Yandex.Metrica is the Russian equivalent of Google Analytics, offering free web analytics, heatmaps, click maps, and session replays. It is operated by Yandex LLC in Russia, and all data is stored on Russian infrastructure. Deploying Yandex.Metrica on EU traffic raises severe GDPR concerns: there is no EU adequacy decision for Russia, transfers must rely on SCCs plus a TIA that is extremely difficult to support, and the EU sanctions framework since 2022 adds further commercial and reputational risk.
Yandex.Metrica is a free web analytics platform operated by Yandex LLC, the largest Russian search and technology company. It offers traffic analytics, conversion tracking, heatmaps, click maps, scroll maps, form analytics, and full session replays. Functionally it is closer to Google Analytics combined with Hotjar in a single product.
On a website, Yandex.Metrica is deployed via a JavaScript tag served from mc.yandex.ru. All data flows back to Yandex servers in the Russian Federation, primarily in Moscow region data centers.
Yandex.Metrica processes the visitor IP, browser User Agent, screen resolution, current page URL, referrer, click and scroll positions, time on page, form interactions, and (when session replay is enabled) full DOM mutations reconstructing the page state. Custom events and ecommerce parameters can also be transmitted.
Cookies set on yandex.ru and the publisher domain include _ym_uid (visitor ID, 1 year), _ym_d (first visit date, 1 year), _ym_isad (ad block detection, 1 day), _ym_visorc_<counter_id> (session reconstruction, 30 minutes), and yabs-sid (advertising session). None of these are strictly necessary.
Russia has no European Commission adequacy decision. EU to Russia transfers therefore require SCCs plus a Transfer Impact Assessment. The TIA must consider Russian Federal Law N 152 FZ on personal data localisation, FSB and other state access rights under SORM, and the lack of effective judicial remedy for EU data subjects in Russian courts. After the CJEU Schrems II ruling, this analysis is hard to conclude favourably.
Several EU DPAs and lawyers have effectively recommended against using Yandex.Metrica for EU traffic since 2022, citing both Schrems II and the EU sanctions context. For comparison, the CNIL, the Austrian DPA, and the Italian Garante issued formal warnings against Google Analytics for similar transfer concerns, and Yandex.Metrica presents a stronger case for prohibition.
Since 2022, the EU sanctions framework against Russia (Council Regulation 833/2014 as amended) has restricted various commercial dealings with Russian entities and certain Russian state owned media. Yandex itself has come under scrutiny and Yandex N.V. (the former Dutch holding) was forced to divest its Russian business. The Russian operating entity Yandex LLC is now ring fenced from the international Nebius group, but data processing for Yandex.Metrica still happens in Russia.
In addition to legal compliance, EU controllers face reputational risk by sending visitor data to a Russian processor in the current geopolitical environment.
For most EU controllers, the practical recommendation is to migrate away from Yandex.Metrica to a GDPR friendly alternative such as Matomo (self hosted or EU cloud), Piwik PRO (Germany), Plausible (Estonia), Fathom (Canada with EU adequacy), or Simple Analytics (Netherlands).
If you must keep Yandex.Metrica (for example to track a Russian language website targeting Russian users), strictly geofence the tag so that it only loads for visitors clearly outside the EU, sign the most recent Yandex DPA, capture explicit consent in any remaining EU traffic, and document the residual risk in the DPIA.
Document why Yandex.Metrica is necessary and why no EU alternative is acceptable. Sign the Yandex DPA and SCCs. Conduct and document a thorough TIA that explicitly addresses Russian Federal Law N 152 FZ, SORM, and the absence of effective EU data subject remedies. Defer the tag until explicit consent. List Yandex LLC as a processor in your privacy notice with the Russian transfer flag prominently.
Monitor EU DPA guidance and sanctions updates regularly. Be ready to migrate quickly if a DPA issues a formal warning against Yandex.Metrica similar to past Google Analytics decisions.
Websites using Yandex.Metrica must obtain user consent under GDPR regulations.
DPIA considerations
Yandex.Metrica is one of the highest risk analytics tools to deploy on EU traffic. Key DPIA considerations: (1) all data is processed on Russian Federation servers with no EU adequacy decision; (2) Russian Federal Law N 152 FZ requires personal data of Russian citizens to be stored in Russia, but also gives broad access to FSB and other state agencies under SORM rules; (3) since the Russian invasion of Ukraine in 2022, the EU sanctions framework (Council Regulation 833/2014 as amended) restricts certain commercial dealings with Russian entities; (4) Yandex.Metrica also captures full session replays with click maps and form analytics, increasing the personal data footprint dramatically; (5) the cookies (_ym_uid, _ym_d, _ym_isad, _ym_visorc) include a persistent visitor ID with a 1 year lifetime; (6) for most EU controllers, a TIA cannot conclude that adequate protection is in place, so continued use risks GDPR non compliance and DPA enforcement. Migration to a GDPR friendly analytics tool is strongly recommended.
Sample consent text
We use Yandex.Metrica (Yandex LLC, Russian Federation) for web analytics, heatmaps, and session recordings. With your explicit consent, Yandex.Metrica sets cookies on your device and transfers data to Yandex servers in Russia under Standard Contractual Clauses. Please note that Russia has no EU adequacy decision and that this transfer carries additional legal risk. You can refuse this tracking and we recommend doing so if you are concerned about data transfers outside the EU.
Third-party domains contacted
mc.yandex.ru, metrika.yandex.ru, yandex.ru, mc.yandex.com, mc.yandex.com.tr
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| _ym_uid | Analytics | 1 year | Persistent visitor identifier set by Yandex.Metrica. Used to recognise returning visitors across sessions and to power all subsequent analytics, heatmaps, and session replays. |
| _ym_d | Analytics | 1 year | Stores the date of the visitor first visit, used to calculate new vs returning visitor rates. |
| _ym_isad | Analytics | 1 day | Detects whether the visitor uses an ad blocker, used to apply different tracking strategies. |
| _ym_visorc_<counter_id> | Analytics | 30 minutes | Used by the Yandex.Metrica session replay feature (Webvisor) to reconstruct the visitor session for later playback. |
| yabs-sid | Marketing | Session | Yandex advertising session identifier, used for cross site advertising attribution when Yandex.Direct is also enabled. |
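
To verify that the tag really is deferred until explicit consent, a recorded page session can be checked against the domain list and cookie table above. The following is an added example, not code from the original page or from Yandex; the event format, function names, timestamps, and sample session are constructed for illustration, and the assumption that the `_ym_visorc` suffix is a word-character counter id is ours.

```javascript
// Domains and cookie names taken from the lists on this page.
const LISTED_HOSTS = ["mc.yandex.ru", "metrika.yandex.ru", "yandex.ru",
                      "mc.yandex.com", "mc.yandex.com.tr"];
// _ym_visorc may carry a counter-id suffix (assumed here to be \w+).
const LISTED_COOKIES = [/^_ym_uid$/, /^_ym_d$/, /^_ym_isad$/,
                        /^_ym_visorc(_\w+)?$/, /^yabs-sid$/];

// Match on a label boundary so "notyandex.ru" is not flagged,
// while any subdomain of a listed domain is.
function isListedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return LISTED_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

function isListedCookie(name) {
  return LISTED_COOKIES.some((re) => re.test(name));
}

// events: { t, type: "request", url } or { t, type: "cookie", name }
// consentAt: timestamp of the explicit opt-in, or null if none was given.
// Returns every listed request or cookie observed before consent.
function auditPreConsent(events, consentAt) {
  const findings = [];
  for (const e of events) {
    if (consentAt !== null && e.t >= consentAt) continue; // after opt-in: allowed
    if (e.type === "request") {
      let host;
      try { host = new URL(e.url).hostname; } catch { continue; } // skip bad URLs
      if (isListedHost(host)) findings.push({ t: e.t, kind: "request", value: host });
    } else if (e.type === "cookie" && isListedCookie(e.name)) {
      findings.push({ t: e.t, kind: "cookie", value: e.name });
    }
  }
  return findings;
}

// Constructed sample session (paths and ids are placeholders).
const SAMPLE_EVENTS = [
  { t: 100, type: "request", url: "https://example.org/index.html" },
  { t: 120, type: "request", url: "https://mc.yandex.ru/placeholder-path" },
  { t: 125, type: "cookie", name: "_ym_uid" },
  { t: 130, type: "cookie", name: "_ym_visorc_12345678" },
  { t: 140, type: "request", url: "https://notyandex.ru/placeholder-path" },
  { t: 150, type: "cookie", name: "session_id" },
  { t: 900, type: "request", url: "https://mc.yandex.com.tr/placeholder-path" },
  { t: 905, type: "cookie", name: "yabs-sid" },
];

console.log(auditPreConsent(SAMPLE_EVENTS, 500)); // consent given at t=500
```

An empty result means no listed domain was contacted and no listed cookie was set before the opt-in; passing `null` as `consentAt` treats the whole session as pre-consent, which is the right check for a visitor who refused.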
Yandex.Metrica sets multiple first-party cookies: _ym_uid (visitor ID, 1 year), _ym_d (first visit date, 1 year), _ym_isad (adblock detection, 1 day), _ym_visorc_<counter_id> (session reconstruction, 30 minutes), and yabs-sid (session identifier for advertising). All are non-essential and require consent.
Yes, twice over. First, Art. 5(3) ePrivacy and §25 TTDSG require consent for the non essential cookies. Second, the cross border transfer to Russia is itself problematic and consent alone does not legitimise the transfer under GDPR. For ongoing EU deployments, an explicit consent is the minimum; for many DPAs, even with consent the transfer would still not pass a Schrems II assessment.
Only consent (Art. 6(1)(a) GDPR) is conceivable, but legal basis is not the only constraint: the international transfer chapter (Art. 44 et seq.) must also be satisfied. After Schrems II, an EU to Russia transfer is extremely difficult to support, even with consent and SCCs.
Yes, to the Russian Federation, which has no EU adequacy decision. Transfers rely on SCCs and require a TIA that explicitly addresses Russian Federal Law N 152 FZ, SORM, and the absence of effective EU data subject remedies. This assessment will rarely conclude that adequate protection is in place.
Yes. Yandex.Metrica meets multiple EDPB criteria for mandatory DPIA: systematic monitoring, profile building, cross border transfer to a third country with no adequacy, and innovative use of technology (session replay). The DPIA must address all of these and the sanctions context.
In most cases, do not implement it on EU traffic. If absolutely necessary (Russian language site targeting Russian users): geofence the tag, sign the most recent Yandex DPA and SCCs, capture explicit consent for any EU traffic, run a thorough DPIA, document the residual risk, and prepare a migration plan in case of DPA enforcement.
GDPR friendly analytics with similar feature scope: Matomo (self-hosted or EU cloud) with the Heatmaps and Session Recording premium feature, Piwik PRO (Germany) with EU residency, Plausible (Estonia, simple analytics only), Fathom (Canada), Simple Analytics (Netherlands). For session replay: Mouseflow (Denmark), Smartlook (Czech Republic), Hotjar with EU data residency.
List all Yandex.Metrica cookies (_ym_uid, _ym_d, _ym_isad, _ym_visorc) with provider (Yandex LLC, Russian Federation), purpose, lifetime, and category (Analytics). Disclose prominently the transfer to the Russian Federation and the residual risk for the data subject. Link the Yandex privacy policy. If you can migrate away, that is the strongest GDPR position.