie consent when configured to specific privacy standards. Matomo (self-hosted, with specific configuration) qualifies. Plausible and Fathom don’t need the exemption because they don’t use cookies at all.
Is the EU-US Data Privacy Framework safe to rely on?
It’s currently valid, but its future is uncertain. The PCLOB dismantling in January 2025 weakened the oversight mechanism that underpins the framework. A “Schrems III” legal challenge is being prepared by noyb. For maximum safety, keep analytics data in the EU.
What happens if I don’t comply?
GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher. In practice, most analytics enforcement has come through complaints to DPAs (often filed by noyb) resulting in orders to stop data collection. Sweden imposed a €1 million fine specifically for Google Analytics use.
Do US privacy laws affect my analytics?
Yes, if you have US visitors. California’s CCPA/CPRA, Virginia’s VCDPA, and 15+ other state laws require opt-out mechanisms for certain data processing. Analytics that track users across sites may constitute “sharing” or “selling” data under these laws. Using cookieless, non-tracking analytics avoids these obligations.
How do I choose a compliant analytics tool?
Start with three criteria: cookieless (no consent banner needed), EU-hosted (no transfer risk), and aggregate-only data (no personal data processing). See our complete guide to Google Analytics alternatives for 14 tools compared, or our Plausible vs Fathom vs Matomo comparison for the top three.
Privacy-compliant analytics isn’t just a legal requirement — it’s a competitive advantage. You get 100% of your traffic data, zero consent friction, and the peace of mind that comes from not depending on legal frameworks that keep getting struck down.
Ready to choose a tool? Start with our Google Analytics Alternatives Buyer’s Guide.