GDPR (General Data Protection Regulation) is a European Union privacy law that governs how organizations collect, process, and store personal data of EU residents. It’s the most comprehensive data protection regulation globally and has significantly influenced analytics practices worldwide.
Why analysts care
- Applies globally: Any organization processing EU residents’ data must comply, regardless of company location.
- Consent requirements: Most tracking requires explicit, informed consent before data collection begins.
- Individual rights: Users can request access, correction, or deletion of their data at any time.
- Serious penalties: Violations can result in fines up to €20 million or 4% of global annual revenue.
Core principles
GDPR is built on seven key principles:
- Lawfulness, fairness, transparency: Process data legally and openly.
- Purpose limitation: Collect data for specific, stated purposes only.
- Data minimization: Collect only what’s necessary.
- Accuracy: Keep data accurate and up to date.
- Storage limitation: Don’t keep data longer than needed.
- Integrity and confidentiality: Keep data secure against unauthorised access and loss.
- Accountability: Demonstrate compliance.
What counts as personal data
Under GDPR, personal data includes any information relating to an identifiable person:
- Name, email, phone number
- IP addresses
- Cookie identifiers
- Device IDs
- Geography and location data
- Online behavior that can identify someone
This broad definition means that most web analytics involves personal data processing.
Consent requirements
GDPR consent must be:
- Freely given: No penalty for refusing.
- Specific: Separate consent for different purposes.
- Informed: Users understand what they’re agreeing to.
- Unambiguous: Clear affirmative action required.
Pre-ticked boxes, implied consent, and bundled permissions don’t meet these requirements. Use a proper consent mode implementation.
Impact on analytics
GDPR has transformed web analytics practice:
- Cookie consent banners became mandatory.
- Privacy-first analytics tools gained popularity.
- IP anonymization became standard practice.
- Data retention policies require regular review.
- Server location matters (EU data residency concerns).
- First-party cookie strategies replaced third-party tracking.
Practical guidance
Implement a proper consent mode so that data is collected only after the user has approved it. Use server-side tagging for better control over data flows.
Document your data processing activities and maintain records of consent. Configure your data layer to respect user preferences.
Review the data retention settings in your analytics platform. Delete or anonymize data that is no longer needed for its stated purposes.
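The consent rules above (specific, per-purpose, affirmative, withdrawable) and the practical guidance on a consent-aware data layer with records of consent can be expressed as a small gate in front of the analytics calls. The following is an added example written for this page, not code from the original page or from any particular analytics vendor; the purpose names, the in-memory stand-in for the analytics sink, the log format and the `createConsentGate` API are all assumptions.

```javascript
// Added example (not from the original page): a consent gate for a web
// analytics data layer. Tracking calls made before the visitor decides are
// held, then released or discarded according to a per-purpose decision, and
// every decision is recorded with a timestamp so consent can be evidenced.
// Purpose names, the in-memory sink and the log format are assumptions.

// Purposes the banner asks about separately (GDPR requires specific consent).
const PURPOSES = ["analytics", "marketing"];

function createConsentGate(purposes = PURPOSES, clock = () => new Date().toISOString()) {
  // Nothing is granted until the visitor takes an affirmative action:
  // no pre-ticked boxes, no consent implied from continued browsing.
  const state = Object.fromEntries(purposes.map((p) => [p, "pending"]));
  const held = [];        // { purpose, event } waiting for a decision
  const released = [];    // events handed to the analytics tool (stand-in for the real sink)
  const consentLog = [];  // evidence of each decision: when, which purpose, granted or not

  function track(purpose, event) {
    if (!(purpose in state)) throw new Error(`unknown purpose: ${purpose}`);
    switch (state[purpose]) {
      case "granted": released.push(event); return "released";
      case "denied":  return "dropped";                 // no consent, no data leaves the page
      default:        held.push({ purpose, event }); return "held";
    }
  }

  function applyDecision(purpose, granted) {
    if (!(purpose in state)) throw new Error(`unknown purpose: ${purpose}`);
    state[purpose] = granted ? "granted" : "denied";
    consentLog.push({ at: clock(), purpose, granted });
    // Resolve events held for this purpose; other purposes keep waiting.
    const keep = [];
    for (const item of held) {
      if (item.purpose !== purpose) keep.push(item);
      else if (granted) released.push(item.event);      // denied items are simply discarded
    }
    held.length = 0;
    held.push(...keep);
  }

  // Decisions from the banner, e.g. { analytics: true, marketing: false }.
  function update(decisions) {
    for (const [purpose, granted] of Object.entries(decisions)) applyDecision(purpose, granted);
  }

  // Withdrawal must be as easy as giving consent; it stops further collection.
  function withdraw(purpose) { applyDecision(purpose, false); }

  return {
    track, update, withdraw,
    status: (p) => state[p],
    heldCount: () => held.length,
    released: () => released.slice(),
    consentLog: () => consentLog.slice(),
  };
}

// Demo: a page view fires before the banner is answered, then the visitor
// allows analytics but refuses marketing, and later withdraws analytics.
function demo() {
  const gate = createConsentGate(PURPOSES, () => "2024-01-01T00:00:00.000Z"); // fixed clock for the demo
  gate.track("analytics", { name: "page_view", path: "/pricing" });           // held
  gate.track("marketing", { name: "ad_impression", campaign: "spring" });     // held
  gate.update({ analytics: true, marketing: false });                         // page_view released, ad_impression dropped
  gate.track("marketing", { name: "ad_click" });                              // dropped: consent refused
  gate.withdraw("analytics");
  gate.track("analytics", { name: "scroll" });                                // dropped: consent withdrawn
  return gate;
}
```

In a real deployment the `released` array would be replaced by the call into the tag manager or analytics SDK, and `consentLog` would be persisted (with the consent text version shown to the user) so that the record of consent survives the page. Keeping the gate in front of every tracking call, rather than only hiding the banner, is what makes "collect only after approval" hold for events fired during page load.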
A US company with European users must comply with GDPR for those visitors—geographic scope is based on user location, not company location.
