Your "GDPR compliant" analytics is probably violating GDPR

published on 2023/05/11

Here’s a short summary of what I found after reading tons of legal documents. This is more a “what not to do” article than a “what you should do” one. Specifically, it won’t explain how you should write your privacy policy and get consent - that’s for another time.

I also looked through how other analytics providers were counting visitors - a lot of them, at best, are misunderstanding the law, and at worst, violating GDPR. This was especially the case for those that claim that they are GDPR compliant and don’t use cookies. And yes, that includes Plausible, Vercel Web Analytics, Umami, Matomo, PostHog, and Fathom. I also assume many people don’t really understand GDPR either. Did you know that GDPR isn’t about cookies, and in fact, by itself, you’re allowed to set cookies without user consent?

Pilcrow