GDPR: definition, obligations and analytics compliance

Updated on February 22, 2026
Quick definition
The GDPR (General Data Protection Regulation) is the European regulation that came into force on 25 May 2018 and governs the collection, processing and storage of personal data of European Union residents. It grants them extensive rights over their data and imposes strict obligations on organisations that process it. The GDPR has become the global benchmark for digital privacy protection.
How it works
The GDPR rests on six fundamental principles: lawfulness, fairness and transparency of processing; purpose limitation (data may only be collected for defined and legitimate goals); data minimisation (collect only what is strictly necessary); accuracy of data; storage limitation; and integrity and confidentiality.
For web publishers, GDPR has a direct impact on analytics: tools that place third-party cookies or collect browsing identifiers require explicit user consent, unless their purpose is strictly necessary for the operation of the service. The CNIL has clarified that analytics cookies are not considered strictly necessary.
There is, however, a consent exemption: analytics tools whose purpose is exclusively audience measurement, without cross-referencing with other data, without advertising purpose and with server-side anonymised data, may qualify for it. Sublim is specifically designed to operate within this framework: cookie-free, with aggregated data that does not allow individual identification.
In the event of a GDPR violation, sanctions can reach €20 million or 4% of the organisation's annual global turnover.
Why it matters
GDPR is not just a legal constraint: it is a framework that, when properly applied, builds user trust and reduces reputational risks linked to data scandals.
For web publishers, compliance is essential to avoid fines, but also to maintain reliable analytics data: a site whose cookie banner is rarely accepted can lose 40 to 70% of its analytics data, severely biasing marketing decisions.
- Every organisation processing EU residents' data is concerned, regardless of its location
- Data transfers outside the EU (e.g. to the US) are subject to specific safeguards
- Enforcement actions have been actively pursued since 2020 across Europe
How to improve or use it
1. Audit all cookies and trackers placed on your site to identify those requiring consent.
2. Implement a CMP (Consent Management Platform) compliant with CNIL recommendations if you use consented analytics cookies.
3. Consider a cookieless solution like Sublim to measure all traffic without a consent banner.
4. Draft a processing register documenting every purpose, legal basis and data recipient.
5. Appoint a DPO (Data Protection Officer) if your processing volume requires it.
With Sublim
Sublim is built from the ground up to operate without any cookies, in full compliance with GDPR. It places no persistent identifier on the user's browser and does not collect a full IP address. Unlike Google Analytics 4, Sublim requires no consent banner to collect reliable analytics data, guaranteeing 100% traffic measurement and eliminating consent bias. See also: zero-party data and first-party data.
Frequently asked questions
Is a cookie banner mandatory to use an analytics tool?
No, not necessarily. Analytics tools that do not place cookies, do not collect a full IP address, do not use persistent identifiers and have a purpose strictly limited to audience measurement may be exempt from consent under CNIL recommendations. Sublim falls into this category.
Is Google Analytics 4 GDPR-compliant?
The use of GA4 has been declared non-compliant by several European data protection authorities (the French CNIL, the Austrian, Italian and Danish authorities) because of the transfer of personal data to US servers subject to FISA 702. Alternative solutions like Sublim allow audience measurement without transferring data outside the EU.
What rights do users have under GDPR?
GDPR grants users: the right of access to their data, the right to rectification, the right to erasure ('right to be forgotten'), the right to portability, the right to object to processing, the right to restriction of processing and the right not to be subject to automated decision-making. These rights must be exercisable easily and free of charge.