PostHog & GDPR compliance


The General Data Protection Regulation (GDPR) is a privacy and security law, drafted and passed by the European Union (EU). It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.

We recommend that you read the full text of the GDPR and seek independent legal advice regarding your obligations. The consequences of violating GDPR are severe.

If you require robust GDPR compliance, we recommend using PostHog Cloud EU – a managed version of PostHog that's hosted on servers based in Frankfurt.

What data is protected under GDPR?

Personal data is protected under GDPR, which means any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.

What is the impact of GDPR on product analytics?

The number one rule is don’t collect, store or use any personal data without a good reason for it, such as:

  • The person gave you specific, unambiguous consent to process the data (e.g. they’ve opted in to your marketing email list)

  • Processing is necessary to enter into a contract with someone (e.g. you need to do a background check)

  • You need to process it to comply with a legal obligation of yours (e.g. you receive an order from the court in your jurisdiction)

  • You need to process the data to save somebody’s life (e.g. well, you’ll probably know when this one applies)

  • Processing is necessary to perform a task in the public interest or to carry out some official function (e.g. you’re a private garbage collection company)

  • You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a minor's data

There are specific rules about what consent means; hiding it away on page 73 of your terms and conditions is not good enough:

  • Consent must be “freely given, specific, informed and unambiguous”

  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language”

  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision

  • Children under 13 can only give consent with permission from their parent

  • You need to keep documentary evidence of consent

So, if you're tracking users in your product using PostHog to improve your product, you should explicitly ask for consent to use this data and explain exactly how you will use it when users sign up for your service.

If you use PostHog with cookies on your website (for logged-out users), you should also use a cookie banner to enable people to give and withdraw their consent for the use of cookies.

Data must be handled securely

You’re required to handle data securely by implementing “appropriate technical and organizational measures.”

This means both technical measures (like encrypting data) and organizational measures (like staff training and limiting access to personal data).

If you have a data breach, you have 72 hours to tell the data subjects or face penalties. (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)

You should not transfer EU users' personal data outside the EU

If you are self-hosting PostHog on a server outside the EU and are collecting EU user data, you should anonymize any of those users' personal data.

If you are using PostHog Cloud US, we also recommend you anonymize any EU user data.

The PostHog Property Filter app allows you to anonymize user data to ensure you stay compliant with GDPR in both cases.

How to set PostHog up for GDPR compliance

GDPR requirements differ depending on how your business interacts with personal data. Companies can be data controllers, data processors, or both a controller and a processor. Data controllers collect their end users’ data and decide why and how it is processed. Data processors are businesses instructed to process customer data on behalf of other businesses.

You will be using PostHog in one of two ways:

  1. Hosted and managed by us on PostHog Cloud
  2. Self-hosted by you on a private cloud or your own infrastructure

If you are using PostHog Cloud then PostHog is the Data Processor and you are the Data Controller.

If you are self-hosting PostHog then you are both the Data Processor and the Data Controller because you are responsible for your PostHog instance.

Step 1: Choose a hosting provider

We recommend using PostHog Cloud EU for GDPR compliance, though you can use PostHog Cloud US if you follow additional steps to protect user data. If self-hosting, the steps will depend on where you're hosting your data.

Step 2: Deploy PostHog

If using PostHog Cloud EU, simply follow the steps in the onboarding process to start sending events. Read our integration documentation for more information on sending events to PostHog.

Deploying PostHog onto your own infrastructure is straightforward but we do not provide support for self-hosted instances. You can follow our standard deployment guides to get started.

Step 3: Security configuration

When setting up a PostHog instance we strongly recommend that you use HTTPS to secure data in transmission, whether or not your instance has access to the wider internet. We also have a guide for securing PostHog which you should follow to further protect your instance.

We also strongly recommend that you limit access to PostHog and the infrastructure it is deployed on only to people who are authorized and need to access the data, including shared dashboard links. Although aggregate data in dashboards should not contain personal data, it may be possible for malicious users to infer personal data unless it is evaluated thoroughly via expert determination.

Finally, we advise caution when installing, building and enabling plugins for your PostHog instance. Apps are a great way to share and augment data from your instance with other systems, but it’s essential to ensure you have the proper controls in place when sharing personal data outside of your self-hosted PostHog instance.

Since PostHog automatically captures data which can be personal data, you must provide a mechanism for the consensual capturing of that data. In the GDPR, this is called the right to be informed.

Within the consent you should identify the types of personal data that are being processed and what tools are being used to process them:

  • If you are using PostHog Cloud you should identify PostHog as a tool
  • If you are self-hosting you can either not list a tool or provide a generic description such as "Product Analytics".

If a user opts out then you must stop data capturing and processing. Here are some ways PostHog makes this possible:

  • If posthog-js has been initialized, call posthog.opt_out_capturing(). See the posthog-js docs

  • Ensure posthog-js is configured not to auto-capture and do not make capture calls using the installed PostHog SDK on any client

  • Do not load the posthog-js SDK. If you do this you should ensure your application logic always performs conditional checks for the availability of the PostHog SDK. This may not be possible in modern JavaScript applications.

  • Do not initialize the posthog-js SDK via the call to init. If you do this you should ensure your application logic always performs conditional checks regarding the initialization state of the PostHog SDK.

Cookieless Tracking: It is possible to use PostHog without tracking cookies. In this mode, PostHog doesn't create permanent user profiles. Read How to use PostHog without cookie banners
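As an added example (not PostHog's own code), a small consent gate that applies the options above with posthog-js: the SDK is not initialized until consent is stored, autocapture is off, withdrawal calls opt_out_capturing(), and re-granting calls opt_in_capturing(). The posthog client and storage below are constructed fakes so it runs offline; the CONSENT_KEY name and the API key are assumed placeholders.

```javascript
// Added example (not PostHog's own code): a consent gate around posthog-js.
// The SDK is only init()'ed once consent exists, autocapture is off, and
// withdrawal calls opt_out_capturing() as the page describes. The client
// below is a constructed fake that records calls so this runs offline;
// in a browser pass the imported `posthog` and `window.localStorage`.

const CONSENT_KEY = 'analytics_consent'; // assumed storage key name

function makeFakePosthog() {
  // Mirrors the posthog-js methods the gate uses; records every call.
  return {
    calls: [],
    init(key, config) { this.calls.push(['init', key, config]); },
    capture(event, props) { this.calls.push(['capture', event, props]); },
    opt_out_capturing() { this.calls.push(['opt_out_capturing']); },
    opt_in_capturing() { this.calls.push(['opt_in_capturing']); },
  };
}

function makeMemoryStorage() {
  const m = new Map(); // constructed stand-in for window.localStorage
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}

function createConsentGate(posthog, storage, apiKey) {
  let initialized = false;
  const hasConsent = () => storage.getItem(CONSENT_KEY) === 'granted';
  const initSdk = () => {
    // No autocapture: only explicit capture() calls made via track() reach PostHog.
    posthog.init(apiKey, { autocapture: false, capture_pageview: false });
    initialized = true;
  };
  const grant = () => {
    storage.setItem(CONSENT_KEY, 'granted');
    if (!initialized) initSdk();      // first consent: load the SDK now
    else posthog.opt_in_capturing();  // consent re-granted after a withdrawal
  };
  const withdraw = () => {
    storage.setItem(CONSENT_KEY, 'denied');
    if (initialized) posthog.opt_out_capturing(); // SDK already running: stop it
  };
  const track = (event, props = {}) => {
    if (!hasConsent()) return false;  // nothing reaches the SDK without consent
    posthog.capture(event, props);
    return true;
  };
  if (hasConsent()) initSdk();        // returning visitor who consented earlier
  return { hasConsent, grant, withdraw, track };
}
```

Because the stored decision is checked on every page load, a visitor who withdrew consent never gets the SDK initialized again until they grant it anew.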

Step 5: Enable the Property Filter app (optional)

If you are self-hosting PostHog outside the EU, or are using PostHog Cloud US, and are capturing EU users' data, you should enable the Property Filter app. This will allow you to anonymize user data.

Complying with 'right to be forgotten' requests

A user must be able to request that their data be removed from PostHog. How you facilitate that request is up to you. For example, you could accept requests via email or form submission.

You can remove a user from a PostHog instance via the PostHog user interface. To do this:

  • Select Persons from the left-hand menu
  • Search for the person via their unique ID. For example, their email
  • Click view next to the person within the search results
  • Click Delete this person to remove them and all their associated data from the PostHog instance. You will be prompted to confirm this action.


Questions?

  • Frank
    3 months ago

    I still can't wrap my head around why the user needs to consent to anonymized tracking.

    You write that "Since PostHog automatically captures data which can be personal data, you must provide a mechanism for the consensual capturing of that data."

    1. How can anonymized data become personal data?
    2. Why do I need user consent? GDPR only is applicable for personal data.
  • Thierry
    7 months ago

    GDPR - Default Opt-Out

    Hi!

    Yesterday I came across your product and I am already in love with it (as well as the company). Really great job all of you are doing!

    I do have a question (well, actually it is a ton of questions 😂) related to GDPR. I am trying to understand, how I can legally implement Web Analytics (for the website). Product Analytics will follow later on.

    From my readings so far related to GDPR, a user by design must be "opt outed" (if that is the correct term in English). When reading your above suggestions, one solution is to call posthog.opt_out_capturing(). But this would imply, that before calling opt_out_capturing, data capturing is happening. This would not be compliant with GDPR.

    Then my next question is, if a user does not accept consent (and cookies) I would need to switch everything to anonymous and use a different approach than local storage / cookies (e.g. query params with an anonymous session id, or another memory-based approach). So at least I could track interactions with the site on an anonymous basis (no IP, no browser fingerprint, no location, ...).

    How would I tackle such an approach in a Next.js application? Thanks for your help, Thierry

    • Thierry
      Author · 7 months ago · Solution

      Well, one should read the whole page 🤦. https://posthog.com/tutorials/react-cookie-banner solves my question. Sorry!

    • Max
      7 months ago

      For GDPR compliance with PostHog, there are several key requirements:

      Consent Requirements

      • You must acquire "unambiguous consent" that is "freely given, specific, informed and unambiguous" (1)
      • Consent requests must be "clearly distinguishable from other matters" and presented in "clear and plain language" (1)
      • Users can withdraw consent at any time (1)

      Implementation Options

      PostHog offers two main approaches for GDPR compliance:

      1. Cookieless Tracking:
      • PostHog can be configured not to use cookies (2)
      • Data is stored in a JavaScript object in memory that only lasts the duration of the pageview (2)
      2. EU Data Hosting:
      • PostHog Cloud EU, hosted in Frankfurt, Germany, ensures data stays within EU jurisdiction (2)
      • This is recommended as the best option for most users requiring GDPR compliance (2)

      For Initial Setup

      If you're not using cookies, you should:

      • Do not load the PostHog SDK until consent is given (1)
      • Or do not initialize the PostHog SDK via the call to init until consent is given (1)
      • Ensure your application logic always performs conditional checks regarding the initialization state of the PostHog SDK (1)

      For more detailed implementation guidance, I recommend checking out the tutorial you found on building a React cookie banner and the cookieless tracking documentation.

  • Florian
    a year ago

    Delayed Initialization

    I am trying to setup the flutter SDK in a way where it does not run at all before explicit consent by the user was given, but fail to do so. It automatically tracks events like "Application installed", but at this point the user has not accepted the necessary cookie. How can we configure PostHog Flutter (or in native code for Android/iOS) to make it fully compliant?

    • Manoel (he/him)
      a year ago · Solution

      Sadly not yet, we'd need to address this issue first, which would require the optIn option implemented on the Flutter side first.

  • Michael
    2 years ago

    Collecting data entirely anonymized/legal issues with anonymous user IDs?

    Hi! PostHog seems to be a great tool!
    We would like to collect and analyze some user behavior in a React Native app completely anonymously (within the meaning of the GDPR). Is that possible with PostHog, if self-hosted?

    Of course, we would filter all personal data, such as IP addresses or any device properties that we don't need and that could be used for fingerprinting methods.

    Your React Native SDK creates "anonymous" user IDs. Right now I'm not sure about the legal implications of these user IDs - is it possibly not really anonymous data we create, but pseudonymous? Do you know more about this?

    For us, it would be sufficient to associate events only with session IDs, ignoring User Profiles. Does it even make sense to use PostHog in that way? Does your SDK support this case?

    • Simon (he/him)
      2 years ago · Solution

      Hi Michael, the anonymous distinct IDs are indeed anonymous and can't be traced back to a particular person given just the identifier. For PostHog to work correctly you do need some sort of user identifier in place, so in your case it's best to stick with the anonymous one.
