At a glance
This may come as a surprise, but no major analytics tool is GDPR compliant out of the box. All of them require additional configuration – consent integration, IP anonymisation, data retention limits, and data processing agreements.
They can all be made compliant – or close enough – with the right setup. Here’s what “GDPR compliant” actually means for an analytics tool, and how the most popular tools compare.
What does “GDPR-compliant” mean for analytics?
For a web analytics tool to operate within GDPR requirements, it needs to satisfy three separate conditions.
1. Cookie consent (ePrivacy)
Analytics cookies are not strictly necessary. Under the ePrivacy Directive, they cannot be set until the user has actively consented. This means your cookie banner must block the analytics script from firing until consent is given (not just show a banner while the script loads in the background).
2. Personal data handling (GDPR)
Analytics tools can collect personal data: IP addresses, cookie identifiers, device information. You need a legal basis for this (typically consent), a signed Data Processing Agreement with the vendor, and appropriate data retention limits. You also need to be able to handle data subject requests – including deletion – for data held in your analytics platform.
3. International data transfers (GDPR)
Most major analytics tools are US-based companies. If data leaves the EU/EEA and lands on US servers, you need a valid transfer mechanism – currently the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs). Earlier EU-US transfer frameworks have been struck down twice before (Schrems I and II), which is why this remains a live compliance issue.
Five top tools compared
| Tool | Compliant by default? | EU data storage? | DSAR handling | Difficulty to make compliant |
|---|---|---|---|---|
| Google Analytics 4 | No | Partial (EU routing opt-in) | Limited (data deletion requests) | Medium |
| Adobe Analytics | No | Yes (EU DC option) | Privacy API available | High (enterprise complexity) |
| Microsoft Clarity | No | No (US only) | Limited | High |
| Mixpanel | No | Yes (EU residency option) | Deletion API available | Medium |
| Hotjar | No | Yes (EEA storage) | GDPR API | Medium |
The US data transfer problem
With the exception of tools that offer EU data residency options (Adobe, Mixpanel, Hotjar), most analytics tools transfer data to US servers. This has been the source of significant regulatory attention.
In 2022 and early 2023, a wave of decisions from European data protection authorities – Austria, France, Italy, Denmark, Finland, and others – ruled that the use of Google Analytics without adequate safeguards constituted an unlawful international transfer. These decisions were driven by complaints coordinated by None of Your Business (NOYB) and argued that US intelligence agencies could theoretically access data on US servers in ways that would not be permitted under EU law.
The EU-US Data Privacy Framework (DPF) created a new legal pathway for US data transfers, and Google quickly certified under DPF. This makes the transfer mechanism more stable than it was under Privacy Shield (which was struck down in Schrems II). However, DPF faces an ongoing legal challenge, and a third invalidation is considered possible by many legal observers.
For now: you can transfer data to DPF-certified US companies. But choosing tools with EU data residency options removes this risk entirely.
Steps to consider
Regardless of which tool you use, these steps apply to all of them:
- Wire your consent banner to the analytics script: Your analytics tool must not fire until the user consents. Use your CMP’s integration with your analytics tag, or configure your tag manager to only trigger analytics tags when consent is granted.
- Sign a Data Processing Agreement: Every analytics vendor that processes personal data on your behalf needs a signed DPA – required by GDPR Article 28. Most vendors provide a standard DPA in their account settings.
- Enable IP anonymisation (where available): IP addresses are personal data. Most analytics tools offer IP anonymisation or obfuscation settings – enable them.
- Set appropriate data retention periods: Don’t retain analytics data forever. Set retention to what you actually use – for most websites, 14 months is sufficient. Many tools default to longer periods.
- Have a process for DSARs: If someone exercises their right of erasure, you need to be able to delete their data from your analytics tool – not just your CRM. Check each tool’s data deletion capabilities.
- Mention the tool in your privacy policy: Whichever tool you use needs to be named in your privacy policy, with a description of what it does and where data goes.
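The first step above, wiring consent to the analytics script, is the one most often done wrong: the banner is shown but the tracker is already loaded. Below is an added example (not code from the original article or from any vendor) of a consent gate that injects the analytics script only after the user opts in, buffers nothing outside page memory while the decision is pending, and drops events if consent is refused or later withdrawn. The script URL, the `loader`/`sender` hooks and the decision values are assumptions; the CMP would call `setConsent` from its own callback.

```javascript
// Added example: a consent gate for an analytics tracker (assumed names throughout).
const ANALYTICS_SRC = 'https://analytics.example/tracker.js'; // placeholder URL, not a real vendor

// Default injector for browsers: the <script> tag does not exist until this runs,
// so no analytics cookie can be set before consent. Tests pass a fake loader instead.
function injectScript(src) {
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}

// States: 'pending' (banner shown, nothing loaded), 'granted' (script loaded,
// events sent), 'denied' (script never loaded, or no further events after withdrawal).
function createConsentGate({ loader = injectScript, sender = () => {} } = {}) {
  let state = 'pending';
  let scriptLoaded = false;
  const buffer = []; // in-memory only; never sent or persisted until consent is granted

  return {
    state: () => state,

    // Called by the CMP with the user's decision. Calling it with 'denied' after
    // 'granted' withdraws consent: the tag cannot be unloaded, but no further events
    // are sent. Removing cookies the vendor already set is vendor-specific and not done here.
    setConsent(decision) {
      if (decision !== 'granted' && decision !== 'denied') {
        throw new Error('decision must be "granted" or "denied"');
      }
      state = decision;
      if (state === 'denied') {
        buffer.length = 0; // discard anything recorded while pending
        return;
      }
      if (!scriptLoaded) {
        loader(ANALYTICS_SRC); // the only place the tracker is ever injected
        scriptLoaded = true;
      }
      while (buffer.length) sender(buffer.shift()); // replay page views recorded pre-consent
    },

    // Returns true only when the event was actually handed to the tracker.
    track(name, payload = {}) {
      if (state === 'denied') return false;
      if (state === 'pending') { buffer.push({ name, payload }); return false; }
      sender({ name, payload });
      return true;
    },
  };
}
```

In a tag manager the same rule applies: the analytics tag's trigger must be the consent-granted event, not page load.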