
Is classic analytics GDPR-compliant?

Short answer: it is nuanced and it has changed. In 2022 several EU data-protection regulators ruled that sending visitor data to the US through mainstream analytics tools breached the GDPR, mainly over those transfers. A 2023 EU decision changed the legal basis for them. Classic, cookie-based analytics can be configured more defensibly now, but it still uses cookies and needs care.

What happened in 2022

In 2022, several EU data-protection regulators ruled that sending visitor data to the US through mainstream analytics tools breached the GDPR. As those tools were configured at the time, the regulators found the cross-border transfers lacked sufficient safeguards under the GDPR rules on international transfers. Prompted by a wave of privacy complaints, those decisions pushed many EU sites to reconsider.

What changed in 2023

In 2023, the EU-US Data Privacy Framework changed the picture again. The European Commission adopted an adequacy decision for it, and for US organisations that self-certify under the framework, this restored a legal basis for transferring personal data from the EU. Many mainstream analytics providers participate in the framework, which materially changes the 2022 transfer analysis. The framework itself has been challenged and could evolve.

So, can you use it compliantly today?

Often, with care. In practice that usually means using the current generation of the tool, obtaining valid consent because it sets cookies, configuring data handling and retention sensibly, and keeping your privacy policy accurate. The point is that "compliant" is a property of your whole setup and configuration, not a fixed yes or no about the product.

The simpler path

A cookieless, EU-processed analytics tool sidesteps most of these questions: no consent banner to get right, no cross-border transfer to defend, no personal data to retain. That is the trade PlainStats makes. See GDPR-compliant analytics and the privacy analytics alternative overview.

Sources

General information, not legal advice. This area moves quickly and varies by country. Confirm the current position with a data protection officer or qualified counsel.
