Analytics Without Consent Issues: Privacy-Friendly Analytics Alternatives
Why Google Analytics creates GDPR compliance problems for EU users, and a practical comparison of privacy-friendly alternatives including Plausible, Fathom, and PostHog, plus server-side analytics as the gold-standard approach.
In January 2022, the Austrian Data Protection Authority (DSB) issued a landmark ruling: using Google Analytics constitutes a violation of GDPR because it transfers personal data to the United States without adequate safeguards. The French CNIL and Italian Garante issued equivalent decisions within months. Since then, every EU supervisory authority has made clear that the GA4 migration and the EU-US Data Privacy Framework (DPF, in place since July 2023) partially resolve some of these concerns — but structural issues remain for many organizations.
This guide explains the precise nature of the compliance risk, evaluates the leading privacy-friendly analytics alternatives, and covers server-side analytics as the approach with the lowest risk surface.
Why Google Analytics Remains Problematic for Many Organizations
The core issues with Google Analytics in a GDPR context are:
Data transfer to the US: GA4 sends data to Google's US servers. The EU-US DPF provides a legal mechanism for this transfer, but the DPF has faced legal challenges before (Privacy Shield was invalidated in 2020) and may face them again. Organizations that cannot accept this legal uncertainty have reason to consider alternatives.
Google as a data controller: Google's Terms of Service for GA4 establish Google as an independent data controller for certain purposes (improving Google products). This means you are not the sole controller of your analytics data — Google has independent rights to use it. This complicates your ability to fulfill data subject rights requests, since Google has its own retention periods and data practices.
Cookie-based tracking: GA4 uses persistent cookies (_ga, _gid) that store a client ID allowing cross-session user tracking. Under ePrivacy Directive Article 5(3) (implemented in national cookie laws across the EU), storing information on a user's device requires prior consent unless strictly necessary. This requires a functional consent banner, and measurements before consent is given are lost entirely.
IP address processing: GA4 processes IP addresses as part of the data pipeline, even though it does not expose them to customers. IP addresses are personal data. Google's documentation states IP anonymization is applied before storage, but the processing itself occurs in the US.
None of these issues make GA4 categorically illegal for all organizations. Many use it with proper consent banners, DPF reliance, and DPA agreements. But for teams that want to simplify compliance or eliminate consent banner dependency for analytics, privacy-friendly alternatives are compelling.
Plausible Analytics
Plausible is an open-source, EU-hosted analytics tool built specifically for privacy compliance. Key technical characteristics:
No cookies, no cross-site tracking: Plausible uses a cookieless fingerprinting approach based on daily-rotating hashes of IP address + user agent + site domain. This hash cannot be used to track users across sites or across days. Because no persistent identifier is stored on the device, the ePrivacy Directive's consent requirement for cookies does not apply.
Data processing in the EU: Plausible's cloud offering is hosted in Germany (Hetzner). Data does not leave the EU.
No personal data in the data model: Plausible's data model records page views, referrers, browser/OS categories, country (not city), and custom events. It does not store IP addresses or any individual-level data. The company's privacy policy explicitly states they are a data processor, not a controller, and that they do not sell data or use it for advertising.
Self-hosting option: Plausible CE (Community Edition) is fully open-source and can be self-hosted on your own infrastructure, eliminating any third-party data transfer.
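The daily-rotating hash described above, as an added example (not code from the original article or from Plausible): HMAC-SHA-256, the in-memory salt and the names `DailyVisitorHasher` and `demoUnlinkability` are assumptions of this sketch. It shows that the same visitor is counted once per site per day but cannot be linked across sites or across days.

```javascript
const { createHmac, randomBytes } = require('node:crypto');

// Illustrative sketch: HMAC-SHA-256 and the in-memory salt are assumptions,
// not Plausible's implementation.
class DailyVisitorHasher {
  constructor(now = () => new Date()) {
    this.now = now;   // injectable clock so rotation can be exercised
    this.day = null;  // UTC day the current salt belongs to
    this.salt = null; // kept in memory only, never written to disk or logs
  }

  // Replace the salt when the UTC date changes; the old one is overwritten.
  currentSalt() {
    const today = this.now().toISOString().slice(0, 10); // YYYY-MM-DD
    if (today !== this.day) {
      this.day = today;
      this.salt = randomBytes(32);
    }
    return this.salt;
  }

  // JSON.stringify keeps the field boundaries unambiguous before hashing.
  visitorId(ip, userAgent, siteDomain) {
    return createHmac('sha256', this.currentSalt())
      .update(JSON.stringify([siteDomain, ip, userAgent]))
      .digest('hex')
      .slice(0, 16);
  }
}

// Constructed sample visitor: what can and cannot be linked.
function demoUnlinkability() {
  let clock = new Date('2024-05-01T10:00:00Z');
  const hasher = new DailyVisitorHasher(() => clock);
  const visitor = ['203.0.113.77', 'Mozilla/5.0 (constructed UA)'];
  const morning = hasher.visitorId(...visitor, 'example.com');
  clock = new Date('2024-05-01T22:30:00Z');
  const evening = hasher.visitorId(...visitor, 'example.com');
  const otherSite = hasher.visitorId(...visitor, 'shop.example');
  clock = new Date('2024-05-02T00:00:01Z'); // next UTC day: new salt
  const nextDay = hasher.visitorId(...visitor, 'example.com');
  return {
    sameDaySameSite: morning === evening, // true: counted as one visitor
    acrossSites: morning === otherSite,   // false
    acrossDays: morning === nextDay,      // false
  };
}

console.log(demoUnlinkability());
```

The IDs are only unlinkable once the salt is gone: while the day's salt exists, anyone holding it can recompute IDs for candidate IP and user-agent pairs, so it should stay in memory and out of logs and backups.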
Implementation is minimal — a single <script> tag with no consent banner required for EU visitors:
```html
<script defer data-domain="yourdomain.com" src="https://plausible.io/js/script.js"></script>
```
For custom event tracking:
```javascript
plausible('Purchase', {props: {plan: 'Pro', value: '29'}});
```
The tradeoff: Plausible's data model is intentionally simple. You get page views, sessions, bounce rate, referrers, and custom events. You do not get user-level journeys, cohort analysis, funnel analysis (unless you build it with custom events), or the ML-powered predictions GA4 provides. For product analytics, this may be insufficient.
Fathom Analytics
Fathom is a Canadian company (PIPEDA jurisdiction) with EU-isolated data routing. Its architecture is similar to Plausible — cookieless, privacy-first, no personal data retention — but it is a closed-source commercial product with a stronger focus on performance.
Technical differentiators:
- EU isolation: EU-origin traffic is routed exclusively through EU servers and never leaves the EU regulatory zone, even for processing.
- GDPR-compliant by design: Fathom has obtained legal opinions confirming its architecture meets GDPR requirements without consent banners.
- Bypass ad blockers: Fathom offers a custom domain feature that proxies their script through your own domain, so fewer requests are blocked by ad blockers (blocking affects data completeness).
Fathom is appropriate for teams that want a polished, maintained commercial product with compliance guarantees, and are willing to pay for it ($14/month at the entry tier).
PostHog: Privacy-Friendly Product Analytics
For teams that need full product analytics capabilities — funnels, session recordings, feature flags, A/B testing, cohort analysis — PostHog is the self-hostable alternative to Mixpanel and Amplitude.
PostHog's EU Cloud offering is hosted on AWS eu-west-2 (London). Self-hosting on your own infrastructure eliminates third-party data transfer entirely. This is the architecture choice that provides the most compliance certainty for teams processing significant volumes of EU personal data.
Key privacy configuration options in PostHog:
IP anonymization: PostHog can be configured to anonymize IP addresses before storage, dropping the last octet (IPv4) or last 80 bits (IPv6).
Person data opt-out: In cookieless mode (persistence: 'memory'), PostHog does not set any cookies or localStorage values. Sessions are not linked across page loads. This eliminates the ePrivacy consent requirement.
```javascript
posthog.init('phc_XXXX', {
  api_host: 'https://eu.posthog.com',
  persistence: 'memory', // No cookies or localStorage
  ip: false, // Don't capture IP
  capture_pageview: true,
  autocapture: false // Disable autocapture to control data collection
});
```
Session recordings with PII masking: If you use session recordings, PostHog can mask input fields automatically. Configure the mask list to cover any fields that capture personal data.
Data retention controls: PostHog's enterprise tier allows configuring per-event retention periods, automatically deleting events older than a specified window.
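What the IP truncation described above (last octet for IPv4, last 80 bits for IPv6) does to an address, as an added example that is not PostHog's code; the function names `expandIPv6` and `anonymizeIp` are hypothetical and the addresses used with it are constructed documentation-range values.

```javascript
// Expand an IPv6 string into eight 16-bit numbers, handling a single "::".
function expandIPv6(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error('invalid IPv6: more than one "::"');
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  // Without "::" all eight groups must be present; with it, at least one is elided.
  if (halves.length === 1 ? missing !== 0 : missing < 1) {
    throw new Error('invalid IPv6: wrong number of groups');
  }
  const zeros = Array(halves.length === 2 ? missing : 0).fill('0');
  return [...head, ...zeros, ...tail].map((group) => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(group)) throw new Error('invalid IPv6 group');
    return parseInt(group, 16);
  });
}

// Truncate an address before it is stored.
function anonymizeIp(ip) {
  const v4 = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    if (octets.some((o) => o > 255)) throw new Error('invalid IPv4');
    return `${octets[0]}.${octets[1]}.${octets[2]}.0`; // last octet zeroed
  }
  // IPv4-mapped IPv6 (::ffff:a.b.c.d): treat as the embedded IPv4 address,
  // otherwise the full IPv4 address would survive in the low bits.
  const mapped = ip.match(/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i);
  if (mapped) return anonymizeIp(mapped[1]);
  // 128 - 80 = 48 bits kept, i.e. the first three 16-bit groups.
  const kept = expandIPv6(ip).slice(0, 3).map((g) => g.toString(16));
  return `${kept.join(':')}::`;
}

console.log(anonymizeIp('203.0.113.77'));                          // 203.0.113.0
console.log(anonymizeIp('2001:db8:85a3:8d3:1319:8a2e:370:7348'));  // 2001:db8:85a3::
```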
The tradeoff with self-hosting: you take on operational responsibility for the PostHog instance — infrastructure, upgrades, backups. For teams without DevOps capacity, the EU Cloud offering is the pragmatic choice.
Server-Side Analytics
Server-side analytics is architecturally different from all client-side tools: instead of loading a JavaScript library in the browser, you record events directly on your backend when they occur. This approach has the lowest compliance risk surface because:
- No data is sent from the user's browser to a third party
- No cookies or localStorage entries are set on the user's device
- The ePrivacy Directive consent requirement does not apply
- Data never leaves your infrastructure (unless you forward it to a third-party warehouse)
Implementation pattern for a Next.js application:
```typescript
// lib/analytics.ts
import { db } from '@/lib/db'; // assumed location of your database client (not shown here)

interface PageViewEvent {
  path: string;
  referrer: string | null;
  countryCode: string | null; // From CDN headers, not IP
  timestamp: Date;
  sessionId: string; // Pseudonymous, session-scoped only
}

export async function recordPageView(event: PageViewEvent): Promise<void> {
  await db.analyticsEvents.insertOne({
    type: 'pageview',
    ...event,
    // Never store the raw IP; use the country from the CDN header
  });
}
```

```typescript
// app/api/pageview/route.ts
import { NextRequest, NextResponse } from 'next/server';
import { recordPageView } from '@/lib/analytics';

export async function POST(request: NextRequest): Promise<NextResponse> {
  const body = await request.json();
  await recordPageView({
    path: body.path,
    referrer: body.referrer ?? null,
    countryCode: request.headers.get('cf-ipcountry') ?? null, // Cloudflare header
    timestamp: new Date(),
    sessionId: body.sessionId // Generated client-side per session, not persisted
  });
  return NextResponse.json({ ok: true });
}
```
The client-side component simply fires a beacon:
```typescript
// In your layout or page component (a client component; useEffect comes from 'react')
useEffect(() => {
  // Use sessionStorage for the session ID: not persisted across sessions
  let sessionId = sessionStorage.getItem('_sid');
  if (!sessionId) {
    sessionId = crypto.randomUUID();
    sessionStorage.setItem('_sid', sessionId);
  }
  fetch('/api/pageview', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      path: window.location.pathname,
      referrer: document.referrer || null,
      sessionId
    })
  });
}, []);
```
Because sessionStorage is cleared when the browser tab closes (it does not persist), the session ID does not constitute a "cookie" under the ePrivacy Directive — it is not stored on the device in a persistent manner and cannot be used for cross-session tracking.
The limitations of this approach: you lose third-party referrer attribution for UTM parameters beyond the initial landing (since your server cannot read third-party cookies), and you cannot track user journeys across your marketing site and app if they are on different domains. For many products, especially B2B SaaS, these tradeoffs are acceptable.
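The route handler above stores `body.path`, `body.referrer` and `body.sessionId` as received, so a referrer with its query string, or an arbitrary string sent as the session ID, would land in the analytics table. An added example (not part of the original article) of a validation and minimisation step to run before `recordPageView`; the names `sanitisePageView` and `minimiseReferrer`, the 512-character limit and the sample values are assumptions.

```javascript
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
const MAX_PATH = 512; // assumed limit

// Keep only origin + path of the referrer: query strings and fragments can
// carry search terms, e-mail addresses or tokens. url.origin also drops any
// user:password part.
function minimiseReferrer(referrer) {
  if (typeof referrer !== 'string' || referrer === '') return null;
  try {
    const url = new URL(referrer);
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
    return url.origin + url.pathname;
  } catch {
    return null; // not an absolute URL
  }
}

// Returns { ok: true, event } with only the three expected fields,
// or { ok: false, error } so the route can answer 400 without storing anything.
function sanitisePageView(body) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, error: 'body must be a JSON object' };
  }
  const { path, referrer, sessionId } = body;
  // The client generates the ID with crypto.randomUUID(); anything else
  // (an e-mail address, an account ID) must not become a stored identifier.
  if (typeof sessionId !== 'string' || !UUID_RE.test(sessionId)) {
    return { ok: false, error: 'sessionId must be a UUID' };
  }
  if (typeof path !== 'string' || !path.startsWith('/') || path.length > MAX_PATH) {
    return { ok: false, error: 'path must be a site-relative path' };
  }
  return {
    ok: true,
    event: {
      path: path.split(/[?#]/)[0], // pathname only
      referrer: minimiseReferrer(referrer),
      sessionId: sessionId.toLowerCase(),
    },
  };
}
```

In the route, call `sanitisePageView(body)` first and pass only `result.event` (plus `countryCode` and `timestamp`) to `recordPageView`.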
Choosing the Right Approach
| Tool | Cookie Consent Required (EU) | Data Location | User-Level Analysis | Self-Hosting |
|---|---|---|---|---|
| Google Analytics 4 | Yes | US (DPF) | Yes | No |
| Plausible | No | EU (Germany) | No | Yes |
| Fathom | No | EU-isolated | No | No |
| PostHog EU Cloud | Configurable | EU | Yes | Cloud or self |
| Server-side custom | No | Your infra | Limited | N/A |
For most SaaS products launching or operating in the EU, the practical recommendation is:
- Start with Plausible or Fathom for web analytics — minimal setup, no consent banner required
- Add PostHog (self-hosted or EU Cloud) when you need product analytics, session recordings, or feature flags
- Build server-side event recording for conversion tracking that must be accurate (not blocked by ad blockers)
The goal is not to avoid all analytics — it is to implement analytics that provides the product insights you need while genuinely respecting user privacy, not just appearing to.