Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Tencent Analytics (TA, formerly Mobile Analytics MTA) is a web and mobile analytics platform operated by Tencent Holdings Ltd from mainland China. It provides pageview, session, event, and funnel analytics integrated with the WeChat, QQ, and Tencent Cloud ecosystems. For European websites the deployment is unusually risky: tracking data is stored in China under the PIPL and Cybersecurity Law, which include broad government access provisions, and no EU, China data transfer framework is in place.
Tencent Analytics (TA), evolved from the older Mobile Analytics product (MTA), is the in, house web and mobile analytics platform of Tencent Holdings Ltd, the Shenzhen, headquartered company that also runs WeChat, QQ, and Tencent Cloud. The product is most commonly used by Chinese publishers and brands to measure traffic on their websites and mini, programs, with tight integrations to the WeChat ecosystem (mini, program analytics, official accounts, Mini Game tracking). Tencent Analytics offers the standard set of metrics (pageviews, unique visitors, sessions, events, funnels, retention, cohort analysis) plus China, specific dimensions such as WeChat acquisition channel and QQ user segments. The tracker is loaded from tajs.qq.com or, in legacy deployments, from hm.cnzz.com.
Tencent Analytics writes several first, party cookies on the publisher''s domain. qccr_fpa is the first, party anonymous identifier (typically 2 years), ta_distinct_id is the visitor identifier used by the latest TA SDK, and qccr_session captures the current session. Tencent also collects the visitor IP, user agent, referrer, page URL, scroll behaviour, custom events, and any user properties the publisher passes to the SDK. When the SDK is used inside a WeChat Mini Program, additional identifiers (openid, unionid) may be exchanged with the Tencent backend to link mini, program activity with web visits.
For European visitors, embedding Tencent Analytics raises three layered issues. First, the qccr_fpa and ta_distinct_id cookies fall under Article 5(3) ePrivacy and require prior consent. Second, the transfer of personal data to mainland China engages Chapter V GDPR; China is not on the Commission''s adequacy list, the PIPL is not deemed essentially equivalent to GDPR by the EDPB, and the Cybersecurity Law plus DSL grant broad access powers to Chinese authorities. Third, EDPB Recommendations 01/2020 require supplementary measures (typically end, to, end encryption with keys held in the EU) when transferring to a jurisdiction with such surveillance scope, and Tencent Analytics does not natively support that.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Prior, freely given, informed and specific consent is required before loading the Tencent Analytics SDK. The CMP banner must clearly disclose that the data is sent to mainland China and that local surveillance laws apply. Consent in the meaning of Article 49(1)(a) GDPR may be invoked as a derogation for transfers, but only for occasional and non, repetitive transfers; using consent to legitimise systematic transfer of all visitor traffic to China is generally rejected by EU DPAs. The CNIL and the BfDI have both warned against this pattern. Consent should therefore be paired with a serious Transfer Impact Assessment.
All Tencent Analytics data is hosted in mainland China by Tencent Holdings Ltd and its subsidiaries. There is no EU data residency option for the standard product. Standard Contractual Clauses can be signed in theory, but the Transfer Impact Assessment will need to address the Cybersecurity Law (Article 35 cross, border data review), the Data Security Law (Article 21 classified data categories), and the PIPL (Article 41, mandatory production order to Chinese authorities). The EDPB position after Schrems II makes it very difficult for a European publisher to demonstrate that essentially equivalent protection is achievable. For most use cases, the practical conclusion is to use Tencent Analytics only for content that explicitly targets mainland China, never for general European audience tracking.
If you must use Tencent Analytics for a website that addresses Chinese audiences (overseas Chinese, mainland China expansion, WeChat Mini Programs), keep the deployment isolated: serve the SDK only on the .cn version of the website or on the China, specific subdomain, gate it behind a strict CMP, never load it for visitors detected as EU/EEA, and document a full Transfer Impact Assessment. For European audience analytics, replace it with Matomo, Plausible, Umami, or another EU, hosted alternative. Document the decision in the record of processing activities and notify the DPO of the residual risk.
Websites using Tencent Analytics must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended and will typically conclude with a high residual risk for European websites. The combination of persistent tracking cookies, unencrypted IP transmission, and storage in mainland China under the PIPL, DSL, and Cybersecurity Law triggers multiple high, risk criteria of the EDPB list (transfer to a jurisdiction without adequacy, large, scale processing, systematic monitoring). Document the technical and contractual safeguards considered (SCCs, encryption with EU, held keys), the conclusion of the Transfer Impact Assessment, and the alternatives evaluated. For EU consumer audiences, deployment is rarely defensible.
Sample consent text
We use Tencent Analytics to measure website traffic. Tencent Analytics is operated by Tencent Holdings Ltd and stores all tracking data on servers in mainland China. Your IP address, a unique visitor identifier, and the pages you browse are transferred to China where they may be subject to local surveillance laws. Do you accept the use of Tencent Analytics?
Third-party domains contacted
tajs.qq.commta.qq.compingjs.qq.comhm.cnzz.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| qccr_fpa | first-party | 2 years | Anonymous first-party identifier set by the Tencent Analytics SDK to recognise returning visitors and aggregate them into unique-visitor metrics. |
| ta_distinct_id | first-party | 1 year | Visitor identifier used by the latest Tencent Analytics SDK to attribute events, sessions and conversions to a single browser. |
| qccr_session | first-party | Session | Session cookie used by Tencent Analytics to group page views and events that belong to the same visit. |
Tencent Analytics collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Tencent Analytics writes first, party cookies on the publisher's domain, including qccr_fpa (anonymous first, party identifier, around 2 years), ta_distinct_id (visitor identifier used by the current SDK), and qccr_session (session identifier). It also collects the visitor IP, user agent, referrer, page URL, scroll behaviour, custom events, and any user properties passed by the publisher.
Yes. The cookies require prior consent under Article 5(3) ePrivacy. More importantly, consent alone is not sufficient to legitimise the systematic transfer of European visitor data to mainland China; the EDPB has consistently rejected consent under Article 49(1)(a) GDPR for systematic and repetitive transfers. Most European DPAs would consider Tencent Analytics on a public website non, compliant for general EU audiences.
Consent (GDPR Article 6(1)(a)) is required, but it does not by itself solve the Chapter V transfer issue to China. SCCs can be signed but a Transfer Impact Assessment will typically conclude that the PIPL, Cybersecurity Law, and Data Security Law create a level of government access that is not essentially equivalent to GDPR protection.
Yes. All Tencent Analytics tracking data and dashboard activity is processed on Tencent infrastructure in mainland China (Shenzhen, Beijing, Shanghai). China is not on the EU adequacy list. The PIPL, the Cybersecurity Law, and the Data Security Law include broad provisions allowing Chinese authorities to access stored data, including data of foreign citizens, for national security and public order.
Yes, a DPIA is strongly recommended and will typically conclude with a high residual risk for European websites. The combination of persistent identifying cookies, full IP transmission, storage in a non, adequate jurisdiction with broad surveillance powers, and the lack of native end, to, end encryption with EU, held keys triggers multiple high, risk criteria.
For a website primarily targeting European audiences, the practical answer is not to use Tencent Analytics. If a deployment is unavoidable for the China, focused parts of your business, isolate the SDK to a .cn subdomain or a China, specific app, gate it behind strict consent, exclude EU/EEA traffic via geo, detection, and document a full Transfer Impact Assessment with the conclusion that the residual risk is accepted only for explicitly Chinese audiences.
For European audience analytics, EU, hosted alternatives include Matomo (self, hosted or EU cloud), Plausible (EU cloud), Umami (open source), Pirsch (Germany), and Fathom (EU cloud). For Chinese audiences, Baidu Analytics carries similar transfer concerns but is sometimes preferred for SEO with Baidu; cookieless server, side analytics on your own EU/CN infrastructure remains the safest pattern.
If you keep Tencent Analytics deployed for a China, focused subset, list it as a sub, processor with the cookies qccr_fpa (2 years), ta_distinct_id, and qccr_session, plus a clear statement that data is transferred to and stored in mainland China under the PIPL, Cybersecurity Law, and Data Security Law. Indicate that no EU adequacy decision applies and reference the SCCs plus Transfer Impact Assessment.