If you're running Google Analytics — or any analytics tool that transfers data outside the EU — your company may already be in violation of GDPR.
This isn't theoretical risk. Six EU data protection authorities have ruled that Google Analytics violates GDPR. Cumulative GDPR fines exceeded €5.88 billion by January 2025. And the number of enforcement actions is accelerating, not slowing down.
This checklist walks you through everything you need to audit your current analytics setup, understand your compliance gaps, and take concrete steps to fix them.
What Makes Analytics GDPR Non-Compliant
Before diving into the checklist, it's worth understanding why most analytics tools create GDPR problems.
Analytics tools violate GDPR in three main ways:
1. Unlawful data transfers to the US
When a European user visits your website and your analytics tool sends their data to US-based servers, that's an international data transfer. Under GDPR Article 46, these transfers are only lawful if there are adequate safeguards in place.
The invalidation of Privacy Shield in 2020 (Schrems II) created a compliance gap that Google's Standard Contractual Clauses have not adequately bridged, according to multiple EU DPAs. The core problem: US intelligence law (FISA Section 702, Executive Order 12333) allows US authorities to access data held by US companies — including data about EU citizens. EU DPAs have ruled that this creates an unacceptable risk.
2. Processing without valid consent
Analytics cookies that store persistent identifiers require explicit, informed consent before being placed. "Consent" obtained through pre-ticked boxes, misleading UI (dark patterns), or buried opt-out mechanisms does not count as valid consent under GDPR Article 7.
3. Excessive data collection
GDPR's data minimization principle (Article 5(1)(c)) requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." Many analytics platforms collect far more data than needed — detailed device fingerprints, precise geolocation, persistent cross-site tracking — none of which is necessary for basic product analytics.
The 6 EU DPA Rulings Against Google Analytics
These aren't hypothetical risks. Here's what's actually happened:
| Country | Authority | Ruling | Date |
|---|---|---|---|
| Austria | DSB | Google Analytics violates GDPR; data transfers to US unlawful | Jan 2022 |
| France | CNIL | GA usage violates GDPR; ordered companies to comply or switch | Feb 2022 |
| Italy | Garante | GA transfers EU data to US unlawfully; multiple enforcement actions | Jun 2022 |
| Denmark | Datatilsynet | GA4 violates GDPR; municipalities ordered to stop using it | Sep 2022 |
| Finland | Tietosuojavaltuutettu | GA data transfers unlawful; enforcement letters sent | Oct 2022 |
| Norway | Datatilsynet | GA violates GDPR Chapter V; formal guidance issued | Jul 2023 |
The pattern is clear: EU DPAs across six countries have independently reached the same conclusion. Google Analytics — including the newer GA4 — does not provide adequate protection for EU user data.
This isn't a niche privacy law position. It's mainstream enforcement.
The GDPR Analytics Compliance Checklist
Work through each section. For each item, mark whether you're compliant, non-compliant, or uncertain (then investigate further).
Section 1: Data Transfers
☐ 1.1 — Identify all analytics tools that transfer data outside the EU
List every analytics, tracking, and data enrichment tool in your stack. For each one, determine:
- Where are servers physically located?
- Is the parent company US-based (subject to FISA 702)?
- Is there a valid Transfer Impact Assessment (TIA) on file?
☐ 1.2 — Check your Standard Contractual Clauses are current
If you rely on SCCs for data transfers, ensure you're using the 2021 updated SCCs (not the deprecated pre-Schrems II versions). Check with your DPA — several have ruled that SCCs alone are insufficient for US transfers given US surveillance law.
☐ 1.3 — Document your legal basis for each transfer
For each international data transfer, you need a documented legal basis. "We signed up and accepted the ToS" is not a legal basis. Adequacy decision, binding corporate rules, or updated SCCs with supplementary measures are required.
☐ 1.4 — Evaluate EU-only analytics alternatives
The simplest way to eliminate transfer risk is to use an analytics tool that processes and stores data exclusively in EU-based infrastructure. Tools that don't transfer data to the US by design eliminate the need for transfer impact assessments entirely.
Section 2: Cookie Consent
☐ 2.1 — Audit your consent mechanism
Your consent banner must meet all of these criteria:
- Consent is freely given (declining doesn't block site access)
- Consent is specific (separate toggles for analytics, marketing, etc.)
- Consent is informed (clearly explains what data is collected and why)
- Consent is unambiguous (requires affirmative action — pre-ticked boxes are invalid)
☐ 2.2 — Verify that analytics scripts fire AFTER consent
Use your browser's network inspector to verify: do analytics scripts load before consent is given? If you see analytics requests before the user has clicked anything on your consent banner, you have a compliance violation.
☐ 2.3 — Implement proper consent withdrawal
Users must be able to withdraw consent as easily as they granted it. If you have an "Accept All" button, you need an equally accessible "Withdraw Consent" mechanism. Check that withdrawal actually stops data collection — not just hides the banner.
☐ 2.4 — Store consent records
Under GDPR Article 7(1), you must be able to demonstrate that consent was obtained. This means logging consent timestamps, the version of your privacy notice shown, and the user's choice. Your Consent Management Platform (CMP) should handle this.
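As an added illustration of checks 2.2 to 2.4 (example code written for this page, not Grain's code or any real CMP), here is a minimal consent gate: the vendor script is fetched only after an affirmative grant, every event re-checks consent so withdrawal really stops collection, and each decision is logged with a timestamp and the privacy-notice version. The script URL, the notice version label and the injected `loadScript` / `clock` callbacks are assumptions made so the logic can run outside a browser; in a page, `loadScript` would append a `<script>` tag and `clock` would return `new Date().toISOString()`.

```javascript
// Added example (not Grain's code, not a real CMP): a minimal consent gate that
// models checks 2.2 to 2.4. The vendor script URL is a placeholder, and
// `loadScript` / `clock` are injected so the logic runs outside a browser.

const PRIVACY_NOTICE_VERSION = '2026-01'; // assumed label of the notice shown to the user
const ANALYTICS_SCRIPT_URL = 'https://analytics.example/collect.js'; // placeholder vendor URL

function createConsentGate({ loadScript, clock }) {
  // "Specific" consent: analytics and marketing are separate purposes (2.1).
  const granted = { analytics: false, marketing: false };
  const records = []; // evidence for Art. 7(1): which choice, when, under which notice (2.4)
  const sent = [];    // events actually handed to the vendor
  let scriptLoaded = false;

  function assertPurpose(purpose) {
    if (!(purpose in granted)) throw new Error(`unknown purpose: ${purpose}`);
  }
  function record(action, purpose) {
    records.push({
      action,
      purpose,
      granted: granted[purpose],
      noticeVersion: PRIVACY_NOTICE_VERSION,
      at: clock(),
    });
  }

  return {
    // Called only from an affirmative click on the banner, never on page load (2.2).
    grant(purpose) {
      assertPurpose(purpose);
      granted[purpose] = true;
      record('grant', purpose);
      if (purpose === 'analytics' && !scriptLoaded) {
        scriptLoaded = true;          // the vendor script is fetched only now
        loadScript(ANALYTICS_SCRIPT_URL);
      }
    },
    // Withdrawal is a single call with no extra steps (2.3).
    withdraw(purpose) {
      assertPurpose(purpose);
      granted[purpose] = false;
      record('withdraw', purpose);
    },
    // Each event re-checks consent, so withdrawal stops collection rather than
    // merely hiding the banner (2.3). Returns whether the event was sent.
    track(eventName) {
      if (!granted.analytics) return false;
      sent.push(eventName);
      return true;
    },
    hasConsent: (purpose) => granted[purpose] === true,
    records: () => records.slice(),
    sentEvents: () => sent.slice(),
  };
}

// Walk through the checklist with a fake loader and a deterministic clock.
function demo() {
  const loaded = [];
  let tick = 0;
  const gate = createConsentGate({
    loadScript: (url) => loaded.push(url),
    clock: () => `2026-01-01T00:00:0${tick++}Z`,
  });

  const beforeConsent = gate.track('page_view');     // dropped: no consent yet
  const scriptsBeforeConsent = loaded.length;        // nothing fetched yet (2.2)
  gate.grant('analytics');
  const afterConsent = gate.track('signup_click');   // sent
  gate.withdraw('analytics');
  const afterWithdrawal = gate.track('checkout');    // dropped again (2.3)

  return {
    beforeConsent,
    scriptsBeforeConsent,
    afterConsent,
    afterWithdrawal,
    loadedScripts: loaded.slice(),
    sent: gate.sentEvents(),
    records: gate.records(),                         // 2.4 evidence
  };
}
```

The gate is deliberately the only code path that can load the vendor script, which is what makes the 2.2 network-inspector check pass by construction: if a request to the analytics host appears before `grant('analytics')` has run, some other code on the page is bypassing the gate.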
☐ 2.5 — Consider cookieless analytics to bypass consent requirements
Analytics that don't use persistent cookies or cross-site tracking identifiers may not require consent under the ePrivacy Directive's "strictly necessary" exemption. Cookieless approaches that aggregate data without storing personal data on user devices can significantly simplify your compliance posture.
Section 3: Data Processing & Storage
☐ 3.1 — Verify data retention limits
GDPR's storage limitation principle requires that personal data be kept only as long as necessary. Most analytics platforms offer configurable retention periods — set them. 14 months is a common default in GA4; consider whether your use case actually requires that. 3 months is often sufficient for product analytics.
☐ 3.2 — Confirm data residency
Where is your analytics data actually stored? "EU region" options on US cloud providers (AWS EU-West, Google Cloud EU) may not be sufficient if the US parent company has legal access to that data. Ideally, your analytics vendor is headquartered and incorporated in the EU, with no US parent.
☐ 3.3 — Document your Records of Processing Activities (RoPA)
GDPR Article 30 requires maintaining a record of processing activities. Your analytics processing must be documented: purpose, categories of data, retention period, legal basis, and recipients. Check that your RoPA is up to date.
Section 4: Privacy Policy & Transparency
☐ 4.1 — Update your privacy policy to accurately describe analytics
Your privacy policy must disclose:
- What analytics tools you use (by name)
- What data is collected
- How long it's retained
- Who it's shared with (including sub-processors)
- The legal basis for processing
Vague references to "analytics providers" are not sufficient. Users are entitled to know specifically what tools process their data.
☐ 4.2 — Make your privacy policy findable
A GDPR-compliant privacy policy must be easily accessible — not buried in footer links with 6pt font. It should be available from every page, clearly labeled.
☐ 4.3 — Provide a mechanism for data subject requests
EU users have the right to access, correct, and delete their personal data. If someone emails asking you to delete their analytics data, do you have a process to handle that? Do you know which records correspond to that user? Test your data subject request workflow.
Section 5: Technical Safeguards
☐ 5.1 — IP anonymization is enabled (if using IP-based analytics)
If your analytics tool logs IP addresses, ensure IP anonymization is enabled before any data leaves your infrastructure. Note: IP anonymization in GA4 truncates the last octet, which may still allow precise geolocation — some DPAs consider this insufficient.
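To make the "last octet" point concrete, here is an added example (not Grain's or Google's code) of IP anonymization at two strengths, run server-side before any record leaves your infrastructure: the common convention of zeroing the last IPv4 octet or the last 80 bits of an IPv6 address, and a stricter variant that zeroes two octets or 96 bits. The `addressesPerBucket` helper shows why the single-octet form is considered weak: 256 hosts per anonymized value still identifies a small network. The addresses in the self-check are constructed from the documentation ranges; the function names are assumptions for this example.

```javascript
// Added example (not Grain's or Google's code): IP anonymization at two strengths,
// applied before the address is stored or forwarded (check 5.1).
// Sample addresses come from the documentation ranges (constructed).

function anonymizeIpv4(addr, octetsToZero) {
  const octets = addr.split('.');
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`not an IPv4 address: ${addr}`);
  }
  // Zero the trailing octets: one octet leaves a /24 (256 hosts), two leave a /16.
  return octets
    .map((o, i) => (i >= 4 - octetsToZero ? '0' : String(Number(o))))
    .join('.');
}

// Expand "::" shorthand into eight 16-bit groups (plain hex form only; IPv4-mapped
// addresses such as ::ffff:203.0.113.1 are rejected rather than mishandled).
function expandIpv6(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error(`not an IPv6 address: ${addr}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = halves.length === 2 ? 8 - head.length - tail.length : 0;
  const groups = [...head, ...Array(Math.max(missing, 0)).fill('0'), ...tail];
  if (groups.length !== 8 || groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`not an IPv6 address: ${addr}`);
  }
  return groups.map((g) => parseInt(g, 16));
}

function anonymizeIpv6(addr, groupsToKeep) {
  // Keeping 3 groups (48 bits) zeroes the last 80 bits; keeping 2 zeroes the last 96.
  return expandIpv6(addr)
    .map((g, i) => (i < groupsToKeep ? g.toString(16) : '0'))
    .join(':');
}

// strength: 'standard' = last IPv4 octet / last 80 IPv6 bits,
//           'strict'   = last two octets / last 96 bits.
function anonymizeIp(addr, strength = 'standard') {
  const strict = strength === 'strict';
  if (addr.includes(':')) return anonymizeIpv6(addr, strict ? 2 : 3);
  return anonymizeIpv4(addr, strict ? 2 : 1);
}

// Number of real addresses that collapse onto one anonymized value. The larger
// it is, the less an anonymized address can single out one visitor.
function addressesPerBucket(addr, strength = 'standard') {
  const strict = strength === 'strict';
  if (addr.includes(':')) return 2n ** BigInt(strict ? 96 : 80);
  return 2 ** (8 * (strict ? 2 : 1));
}
```

Whichever strength you choose, the anonymization has to happen in your own request pipeline (reverse proxy, edge function or collector) rather than in the vendor's settings, otherwise the full address has already left your infrastructure by the time it is truncated.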
☐ 5.2 — Disable advertising features and cross-site tracking
In GA4 and similar tools, "advertising features" enable cross-site tracking, interest category inference, and data sharing with advertising networks. These require explicit consent and are high-risk for GDPR. Disable them unless you have a specific, consented use case.
☐ 5.3 — Audit third-party scripts for hidden analytics
Many marketing tools (chat widgets, social sharing buttons, embedded maps) include their own analytics and tracking. Run a full audit of all third-party scripts on your site. Tools like Request Map or browser network inspection can reveal what's actually being called.
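A small audit helper, added here as an example for 5.3 (and for the before-consent check in 2.2), not code from Grain or from any of the tools named above: it groups the browser's resource-timing entries by registrable domain, drops your own domain, flags domains on a starting list of known tracker hosts, and counts how many requests to each domain started before the user granted consent. In a page you would call it with `performance.getEntriesByType('resource')`, `location.hostname` and the `performance.now()` value captured when the user clicked accept. The sample entries, the consent timestamp, the placeholder measurement id, the three-domain tracker list and the two-label domain heuristic are all assumptions made for this example.

```javascript
// Added example (not Grain's or any tool's code): group resource-timing entries
// by third-party domain and flag requests that started before consent (5.3, 2.2).

// Starting list of well-known analytics/ad domains; extend it for your own audit.
const KNOWN_TRACKER_DOMAINS = new Set([
  'google-analytics.com',
  'googletagmanager.com',
  'doubleclick.net',
]);

// Heuristic: the last two labels. A real audit should use a public suffix list so
// that hosts under suffixes like "co.uk" are grouped correctly.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

function auditResourceEntries(entries, firstPartyHost, consentAtMs) {
  const firstParty = registrableDomain(firstPartyHost);
  const report = {};
  for (const entry of entries) {
    let url;
    try { url = new URL(entry.name); } catch (e) { continue; } // skip malformed names
    if (!url.hostname) continue;                                // skip data:/blob: URLs
    const domain = registrableDomain(url.hostname);
    if (domain === firstParty) continue;
    const row = report[domain] || (report[domain] = {
      requests: 0,
      beforeConsent: 0,          // requests that fired before the accept click
      initiators: [],            // script, fetch, xmlhttprequest, img, ...
      knownTracker: KNOWN_TRACKER_DOMAINS.has(domain),
    });
    row.requests += 1;
    if (entry.startTime < consentAtMs) row.beforeConsent += 1;
    if (!row.initiators.includes(entry.initiatorType)) row.initiators.push(entry.initiatorType);
  }
  return report;
}

// Constructed sample resembling a page with GA4, a tag manager and a chat widget;
// startTime is milliseconds since navigation start, as in PerformanceResourceTiming.
const SAMPLE_ENTRIES = [
  { name: 'https://www.example.com/static/app.js', initiatorType: 'script', startTime: 120 },
  { name: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER', initiatorType: 'script', startTime: 150 },
  { name: 'https://www.google-analytics.com/g/collect?v=2&en=page_view', initiatorType: 'fetch', startTime: 400 },
  { name: 'https://cdn.chat-widget.example/loader.js', initiatorType: 'script', startTime: 800 },
  { name: 'https://api.chat-widget.example/visitor', initiatorType: 'xmlhttprequest', startTime: 1500 },
  { name: 'https://www.google-analytics.com/g/collect?v=2&en=scroll', initiatorType: 'fetch', startTime: 3000 },
];
const CONSENT_AT_MS = 2000; // constructed: the user accepted 2 s after navigation

function demoAudit() {
  return auditResourceEntries(SAMPLE_ENTRIES, 'www.example.com', CONSENT_AT_MS);
}
```

Any row with `beforeConsent > 0` is a 2.2 finding; any row with `knownTracker === false` and a non-trivial request count (here the chat widget) is the "hidden analytics" case 5.3 is about and needs a vendor review rather than a guess.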
☐ 5.4 — Review user ID and cross-device tracking
If you use User IDs to link sessions across devices or logged-out/logged-in states, ensure users have consented to this. User ID tracking is typically more privacy-invasive than session-based tracking.
Section 6: Organizational Readiness
☐ 6.1 — Assign a responsible owner for analytics compliance
Someone in your organization needs to own this. Typically: Head of Product, CTO, or DPO (if you have one). Without clear ownership, compliance gaps accumulate.
☐ 6.2 — Establish a review cadence
GDPR compliance isn't a one-time project. New tools get added, consent mechanisms change, DPA interpretations evolve. Schedule a quarterly analytics compliance review.
☐ 6.3 — Brief your engineering and product teams
Developers implementing new tracking and product managers adding new analytics events need to understand what they can and can't do without additional consent or DPA review. Create a brief internal guide.
☐ 6.4 — Know your supervisory authority
Which EU member state supervises your company for GDPR purposes? This is generally determined by the location of your EU establishment (or your "main establishment" for cross-border processing). Know who your lead DPA is and how to contact them.
Quick Reference: Compliant vs. Non-Compliant Analytics Setups
| Setup | GDPR Status | Why |
|---|---|---|
| Google Analytics 4 (default settings) | ⛔ Non-compliant | US data transfers, persistent cookies, advertising features |
| GA4 + IP anonymization + SCCs | ⚠️ Disputed | Multiple DPAs ruled SCCs insufficient for US transfers |
| GA4 + Consent Mode + valid CMP | ⚠️ Partial | Consent Mode still transfers some data; EU DPAs skeptical |
| Plausible / Fathom (EU hosting) | ✅ Generally compliant | No cookies, no personal data, EU infrastructure |
| Self-hosted Matomo (no cookies) | ✅ Compliant | Full control, no transfers, cookieless config available |
| Grain Analytics | ✅ Compliant | EU-only infrastructure, cookie-less, no data transfers |
| Mixpanel (EU data residency opt-in) | ⚠️ Partial | US parent company access still possible under US law |
What to Do If You Find Compliance Gaps
If you've worked through the checklist and found problems — don't panic. Here's a practical response framework:
Step 1: Stop the bleeding first
If you're using Google Analytics without valid consent collection, disable it immediately. A data collection pause costs you insights; a DPA enforcement action can cost up to 4% of global annual turnover.
Step 2: Evaluate your path to compliance
Two options:
- Fix your existing setup: Add a compliant CMP, configure IP anonymization, disable advertising features, set up proper consent logging. Feasible, but complex — and still leaves you exposed to the data transfer issue.
- Switch to a privacy-first analytics tool: Choose a tool designed for GDPR compliance from the ground up. This is often faster to implement and more durable than patching a non-compliant tool.
Step 3: Document everything
As you make changes, document them. Compliance isn't just about what you do — it's about being able to demonstrate what you did. DPAs ask for documentation; have it ready.
Step 4: Conduct a Transfer Impact Assessment if needed
If you continue using any US-based tool, conduct and document a Transfer Impact Assessment. EDPB guidelines on Chapter V transfers outline what this needs to cover. Your legal team or DPO should lead this.
The Privacy-First Analytics Alternative
The simplest way to pass GDPR analytics compliance is to use an analytics tool that doesn't create compliance problems in the first place.
Grain Analytics was built specifically for this: EU-only infrastructure, cookie-less tracking that requires no consent banner, and no data transfers to the US or third parties. You get full funnel analytics, session replays, heatmaps, and event tracking — without any of the GDPR complexity.
The practical benefit: if your analytics tool doesn't use cookies and doesn't transfer personal data, you eliminate entire sections of this checklist. No consent mechanism required for analytics. No transfer impact assessments. No cookie audit. No sub-processor changes to monitor.
Privacy-first analytics isn't just a compliance workaround. When you don't depend on cookies, you see 100% of your traffic — not the 40–70% that actually accepts your consent banner. Your data is more accurate, your compliance burden is lighter, and your users trust you more.
Compliance Checklist Summary
Save or share this condensed version:
GDPR Analytics Compliance Checklist 2026
DATA TRANSFERS
☐ All analytics tools with EU data transfer identified
☐ Current SCCs in place (2021 versions)
☐ Legal basis documented for each transfer
☐ EU-only tools evaluated as alternatives
COOKIE CONSENT
☐ Consent is freely given, specific, informed, unambiguous
☐ Analytics scripts fire AFTER consent only
☐ Consent withdrawal mechanism exists and works
☐ Consent records stored with timestamps
DATA PROCESSING
☐ Retention periods set and documented
☐ EU data residency confirmed (truly EU-only)
☐ Records of Processing Activities (RoPA) updated
PRIVACY POLICY
☐ Analytics tools named explicitly in privacy policy
☐ Policy is findable from all pages
☐ Data subject request process exists and is tested
TECHNICAL SAFEGUARDS
☐ IP anonymization enabled (if using IP-based tools)
☐ Advertising features and cross-site tracking disabled
☐ Third-party scripts audited for hidden tracking
☐ User ID / cross-device tracking reviewed
ORGANIZATIONAL
☐ Compliance owner assigned
☐ Quarterly review cadence established
☐ Engineering/product teams briefed
☐ Supervisory authority identified
Start Your Free Trial
Ready to eliminate GDPR analytics risk entirely? Grain's privacy-first analytics gives you full behavioral analytics — funnels, heatmaps, session replays, AI-powered insights — with zero cookie consent requirements and EU-only data processing.
No credit card required. Up and running in under 10 minutes. Your compliance lawyer will be relieved.
This post is for informational purposes and does not constitute legal advice. For specific compliance questions, consult a qualified legal professional familiar with GDPR and applicable EU member state law.