The top line
GDPR is Europe’s data protection law. If your website collects any data that could identify someone, you need to follow its rules. It applies whether you are based in the EU or not. Enforcing it against a business with no EU presence is harder in practice, but not impossible: regulators have fined companies with no EU establishment, and Article 27 requires most non-EU organisations within its scope to appoint a representative in the EU.
But here’s the thing: once you understand what it’s actually saying, it’s mostly common sense. Don’t collect data you don’t need. Tell people what you’re collecting. Use it only for the purpose you said you would. Keep it safe. There are some specifics, but that’s basically it.
GDPR in more detail
GDPR stands for General Data Protection Regulation. It was adopted in 2016, became enforceable on 25 May 2018, and immediately became the most talked-about piece of legislation in the history of web development. It replaced the 1995 Data Protection Directive, which predated most of the modern web and was enforced unevenly, so in practice there were few rules with teeth about how companies handled personal data online. A major motivation was to curb the behaviour of technology companies, many of them US-based, that were hoovering up as much personal data as they could and not doing nearly enough to safeguard it.
It’s an EU Regulation, not a Directive. That distinction matters: a Regulation applies the same way in every EU country, automatically, without each country needing to write its own version. The ePrivacy Directive, by contrast, is a Directive that each member state transposes into national law, and that’s why cookie law varies from country to country.
One-sentence summary: GDPR gives people in the EU control over their personal data and sets rules for anyone who collects or uses that data.
What counts as personal data?
More than you might think. Personal data is any information that can identify a specific person, even indirectly. You will often see this called PII (Personally Identifiable Information), but that is a US term and it is narrower: GDPR’s definition also covers online identifiers and anything that singles a person out once combined with other data. Almost anything can be personal data in context, but for websites and analytics it usually means things like:
- Names, email addresses, phone numbers
- IP addresses
- Cookies and device IDs
- Location data
- Biometric data (fingerprints, facial recognition)
The key test isn’t whether you are actually using this data to identify people, it’s whether you (or anyone who gets hold of it) could identify them with the data you hold, either alone or in combination with other data. Pseudonymised data (a hashed email address, an internal user ID) is still personal data; only data that has been genuinely anonymised, so that nobody can reasonably re-identify the individual, falls outside the regulation.
Does GDPR apply to you?
Probably yes. Merely being reachable from the EU isn’t enough on its own, but if your website offers anything to people in the EU or monitors their behaviour (which is what most analytics does), GDPR applies to you, regardless of where your business is based.
Specifically, GDPR applies if you:
- Are established in the EU (even one employee in an EU country counts), or
- Offer goods or services to people in the EU (even for free), or
- Monitor the behaviour of people in the EU (for example with your website analytics).
You don’t have to be a large company. GDPR applies to sole traders, bloggers, freelancers, Shopify stores, software tools – everyone. The requirements are proportionate to the scale and risk of your processing, but there’s no size exemption.
The UK has its own equivalent, UK GDPR, which largely mirrors the EU version. If you serve both EU and UK users, both apply. But, finally some good news, if you’re compliant with one, you’re very likely compliant with the other.
The seven principles
GDPR is built around seven core principles, set out in Article 5. Everything else in the regulation flows from these.
- Lawfulness, Fairness & Transparency: Have a valid reason to collect data, don’t be sneaky, and tell people what you’re doing.
- Purpose Limitation: Only use data in the way you said you would.
- Data Minimisation: Don’t collect more than you actually need.
- Accuracy: Keep data correct; fix it if it’s wrong.
- Storage Limitation: Don’t keep data indefinitely; set retention periods.
- Integrity & Confidentiality: Keep it safe from unauthorised access or loss.
- Accountability: Be able to demonstrate that you’re following all the above.
→ Here’s our deep dive into the 7 GDPR Principles
The six bases
Every time you process personal data, GDPR requires you to have a legal justification, a “lawful basis.” Article 6 provides six possible bases:
- Consent: The person has given clear agreement.
- Contract: Processing is necessary to fulfil a contract.
- Legal Obligation: The law requires it.
- Vital Interests: Someone’s life is at risk (very narrow).
- Public Task: Public authorities exercising official functions.
- Legitimate Interest: You have a genuine business reason, you have documented a balancing test showing it doesn’t override users’ rights, and users can object. You have probably seen this one a lot in cookie consent banners, but it does not work for non-essential cookies and tracking scripts: the ePrivacy rules require consent to store or read anything on the user’s device that isn’t strictly necessary, whichever GDPR basis you claim for the processing that follows.
A common misconception is that you always need consent. You don’t. Consent is one option, and it’s not always the best one. Using it when another basis applies can create unnecessary complexity, because users can withdraw consent at any time and you must stop. When you do rely on consent it has to be freely given, specific, informed and unambiguous: pre-ticked boxes and “by using this site you agree” notices don’t count.
→ Find out which legal basis to use
Your users have rights
This was a key element of the pushback against aggressive data collection by US technology companies – you can’t collect vast swathes of personal information without giving individuals clarity on what data you hold, and what you’re doing with it. As a result, GDPR gives individuals eight specific rights over their personal data:
- Right to be Informed: Know what’s being collected and why (usually contained within your privacy policy).
- Right of Access: People can request a copy of their data.
- Right to Rectification: People can ask you to correct inaccurate data.
- Right to Erasure: The “right to be forgotten”; people can ask you to delete their data.
- Right to Restrict Processing: Pause processing while a dispute is resolved.
- Right to Data Portability: Receive their data in a structured, commonly used, machine-readable format, and have it sent to another provider where technically feasible.
- Right to Object: Object to processing, especially for marketing.
- Rights around Automated Decision-Making: Protection against purely algorithmic decisions.
In most cases you have one month from receiving a request to respond. That can be extended by up to two further months for complex or numerous requests, but you must tell the person within the first month that you are extending. Verify the requester’s identity before releasing anything: an access request is a classic way for an attacker to pull someone else’s data out of you, and GDPR lets you ask for the information you reasonably need to confirm who is asking.
→ Full guide to data subject rights and how to handle requests
What you actually need on your website
For a typical website or digital platform that collects personal data, the practical baseline looks like this:
- A cookie consent banner that blocks scripts until consent: Just showing a banner isn’t enough. Analytics and marketing scripts must not run, and must not set cookies, until the user opts in; strictly necessary cookies (a session cookie for a logged-in user, the record of the consent decision itself) don’t need consent; and declining must be as easy as accepting.
- A GDPR-compliant privacy policy: Specific, readable, and updated whenever your processing changes. What your privacy policy must include.
- A way for users to exercise their rights: At minimum: a contact email address dedicated to privacy requests, with a documented internal process.
- Analytics configured properly: Consent required before firing, DPA signed, retention limits set. Is your analytics tool compliant?
- Data Processing Agreements with third-party services: Every vendor that processes data on your behalf (payment processors, analytics tools, email platforms) needs a DPA under Article 28. Check where each vendor stores the data too: transfers outside the EU need a valid transfer mechanism.
- HTTPS enabled site-wide: GDPR doesn’t name TLS, but Article 32 requires security measures appropriate to the risk, and sending personal data in the clear won’t pass that test. Serve everything over HTTPS, redirect HTTP to HTTPS, and set an HSTS header so browsers never fall back.
- A data retention policy: Know what data you keep, for how long, and when it gets deleted.
Note: These requirements assume you are collecting personal data (people can register with an email address, for example) and loading third-party tags that set cookies (a Google or Meta tag, for example).
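Since the first two items on this list come down to making sure tags don’t run before the user has agreed, here is one way to implement that gate in the browser. This is an added example, not Etiquetta’s code or anything from the original page; the cookie name `etq_consent`, the category names, the six-month cookie lifetime and the `data-consent` / `data-src` attributes are assumptions for illustration. Gated tags are written into the page as `<script type="text/plain" data-consent="analytics" data-src="https://example.com/tag.js">`, which the browser parses but never executes, and the page only turns them into real scripts for categories the visitor has opted into.

```javascript
// Consent-gated tag loading (added example; not Etiquetta's code).
// Assumed conventions: a first-party cookie named etq_consent holding a
// URL-encoded JSON map of category -> boolean, and gated tags marked up as
//   <script type="text/plain" data-consent="analytics" data-src="https://example.com/tag.js"></script>
// type="text/plain" means the browser keeps the element but never runs it.

const CONSENT_COOKIE = 'etq_consent';           // assumed cookie name
const CATEGORIES = ['analytics', 'marketing'];  // categories the banner offers
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;     // re-ask after six months (storage limitation)

// Parse the consent decision out of a document.cookie string.
// Returns null when no valid decision has been recorded, so callers default
// to "everything blocked". Only a literal JSON true counts as opt-in: the
// string "true", the number 1, or a missing key all mean no consent.
function parseConsent(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      const consent = {};
      for (const c of CATEGORIES) consent[c] = parsed[c] === true;
      return consent;
    } catch (e) {
      return null; // malformed or tampered cookie: treat as no decision
    }
  }
  return null;
}

// Build the cookie string for a consent decision. Unknown categories are
// dropped and anything that is not exactly true is stored as false.
function consentCookieValue(choices) {
  const stored = {};
  for (const c of CATEGORIES) stored[c] = choices[c] === true;
  return CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify(stored)) +
    '; Max-Age=' + CONSENT_MAX_AGE + '; Path=/; SameSite=Lax; Secure';
}

// Decide which gated tags may run. Each tag carries a category.
// Null consent (no decision yet, or a bad cookie) blocks every tag, and a
// tag with an unknown or missing category is blocked as well.
function tagsToActivate(consent, tags) {
  if (!consent) return [];
  return tags.filter(t => consent[t.category] === true);
}

// Browser side: replace each permitted text/plain script with a live one.
// Returns the number of tags activated. Blocked tags are left untouched, so
// no cookie is set and no request leaves the browser on their behalf.
function activateGatedScripts(doc, consent) {
  const gated = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = gated.map(el => ({ el, category: el.dataset.consent }));
  const allowed = tagsToActivate(consent, tags);
  for (const t of allowed) {
    const live = doc.createElement('script');
    if (t.el.dataset.src) live.src = t.el.dataset.src;   // external tag
    else live.textContent = t.el.textContent;             // inline snippet
    live.async = true;
    t.el.replaceWith(live);
  }
  return allowed.length;
}

// Called by the banner's "accept selected" / "reject all" buttons:
// persist the choice, then activate only what was just permitted.
function recordConsent(doc, choices) {
  doc.cookie = consentCookieValue(choices);
  return activateGatedScripts(doc, parseConsent(doc.cookie));
}

// On page load, activate only what an earlier visit already consented to.
if (typeof document !== 'undefined') {
  activateGatedScripts(document, parseConsent(document.cookie));
}
```

The important property is the default: with no cookie, an unparseable cookie, or a tag whose category the visitor didn’t tick, nothing runs. Withdrawing consent is just `recordConsent(document, {})`, which rewrites the cookie with every category false; already-running tags can’t be unloaded from a page, so a full reload after withdrawal is the honest behaviour.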
You can measure digital performance while respecting user privacy
Etiquetta is:
- Open source, so it’s trustworthy and fully auditable.
- Self-hosted, so your data never leaves your infrastructure.
- Cookieless and private by default, so you can be GDPR-compliant out-of-the-box.
Its modules cover:
- Website analytics
- Tag management
- Cookie consent
- PageSpeed monitoring
- Session replays
- Bot analytics
- Ad fraud monitoring
- Ad platform integration
- GDPR data access & erasure requests
Do you need a Data Protection Officer?
Probably not, if you’re a typical small or medium-sized website. A DPO is mandatory only in three situations:
- You’re a public authority or body.
- Your core activities involve large-scale, systematic monitoring of individuals.
- Your core activities involve large-scale processing of sensitive categories of data (health data, biometric data, etc.).
Running Google Analytics on your blog doesn’t trigger any of these. However, some businesses appoint a DPO voluntarily, as it shows commitment and helps with internal governance.
→ Full breakdown of DPO requirements — including when you do and don’t need one
What happens if I don’t comply with GDPR?
Supervisory authorities (data protection regulators) can investigate, issue warnings and reprimands, order you to change or stop processing, and impose fines. There are two tiers: up to €10 million or 2% of global annual turnover for failures such as inadequate security or missing processor agreements, and up to €20 million or 4% (whichever is higher) for breaching the core principles, the lawful-basis rules or data subject rights. Individuals who suffer damage can also claim compensation. In practice, regulators focus on larger organisations and the most harmful processing first, and most enforcement against smaller businesses begins with warnings and instructions rather than fines. The risk is real, but proportionate action is the norm.