Baidu Analytics (百度统计) is a free web analytics platform from the Chinese search engine Baidu that measures audience, traffic sources, and on-site behaviour through first party and third party cookies.
Baidu Analytics, known in Chinese as 百度统计 (Baidu Tongji), is the free web analytics service of the Chinese search engine Baidu. It is the Chinese market equivalent of Google Analytics and is widely used by businesses targeting the mainland Chinese audience. The script collects audience metrics, traffic sources, conversions, page performance, and visitor behaviour, sending the data to Baidu servers located in China.
Baidu Analytics provides reports on real time visitors, pageviews, sessions, bounce rate, conversion funnels, source and medium, geography, device, and search keywords from Baidu organic traffic. It supports event tracking, custom variables, and ecommerce reports. The implementation is a JavaScript snippet pasted before the closing body tag of every page, which loads hm.baidu.com/hm.js with a unique site identifier.
The script sets several cookies: the first party cookies prefixed with Hm_, including Hm_lvt_ (last visit timestamp) and Hm_lpvt_ (last pageview timestamp), and HMACCOUNT (cross site visitor identifier set on hm.baidu.com). It also reads the user agent, IP address, referrer, viewport, language, and the full URL of every page view. Combined, these elements allow Baidu to recognise returning visitors across sessions and across all sites running Baidu Analytics.
Baidu Analytics processes personal data within the meaning of Article 4(1) GDPR. The cookies it sets are not strictly necessary, so under Article 5(3) of the ePrivacy Directive they require prior, freely given, specific, informed, and unambiguous consent. Baidu also acts as an independent controller for its own purposes, including ad targeting on the Baidu network, which removes the typical processor relationship most European publishers expect from a tracking vendor.
All data is sent to Baidu servers in mainland China. China is not on the European Commission adequacy list. Transfers therefore rely on Article 46 GDPR safeguards (Standard Contractual Clauses) combined with a Transfer Impact Assessment that takes into account Chinese state access powers under the Cybersecurity Law, the Data Security Law, and PIPL. Baidu has not published EU SCCs as of writing, which makes Baidu Analytics very difficult to deploy lawfully for European users.
Block the Baidu Analytics tag by default in your Consent Management Platform. Load hm.baidu.com/hm.js only after the visitor accepts the analytics category. Document Baidu Analytics in your record of processing activities and your privacy notice, with a clear mention of the China transfer. For European audiences, consider using a privacy friendly alternative such as Matomo, Plausible, or Piwik PRO instead, and keep Baidu Analytics enabled only on geographies where it adds real value.
Websites using Baidu Analytics must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended. Baidu Analytics combines large scale behavioural profiling with a systematic transfer to China, a country without an EU adequacy decision and subject to broad state access powers. Document the purposes, retention, SCCs, the Transfer Impact Assessment, and any supplementary measures such as IP truncation or pseudonymisation.
Sample consent text
We use Baidu Analytics to measure how our site is used. This service places cookies and transfers your data to Baidu servers in China. We only activate it after you click Accept in our cookie banner.
Third-party domains contacted
- hm.baidu.com
- tongji.baidu.com
- eclick.baidu.com
- pos.baidu.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| Hm_lvt_<site> | http_cookie | 6 months | Stores the timestamp of the user's last visit so that Baidu Analytics can compute unique and returning visitors. |
| Hm_lpvt_<site> | http_cookie | session | Stores the timestamp of the user's last pageview so that Baidu Analytics can compute session duration and bounce rate. |
| HMACCOUNT | http_cookie | 2 years | Cross site visitor identifier stored on hm.baidu.com that lets Baidu recognise the same user across all sites running Baidu Analytics. |
| HMVT | http_cookie | session | Visit tracking cookie used to consolidate the events sent within a single visit. |
| HMF_<site> | http_cookie | 1 year | Frequency capping cookie used by Baidu Analytics on some properties to detect repeated interactions. |
Baidu Analytics sets several cookies: the first party cookies that start with the prefix Hm_, including Hm_lvt_ (last visit timestamp) and Hm_lpvt_ (last pageview timestamp), plus HMACCOUNT (a cross site visitor identifier set on hm.baidu.com) and HMVT (visit tracking). The script also reads the IP address, user agent, viewport, referrer, and full page URL of every visit.
Yes. Baidu Analytics writes cookies that are not strictly necessary and processes personal data including IP and behavioural identifiers. Under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR, you must obtain prior, freely given, specific, informed, and unambiguous consent before loading the hm.baidu.com script.
Consent under Article 6(1)(a) GDPR is the appropriate legal basis, combined with the consent requirement of Article 5(3) ePrivacy. Legitimate interest is not workable here because Baidu acts as an independent controller for its own targeting purposes and transfers data to a third country without an adequacy decision.
Yes. All Baidu Analytics data is transferred to Baidu servers in mainland China. China has no EU adequacy decision. Transfers require Article 46 safeguards such as Standard Contractual Clauses and a Transfer Impact Assessment, which is very difficult to pass given Chinese state access powers under the Cybersecurity Law, the Data Security Law, and PIPL.
A DPIA is strongly recommended. Baidu Analytics combines systematic monitoring of website visitors, transfers to a third country, and processing by a vendor that acts as an independent controller. These elements meet several criteria of the EDPB DPIA guidelines and justify a documented risk assessment.
Block the hm.baidu.com script by default in your Consent Management Platform. Load it only after the visitor accepts the analytics category. Disclose the China transfer in your cookie banner and privacy notice, list the cookies and their lifetime, and provide an easy way to withdraw consent. Sign Standard Contractual Clauses with Baidu and complete a Transfer Impact Assessment.
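The block-by-default and withdrawal advice above, which the page also gives earlier in its implementation guidance, shown as an added JavaScript example; it is not code from Baidu or from any Consent Management Platform. The consent object shape, the element id baidu-hm and the YOUR_SITE_ID placeholder are assumptions, and the document is passed in as a parameter so the logic can be exercised outside a browser.

```javascript
// Added example. SITE_ID is a placeholder; the consent object shape
// ({ analytics: true }) and the element id "baidu-hm" are assumptions.
const SITE_ID = "YOUR_SITE_ID";
const TAG_ID = "baidu-hm";
// Cookie names from the table on this page: Hm_lvt_<site>, Hm_lpvt_<site>,
// HMF_<site>, HMACCOUNT, HMVT.
const BAIDU_COOKIE = /^(?:Hm_lvt_|Hm_lpvt_|HMF_).+$|^(?:HMACCOUNT|HMVT)$/;

// Names of Baidu Analytics cookies found in a document.cookie-style string.
function baiduCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => BAIDU_COOKIE.test(name));
}

// Inject hm.js only when the analytics category was accepted.
// Returns true if the tag was added, false if blocked or already present.
function loadBaiduIfConsented(doc, consent, siteId = SITE_ID) {
  if (!consent || consent.analytics !== true) return false; // default: blocked
  if (doc.getElementById(TAG_ID)) return false;
  const tag = doc.createElement("script");
  tag.id = TAG_ID;
  tag.async = true;
  tag.src = "https://hm.baidu.com/hm.js?" + encodeURIComponent(siteId);
  doc.head.appendChild(tag);
  return true;
}

// On withdrawal: remove the tag and expire the cookies readable on this site.
// Code that already ran stays in memory until the next page load, and a cookie
// stored on hm.baidu.com itself cannot be cleared from the publisher's page.
function withdrawBaiduConsent(doc, hostname) {
  const tag = doc.getElementById(TAG_ID);
  if (tag) tag.remove();
  const names = baiduCookieNames(doc.cookie);
  for (const name of names) {
    doc.cookie = `${name}=; Max-Age=0; path=/`;
    doc.cookie = `${name}=; Max-Age=0; path=/; domain=.${hostname}`;
  }
  return names;
}
```

In a page, call loadBaiduIfConsented(document, consentState) from the consent platform's accept callback and withdrawBaiduConsent(document, location.hostname) from its withdraw callback.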
For European audiences, consider Matomo, Plausible, Piwik PRO, Fathom, or Umami. These platforms can host data in the EU, support cookieless modes, and are designed with GDPR in mind. Reserve Baidu Analytics for cases where measuring the Chinese mainland audience is a real business need.
Add a dedicated entry for Baidu Analytics in your cookie policy. List each Hm_ cookie, its purpose, its lifetime, and the fact that data is processed by Baidu in China. Explain the transfer mechanism (SCCs and TIA), name Baidu as joint or independent controller depending on your configuration, and link to the Baidu Analytics privacy statement.