
GDPR-Compliant Analytics in 2026: What You Actually Need to Know

by Jules

In 2022, data protection authorities in Austria, France, Italy, Denmark, and Finland each found that the use of Google Analytics they examined violated GDPR. The reasoning followed the CJEU’s 2020 Schrems II judgment: GA sends personal data (IP addresses and online identifiers) to Google servers in the US, and US law does not give that data protection essentially equivalent to what the EU requires.

More rulings have followed. If you’re running a site with EU traffic and using standard analytics, you probably have a compliance problem. Here’s what GDPR actually requires from analytics tools, and what “compliant” looks like in practice.

What GDPR Requires from Analytics

GDPR’s analytics obligations come down to three things:

1. Lawful basis for processing

You need a legal basis under Article 6 to process personal data. Of the six bases, the ones that come up for analytics are:

  • Consent — the user opts in before any tracking starts (via cookie banner)
  • Legitimate interests — you document a balancing test showing that your interest in the processing is not overridden by the user’s interests or fundamental rights
  • Contractual necessity — the processing is needed to deliver the service the user asked for (rarely true of analytics)

For analytics, most organizations use consent (which is why cookie banners exist) or argue legitimate interests (which is disputed and increasingly hard to rely on for detailed tracking).

2. No unnecessary transfer to unsafe third countries

Sending personal data to the US requires a valid transfer mechanism (an adequacy decision, or Standard Contractual Clauses backed by a transfer impact assessment) or, for occasional transfers, the user’s explicit consent to that specific transfer. The EU-US Data Privacy Framework adopted in July 2023 is an adequacy decision, but it covers only US companies certified under it, and it remains subject to legal challenge.

3. Data minimization

GDPR requires collecting only the data you actually need. If you can answer your analytics questions without IP addresses, cookie IDs, or device fingerprints — you should.

The Two Paths to Compliant Analytics

Path 1: Consent-based analytics (the traditional route)

Use a standard cookie-based analytics tool (GA4, Mixpanel, Hotjar) and add:

  • A cookie consent management platform (CMP) like Cookiebot, OneTrust, or Iubenda
  • A privacy policy that discloses each third-party tool and its data transfers
  • Regular compliance audits as regulations evolve

This works, but:

  • 40-60% of EU users decline cookies, making your analytics data structurally incomplete
  • CMPs cost $20-500/month on top of your analytics
  • The technical implementation is complex: every tag has to stay blocked until the consent signal reaches it, and each tool reads that signal differently
  • Regulations keep changing — you need to maintain this ongoing

Path 2: Cookieless analytics (the simple route)

Use a privacy-first analytics tool that doesn’t set cookies, doesn’t collect IP addresses, and doesn’t transfer data to unsafe third countries.

Cookieless analytics typically works by:

  1. Replacing the IP address with a keyed hash at ingest, using a secret salt that rotates daily, so the raw IP is never written to storage (a plain unsalted hash is not anonymization: the IPv4 space is small enough to enumerate and reverse)
  2. Using non-identifying session signals (the daily hash plus coarse user-agent data) to deduplicate visits within a single day only
  3. Storing aggregates, not per-user event histories

Because what is stored is aggregate data that cannot be tied back to an individual (and the short-lived hash cannot be recomputed once the day’s salt is gone), GDPR consent requirements are dramatically simplified. Two caveats a practitioner should keep in mind. First, the cookie-banner obligation itself comes from the ePrivacy Directive (Article 5(3)), not GDPR: it covers anything stored on or read from the device that isn’t strictly necessary, so “cookieless” has to mean no localStorage identifiers and no fingerprinting either. Second, the exemption is conditional: several DPAs (CNIL, for example) exempt audience measurement only when there is no cross-site tracking, no sharing with third parties, and aggregate output only. Meet those conditions and no cookie banner is required in most EU jurisdictions, no transfer restrictions apply if the data stays in the EU, and no CMP is needed.

Measure.events is built on this model: no cookies, no IP storage, no cross-site tracking, EU-friendly by design. The data lives on your account, and no visitor identifiers are ever collected.

Does Cookieless Analytics Mean Less Accurate Data?

Somewhat, but less than you’d think.

Cookie-based analytics overcounts in some ways (the same user on multiple devices, or after clearing cookies, looks like several users) and undercounts in others (Safari’s ITP caps cookies set by JavaScript at seven days; adblockers block tracking scripts outright).

Cookieless analytics using session estimation typically undercounts returning visitors, because the daily identifier rotates and someone who comes back tomorrow looks new. The tradeoff: instead of zero visibility into the EU visitors who decline consent, you get a consistent view of all visitors that is roughly 70-80% accurate (a rule of thumb, not a measurement).

For most products, knowing that your top blog post got 500 visitors this week vs 350 last week is more useful than a precise count that’s missing 40% of your EU traffic anyway.

The Practical Setup for EU Sites

If your site serves EU visitors and you want to be clearly compliant without the consent banner overhead:

Option 1: Measure.events

Install the script tag — no cookies, no consent banner required:

<script
  src="https://lets.measure.events/api/script/YOUR_SITE_KEY"
  defer
></script>

Your privacy policy needs one sentence: “We use Measure.events for anonymous, cookieless analytics. No personal data is collected.”

Option 2: Plausible (self-hosted)

If you need full data sovereignty, Plausible has a self-hosted option you can run on your own EU infrastructure. More setup, but the data never leaves your control.

Option 3: Matomo with privacy mode

Matomo self-hosted with IP anonymization enabled, cookies disabled, and respect for Do Not Track. More configuration, but fully open-source.

What to Put in Your Privacy Policy

If you’re using cookieless analytics, your privacy policy analytics section can be simple:

Analytics
We use [Tool Name] to collect anonymous, aggregate website analytics. This includes page visits, referrer sources, and general geographic regions (country-level only). No cookies are set. No personal information (name, email, IP address) is collected or stored. This data cannot be used to identify any individual visitor.

No transfer disclosure (provided the tool keeps the data in the EU). No user-rights section for analytics data. No CMP required.

Compare this to the typical GA4 privacy policy section, which requires disclosing: data collection, purposes, transfers to the US, retention periods, user rights, and the legal basis for processing.

What About Google Consent Mode v2?

Google’s Consent Mode v2 attempts to model conversions from users who declined cookies. It uses machine learning to estimate what opted-out users would have done, then fills in the gaps.

This is useful for conversion tracking and Google Ads, but:

  • The modeled data isn’t the same as real data
  • It still requires a consent banner (just handles the case where users decline)
  • The EU tracking situation remains contested even with Consent Mode

For pure analytics (not tied to Google Ads), Consent Mode doesn’t simplify compliance — it’s primarily an advertising tool.

Quick Compliance Checklist

For a small site or SaaS that wants clean GDPR compliance on analytics:

  • Switch to a cookieless analytics tool
  • Confirm the tool stores no raw IP addresses; ask how it derives visit identifiers (keyed hash, how often the salt rotates, whether the salt is ever persisted)
  • Confirm data is stored in the EU (or you’ve verified the transfer mechanism)
  • Update privacy policy with a simple analytics disclosure
  • Remove cookie consent banner for analytics cookies (if all cookies are now gone, the banner may be entirely unnecessary)
  • Test: load your site in a clean browser profile, open the developer tools Storage/Application panel and confirm no cookies or localStorage entries appear after the script runs, then run a privacy audit tool like Blacklight as a second opinion

If you’re also running Google Ads or Facebook Pixel, those require consent regardless of your analytics choice — but you can limit consent to those specific tools instead of applying it to everything.

The Short Version

GDPR-compliant analytics in 2026 is easier than it used to be: use a cookieless tool, skip the consent banner, update a few sentences in your privacy policy, and move on.

The complex route (consent + GA4 + CMP) is appropriate if you need the richer behavioral data GA4 provides or if you’re running Google Ads. For most product analytics needs, it’s unnecessary overhead.

Start with Measure.events free — cookieless, no consent banner required, takes 2 minutes to install.
