The General Data Protection Regulation (GDPR) is a privacy and security law, drafted and passed by the European Union (EU). It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
We recommend that you read the full text of the GDPR and seek independent legal advice regarding your obligations. The consequences of violating GDPR are severe.
If you require robust GDPR compliance, we recommend using PostHog Cloud EU – a managed version of PostHog that's hosted on servers based in Frankfurt.
What data is protected under GDPR?
Personal data is protected under GDPR, which means any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.
Features to manage PII
| Stage | Features |
|---|---|
| During collection | Autocapture controls |
| Masking PII | |
| Sanitizing events during capture | |
| Before ingestion | Anonymizing data before storage |
What is the impact of GDPR on product analytics?
The number one rule is don't collect, store or use any personal data without a good reason for it, such as:
The person gave you specific, unambiguous consent to process the data (e.g. they've opted in to your marketing email list). Learn more about opt out.
Processing is necessary to enter into a contract to someone (e.g. you need to do a background check)
You need to process it to comply with a legal obligation of yours (e.g. you receive an order from the court in your jurisdiction)
You need to process the data to save somebody's life (e.g. well, you'll probably know when this one applies)
Processing is necessary to perform a task in the public interest or to carry out some official function (e.g. you're a private garbage collection company)
You have a legitimate interest to process someone's personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it's a minor's data
You must acquire "Unambiguous Consent"
There are specific rules about what consent means; hiding it away on page 73 or of your terms and conditions is not good enough:
Consent must be “freely given, specific, informed and unambiguous”
Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language”
Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision
Children under 13 can only give consent with permission from their parent
You need to keep documentary evidence of consent
So, if you're tracking users in your product using PostHog to improve your product, you should explicitly ask for consent to use this data and explain exactly how you will use it when users sign up for your service. Learn more about opt out features.
If you use PostHog with cookies on your website (for logged out users), you should also use a cookie banner to enable people to give and withdraw their consent for using cookies. Learn about persistence and cookieless tracking.
Data must be handled securely
You're required to handle data securely by implementing “appropriate technical and organizational measures.” Learn more about access control features in PostHog.
This means both technical measures (like encrypting data) and organizational measures (like staff training and limiting access to personal data).
If you have a data breach, you have 72 hours to tell the data subjects or face penalties. (This notification requirement may be waived if you use technological safeguards, such as encryption, to render data useless to an attacker.)
You can learn more about PostHog's security and privacy guidelines in our handbook.
You should not transfer EU users' personal data outside the EU
If you are self-hosting PostHog on a server outside the EU and are collecting EU user data, you should anonymize any of those users' personal data.
If you are using PostHog Cloud US, we also recommend you anonymize any EU user data.
The PostHog's realtime transformations allows you to anonymize user data to ensure you stay compliant with GDPR in both cases. These transformations are run right before storage.
How to set PostHog up for GDPR compliance
GDPR requirements differ depending on how your business interacts with personal data. Companies can be data controllers, data processors, or both a controller and a processor. Data controllers collect their end users' data and decide why and how it is processed. Data processors are businesses instructed to process customer data on behalf of other businesses.
You will be using PostHog in one of two ways:
| Hosting Type | Description | Data Processor | Data Controller |
|---|---|---|---|
| PostHog Cloud | Hosted and managed by PostHog | PostHog | You |
| Self-hosted | Hosted on your private cloud or infrastructure | You | You |
Step 1: Choose a hosting provider
We recommend using PostHog Cloud EU for GDPR compliance, though you can use PostHog Cloud US if you follow additional steps to protect user data.
If self-hosting, the steps will depend on where you're hosting your data.
Step 2: Deploy PostHog
If using PostHog Cloud EU, simply follow the steps in the onboarding process to start sending events. Read our getting started guides for more information on sending events to PostHog.
Deploying PostHog onto your own infrastructure is straightforward but we do not provide support for self-hosted instances. You can follow our standard deployment guides to get started.
Step 3: Security configuration
When using PostHog Cloud, you can manage security and access control at the organization level, project level, and resource level.
When self-hosting, it is up to you to secure your instance. Minimally, we recommend using HTTPS to secure data in transmission and limiting access to PostHog and the infrastructure it is deployed on only to people who are authorized and need to access the data, including shared dashboard links.
We advise caution when installing, building, and enabling CDPs for your PostHog instance. CDPs are a great way to share and augment data from your instance with other systems, but it's essential to ensure you have the proper controls in place when sharing personal data outside of your self-hosted PostHog instance.
Step 4: Configure consent
Since PostHog automatically captures data which can be personal data, you must provide a mechanism for the consensual capturing of that data. In the GDPR, this is called the right to be informed.
Within the consent you should identify the types of personal data that are being processed and what tools are being used to process them:
- If you are using PostHog Cloud you should identify PostHog as a tool
- If you are self-hosting you can either not list a tool or provide a generic description such as "Product Analytics".
If a user opts out then you must stop all data capturing and processing. Explore PostHog features to implement opting out of data collection. It is up to you to ensure that your application logic either does not load PostHog SDKs or disables data capturing when a user opts out.
Step 5: Control what you collect and store
PostHog provides tools to control what data is collected and stored. These tools let you redact data before it is sent to PostHog servers and before it is stored by PostHog.
If you are self-hosting PostHog outside the EU, or are using PostHog Cloud US, and are capturing EU users' data, you should use the before storage realtime transformations to anonymize user data.
Step 6: Complying with 'right to be forgotten' requests
A user must be able to request that their data be removed from PostHog. How you facilitate that request is up to you. For example, you could accept requests via email or form submission.
PostHog provides data deletion features to help you comply with the right to be forgotten request. Learn more about data deletion.