GDPR
General Data Protection Regulation
A European Union privacy regulation governing how organizations collect, process, and store personal data of EU residents, requiring explicit consent and data protection measures.
Definition
The General Data Protection Regulation (GDPR) is an EU privacy law governing how organizations collect, store, and process personal data of EU residents. It applies to any company serving EU users, regardless of where the company is based.
Key GDPR Requirements
| Requirement | What It Means |
|---|---|
| Consent | Users must actively opt-in to data collection |
| Data access | Users can request copies of their data |
| Right to erasure | Users can request data deletion |
| Data portability | Users can export their data |
| Breach notification | Report breaches within 72 hours |
| Privacy by design | Build privacy into products from the start |
GDPR and Analytics Tools
Analytics tools must support:
- Cookie consent - Get permission before tracking
- Data deletion - Remove user data on request
- Data export - Provide user data in portable format
- EU data residency - Option to store data in EU
- IP anonymization - Mask user IP addresses
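The IP anonymization item above is the one an engineer usually implements at log ingest. The following is an added example (not code from this page or from any of the tools it names) that zeroes the host part of an address before it is stored; the prefix lengths kept (24 bits for IPv4, 48 bits for IPv6) and the sample log lines are assumptions chosen to match common analytics defaults, and the IPv4-mapped IPv6 case is handled so a mapped address does not slip through with its last octet intact.

```python
import ipaddress

# Bits to keep per address family: drop the last octet of an IPv4 address,
# drop the last 80 bits of an IPv6 address. Assumed defaults, not from the page.
KEEP_BITS = {4: 24, 6: 48}

def anonymize_ip(addr: str) -> str:
    """Zero the host part of an IP address so the stored value no longer
    identifies a single device. Raises ValueError on non-IP input."""
    ip = ipaddress.ip_address(addr.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries a real IPv4
    # address; treat it as IPv4 so the last octet is actually removed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    host_bits = ip.max_prefixlen - KEEP_BITS[ip.version]
    mask = ((1 << ip.max_prefixlen) - 1) & ~((1 << host_bits) - 1)
    return str(ipaddress.ip_address(int(ip) & mask))

def anonymize_log_line(line: str) -> str:
    """Rewrite the client address (first field) of a combined-log-format line.
    Lines whose first field is not an IP address are returned unchanged."""
    parts = line.split(" ", 1)
    try:
        parts[0] = anonymize_ip(parts[0])
    except ValueError:
        return line
    return " ".join(parts)

def anonymize_log(lines):
    """Apply anonymize_log_line to every line of an access log."""
    return [anonymize_log_line(line) for line in lines]

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Oct/2024:13:55:36 +0000] "GET /pricing HTTP/1.1" 200 512',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Oct/2024:13:55:37 +0000] "GET / HTTP/1.1" 200 1024',
    '::ffff:198.51.100.9 - - [10/Oct/2024:13:55:38 +0000] "GET /docs HTTP/1.1" 304 0',
]

if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

Run the anonymization before the line reaches any store or third-party collector; anonymizing after the raw address has been written does not remove it from backups or upstream logs.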
Cookie-Free Analytics
Some tools avoid GDPR cookie consent requirements by not using cookies at all:
- Plausible - Privacy-first, no cookies
- Fathom Analytics - Cookie-free tracking
- Pirsch - No cookies, EU-based
GDPR Penalties
Non-compliance can result in fines of up to €20 million or 4% of annual global revenue, whichever is higher. Major tech companies have faced multi-million euro fines.
Frequently Asked Questions
Does GDPR apply to my US-based company?
If you have EU users or customers, GDPR likely applies to you. The law covers data about EU residents regardless of where your company is located.
Do I need a cookie consent banner?
If you use cookies for analytics, advertising, or tracking, yes. Essential cookies (login, security) don’t require consent. Many privacy-focused analytics tools don’t require banners because they don’t use cookies.
What’s a Data Processing Agreement (DPA)?
A DPA is a contract between you and vendors who process data on your behalf. Most SaaS tools provide standard DPAs. You should have DPAs with all vendors handling personal data.