GDPR, CCPA, and Your Analytics: A No-Jargon Guide for Marketers

Analytics·Jun 25, 2026

Your marketing team wants more data. Legal wants less risk. And somewhere in the middle, you're trying to run campaigns with an analytics setup nobody has properly reviewed since you installed it three years ago.

Privacy law has become a marketing problem — not because marketers did anything wrong, but because the tools we've relied on for years were built in a world that no longer exists. GDPR and CCPA are now part of your stack whether you've acknowledged them or not. This guide is here to help you understand what they actually mean for your analytics, in plain English, without a law degree.


Privacy law is no longer just a legal team problem

For a while, GDPR felt like something that only affected enterprise companies with compliance departments and cookie banners managed by someone in legal. That's changed.

Regulators have increasingly focused on analytics specifically — not data breaches or stolen credentials, but the routine collection of visitor data through tracking tools. In 2023, several EU data protection authorities ruled that using Google Analytics violated GDPR, because visitor data was being transferred to US servers without adequate legal basis. Major brands were named. Fines followed.

The practical upshot: if your website has visitors from the EU or California, your analytics setup is in scope. And "we didn't know" is not a defence regulators have been sympathetic to.


What GDPR actually requires from your analytics setup

GDPR (the General Data Protection Regulation) applies to any organisation that collects data about people in the European Union — regardless of where your business is based. If someone in Germany visits your website, GDPR applies to what you track about them.

Here's what that means for analytics, stripped of the legal language:

You need a lawful basis to collect data. For most analytics use cases, that means either legitimate interest or consent. Consent is the safer route for tracking individual behaviour. This is why you see cookie banners — they're collecting consent before firing tracking scripts.

Consent mode is not the same as consent. Google's Consent Mode is a technical feature that adjusts how Google tags behave when a visitor hasn't consented. It does not make unconsented tracking legal. It just means you get modelled data instead of actual data for visitors who declined. Many marketers don't realise their analytics are now partially synthetic.

IP addresses are personal data under GDPR — but they're not the only thing. The broader category that matters here is PII: Personally Identifiable Information. This is any data that can be used to uniquely identify an individual, either on its own or in combination with other data points. IP addresses fall into this category, but so do email addresses, user IDs, device fingerprints, precise geolocation data, and even certain combinations of behavioural data that together make someone identifiable. If your analytics tool is collecting any of this — and many do, often without you realising — that collection requires consent under GDPR. The rule of thumb is simple: if it could, in any plausible scenario, be traced back to a specific person, it's PII and it's in scope.

Data residency matters. GDPR restricts transferring personal data to countries without equivalent protections. The US does not automatically qualify. Tools that store EU visitor data on US servers have been a specific target for regulators. This is why "EU-hosted analytics" has become a selling point, not just a feature.


CCPA vs GDPR: similar goals, different rules

The California Consumer Privacy Act (CCPA) covers residents of California and applies to businesses that meet any of these thresholds: annual gross revenue over $25 million, buy or sell personal data of 100,000+ consumers per year, or derive 50%+ of annual revenue from selling personal data.

That catches more companies than people expect.

The most important difference between GDPR and CCPA is the consent model:

  • GDPR is opt-in. You need affirmative consent before you can track someone for analytics or marketing purposes.
  • CCPA is opt-out. You can track by default, but you must give California residents a clear way to opt out — and if you share their data with third parties (including analytics platforms), that can constitute a "sale" of data under CCPA, which triggers additional obligations.

For marketers, the practical difference is this: under GDPR, visitors who ignore your cookie banner or decline consent simply won't appear in your analytics. Under CCPA, they will appear unless they actively opt out — but if you're passing their data to advertising platforms, you may be triggering CCPA's sale-of-data provisions and need to display a "Do Not Sell My Personal Information" link.

If you run traffic from both the EU and the US, you're operating under both frameworks simultaneously. Your analytics setup needs to handle both.


Five questions to ask about your current setup today

You don't need a compliance audit to get started. These five questions will tell you a lot about where you stand:

1. Where is your visitor data stored? If you're using a tool that stores data on US servers, EU visitor data may be in violation of GDPR's data transfer restrictions. Find out where your analytics provider stores data — it's usually in their privacy policy or documentation.

2. Are you collecting IP addresses — or any other PII? If you're using standard GA4 without additional configuration, you're collecting IP addresses by default. But it's worth thinking beyond IP addresses to the full picture of PII: any data that can be used to uniquely identify an individual. That includes email addresses, user IDs passed via tracking parameters, device fingerprints, and precise location data. All of it requires consent under GDPR. Some analytics tools are designed to never collect PII in the first place — no IP addresses, no persistent identifiers, no fingerprinting — which removes this problem at the source rather than trying to manage it after the fact.

3. Do you have a cookie consent banner — and is it actually working? A banner that pre-ticks "Analytics cookies" or makes it harder to decline than to accept doesn't meet GDPR's requirements for valid consent. Regulators have specifically called out dark patterns in consent interfaces. Check that declining is as easy as accepting.

4. Is GA4 GDPR-compliant out of the box? No — not without additional configuration. You need to enable IP anonymisation, set appropriate data retention periods, and address data transfer to the US. Even then, some EU data protection authorities have taken the position that GA4 is non-compliant regardless of configuration, due to the Google-to-US data transfer issue.

5. Are you sending visitor data to third parties? This includes advertising pixels, heatmap tools, session recording software, and CRM integrations. Each of these is a potential CCPA "sale" and a GDPR data processing relationship that requires a Data Processing Agreement (DPA). If you haven't signed a DPA with your analytics provider, that's worth flagging to your legal team.


What a compliant analytics setup actually looks like

Compliance in analytics isn't about collecting nothing — it's about collecting only what you need, in a way that respects the people whose data it is.

A privacy-first analytics setup typically has these characteristics:

No cookie dependency. Tools that don't use tracking cookies don't need consent banners in the same way. This isn't just a legal convenience — it means you see all your visitors, not just the ones who clicked "accept."

No PII collection. The tool never collects or logs IP addresses, persistent user identifiers, device fingerprints, or any other data that could be used to identify an individual. This isn't just about IP anonymisation after the fact — it means PII never enters the system to begin with.

EU-based data storage. Visitor data stays in the EU, avoiding the cross-border transfer issues that have caused problems for GA4 users.

No third-party data sharing. Your analytics data isn't used to train ad models, shared with data brokers, or aggregated into any external platform. It belongs to you.

Accurate, not modelled. Because privacy-first tools don't rely on consent-gated tracking, you're not working with filled-in estimates. The data you see reflects what actually happened on your site.

Palace Analytics is built around these principles. It gives you the traffic and conversion data you need for marketing decisions, without the compliance overhead of tools built in a different era.


Compliance isn't the ceiling — it's the floor

There's a tendency to think about privacy compliance as a constraint: something that limits what you can track and therefore limits your marketing intelligence. In practice, the opposite is often true.

Analytics tools that rely on cookies and consent show you a partial picture by design. In markets with high consent banner decline rates — which in the EU can run above 50% for non-essential cookies — more than half your visitors may be invisible to you. Your conversion rates, your traffic sources, your campaign attribution: all of it is calculated from a sample, not the full picture.

A privacy-respecting analytics setup that doesn't depend on consent doesn't have this problem. You see everyone. Your data is more accurate, not less. And you're not one regulatory ruling away from being told to change your entire measurement stack.

GDPR and CCPA pushed the industry in this direction. The marketers who've moved with it — rather than waiting for the next enforcement action — have ended up with better data and fewer surprises.

If you're ready to see what accurate, compliant analytics looks like for your site, try Palace Analytics free for 30 days.


Related reading: GA4 is Not Built For You · Best Google Analytics Alternative 2026 · Why Your Direct Traffic Numbers Are Wrong