Google Analytics is Google's free web analytics platform, used on over 50% of websites worldwide. It tracks visitor behaviour, traffic sources, conversions, and audience demographics via a JavaScript tag. Data is processed on Google's servers in the United States and requires prior user consent under the GDPR and the ePrivacy Directive.
Google Analytics is a free web analytics service developed by Google. It allows website owners, marketers, and developers to track visitor behaviour, measure traffic sources, monitor conversion funnels, and generate detailed audience reports. First launched in 2005, it is now the world's most widely deployed analytics tool, present on more than 50% of all websites globally.
Google Analytics collects data via a JavaScript snippet (gtag.js) embedded in the website HTML. When a visitor loads a page, the snippet fires and sends event data, page URL, referrer, browser, device type, language, and approximate geolocation to Google's servers. It also sets cookies in the visitor's browser to assign a unique Client ID, distinguish individual users, and persist session state across multiple page views and visits.
Google Analytics processes personal data (IP addresses, unique device identifiers, and behavioural data) and transfers it to Google LLC servers in the United States. Under the GDPR and the ePrivacy Directive, this requires freely given, specific, informed, and unambiguous prior consent before the tracking tag may fire. The transfer to the US is covered by Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR. Organisations are advised to conduct a Transfer Impact Assessment (TIA) to verify the adequacy of those safeguards in light of US surveillance law (FISA 702, EO 12333).
Google Analytics 4 (GA4) is the current version of the platform. It uses an event-based data model and integrates with Google Consent Mode v2. When consent is denied, GA4 can operate in a cookieless mode, sending anonymised pings without setting persistent cookies or collecting personal identifiers. Google then uses statistical modelling to fill data gaps. Even in cookieless mode, network requests are still sent to Google infrastructure, so organisations must assess whether this residual data transmission requires its own legal basis under applicable regulations.
Websites using Google Analytics must obtain user consent under GDPR regulations.
DPIA considerations
Google Analytics collects IP addresses (even when truncated), assigns persistent Client IDs via the _ga cookie (2-year lifetime), and tracks cross-session behaviour. All data is transferred to Google LLC in the United States. Key DPIA considerations: (1) cross-border data transfer risk: SCCs and US adequacy must be assessed via a Transfer Impact Assessment; (2) Google acts as data processor under the DPA but may also process data as an independent controller for its own purposes (ads, product improvement); (3) potential browser fingerprinting via User-Agent, screen resolution, and language headers; (4) persistent identifiers enabling long-term user profiling across multiple visits; (5) IP address processing even with IP anonymisation enabled (partial truncation only). A DPIA is recommended for any large-scale or sensitive-context deployment, and may be mandatory under GDPR Art. 35.
Sample consent text
We use Google Analytics to measure website traffic and understand how visitors interact with our content. Google Analytics places cookies on your device to collect anonymised usage data (pages visited, session duration, device type, traffic source). This data is transferred to and processed by Google LLC in the United States. You may withdraw your consent at any time via our cookie settings.
Third-party domains contacted
google-analytics.com, analytics.google.com, stats.g.doubleclick.net, www.google.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _ga | Analytics | 2 years | Assigns a unique Client ID to distinguish individual users. Used to calculate sessions and user counts in reports. |
| _gid | Analytics | 24 hours | Stores and updates a unique value for each page visited. Used to distinguish users within a single day. |
| _ga_<MEASUREMENT_ID> | Analytics | 2 years | Persists GA4 session state, including session count and campaign source data, across page views. |
| _gac_<ID> | Analytics / Advertising | 90 days | Stores campaign-related information (Google Ads click IDs). Used to attribute conversions to ad campaigns. |
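
A pre-consent check built from the domain list and cookie table above, as an added example that is not FlowConsent's or Google's code: given the cookies and request URLs captured from a page load before any consent choice, it reports GA cookies and contacts to GA hosts separately, since cookieless mode still produces the latter. Function names and sample data are constructed; www.google.com is left out of the host list on the assumption that other Google services share it.

```javascript
// Added example. Cookie names and hosts are taken from the tables on this page;
// www.google.com is omitted (assumption: other Google services share it).
const GA_COOKIES = [
  { re: /^_ga$/, label: "_ga: Client ID, 2 years" },
  { re: /^_gid$/, label: "_gid: 24 hours" },
  { re: /^_ga_[A-Za-z0-9]+$/, label: "_ga_<MEASUREMENT_ID>: GA4 session state, 2 years" },
  { re: /^_gac_.+$/, label: "_gac_<ID>: campaign data, 90 days" },
];
const GA_HOSTS = ["google-analytics.com", "analytics.google.com", "stats.g.doubleclick.net"];

// Cookie names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.trim().split("=")[0]).filter(Boolean);
}

// Lower-cased hostname of a URL, or null if it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Report GA cookies and GA network contacts seen before a consent choice.
// Requests are reported separately because cookieless mode still sends them.
function auditPreConsent(cookieString, requestUrls) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const hit = GA_COOKIES.find((c) => c.re.test(name));
    if (hit) findings.push({ kind: "cookie", item: name, detail: hit.label });
  }
  for (const url of requestUrls) {
    const host = hostOf(url);
    // Match the host itself or a subdomain, never a look-alike suffix.
    const hit = host && GA_HOSTS.find((h) => host === h || host.endsWith("." + h));
    if (hit) findings.push({ kind: "request", item: host, detail: hit });
  }
  return findings;
}

// Constructed sample capture of one page load with no consent given.
const SAMPLE_COOKIES =
  "session=abc123; _ga=GA1.1.1111111111.1700000000; _ga_ABC123XYZ=GS1.1.1700000000; theme=dark";
const SAMPLE_REQUESTS = [
  "https://example.com/app.js",
  "https://region1.google-analytics.com/g/collect",
  "https://notgoogle-analytics.com.example/collect",
];

console.log(auditPreConsent(SAMPLE_COOKIES, SAMPLE_REQUESTS));
```

An empty result for a capture taken before the banner is answered is the expected state; any "cookie" finding means the tag fired early, and a "request" finding with no cookies is the cookieless-mode case.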
Google Analytics can be used in a GDPR-compliant way, but it is not compliant by default. You must obtain valid prior consent from visitors before loading the analytics tag, sign a Data Processing Agreement (DPA) with Google, and ensure that data transfers to the US are covered by appropriate safeguards such as Standard Contractual Clauses (SCCs). Simply enabling IP anonymisation is not sufficient for GDPR compliance.
Yes. Google Analytics sets persistent cookies (_ga, _gid, _ga_<ID>) that constitute personal data under the GDPR and the ePrivacy Directive. Under EU law, you must obtain freely given, specific, informed, and unambiguous prior consent from the visitor before setting these cookies. This must be implemented via a compliant Consent Management Platform (CMP).
Google Analytics sets four main cookies: _ga (2-year lifetime) to distinguish unique users by storing a Client ID; _gid (24-hour lifetime) to distinguish users within a session; _ga_<MEASUREMENT_ID> (2-year lifetime) to persist GA4 session state; and _gac_<ID> (90-day lifetime) to store campaign-related data. These cookies are classified as Analytics / Performance cookies and require prior consent.
Yes. All data collected by Google Analytics is processed on Google LLC servers located in the United States, which constitutes a restricted transfer under GDPR Chapter V. Google covers this transfer via Standard Contractual Clauses (SCCs). However, organisations are advised to conduct a Transfer Impact Assessment (TIA) to verify the adequacy of those safeguards in light of US surveillance law (FISA 702, Executive Order 12333).
Partially. Google Analytics 4 (GA4) with Consent Mode v2 enabled can operate in a cookieless mode when consent has not been granted. In this mode, no persistent cookies are set, and only anonymised, aggregated pings are sent to Google. However, network requests are still made to Google servers, and Google uses statistical modelling to estimate traffic. This mode does not eliminate the data transfer to Google entirely.
Universal Analytics (UA) was the previous version of Google Analytics. It used a session-based data model and was permanently discontinued on 1 July 2023. Google Analytics 4 (GA4) is the current version. It uses an event-based data model, offers cross-platform tracking (web and app), integrates natively with Google Ads and BigQuery, and supports Consent Mode v2 for privacy-compliant measurement.
By default, Google Analytics 4 stores event-level data for 2 months, which can be extended to 14 months in the property settings. The _ga cookie itself has a 2-year lifetime in the visitor's browser. All data is stored on Google servers in the United States and is subject to Google's own data retention policies. You can also configure data deletion requests via the GA4 admin panel.
A Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 when processing is likely to result in a high risk to individuals. Given that Google Analytics involves cross-border data transfers, persistent user profiling, and large-scale processing, a DPIA is strongly recommended and may be mandatory. Several European Data Protection Authorities, including the French CNIL and the Austrian DSB, have ruled that the standard deployment of Google Analytics is non-compliant without additional technical and organisational measures.