Is Google Analytics GDPR compliant?
6 March 2026 · FlowConsent
TL;DR
Google Analytics 4 is not GDPR compliant by default. The tool collects personal data (IP addresses, cookie identifiers, browsing data) and transfers it to the United States, which has led several European data protection authorities to declare its use non-compliant. It is possible to use GA4 in a compliant way, provided you block scripts before consent, configure Consent Mode v2 correctly, and document everything in your privacy policy. Without these measures, your website faces real legal risks.
Why this question still matters in 2026
Google Analytics remains the most widely used web analytics tool in the world. Yet its compliance with GDPR has been the subject of regulatory scrutiny and enforcement decisions for several years. This is not a theoretical issue: multiple data protection authorities across Europe have ruled against the use of Google Analytics.
The core problem is twofold. First, GA4 collects data that qualifies as personal data under the GDPR (unique identifiers, IP addresses, browsing data). Second, this data is transferred to the United States, a country whose level of data protection has been challenged repeatedly by European courts.
For website owners, the question is not whether Google Analytics is good or bad, but what needs to be configured to use it without legal risk, and when it makes more sense to consider an alternative.
What does the GDPR require for analytics tools?
The GDPR (General Data Protection Regulation) is the European legal framework governing the collection and processing of personal data since May 2018. It applies to any website that processes data of EU residents, regardless of where the site is hosted.
For analytics tools like Google Analytics, the GDPR imposes several concrete obligations.
A lawful basis is required. Processing personal data requires a legal basis. For analytics cookies, the most common basis is explicit user consent.
Scripts must be blocked before consent. Analytics scripts must not load until the user has given their agreement.
Clear information must be provided. Your privacy policy must explain what data is collected, why, and how users can exercise their rights.
Data transfers must be safeguarded. If data is transferred outside the EU, additional safeguards are required.
Does Google Analytics collect personal data?
Yes. Google Analytics collects several categories of data that qualify as personal data under the GDPR, including IP addresses, cookie identifiers, browsing data, technical information, and approximate location data.
Google acts as a data processor on behalf of the website owner, who remains the data controller. The website owner is legally responsible for the compliance of this data collection.
What European authorities have decided
Several European data protection authorities have ruled against the use of Google Analytics. Austria (DSB, January 2022), France (CNIL, February 2022), Italy (Garante, June 2022), Denmark and Norway all concluded that Google Analytics violated the GDPR due to data transfers to the United States.
Since July 2023, the EU-US Data Privacy Framework (DPF) provides a new legal basis for transatlantic transfers. Google is certified under this framework. However, the legal durability of the DPF remains uncertain.
How to use Google Analytics in a compliant way
It is possible to use GA4 in a GDPR-compliant way, but it requires active configuration. Installing GA4 with default settings is not enough.
Step 1: block GA4 before consent
The Google Analytics script must not load until the user has accepted analytics cookies through your cookie banner.
Step 2: configure Consent Mode v2
Consent Mode v2 is the mechanism Google provides to adjust the behavior of Google tags based on user consent. It has been mandatory since March 2024 to retain remarketing and measurement capabilities in the EEA.
Step 3: configure GA4 to minimize data
Enable IP anonymization, reduce data retention to the minimum needed, disable Google Signals if you do not need cross-device tracking, and disable granular location and device data collection if not necessary.
Step 4: update your privacy policy
Your policy must explicitly mention the use of Google Analytics, the data collected, the legal basis, the retention period, transfers to the United States, and user rights.
Step 5: use a compliant CMP
Your CMP must effectively block scripts before consent, transmit Consent Mode v2 signals, record consent proof, and allow withdrawal of consent. When choosing a CMP, verify that it handles technical script blocking.
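Steps 1 and 2 combined, as an added example (not code from FlowConsent, Google, or any CMP): Consent Mode v2 defaults are set to denied, and the GA4 library is only injected once the banner reports analytics consent. The function name `createConsentGate`, the `{ analytics, ads }` choice shape, and the measurement ID are assumptions made for illustration.

```javascript
// Added example. createConsentGate and the { analytics, ads } choice shape
// are hypothetical names, not part of any CMP or Google API.
const CONSENT_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

function createConsentGate(win, doc, measurementId) {
  win.dataLayer = win.dataLayer || [];
  // gtag pushes its arguments object onto dataLayer, as in Google's snippet.
  function gtag() { win.dataLayer.push(arguments); }

  // Step 2: all four Consent Mode v2 parameters start as 'denied'.
  // No region is set, so the default applies to every visitor, EEA included.
  gtag('consent', 'default',
    Object.fromEntries(CONSENT_KEYS.map((k) => [k, 'denied'])));

  let loaded = false;

  // Step 1: the GA4 library is only injected from here, never from static HTML.
  function loadGa4() {
    if (loaded) return;
    const s = doc.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=' +
      encodeURIComponent(measurementId);
    doc.head.appendChild(s);
    gtag('js', new Date());
    gtag('config', measurementId);
    loaded = true;
  }

  return {
    // Called by the banner on accept, reject, or later withdrawal.
    applyChoice(choice) {
      const ads = choice.ads ? 'granted' : 'denied';
      gtag('consent', 'update', {
        analytics_storage: choice.analytics ? 'granted' : 'denied',
        ad_storage: ads,
        ad_user_data: ads,
        ad_personalization: ads,
      });
      if (choice.analytics) loadGa4();
    },
    isLoaded: () => loaded,
  };
}

// Browser usage ('G-XXXXXXXXXX' is a placeholder measurement ID):
//   const gate = createConsentGate(window, document, 'G-XXXXXXXXXX');
//   gate.applyChoice({ analytics: true, ads: false });
```

A rejected or withdrawn choice only sends a `denied` update. Any non-Google tracker on the page still has to be blocked by the CMP itself.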
Common mistakes (and how to avoid them)
Loading GA4 before consent. This is the most widespread error. Fix: configure your CMP to block the GA4 tag until consent is granted.
Relying solely on Consent Mode. Consent Mode does not block third-party scripts. Other trackers must be blocked separately by your CMP. To understand how different types of cookies work, see our dedicated guide.
Not testing after configuration. Use a cookie scanner to check the real behavior of your site.
Ignoring data transfers. The EU-US DPF covers transfers to Google, but its long-term validity is not guaranteed.
Using a banner without an equivalent reject option. The CNIL requires the Reject button to be as visible as the Accept button.
GDPR-compliant alternatives to Google Analytics
If configuring GA4 is too burdensome, several alternatives are available. Matomo (in a compliant configuration) is recognized by the CNIL. The consent exemption only applies if the tool produces anonymous, aggregated statistics with no data transfers outside the EU.
Google Analytics and GDPR compliance checklist
- Verify that the GA4 script is blocked before user consent.
- Configure Consent Mode v2 with all four parameters defaulting to denied for the EEA.
- Use a CMP that effectively blocks scripts.
- Enable IP anonymization in GA4.
- Reduce data retention to the strict minimum.
- Disable Google Signals if cross-device tracking is not essential.
- Update your privacy policy with all required disclosures.
- Test your site's real behavior with a cookie scanner.
- Document your risk assessment for data transfers to the United States.
- Establish a procedure for responding to data subject requests.
FAQ
Is Google Analytics illegal in Europe? Google Analytics is not banned as such. Several European authorities ruled that its use violated the GDPR. Since the Data Privacy Framework in July 2023, the legal framework has evolved, but challenges are pending before the CJEU.
Do I need a cookie banner if I use Google Analytics? Yes. Google Analytics sets cookies and collects personal data. The GDPR and ePrivacy Directive require explicit consent before setting non-essential cookies.
Does Consent Mode v2 make Google Analytics GDPR compliant? No, not on its own. Consent Mode v2 is not a complete compliance solution. You must still block scripts before consent and document your processing activities.
Does GA4 automatically anonymize IP addresses? GA4 truncates IP addresses by default, but this does not constitute full anonymization under the GDPR. Cookie identifiers and other collected data still qualify as personal data.
Can I use Google Analytics without cookies? GA4 uses first-party cookies by default. It is possible to configure GA4 in a cookieless mode via Consent Mode, but the data collected is very limited.
What are the penalties for non-compliance? The GDPR provides for fines of up to 20 million euros or 4% of global annual turnover. The CNIL issued formal notices to several French websites following noyb complaints.
Conclusion and next step
Google Analytics 4 can be used in a GDPR-compliant way, but it requires rigorous configuration. Start with a cookie audit to identify scripts loading before consent and undeclared cookies.