When GDPR conversations happen in publishing, the focus is almost always on advertising. Cookie consent banners. Ad network agreements. Third-party tracking. These are legitimate concerns, and they are where the largest fines have historically been issued. But there is a parallel compliance exposure that many publishers systematically underestimate: their analytics implementation.
The assumption that most publishers carry is something like: “We use Google Analytics. It’s a global standard tool used by millions of sites. Surely it’s compliant.” This assumption is wrong, and multiple European data protection authorities have confirmed as much in binding decisions.
The Google Analytics problem
Starting in 2022 and continuing through 2023 and 2024, the data protection authorities of Austria, France, Italy, Denmark, Finland, Norway, and others found that the use of Google Analytics on European websites violated GDPR. The core issue was data transfer: Google Analytics sends data - including IP addresses and browser characteristics that can identify individual users - to servers in the United States. Under GDPR, transfers of personal data to third countries require specific legal mechanisms to ensure the data receives equivalent protection. The standard contractual clauses that Google relied on were found insufficient, in the wake of the Schrems II judgment, to protect European users’ data from US government surveillance access.
The UK position is slightly different: following Brexit, the UK has its own data protection framework (UK GDPR), and the UK has granted an adequacy decision for data transfers to some countries. But the fundamental question - whether personal data collected via analytics is processed in a manner consistent with users’ rights - applies regardless of the specific transfer mechanism.
What “analytics cookies” actually collect
Part of the problem is the framing of analytics as somehow less intrusive than advertising. In practice, the data that analytics tools collect about individual users can be extensive:
- IP addresses (which can be used to infer location at city or neighbourhood level)
- Device type, operating system, and browser version
- The full URL of every page visited, including any parameters in the URL
- Referral source (which can reveal what sites a user visited before yours)
- Time spent on each page
- User interactions - scroll depth, clicks, video plays
- Persistent identifiers that link behaviour across sessions, where the user is logged in or cross-device tracking is enabled
Whether any of this constitutes “personal data” under GDPR depends on whether it can be used to identify an individual user, directly or indirectly. The regulators’ consistent position is that much of it can, particularly when combined with other data available to the analytics provider.
The consent question for analytics
Even setting aside data transfer issues, the consent question for analytics is more complex than many publishers realise. Under GDPR, processing personal data requires a legal basis. For most analytics processing, publishers rely on either legitimate interests or consent.
Legitimate interests can be a valid basis for analytics that are strictly necessary for a publisher’s own purposes - understanding which content is popular, diagnosing technical problems, monitoring traffic patterns. But the ICO’s guidance is clear that this basis is less likely to be available for analytics that involve cross-site tracking, integration with advertising data, or sharing data with the analytics provider for their own purposes.
For anything beyond basic, privacy-preserving analytics, consent is the appropriate legal basis - which means analytics cookies should be presented in the consent management process alongside advertising cookies, and users who decline should not have their analytics data collected.
Many publishers are not doing this. Their CMP presents advertising cookies as a category requiring consent, while analytics run regardless of consent status. This is a compliance gap.
Practical solutions
The good news is that this is a solvable problem, and solving it does not require abandoning analytics. Several approaches are available:
Server-side analytics: By processing analytics data on your own server before it is sent to an analytics provider, you can anonymise IP addresses and strip identifying parameters before any data leaves your infrastructure. This significantly reduces the compliance exposure associated with third-party analytics.
Cookieless analytics: There are analytics platforms designed from the ground up to work without cookies and without collecting personal data. Plausible, Fathom, and Matomo (in cookieless mode) are among the most established. These typically provide less granular data than Google Analytics, but they operate cleanly within GDPR without requiring consent - and for most publishers, the data they provide is sufficient for practical purposes.
Google Analytics with proper configuration: GA4 can be configured with IP anonymisation, data retention limits, and consent mode integration. This doesn’t eliminate all compliance exposure, but it reduces it substantially compared to a default implementation. Google’s Consent Mode v2 allows GA to function in a limited, aggregated mode for users who haven’t consented to analytics, which is a better approach than simply ignoring consent status.
Hybrid approach: Many publishers use a cookieless analytics tool for general traffic understanding (which can fire unconditionally) and a more powerful tool with proper consent for the deeper analytics they need for specific purposes.
The key action is to audit your current setup honestly. Map every analytics tool that fires on your site, understand what data it collects and where it sends it, and assess whether your consent framework is accurately reflecting the processing it enables. If your analytics tools are firing before consent is given, or firing for users who have declined consent, that needs to change.
This is not a theoretical risk. Enforcement actions against analytics implementations are increasing, and the ICO has made clear that it considers analytics privacy compliance to be part of its enforcement priorities. The cost of fixing your analytics setup is small compared to the cost of not doing so.