Snowplow is an open source behavioural data platform used by data engineering teams who want full control over their event collection. Trackers send first party events to a publisher controlled collector that writes raw data to S3, Snowflake, BigQuery or Databricks. Self hosting on EU infrastructure makes Snowplow a strong GDPR compliant alternative to Google Analytics, especially for the public sector and regulated industries.
Snowplow is an open source behavioural data platform. Trackers running in browsers, mobile apps or servers send raw events to a Snowplow collector controlled by the operator. The events are then validated, enriched and loaded into the operator data warehouse (BigQuery, Snowflake, Redshift, Databricks). Snowplow is also available as a fully managed service called Snowplow BDP.
The Snowplow JavaScript tracker sets first party cookies _sp_id (domain user id) and _sp_ses (session) by default. It captures pageviews, events, custom self describing payloads, performance metrics and, when configured, click and form interaction events. The IP address is recorded by the collector unless an IP truncation enrichment is applied.
Snowplow processes personal data because cookie identifiers and IP addresses can identify the visitor. Article 5(3) of the ePrivacy Directive requires consent for any cookie that is not strictly necessary, and Snowplow product analytics cookies are not strictly necessary. With the right configuration (no marketing use, IP truncation, anonymous session id), some authorities accept a legitimate interest based deployment.
The standard legal basis is article 6(1)(a) GDPR (consent), with Snowplow mentioned in the analytics category of the CMP. Legitimate interest under article 6(1)(f) can be defended for a strictly anonymous configuration: no marketing identifier, no advertising use case, IP truncated, retention limited and the balancing test documented.
Snowplow is self hosted, so the operator decides where the collector, enrichment pipeline and warehouse live. By default an EU based deployment on AWS Frankfurt or Ireland keeps all data inside the EEA. Snowplow BDP, the managed offering, lets the operator pick the AWS region; choose an EU region for European users.
Deploy Snowplow in an EU AWS region, sign a DPA with Snowplow Analytics for the BDP offering, configure the IP truncation enrichment, integrate the tracker with your CMP, document the event schema, retention and warehouse access in the record of processing and run regular data minimisation reviews on the Iglu schemas.
Websites using Snowplow Analytics must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Snowplow ingests detailed behavioural events for marketing or personalisation, when the warehouse contains direct identifiers, or when the operator combines Snowplow with cross device matching, scoring and AI models.
Sample consent text
We use Snowplow Analytics, an open source behavioural data platform that runs on our own servers. Snowplow stores cookies on your browser and records pages you visit and the events you trigger. Tracking only starts after you accept analytics cookies.
Third-party domains contacted
snowplowanalytics.com
snowplow.io
snplow.net
iglucentral.com
collector.example.com (customer controlled)
(publisher controlled collector domain)
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _sp_id | first_party | 2 years | Stores the Snowplow visitor identifier used to recognise returning users. |
| _sp_id | first_party | 13 months | Pseudonymous visitor identifier used to stitch sessions across visits. |
| _sp_ses | first_party | 30 minutes | Stores the Snowplow session identifier. |
| _sp_ses | first_party | 30 minutes | Session identifier used to group events into a single visit. |
Snowplow sets _sp_id (visitor) and _sp_ses (session) first party cookies, plus any custom cookies declared in your schema.
Snowplow sets two first party cookies on the publisher domain: _sp_id (visitor identifier, 13 months) and _sp_ses (session identifier, 30 minutes). In cookieless mode neither cookie is set; visitor stitching is replaced by an in memory device fingerprint that is reset on every visit.
Yes by default because of the persistent identifier. Anonymous server side measurement without _sp_id can sometimes rely on legitimate interest.
Yes when Snowplow stores _sp_id or _sp_ses on the visitor terminal: prior consent under Art. 5(3) ePrivacy is required. In cookieless mode aligned with the CNIL R32 exemption (IP truncation, no fingerprinting, no cross site tracking, opt out exposed) Snowplow can be deployed without consent on legitimate interest grounds.
Consent for behavioural tracking. Legitimate interest for anonymous aggregate analytics with strict safeguards.
Consent (Art. 6(1)(a) GDPR) for the cookied mode. Legitimate interest (Art. 6(1)(f)) for the cookieless exempt mode. Either way the publisher is the sole data controller because Snowplow is self hosted.
Not for the pipeline if you deploy in an EU region. Snowplow BDP support in the UK or US may access infrastructure under SCCs.
No, when self hosted on AWS Frankfurt or Dublin or on Snowplow BDP managed with EU residency. The default open source deployment depends on the iglucentral schema registry hosted on Cloudfront, which only ships JSON schemas (no personal data) so it does not constitute a personal data transfer.
Recommended because Snowplow can record very granular user behaviour and is often integrated with other personal data.
A DPIA is recommended only when Snowplow combines clickstream events with personal identifiers (logged in users, CRM enrichment) at scale. Pure cookieless behavioural collection with IP truncation usually does not trigger the Art. 35 DPIA criteria.
Deploy in EU regions, define a clear schema, anonymise IPs, use cookieless mode, gate behind a CMP and pass the consent flag as a custom context.
Deploy the collector in an EU region, activate IP truncation, disable fingerprinting in the JavaScript tracker, wire the tracker to your CMP if you stay in cookied mode, document Snowplow in your Article 30 register and use schema versioning so every change in the data contract is traceable.
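One way to wire the tracker to a CMP, as an added example that is not Snowplow's or this page's own code: the CMP decision selects cookied or cookieless tracker options, is attached to every event as a custom context, and a helper lists the Snowplow cookies to expire on withdrawal. The option names are those of the Snowplow JavaScript tracker v3 as understood here and should be checked against the deployed version; the appId, the `com.example` schema URI, the `v1` CMP version and the 395-day approximation of 13 months are assumptions.

```javascript
// Added example. Names marked "hypothetical" come neither from the page nor from Snowplow.
const THIRTEEN_MONTHS_S = 395 * 24 * 60 * 60; // ~13 months in seconds (assumed approximation)
const THIRTY_MINUTES_S = 30 * 60;             // _sp_ses duration from the cookie table

// Map the CMP decision to tracker options. Fail closed: anything other than
// an explicit boolean true (undefined, null, the string "true") means no consent.
function trackerOptions(analyticsConsent) {
  const base = { appId: 'example-site' }; // hypothetical appId
  if (analyticsConsent === true) {
    return { ...base,
      stateStorageStrategy: 'cookieAndLocalStorage', // cookied mode: _sp_id and _sp_ses are set
      cookieLifetime: THIRTEEN_MONTHS_S,
      sessionCookieTimeout: THIRTY_MINUTES_S,
      anonymousTracking: false };
  }
  return { ...base,
    stateStorageStrategy: 'none',                    // cookieless mode: nothing stored on the device
    anonymousTracking: { withServerAnonymisation: true } };
}

// Consent flag as a self-describing custom context, so every warehouse row
// records the consent state it was collected under.
function consentContext(analyticsConsent, cmpVersion) {
  return {
    schema: 'iglu:com.example/consent_state/jsonschema/1-0-0', // hypothetical schema
    data: { analytics: analyticsConsent === true, cmp_version: cmpVersion },
  };
}

// Names of Snowplow cookies present in a document.cookie string, for expiry
// on withdrawal. The tracker appends a suffix to the names (e.g. _sp_id.1fff).
function snowplowCookieNames(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => /^_sp_(id|ses)(\.|$)/.test(name));
}

// Browser wiring: call once, after the CMP has resolved the visitor's choice.
// Returns false outside a browser or when the tracker snippet is not loaded.
function applyConsent(analyticsConsent) {
  if (typeof window === 'undefined' || typeof window.snowplow !== 'function') return false;
  window.snowplow('newTracker', 'sp', 'collector.example.com', trackerOptions(analyticsConsent));
  window.snowplow('addGlobalContexts', [consentContext(analyticsConsent, 'v1')]);
  window.snowplow('trackPageView');
  return true;
}
```

IP truncation is not covered by this block: it is applied in the enrichment pipeline, not in the tracker.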
Other privacy first analytics include Matomo (PHP, EU hosted), Plausible Analytics (EU, cookieless), Fathom (cookieless), Umami (open source), Pirsch (Germany) and Simple Analytics (Netherlands). For high volume warehouse native data, RudderStack and Segment are the closest commercial competitors.
Matomo, PostHog, Plausible, Adobe Analytics, Google Analytics 4, mParticle. Open source alternatives reduce vendor risk.
Document _sp_id, _sp_ses and any custom cookies, their purpose and duration, and version the policy with each schema change.
List _sp_id and _sp_ses with their lifetime and purpose if you operate in cookied mode. State that the data is collected on first party infrastructure (no third country transfer). Update the policy when you change the IP truncation level, sampling, retention or schema versioning policy.