Amplitude is a leading product analytics platform used by product and growth teams to analyse user behaviour, build funnels, measure retention, and run experiments. It tracks individual user events and journeys, making it a powerful but GDPR-significant tool. Consent is required for Amplitude tracking under the ePrivacy Directive. An EU data residency option is available. Amplitude provides a GDPR-compliant DPA and SCCs for US-hosted deployments.
Amplitude is a leading product analytics platform used by digital product teams to understand user behaviour, measure feature adoption, analyse conversion funnels, track retention cohorts, and run A/B experiments. Unlike session recording tools, Amplitude focuses on structured event tracking: developers instrument specific user actions (button clicks, page views, feature usage) that are then analysed in Amplitude's dashboards. It is widely used in SaaS, mobile apps, and e-commerce for data-driven product development.
Amplitude collects user IDs or device IDs, event names and properties, session information, referrer data, device type, OS, and IP addresses (used for geolocation then optionally discarded). Developers control what event properties are sent, which means the privacy risk depends heavily on implementation choices. Sending usernames, email addresses, or other PII as event properties significantly increases GDPR risk and is not recommended.
Amplitude uses localStorage or cookies to persist user and device IDs. Under the ePrivacy Directive, storing identifiers on user devices for analytics purposes requires consent. Amplitude provides an opt-out API that can be integrated with a consent management platform to prevent tracking before consent is given. Load the Amplitude SDK only after analytics consent is obtained.
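An added example (not Amplitude's or this page's code) of the two controls described above: events are dropped until analytics consent is granted, and PII-looking event properties are stripped before anything is sent. `createConsentGate`, `scrubProperties`, the key list and `send` are hypothetical names; `send` stands in for whatever SDK track call you use.

```javascript
// Added example. `send` is a hypothetical stand-in for the analytics SDK's
// track call; the PII key list is an assumption to adapt per product.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const PII_KEYS = new Set(['email', 'name', 'username', 'first_name', 'last_name', 'phone']);

const hasEmail = (v) => typeof v === 'string' && EMAIL_RE.test(v);
const isPiiValue = (v) => hasEmail(v) || (Array.isArray(v) && v.some(hasEmail));
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;

// Returns a copy of props without PII-looking keys or values, plus the
// dotted paths of everything that was dropped (useful for a dev-time warning).
function scrubProperties(props, path = '', dropped = []) {
  const clean = {};
  for (const [key, value] of Object.entries(props || {})) {
    const where = path ? `${path}.${key}` : key;
    if (PII_KEYS.has(key.toLowerCase()) || isPiiValue(value)) {
      dropped.push(where);
    } else if (isPlainObject(value)) {
      clean[key] = scrubProperties(value, where, dropped).clean;
    } else {
      clean[key] = value;
    }
  }
  return { clean, dropped };
}

// Events are dropped (not queued) until consent is granted, so nothing
// recorded before the user's choice is ever forwarded.
function createConsentGate(send) {
  let consented = false;
  return {
    grant() { consented = true; },
    revoke() { consented = false; },
    track(eventName, props) {
      if (!consented) return { sent: false, reason: 'no-consent', dropped: [] };
      const { clean, dropped } = scrubProperties(props);
      send(eventName, clean);
      return { sent: true, dropped };
    },
  };
}
```

Wire `grant()` and `revoke()` to your CMP's analytics-consent callbacks, and initialise the SDK itself inside the same `grant()` path so no identifier is written to localStorage beforehand.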
Amplitude offers an EU data residency option for organisations that need to keep analytics data within the EU. When configured, event data is processed and stored on EU infrastructure. This eliminates the need for US transfer mechanisms. For organisations using the standard US region, SCCs and a DPA with Amplitude are required. Amplitude provides both as standard in its enterprise contracts.
Integrate Amplitude with your CMP to load only after analytics consent. Use Amplitude's EU region if available on your plan. Sign the Amplitude DPA. Avoid sending PII as event properties. Configure IP address anonymisation in Amplitude settings. Include Amplitude in your cookie policy and privacy policy. Implement user-level data deletion via the Amplitude User Privacy API to handle erasure requests.
Websites using Amplitude must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Amplitude deployments processing large volumes of individual-level user behaviour data, particularly for applications with sensitive content (health, finance). The EU data residency option can simplify the transfer assessment.
Sample consent text
We use Amplitude to analyse how you use our product. Amplitude tracks your interactions and usage patterns to help us improve. You can opt out of analytics tracking in your account settings.
Third-party domains contacted
amplitude.com, api.amplitude.com, api2.amplitude.com
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| amplitude_id | persistent | 10 years | Amplitude device identifier stored in localStorage for user journey and behavioural analytics |
| amplitude_session | session | Session | Amplitude session identifier for grouping events within a single user session |
Yes. Amplitude uses localStorage or cookies to persist user and device identifiers. Under the ePrivacy Directive, storing identifiers on user devices for analytics purposes requires consent. Integrate Amplitude loading with your CMP to block tracking before consent.
Amplitude primarily uses localStorage (amplitude_id key) to store a device ID and session data. It may also use cookies. Both localStorage and cookies on user devices require consent under the ePrivacy Directive.
Yes. Amplitude offers an EU data residency option for customers who need to keep analytics data within the EU. This eliminates US transfer requirements. EU residency is available on certain Amplitude plans — check with your account manager.
Consent (Art. 6(1)(a)) for analytics tracking via localStorage or cookies. Legitimate interest may apply for purely server-side, aggregate analytics without individual identification, but Amplitude's default SDK uses client-side storage requiring consent.
Use the Amplitude User Privacy API to delete user data by user ID or device ID. Submit deletion requests programmatically when users request erasure. Amplitude processes deletion requests and removes the data from its systems and backups within the applicable timeframe.
Yes. Amplitude does not require sending personally identifiable information. Use anonymous user IDs instead of email addresses. Avoid sending names, emails, or other PII as user properties or event properties. Implement server-side ID resolution if you need to link anonymous events to identified users only after consent.
Yes. Sign the Amplitude Data Processing Agreement before deploying Amplitude on EU-facing products. For US-hosted deployments, the DPA includes SCCs. For EU region deployments, the DPA covers EU-resident data processing.
EU-based product analytics alternatives include Mixpanel (with EU hosting), PostHog (self-hostable), and Piwik PRO (EU-based). For cookieless analytics, Plausible (EU) and Fathom provide aggregate-only statistics without requiring consent.