How To Configure Google Analytics Alternative For Gdpr

If you operate a website serving European visitors, Google Analytics requires significant configuration to meet GDPR standards. Many organizations now prefer self-hosted alternatives that provide analytics without the compliance complexity. This guide walks through configuring privacy-first analytics solutions that work out of the box for GDPR compliance.

The General Data Protection Regulation imposes strict requirements on how you collect and process personal data. Under GDPR, IP addresses constitute personal data, and analytics tools that collect this information without proper consent violate the regulation unless you implement specific technical safeguards.

GDPR requires explicit consent before setting non-essential cookies, the right to access collected data, and the ability to delete user data upon request. Google Analytics 4 provides these features, but implementation remains complex. Self-hosted alternatives simplify compliance by design, often requiring no cookie consent banners at all.

Quick Comparison

Feature	Tool A	Tool B
Privacy Policy	Privacy-focused	Privacy-focused
Open Source	Check license	Check license
Security Audit	See documentation	See documentation
Data Collection	Minimal	Minimal
Jurisdiction	Check provider	Check provider
Self-Hosting	Check availability	Check availability

Self-Hosted Analytics Solutions

Several open-source and commercial alternatives provide analytics without the GDPR complications. The most popular options include Matomo, Plausible, Fathom, and Umami. Each offers different trade-offs between features, hosting requirements, and pricing.

Matomo provides the most feature-complete alternative, offering goals, funnels, heatmaps, and custom events. You can host it yourself on any PHP-compatible server or use their cloud offering. The self-hosted version gives you complete data ownership.

Plausible offers a lightweight, privacy-focused approach. It doesn’t use cookies, requires no consent banner, and provides essential metrics without collecting personal information. You can self-host Plausible or use their managed service.

Umami represents the simplest self-hosted option. Built with simplicity in mind, it provides core page view and event tracking without the complexity of larger platforms. This makes it ideal for developers who want a minimal, privacy-compliant solution.

Matomo offers the most GDPR compliance features when self-hosted. Here’s how to set it up on a typical Linux server with Nginx.

First, install the required dependencies:

# Update system and install required packages
sudo apt update && sudo apt install php php-fpm php-mysql php-curl php-gd php-mbstring nginx mariadb-server

# Download Matomo
cd /var/www/html
wget https://builds.matomo.org/matomo.zip
unzip matomo.zip
rm matomo.zip

Configure your database:

sudo mysql -u root -p <<EOF
CREATE DATABASE matomo;
CREATE USER 'matomo_user'@'localhost' IDENTIFIED BY 'strong_password';
GRANT ALL PRIVILEGES ON matomo.* TO 'matomo_user'@'localhost';
FLUSH PRIVILEGES;
EOF

Set up Nginx with GDPR-focused configuration:

server {
    listen 80;
    server_name analytics.yourdomain.com;
    root /var/www/html/matomo;
    index index.php;

    # Disable access logs for full IP addresses
    access_log /var/log/nginx/matomo.access.log combined;

    # Ensure Matomo processes IP in GDPR-compliant manner
    # Configure IP anonymization in Matomo dashboard:
    # Administration > Privacy > Data Anonymization

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ ^/(index|matomo|piwik|js/|plugins/) {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Block access to sensitive files
    location ~ /\.git {
        deny all;
    }
    location ~ /(config|tmp|core) {
        deny all;
    }
}

Enable GDPR features in Matomo’s configuration file config/config.ini.php:

[General]
enable_processing = 1
anonymize_ip = 1
anonymize_user_id = 1
anonymizeReferrer = "query"

[Privacy]
deleteOldVisitorLogs = 1
deleteOldVisitorLogsOlderThan = 180
do_not_track = 1

Configuring Plausible for Privacy-First Tracking

Plausible requires no cookie consent because it doesn’t use cookies or collect personal data. The self-hosted version runs as a single Erlang application.

Deploy with Docker:

# Create plausible directory
mkdir -p ~/plausible && cd ~/plausible

# Create docker-compose.yml
cat > docker-compose.yml <<EOF
version: '3'
services:
  plausible:
    image: plausible/plausible:latest
    ports:
      - 8000:8000
    environment:
      - DATABASE_URL=postgresql://user:pass@db:5432/plausible
      - BASE_URL=https://analytics.yourdomain.com
      - SECRET_KEY_BASE=your_secret_key
    depends_on:
      - db
    labels:
      - "plausible.enabled=true"

  db:
    image: postgres:14-alpine
    environment:
      - POSTGRES_USER=user
      - POSTGRES_PASSWORD=pass
      - POSTGRES_DB=plausible
    volumes:
      - db-data:/var/lib/postgresql/data

volumes:
  db-data:
EOF

# Generate a secure secret key
openssl rand 64 | base64 -w 0

# Start the container
docker-compose up -d

Configure your website in Plausible’s admin interface, then add the lightweight JavaScript snippet to your site:

<script defer data-domain="yourdomain.com" src="https://analytics.yourdomain.com/js/script.js"></script>

Even with privacy-focused analytics, implementing a proper consent mechanism strengthens compliance. Create a simple consent banner that respects user choices:

// consent.js - Simple GDPR consent management
const consentBanner = document.getElementById('consent-banner');
const analyticsScript = document.getElementById('analytics-script');

function loadAnalytics() {
    if (!analyticsScript.src) {
        analyticsScript.src = 'https://analytics.yourdomain.com/js/script.js';
        document.head.appendChild(analyticsScript);
    }
}

function checkConsent() {
    const consent = localStorage.getItem('analytics_consent');
    if (consent === 'granted') {
        loadAnalytics();
    } else if (consent === 'denied') {
        consentBanner.style.display = 'none';
    } else {
        consentBanner.style.display = 'block';
    }
}

document.getElementById('accept-consent').addEventListener('click', () => {
    localStorage.setItem('analytics_consent', 'granted');
    consentBanner.style.display = 'none';
    loadAnalytics();
});

document.getElementById('deny-consent').addEventListener('click', () => {
    localStorage.setItem('analytics_consent', 'denied');
    consentBanner.style.display = 'none';
});

// Initialize on page load
checkConsent();

Add the corresponding HTML to your site’s footer:

<div id="consent-banner" style="display:none; position:fixed; bottom:0; background:#333; color:white; padding:20px; width:100%;">
    <p>We use privacy-focused analytics to understand site traffic.
       <button id="accept-consent">Accept</button>
       <button id="deny-consent">Decline</button>
    </p>
</div>
<script id="analytics-script" async defer></script>
<script src="/js/consent.js"></script>

After configuration, verify your setup meets GDPR requirements. Check that IP addresses are anonymized by examining server logs and analytics exports. Confirm users can request data deletion and that your system processes these requests within the required 30-day window.

Test the anonymization features by visiting your site and checking whether your full IP appears in analytics reports. With Matomo, the admin dashboard should show truncated IP addresses. Plausible never collects full IP addresses by design.

Document your data processing activities, update your privacy policy to reflect your analytics choice, and maintain records of consent when applicable. These steps demonstrate compliance during regulatory inquiries.

Built by theluckystrike — More at zovo.one

Understanding GDPR Requirements for Analytics

Quick Comparison

Self-Hosted Analytics Solutions

Configuring Matomo for GDPR Compliance

Configuring Plausible for Privacy-First Tracking

Implementing Consent Management

Verifying GDPR Compliance

Related Articles