Implementing PostHog with GDPR Consent in Next.js
Integrating analytics into web applications requires careful consideration of user privacy, especially in regions with strict data protection laws like the GDPR. For Next.js applications, particularly those using the App Router, implementing PostHog analytics while respecting user consent is crucial. This guide details how to achieve this using the c15t consent management platform and PostHog's EU-specific configurations.
The core principle is that your analytics code should align with your site's consent model. While a basic PostHog installation might suffice for internal tools, applications targeting users in the European Union must ensure PostHog does not load until the user explicitly grants consent for measurement. The c15t platform provides a robust solution for managing this boundary within a Next.js App Router project by tying the PostHog script's execution to the measurement consent category.
This approach leverages the c15t PostHog script helper. This method centralizes the management of PostHog loading, consent updates, user revocation of consent, and script removal. It also enables a more stringent EU configuration by setting region: 'eu' and loadMode: 'after-consent' directly within the PostHog script configuration.

Setting Up c15t and PostHog
To begin, you need to have c15t integrated into your Next.js project. c15t is a powerful consent management platform that allows granular control over third-party scripts and trackers. Once c15t is in place, you can configure PostHog.
Installation and Initialization
The integration involves adding the PostHog script to your Next.js application in a way that respects c15t's consent categories. The c15t PostHog script helper simplifies this process. It ensures that the PostHog JavaScript snippet is only injected into the DOM and initialized after the user has provided consent for the measurement category.
When using the helper, you'll typically configure PostHog with specific options tailored for privacy-conscious deployments. Key among these are:
api_host: The URL for your PostHog instance.token: Your PostHog project API key.region: 'eu': This directive ensures that all data is processed within PostHog's European data centers, adhering to GDPR requirements for data residency.loadMode: 'after-consent': This is the critical setting that instructs PostHog not to load or initialize until explicit user consent has been granted for the measurement category.
The c15t PostHog script helper abstracts away much of the direct DOM manipulation and event listening. It acts as a bridge, listening to c15t's consent state changes. When measurement consent is granted, the helper triggers the PostHog script's loading and initialization sequence. Conversely, if consent is revoked, it can handle the removal or deactivation of PostHog tracking.
Configuring Consent Categories
c15t operates on a system of consent categories. For analytics like PostHog, the measurement category is the most appropriate. Users should be presented with clear options to opt-in to this category. It's important that the language used to describe this category accurately reflects what data is being collected and why, aligning with GDPR's requirements for informed consent.
When a user visits your site, c15t's interface (typically a banner or modal) will present these categories. If the user accepts measurement consent, c15t signals this to the application. The c15t PostHog helper, which is monitoring these signals, then proceeds to load PostHog. If the user denies consent, or closes the consent manager without making a choice, PostHog remains unloaded.
Handling Consent Revocation
A critical aspect of GDPR compliance is the user's right to revoke consent. Your implementation must provide an easy way for users to change their minds. With c15t and the PostHog helper, this is managed seamlessly. If a user revokes consent for the measurement category, c15t will emit an event indicating this change. The PostHog helper will then detect this revocation and should ideally take action to stop tracking and potentially remove any PostHog-related data or cookies from the user's browser.
This ensures that if a user initially opts in but later decides against it, their tracking is immediately ceased, upholding their rights under GDPR. The helper can be configured to execute cleanup routines, such as deleting PostHog cookies or calling a PostHog API method to mark the user as opted-out.
Stricter EU Configuration
The use of region: 'eu' is not merely a technical setting; it's a statement of intent regarding data handling. By routing all data through PostHog's EU servers, you minimize the risks associated with international data transfers, which are a significant concern under GDPR. This configuration helps ensure that personal data processed by PostHog stays within the European Economic Area, simplifying compliance efforts.
Furthermore, loadMode: 'after-consent' is the linchpin of privacy-aware analytics. It prevents any client-side tracking from occurring until the user has actively agreed. This is a far more robust approach than simply disabling tracking after an opt-out, as it prevents any accidental collection of data before consent is given.
Legal Considerations
This article provides implementation guidance and technical information, not legal advice. It is imperative that you consult with legal counsel to review your specific consent copy, privacy notices, PostHog settings, and the behavior of your consent management system across different regions. Ensure that your consent mechanisms are transparent, easily understandable, and compliant with all applicable data protection laws.
Specifically, legal counsel should verify:
- The clarity and accuracy of the language used in your consent banner/modal for the
measurementcategory. - The content and accessibility of your privacy policy, detailing how PostHog data is collected, processed, and stored.
- The configuration of PostHog itself, including any custom event tracking, to ensure it aligns with the stated purposes for which consent was obtained.
- The behavior of the consent system in various jurisdictions, as GDPR is not the only regulation governing online privacy.
By combining a technically sound implementation with appropriate legal review, you can effectively integrate PostHog into your Next.js application while maintaining strong GDPR compliance.
