Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent: Free plan · 10-min setup
Google Analytics 4 (GA4) is Google's latest analytics platform, replacing Universal Analytics. It uses an event-based data model, cross-device measurement, and machine learning to provide insights into user behaviour across web and app. Multiple European data protection authorities have ruled that standard GA4 deployments violate GDPR due to unlawful US data transfers. Consent is required before GA4 loads, Consent Mode v2 must be implemented, and a DPA with Google must be signed. The EU Data Processing addendum and careful configuration are essential.
Google Analytics 4 is Google's current web and app analytics platform, replacing the deprecated Universal Analytics (GA3). GA4 uses an event-based data model in which every interaction is tracked as an event (page_view, scroll, click, purchase, etc.) rather than as pageviews and sessions. It offers cross-device measurement via User ID and Google Signals, machine learning-powered insights, predictive metrics, and native integration with Google Ads for conversion measurement and audience building.
Between 2022 and 2023, data protection authorities in Austria (DSB), France (CNIL), Italy (Garante), Belgium (APD), Denmark (Datatilsynet), Greece (HDPA), Norway (Datatilsynet), and the Netherlands (AP) issued decisions ruling that standard GA4 deployments violate GDPR. The core issue: GA4 transfers IP addresses and other identifiers to Google's US servers, where US intelligence agencies can access them under FISA 702, a transfer that Schrems II found lacks adequate protection.
Google Consent Mode v2 (required by Google from March 2024 for sites serving EU/EEA users that rely on Google Ads audience or conversion features) lets GA4 operate in a reduced-data mode when users decline consent. In its "advanced" form the tag still loads and sends cookieless pings, with conversions modelled rather than attributed to individuals; in its "basic" form the tag is blocked outright until consent is given. IP anonymisation needs no configuration: it is built into GA4 and cannot be switched off (the Universal Analytics anonymizeIp setting no longer exists), but the IP address is still transmitted to Google's collection endpoint before being discarded, and that transmission is the transfer the DPAs object to. Set event data retention to the minimum (2 months). Disable Google Signals for EU traffic. Accept the Google Measurement Controller-Controller Data Protection Terms and the EU Data Processing addendum.
EU-based analytics alternatives include Matomo (self-hostable, EU cloud), Plausible (Estonia, cookieless, no consent required), Fathom Analytics (Canada, GDPR-compliant), Piano Analytics (France), and Piwik PRO (EU-hosted). These provide web analytics without the US transfer issues inherent to GA4.
Implement a GDPR-compliant CMP. Block GA4 until analytics consent is given (a hard gate on the script, not just a consent-mode downgrade). Implement Consent Mode v2 with all four signals defaulting to denied and the default pushed before any Google tag is requested. Set event data retention to the 2-month minimum (IP anonymisation is always on in GA4 and needs no action). Disable Google Signals for EU regions. Accept the Google DPA and EU Data Processing addendum. Add GA4 to your cookie policy and privacy policy, disclosing the US transfer and the SCCs relied on.
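The gating and Consent Mode v2 steps above, as an added example (this is not code from the page, from FlowConsent, or from Google). It assumes a placeholder measurement ID G-XXXXXXXXXX, a CMP that calls onConsentChange() with { analytics, marketing } booleans, and a plain array standing in for window.dataLayer when run outside a browser; the cookie-scan regex is the author's own check, not a Google API. The hard gate means gtag.js is never requested until analytics consent exists, which is the "basic" consent-mode pattern rather than the "advanced" one that relies on cookieless pings.

```javascript
// Added example: consent-gated GA4 loading with Consent Mode v2 defaults,
// plus a post-decline check for stray GA cookies. Not from the page or Google.
const GA4_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, not a real property

// gtag.js reads commands from window.dataLayer; outside a browser (e.g. a unit
// test) a plain array stands in for it.
const dataLayer = typeof window !== 'undefined'
  ? (window.dataLayer = window.dataLayer || [])
  : [];
function gtag() { dataLayer.push(arguments); }

const ga4State = { loaded: false };

// 1. Consent defaults must be pushed BEFORE gtag.js is ever requested. All four
//    signals start as denied, including the two added in Consent Mode v2
//    (ad_user_data, ad_personalization). wait_for_update gives the CMP time to
//    replay a stored choice before any tag fires.
function setConsentDefaults(regions) {
  const defaults = {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500,
  };
  if (regions) defaults.region = regions; // e.g. ['AT', 'DE', 'FR'] scopes the default
  gtag('consent', 'default', defaults);
  return defaults;
}

// 2. Translate the CMP's categories (assumed shape) into Consent Mode signals.
function consentUpdateFor(choices) {
  const ads = choices.marketing ? 'granted' : 'denied';
  return {
    analytics_storage: choices.analytics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// 3. Hard gate: the update is pushed for any tag already present, but gtag.js
//    itself is only requested once analytics consent exists.
function onConsentChange(choices) {
  const update = consentUpdateFor(choices);
  gtag('consent', 'update', update);
  if (choices.analytics && !ga4State.loaded) loadGa4();
  return update;
}

function loadGa4() {
  ga4State.loaded = true;
  gtag('js', new Date());
  gtag('config', GA4_MEASUREMENT_ID, {
    allow_google_signals: false,             // no Google-account linkage / demographics
    allow_ad_personalization_signals: false, // no ads-personalisation data
  });
  if (typeof document !== 'undefined') {
    const s = document.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA4_MEASUREMENT_ID;
    document.head.appendChild(s);
  }
}

function ga4Loaded() { return ga4State.loaded; }

// 4. Verification after a decline: document.cookie must contain no GA cookies.
//    Matches _ga, _ga_<container-id> and the legacy Universal Analytics _gid.
function findGaCookies(cookieString) {
  return cookieString
    .split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((name) => /^(_ga(_[A-Z0-9]+)?|_gid)$/.test(name));
}

// Counts 'consent default' / 'consent update' commands queued so far.
function countConsentCommands(kind) {
  return dataLayer.filter((args) => args[0] === 'consent' && args[1] === kind).length;
}
```

Call setConsentDefaults() inline in the page head before any other script, then let the CMP call onConsentChange() on load (replaying a stored choice) and again whenever the visitor changes it. Running findGaCookies(document.cookie) after a decline is the quickest way to prove the gate works; any _ga* cookie at that point means a tag fired before consent.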
Websites using Google Analytics 4 must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for GA4 deployments combining cross-device tracking, Google Signals, and demographic reporting. The combination of individual-level event tracking, US data transfer, and linkage with Google's advertising ecosystem warrants documented risk assessment.
Sample consent text
We use Google Analytics 4 to understand how visitors use this website. GA4 uses cookies and transfers data to Google servers in the US. You can accept analytics cookies below or manage your preferences. Without your consent, GA4 will not be loaded.
Third-party domains contacted
www.google-analytics.com
google-analytics.com
analytics.google.com
www.googletagmanager.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _ga | Analytics, persistent | 2 years | GA4 client identifier; distinguishes unique users across sessions |
| _ga_<container-id> | Analytics, persistent | 2 years | Session state for the specific GA4 property (container-id is the measurement ID without the "G-" prefix) |
| _gid | Analytics, persistent | 24 hours | Distinguishes users within a 24-hour window; a Universal Analytics cookie, present only if a legacy UA tag still fires |
Yes. GA4 processes personal data (IP addresses, cookie identifiers, device data) and transfers it to Google servers. Under GDPR and the ePrivacy Directive you must obtain prior, informed consent before the GA4 tracking script is loaded, not merely before cookies are written.
Standard GA4 has been ruled non-compliant by multiple EU DPAs due to unlawful US data transfers. Compliant use requires consent, Consent Mode v2, the EU Data Processing addendum with Google, and careful configuration to minimise data transfers. Consider EU-based analytics alternatives for simpler compliance.
Austria (DSB, January 2022 decision), France (CNIL, June 2022), Italy (Garante, June 2022), Belgium (APD, June 2022), Denmark (Datatilsynet, September 2022), Greece (HDPA, October 2022), Norway (Datatilsynet, November 2022), and the Netherlands (AP, 2023) have all issued guidance or decisions ruling standard GA4 transfers to the US unlawful under GDPR.
GA4 sets _ga (client ID, 2 years) and _ga_<container-id> (session state, 2 years); _gid (24 hours) is a Universal Analytics cookie and appears only if a legacy UA tag is still firing. All of these require consent under the ePrivacy Directive. GA4 must not load until analytics consent is obtained.
Google's Measurement Controller-Controller Data Protection Terms and the EU Data Processing addendum govern the data controller relationship for GA4. Sign these via your Google Analytics Admin settings. They are required before using GA4 for EU users but do not resolve the transfer compliance issue on their own.
Disabling Google Signals prevents linking GA4 data to Google account profiles. It reduces risk but does not resolve the US transfer issue that EU DPAs have identified. A comprehensive compliant deployment requires: consent, Consent Mode v2, minimal retention, Signals disabled, and the DPA signed (IP anonymisation is always on in GA4 and needs no configuration).
Plausible Analytics (Estonia, cookieless, no consent required, EU-hosted), Matomo (self-hostable or EU cloud), Fathom Analytics, Piano Analytics (France), and Piwik PRO (EU-hosted) are established GDPR-compliant alternatives.
Consent Mode v2 helps by reducing data collection when consent is declined. It does not resolve the underlying US transfer issue that EU DPAs identified: in advanced consent mode GA4 still sends cookieless pings to Google, and those pings carry the visitor's IP address, page URL and user agent. It is a necessary but not sufficient condition for full GDPR compliance.
In GA4 Admin, open Data Settings, then Data Retention, and set Event data retention to 2 months (the minimum). Standard properties offer only 2 or 14 months, so check the current value rather than assuming it. The shorter window reduces the volume of individual-level data stored in GA4 and demonstrates data minimisation.
GA4 sets _ga (2 years) and _ga_<container-id> (2 years) cookies to distinguish unique users and maintain session state.
GA4 supports consent mode, which allows basic measurement without cookies. In advanced consent mode the tag loads and sends cookieless pings even without consent; in basic consent mode the tag is blocked until consent is given. Because some data collection still occurs in advanced mode, legal guidance on whether consent is required for those pings varies by jurisdiction.