Can I use Google Analytics and still be GDPR compliant?

Yes, but it requires careful configuration. Since Google Analytics 4 (GA4), Google offers options like IP anonymization by default, data retention controls, and the ability to disable data sharing with Google. However, you must obtain explicit user consent before loading the GA4 tracking script, and you need to ensure data is processed within the EU or that adequate safeguards are in place for transatlantic transfers. Several EU data protection authorities have ruled that standard GA implementations violate GDPR, so professional configuration is strongly recommended.

Do cookieless analytics tools still require a consent banner?

It depends on the tool and the jurisdiction. Truly cookieless tools like Plausible or Fathom that do not store any personal data and do not use cookies generally do not require consent under GDPR, because they fall outside the scope of the ePrivacy Directive's cookie rules. However, if a tool fingerprints users or processes any personal data, consent is still required. Always verify the specific tool's data processing methods and consult your local data protection authority's guidance.

Analytics and GDPR: Collecting Data While Respecting User Privacy

Web analytics is the backbone of digital marketing. Every conversion funnel, every A/B test, every ROI calculation depends on data collected from real users visiting your website. But since May 25, 2018—the date the General Data Protection Regulation (GDPR) became enforceable—collecting that data without respecting strict privacy rules can cost you up to €20 million or 4% of global annual turnover, whichever is higher.

The tension is real: marketers need data to make informed decisions, yet users have a fundamental right to control what happens with their personal information. In 2024 alone, EU data protection authorities issued over €2.1 billion in GDPR fines, a stark reminder that compliance is not optional.

The good news? You don’t have to choose between actionable insights and legal compliance. This guide walks you through exactly how to collect analytics data while respecting user privacy—from choosing the right tools to writing compliant consent logic.

Understanding GDPR’s Impact on Analytics

What Counts as Personal Data in Analytics?

Many site owners assume analytics is harmless because they’re “just counting page views.” GDPR tells a different story. Under Article 4, personal data includes any information that can directly or indirectly identify a natural person. In the context of analytics, this includes:

IP addresses (even truncated ones, according to some DPAs)
Device fingerprints (screen resolution + browser + OS + language = unique identifier)
User IDs and client IDs stored in cookies
Location data derived from IP geolocation
Referrer URLs that may contain personal identifiers

If your analytics tool processes any of these, you’re handling personal data, and GDPR applies.

The ePrivacy Directive (often called the “Cookie Law”), working alongside GDPR, requires that you obtain informed, specific, and freely given consent before placing non-essential cookies or trackers on a user’s device. This means:

No pre-ticked checkboxes
No “cookie walls” that block content entirely unless users accept tracking
No bundling analytics consent with essential cookie consent
Consent must be as easy to withdraw as it is to give
You must keep a record of consent for auditing purposes

A 2023 study by Cookiebot found that 65% of European websites still fail to implement consent correctly, exposing themselves to significant regulatory risk.

The Real Cost of Non-Compliance

Let’s look at actual enforcement actions that illustrate the risk:

Year	Company	Fine	Reason
2022	Google (France - CNIL)	€150 million	Cookies placed without valid consent
2022	Meta (Ireland - DPC)	€265 million	Data scraping and insufficient protection
2023	Criteo (France - CNIL)	€40 million	Tracking without proper consent
2024	Spotify (Sweden)	€5.4 million	Insufficient DSAR response related to analytics data

These aren’t just Big Tech problems. Small and mid-sized businesses across the EU receive fines regularly. In France, the CNIL issues several dozen sanctions per year targeting companies of all sizes.

Privacy-First Analytics: Your Options Compared

Not all analytics platforms are created equal when it comes to GDPR compliance. Here’s a practical comparison of the most popular options:

Feature	Google Analytics 4	Matomo (self-hosted)	Plausible	Fathom
Cookies used	Yes	Optional	No	No
IP anonymization	Default	Configurable	Default	Default
Data hosting location	US/EU (configurable)	Your server	EU	Canada (EU option)
Consent required	Yes	Depends on config	Generally no	Generally no
Free tier	Yes	Yes (self-hosted)	No (€9/mo+)	No ($14/mo+)
Data ownership	Google	You	You	You
Real-time reporting	Yes	Yes	Yes	Yes
E-commerce tracking	Advanced	Advanced	Basic	Basic

Google Analytics 4: Powerful but Complex to Make Compliant

GA4 is by far the most widely used analytics tool, powering over 55% of all websites according to W3Techs. It offers unmatched integration with Google Ads, advanced machine learning-powered insights, and robust e-commerce tracking.

However, making GA4 fully GDPR compliant requires significant effort:

Implementing a proper Consent Management Platform (CMP)
Configuring Google Consent Mode v2
Setting up region-specific data collection rules
Ensuring data processing agreements (DPA) are signed
Potentially using server-side tagging to limit data exposure

Several EU data protection authorities—including those in Austria, France, Italy, and Denmark—have issued decisions questioning or outright declaring certain Google Analytics implementations unlawful. While the EU-US Data Privacy Framework (adopted in July 2023) has eased transatlantic transfer concerns somewhat, the legal landscape remains fragile.

Matomo: The Self-Hosted Compliance Champion

Matomo (formerly Piwik) is the leading open-source analytics platform. When self-hosted, it keeps all data on your own servers, eliminating third-party transfer issues entirely. The CNIL explicitly recommends Matomo as a compliant alternative when configured correctly—specifically when:

Cookies are limited to first-party, 13-month maximum lifetime
IP addresses are anonymized by at least 2 bytes
The “Do Not Track” browser setting is respected
No data is shared with third parties

With this configuration, the CNIL has stated that Matomo can be used without consent, which dramatically increases the amount of data you can collect (since you bypass the ~40-60% of users who typically reject consent banners).

Plausible and Fathom: Lightweight and Privacy-Native

These newer tools were built from the ground up with privacy in mind. They use no cookies, collect no personal data, and produce a tracking script under 1 KB. The trade-off is fewer features: no user-level tracking, limited segmentation, and basic e-commerce support.

For content-driven websites, blogs, and smaller businesses, they’re often the ideal choice. For complex e-commerce operations—the kind of projects Lueur Externe regularly handles on Prestashop and WordPress—you’ll likely need Matomo or a properly configured GA4 setup alongside these lighter tools.

A CMP is the interface through which users grant or deny consent for various tracking categories. Popular options include:

Cookiebot – automated scanning, strong EU presence
Axeptio – user-friendly design, popular in France
Tarteaucitron.js – free, open-source, lightweight
OneTrust – enterprise-grade, expensive

The CMP must categorize cookies correctly (essential, analytics, marketing, etc.) and block all non-essential scripts until positive consent is recorded.

Step 2: Implement Conditional Script Loading

Here’s a practical example of how to conditionally load Google Analytics 4 only after the user grants consent, using a custom consent check:

<script>
// Check if analytics consent has been granted
function hasAnalyticsConsent() {
  const consent = document.cookie
    .split('; ')
    .find(row => row.startsWith('analytics_consent='));
  return consent ? consent.split('=')[1] === 'true' : false;
}

// Load GA4 only if consent is given
function loadGA4() {
  if (!hasAnalyticsConsent()) return;

  const script = document.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX';
  document.head.appendChild(script);

  script.onload = function() {
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'G-XXXXXXXXXX', {
      anonymize_ip: true,
      cookie_expires: 13 * 30 * 24 * 60 * 60, // 13 months in seconds
      cookie_flags: 'SameSite=Lax;Secure'
    });
  };
}

// Listen for consent changes
document.addEventListener('analyticsConsentGranted', loadGA4);

// Also check on page load (returning visitor who already consented)
if (document.readyState === 'loading') {
  document.addEventListener('DOMContentLoaded', loadGA4);
} else {
  loadGA4();
}
</script>

This approach ensures the GA4 script never fires without explicit consent—a requirement that many default Google Tag Manager setups fail to enforce.

Google introduced Consent Mode v2 in late 2023, and it became mandatory for Google Ads in the EEA from March 2024. It allows you to adjust how Google tags behave based on consent status:

// Set default consent state (before user interaction)
gtag('consent', 'default', {
  'analytics_storage': 'denied',
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'wait_for_update': 500
});

// Update consent when user makes a choice
function updateConsent(analyticsGranted, adsGranted) {
  gtag('consent', 'update', {
    'analytics_storage': analyticsGranted ? 'granted' : 'denied',
    'ad_storage': adsGranted ? 'granted' : 'denied',
    'ad_user_data': adsGranted ? 'granted' : 'denied',
    'ad_personalization': adsGranted ? 'granted' : 'denied'
  });
}

When analytics_storage is denied, GA4 sends cookieless pings that enable behavioral modeling—Google fills in data gaps using machine learning. This recovers an estimated 50-70% of lost analytics data without violating consent.

Step 4: Consider Server-Side Tagging

Server-side tagging is an increasingly popular architecture where tracking requests are routed through your own server (or a cloud endpoint you control) before being forwarded to analytics platforms. Benefits include:

Full control over what data leaves your infrastructure
Reduced client-side scripts, improving page speed
First-party context for all data collection
Ability to strip PII before it reaches third-party tools

At Lueur Externe, our AWS Solutions Architect certification comes into play here—we deploy server-side Google Tag Manager containers on AWS infrastructure within the EU (typically the eu-west-3 Paris region), ensuring data never touches US-based servers before being sanitized.

Step 5: Document Everything

GDPR’s accountability principle (Article 5(2)) requires you to demonstrate compliance proactively. Maintain documentation covering:

Records of Processing Activities (ROPA) for analytics data
Data Protection Impact Assessment (DPIA) if using profiling or large-scale tracking
Data Processing Agreements (DPA) with every analytics vendor
Consent records with timestamps and version history
Cookie audit results updated at least quarterly

Let’s be honest: requiring consent means losing data. Studies consistently show that 30-60% of European users decline analytics cookies when presented with a compliant consent banner. This creates a painful data gap.

Here are strategies to mitigate this:

Use Consent Mode v2 modeling to recover modeled conversions (GA4)
Run Matomo in cookieless first-party mode alongside GA4 to capture 100% of traffic for basic metrics
Implement enhanced conversions using hashed first-party data for ads measurement
Leverage server logs for basic visitor counting—no cookies, no consent needed
Optimize your consent banner UX (studies show that a well-designed banner can achieve 70-80% opt-in rates versus 40-50% for a poorly designed one)

Place “Accept” and “Refuse” buttons with equal visual weight
Avoid dark patterns (misleading colors, hidden reject buttons)
Offer a clear, one-click reject option on the first layer
Use plain language, not legal jargon
Keep the banner non-intrusive but visible
Load it before any non-essential scripts fire

The Future: What’s Coming in 2025 and Beyond

The regulatory landscape continues to evolve:

The ePrivacy Regulation (meant to replace the ePrivacy Directive) is still in legislative limbo but could harmonize cookie rules across all EU member states
The EU-US Data Privacy Framework faces a potential challenge at the CJEU, which could invalidate transatlantic transfers again (a “Schrems III” scenario)
AI-driven analytics is raising new questions about profiling and automated decision-making under GDPR Articles 21 and 22
Browser-level privacy features (Safari ITP, Firefox ETP, Chrome’s Privacy Sandbox) are making client-side tracking increasingly unreliable regardless of GDPR

The trend is unmistakable: privacy-first analytics isn’t just a legal requirement—it’s becoming a technical necessity. Businesses that adapt now will have a competitive advantage.

A Practical Compliance Checklist

Before we wrap up, here’s a quick checklist you can use to audit your current analytics setup:

Conclusion: Privacy and Performance Can Coexist

GDPR didn’t kill web analytics—it forced the industry to grow up. The days of silently harvesting every data point from unsuspecting visitors are over, and that’s a good thing. Businesses that embrace privacy-first analytics earn user trust, reduce legal risk, and often discover that the data they actually need is far less invasive than what they were collecting before.

The key is implementation. Choosing the right tools, configuring them correctly, building proper consent flows, and documenting everything requires real expertise at the intersection of web development, data architecture, and privacy law.

That’s exactly where Lueur Externe excels. With over 20 years of experience building and optimizing web platforms—from Prestashop e-commerce stores to complex WordPress ecosystems—and deep expertise in server-side infrastructure (AWS Solutions Architect certified), our team helps businesses across the Alpes-Maritimes and beyond implement analytics setups that are both powerful and fully compliant.

Ready to make your analytics GDPR-proof without sacrificing the insights you need? Get in touch with Lueur Externe for a free privacy audit of your current setup. Let’s build something that respects your users and drives your business forward.

Why Analytics and GDPR Are on a Collision Course

Understanding GDPR’s Impact on Analytics

What Counts as Personal Data in Analytics?

The Consent Requirement

The Real Cost of Non-Compliance

Privacy-First Analytics: Your Options Compared

Google Analytics 4: Powerful but Complex to Make Compliant

Matomo: The Self-Hosted Compliance Champion

Plausible and Fathom: Lightweight and Privacy-Native

Implementing GDPR-Compliant Analytics: A Practical Guide

Step 1: Set Up a Consent Management Platform (CMP)

Step 2: Implement Conditional Script Loading

Step 3: Configure Google Consent Mode v2

Step 4: Consider Server-Side Tagging

Step 5: Document Everything

Measuring the Impact: What Happens to Your Data After Implementing Consent

Consent Banner UX Best Practices

The Future: What’s Coming in 2025 and Beyond

A Practical Compliance Checklist

Conclusion: Privacy and Performance Can Coexist