Privacy-preserving analytics: alternatives to GA4 guide

Multiple EU data protection authorities have ruled that GA4 usage involving EU visitor data violates GDPR because it transfers personal data (IP addresses, unique identifiers, behavioural data) to Google's servers in the United States without adequate protection. Under GDPR Chapter V, transfers to third countries require either an adequacy decision, standard contractual clauses with additional safeguards, or binding corporate rules. DPAs in Austria, France, Italy, Denmark, and Finland have each determined that Google's data transfer mechanisms and anonymisation configurations are insufficient to prevent US government access to EU personal data — the Schrems II compliance concern that has affected many US cloud services.

Cookieless analytics tracks website visitors and behaviour without using browser cookies or other persistent identifiers that require GDPR consent. Instead, it uses aggregated, non-personal metrics derived from HTTP request data: page URL, referrer, browser type, screen size, and country (derived from anonymised IP). Because no personal data is stored and no persistent identifier is set, cookieless analytics tools like Plausible, Fathom, and Umami do not require a cookie consent banner — simplifying the user experience and removing the consent rejection problem that causes 20–40% data loss in cookie-dependent tools.

The opposite is typically true: cookieless analytics tools capture more of your actual traffic than GA4. GA4 uses a JavaScript tag that is blocked by ad blockers (used by 30–40% of desktop users), cookie consent banner rejections (up to 40% in Europe), Apple's Intelligent Tracking Prevention in Safari, and cookie expiry. Cookieless client-side tools using lightweight scripts bypass most ad blockers. Server-side analytics captures 100% of requests at the server level, independent of browser behaviour. Switching from GA4 to a cookieless tool typically shows 10–30% more traffic — the visitors GA4 was silently missing.

Matomo (self-hosted) offers the most comprehensive ecommerce analytics among privacy-preserving alternatives — order tracking, product performance, cart abandonment funnels, and customer lifetime value — comparable to GA4 Enhanced Ecommerce. PostHog is an alternative for product-focused ecommerce teams who want user funnel analysis with privacy controls. For simpler ecommerce reporting (revenue, conversion rate, top products), Plausible and Fathom have basic ecommerce tracking that covers most merchant needs. All require custom event instrumentation to match GA4's out-of-the-box ecommerce reports.

Yes — Matomo offers Matomo Cloud, a managed SaaS version hosted on Matomo's EU infrastructure (Frankfurt). Matomo Cloud eliminates the infrastructure management burden of self-hosting while retaining GDPR compliance through EU data residency. It is priced per monthly visits and supports most of the same features as self-hosted Matomo. For organisations that want the full Matomo feature set (heatmaps, session recordings, A/B testing, funnels) without managing servers, Matomo Cloud is the recommended option.

No — if your analytics tool is cookieless and collects no personal data (Plausible, Fathom, Umami, Pirsch, Cloudflare Web Analytics), you do not need a cookie consent banner for analytics purposes. GDPR's consent requirement applies to cookies and processing of personal data; cookieless aggregate analytics involves neither. However, if you use other cookies for marketing, personalisation, or third-party integrations, you may still need a consent banner for those purposes — just not for analytics. Removing the analytics cookie requirement simplifies your consent management platform configuration and typically improves user experience.

Server-side analytics processes web requests on the server rather than using a client-side JavaScript tag, capturing data before it reaches the browser. This approach is immune to ad blockers, JavaScript disabling, and cookie restrictions — achieving near-100% data capture. It typically uses web server access logs (Nginx, Apache, Cloudflare logs) parsed by an analytics tool. Use server-side analytics when complete data capture is essential (high-value ecommerce, financial services), when your audience has high ad blocker usage (tech-savvy B2B audiences), or when you want to eliminate all client-side tracking complexity. Cloudflare Web Analytics provides a free, zero-configuration server-side analytics option for any site behind Cloudflare.

The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides a new legal mechanism for transferring personal data from the EU to certified US companies (including Google). Google is DPF-certified, meaning GA4 data transfers to Google US servers now have a legal transfer mechanism under GDPR. However, several EU DPAs and privacy advocates (including Max Schrems, whose legal challenges led to the Schrems I and II decisions) have signalled continued scrutiny of the DPF, and legal challenges are expected. Many European organisations and their legal counsel continue to prefer EU-hosted analytics solutions to eliminate transfer risk entirely rather than relying on a framework that may be challenged again.