
EU Compliance Teardowns

Pillar: what EU privacy law actually requires of an analytics setup in 2026. CNIL guidance, the GDPR-ePrivacy interaction, the DSA’s reach into observability code, and concrete teardowns of compliance audits — what passes, what fails, what’s the borderline case.

Compliance is not “we self-host, so we’re fine.” It’s not “we anonymize IPs, so we’re fine.” It’s a stack of decisions about identifiers, transfers, retention, and disclosure. This pillar walks through them concretely — with cited regulator opinions, not vibes.

Published guides

Cookbook entries shipping next

  • The CNIL cookieless checklist (point-by-point) — the actual list French regulators look for. With self-hosted analytics implementation notes on each item.
  • Schrems II for analytics data — what the EU-US data transfer ruling means for sites still on Google Analytics or Mixpanel. With migration paths.
  • Privacy notice templates that actually match self-hosted analytics — most templates online describe Google Analytics behavior. These are written for what self-hosted tools actually do.
  • DSA Article 28 for analytics tooling — minor users, “addictive design” provisions, and what your event taxonomy gives away about UX patterns.
  • Data retention ladder — 14d / 30d / 13mo / forever — what each retention tier costs and gains you, with a worked example of a Plausible CE install at each.
  • Cookieless tracking — the most common compliance entry point. Cookieless reduces but does not eliminate your obligations.
  • Install recipes — every recipe ships with EU-region hosting (Hetzner Falkenstein, Helsinki) by default. The pillar explains why that matters.
  • Self-hosted tag manager — server-side TMS shifts the compliance surface. This pillar covers what shifts.