What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union's data-protection law; it has applied since 25 May 2018. It governs how organizations collect, store, and use the personal data of people in the EU/EEA, regardless of where the organization itself is located. For analytics teams, GDPR defines what counts as personal data (e.g., IP addresses, device IDs, and the Client ID your analytics tool assigns; a pseudonymous identifier still qualifies if it singles a person out) and sets strict rules on consent, transparency, and user rights.
How GDPR affects web analytics
Under GDPR, tracking for measurement, such as Pageview, Session, and Event data, needs a lawful basis, and the ePrivacy rules additionally require consent before any non-essential Cookie or other storage is set or read on the visitor's device. Most sites therefore rely on freely given, specific, informed, and unambiguous consent before setting a Cookie or firing tags that enable Cross-Device Tracking or Cross-Domain Tracking. Without consent, restrict processing (e.g., no ad identifiers, IP anonymization, no marketing audiences, no user stitching), keep every purpose denied by default until the visitor has actually chosen, and still honour access and erasure requests for whatever data you do hold.
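What "restricted processing" looks like for a single analytics hit when no consent is held, as an added example (not code from the original page or from any analytics vendor). The IP rule it applies, zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, is the common analytics-tool "IP anonymization" behaviour; the hit field names are assumptions made for this example.

```javascript
// Added example, not code from the original page or from any analytics vendor.
// A non-consenting visitor's hit is stripped of ad/user identifiers and its IP
// address is anonymized before anything is stored or forwarded.

// Expand an IPv6 string into its 8 hextets (handles one "::" group) and throw
// on anything malformed, so a bad input can never slip through un-anonymized.
function expandIpv6(ip) {
  const parts = ip.toLowerCase().split('::');
  if (parts.length > 2) throw new Error('not an IPv6 address: ' + ip);
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const compressed = parts.length === 2;
  if (compressed && head.length + tail.length > 7) throw new Error('not an IPv6 address: ' + ip);
  const fill = compressed ? 8 - head.length - tail.length : 0;
  const groups = [...head, ...new Array(fill).fill('0'), ...tail];
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  return groups;
}

// Zero the host part: IPv4 keeps its first 24 bits, IPv6 its first 48 bits.
// IPv4-mapped IPv6 literals (::ffff:a.b.c.d) are rejected rather than guessed.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    return expandIpv6(ip).slice(0, 3).join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4 || !octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  octets[3] = '0';
  return octets.join('.');
}

// Fields only a consented hit may carry (assumed names, not any vendor's schema).
const CONSENT_ONLY_FIELDS = ['ad_id', 'user_id', 'audience_ids'];

// Return the hit as it may be processed under the visitor's consent state.
function restrictHit(hit, consented) {
  if (consented) return { ...hit };                 // full processing permitted
  const out = { ...hit, ip: anonymizeIp(hit.ip) };  // never keep the full IP
  for (const field of CONSENT_ONLY_FIELDS) delete out[field];
  return out;
}

// Constructed sample hit from a visitor who has not consented.
const sampleHit = { ip: '203.0.113.42', page: '/pricing', ad_id: 'AD-1', user_id: 'u-7', audience_ids: ['aud-3'] };
console.log(restrictHit(sampleHit, false)); // { ip: '203.0.113.0', page: '/pricing' }
```

The point of the throw-on-malformed behaviour is fail-closed handling: an address the anonymizer does not understand must not be stored as-is, because the full IP is exactly the personal data you are trying not to keep.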
Core requirements (analytics context)
- Lawful basis & records: Document why you collect analytics data (consent or legitimate interests with balancing test).
- Consent management: A compliant Cookie Banner that records each consent choice (what was agreed, when, and against which version of the notice), enables opt-in/opt-out per purpose, and makes withdrawing consent as easy as giving it.
- Data minimization: Collect only what you need for KPIs like Conversion and Micro-Conversion; avoid unnecessary user identifiers.
- Transparency: Clear privacy notices describing tools (e.g., GA4, Matomo, Plausible, Simple Analytics) and purposes (performance, product analytics, marketing).
- User rights: Support access, rectification, erasure, portability, restriction, and objection.
- Security & retention: Protect data in transit/at rest; define short retention aligned to business needs.
- Processor controls: Sign DPAs (Art. 28 contracts) with vendors and ensure third-country transfers rest on valid safeguards (e.g., an adequacy decision or Standard Contractual Clauses).
Practical implementation tips
- Tag governance: Use a Tag Management system to conditionally fire tags based on consent.
- Purpose partitioning: Separate measurement vs. marketing tags; avoid piggybacking that reintroduces identifiers.
- Modeling without personal data: Lean on aggregated reports, server-side pipelines that drop or truncate identifiers before storage, or privacy-friendly tools.
- Attribution with less tracking: Prefer modelled Attribution or a rule-based Attribution Model over invasive user stitching; treat UTM parameters (UTM) as campaign metadata, not as user identifiers.
- BI exports: If exporting to BigQuery or Power BI, apply access controls, pseudonymization (a keyed hash of identifiers, with the key kept out of the BI environment), and retention policies; pseudonymized data is still personal data under GDPR, so the same rights and safeguards apply to it.
Why it matters
Non-compliance risks heavy fines (up to the higher of €20M or 4% of global turnover), but good GDPR practice also improves data quality and user trust—your analytics becomes cleaner, more intentional, and easier to defend.