Google Analytics and GDPR: Is GA4 Legal in the EU? (2026)

Steven | TrustYourWebsite · 15 May 2026 · Last updated: May 2026

Google Analytics 4 is the most widely deployed web-analytics tool on EU websites. It is also the most frequently cited source of GDPR cookie violations in supervisory authority decisions. The disconnect between deployment and compliance is the central feature of GA4 in the EU: most installations are technically capable of being compliant; most installations in practice are not.

This guide covers the current legal position as of 2026, with the EU-US Data Privacy Framework in force since 10 July 2023, the consent requirement under Article 5(3) of the ePrivacy Directive, Consent Mode v2 and what it actually does, the configuration settings that a compliant GA4 deployment must use, and the cookieless alternatives that operate without a banner under most national interpretations.

What changed in 2023, and why the 2021-2022 rulings matter less now

Three national supervisory authorities ruled against Google Analytics between December 2021 and June 2022:

  • The Austrian Datenschutzbehörde found that the use of Google Analytics by an Austrian website transferring personal data to Google LLC in the US violated Chapter V GDPR (Schrems case, 22 December 2021).
  • The French CNIL issued formal orders to several French website operators in February 2022 and published a position on Google Analytics confirming the analysis.
  • The Italian Garante reached the equivalent conclusion in Resolution 9782890 of 9 June 2022.

All three decisions hinged on the same point: after Schrems II (C-311/18, July 2020) invalidated the previous EU-US transfer framework, Article 46 GDPR safeguards alone (typically Standard Contractual Clauses) were insufficient for transfers to US controllers subject to US surveillance laws, without supplementary technical measures. GA4 in its standard configuration did not provide those measures.

On 10 July 2023 the Commission adopted Implementing Decision (EU) 2023/1795, an adequacy decision under Article 45 GDPR for the EU-US Data Privacy Framework. Certified US importers can now receive personal data without additional safeguards. Google LLC certified on 10 July 2023. The transfer-to-US analysis that grounded the 2021-2022 rulings has therefore changed; those rulings are not directly transposable to the post-DPF era.

What has not changed is the consent requirement. The 2021-2022 decisions rested on two grounds: the transfer issue (now addressed by DPF) and the underlying need for consent before the tracking script loads (still in force). The current enforcement focus across member states has shifted toward the consent failure, which is more straightforward to inspect.

The Client ID makes GA4 a tracking technology

GA4 collects, at minimum, the following per visit:

  • IP address (used at least transiently for geolocation; the full IP is no longer logged in GA4 but is processed in transit)
  • Client ID, a persistent pseudonymous identifier stored in the _ga cookie
  • Session ID
  • Device characteristics (browser, OS, resolution, language)
  • Approximate location derived from IP
  • Page-level engagement events
  • Traffic source attribution

The Client ID is the key. It persists across sessions, links multiple visits from the same browser, and creates a longitudinal record of behaviour. Under Recital 26 GDPR, a pseudonymous identifier that can be reasonably linked back to an individual is personal data. The EDPB has consistently treated persistent device-level identifiers as personal data.

Two consequences:

  1. GA4 cannot rely on the strictly-necessary cookie exemption in Article 5(3) ePrivacy. Analytics is not necessary for the service the user explicitly requested.
  2. GA4 cannot rely on legitimate interest as the GDPR Article 6 basis in most member states. The EDPB and most national authorities treat marketing and analytics that involve third-party processors as requiring Article 6(1)(a) consent.

The combination means: consent banner mandatory, before GA4 loads.

Three structural requirements derive from EDPB Guidelines 05/2020 and the consistent enforcement practice across member states.

1. Block GA4 until the user clicks Accept

The most common failure mode is GA4 initialising in the page head before the banner has even rendered. The fix is a consent management platform (CMP) or a tag manager that gates gtag.js on the consent event. Tools like Google Tag Manager, Cookiebot, OneTrust and Iubenda support this; some self-built consent layers also work if implemented correctly.

The test is whether the network request to googletagmanager.com happens before or after the user's affirmative click. If before, the deployment is non-compliant regardless of what the banner looks like.

2. Reject equal to Accept

The Reject All option must be at the same visual level and click count as Accept All. CNIL fined Google €150 million in January 2022 specifically for asymmetric design; the same analysis applies to GA4 deployments by other operators. For the full requirements of a compliant banner, see cookie banner requirements under EU law.

3. Analytics separable from marketing

Users must be able to accept analytics without accepting marketing, and vice versa. A single Accept that bundles all categories is not specific consent under Article 4(11) GDPR.

For deciding whether a banner is required at all (some pure-static sites are exempt), see do I need a cookie banner.

What Consent Mode v2 actually does

Google's Consent Mode v2 (launched 2024) changes GA4's behaviour based on the consent state.

With consent granted: Full tracking, Client ID set, behavioural events transmitted, attribution computed.

With consent denied: GA4 sends cookieless pings without a Client ID and with the IP truncated, and anonymous behavioural modelling fills the gaps in reports.

Consent Mode v2 reduces data loss when users reject cookies, but it does not remove the consent requirement. Three points often misunderstood:

  • Even in denied mode, the pings reach Google servers. The EDPB-aligned reading is that these pings are processing requiring a legal basis. Consent Mode does not provide that basis on its own.
  • The conversion modelling Google performs feeds back into Google Ads, which has its own consent obligations.
  • Supervisory authority enforcement focuses on whether the banner captures consent properly before any GA4 activity. Consent Mode configuration is a downstream concern, not a substitute.

Consent Mode v2 is a useful data-quality tool. It is not a compliance shortcut.
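As an added example (not code from the article or from Google), a consent gate that keeps gtag.js off the page until the affirmative click described in requirement 1 and expresses the banner's separate analytics and marketing choices as Consent Mode v2 signals. It assumes the banner's buttons call onBannerChoice with {analytics, marketing} booleans; GA4_ID is a placeholder measurement ID.

```javascript
// Added example (not from the article or Google). GA4_ID is a placeholder measurement ID.
const GA4_ID = 'G-PLACEHOLDER';
const CM_KEYS = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Analytics and marketing are separate toggles; the three advertising signals follow
// marketing only, so Google Signals and ads features never run on an analytics-only Accept.
function consentUpdateFor(choices) {
  const flag = (on) => (on === true ? 'granted' : 'denied');
  return {
    analytics_storage: flag(choices.analytics),
    ad_storage: flag(choices.marketing),
    ad_user_data: flag(choices.marketing),
    ad_personalization: flag(choices.marketing),
  };
}

// On a full Reject, gtag.js is not injected at all, so not even Consent Mode's
// cookieless pings reach googletagmanager.com.
function shouldLoadGtag(update) {
  return CM_KEYS.some((k) => update[k] === 'granted');
}

// Consent Mode v2 "default" command: every signal denied before any tag exists.
function defaultConsentCommand() {
  return ['consent', 'default', Object.fromEntries(CM_KEYS.map((k) => [k, 'denied']))];
}

// Browser glue, parameterised on window/document so it can be exercised headless.
// Returns the handler the banner's buttons call with the user's choices.
function installConsentGate(win, doc) {
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  gtag.apply(null, defaultConsentCommand());
  let loaded = false;
  return function onBannerChoice(choices) {
    const update = consentUpdateFor(choices);
    gtag('consent', 'update', update);
    if (!loaded && shouldLoadGtag(update)) {
      loaded = true; // the only place a request to googletagmanager.com can originate
      const s = doc.createElement('script');
      s.async = true;
      s.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA4_ID;
      doc.head.appendChild(s);
      gtag('js', new Date());
      gtag('config', GA4_ID);
    }
    return update;
  };
}
if (typeof window !== 'undefined') window.onBannerChoice = installConsentGate(window, document);
```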

The five GA4 panel settings that compliance requires

Assuming the banner is correct, the GA4 account itself must be configured.

1. Data Processing Amendment accepted

Under Article 28 GDPR, the relationship between a controller (your business) and a processor (Google) requires a written contract. Google provides the Data Processing Amendment in the GA4 account. Acceptance is recorded in the audit log; the date is your proof. Without acceptance, Article 28 is violated regardless of any other configuration.

2. Data retention reduced to the minimum

Administration > Data Settings > Data Retention. The default in GA4 is 14 months for user and event data. The EDPB and most national authorities expect this to be the minimum operationally necessary. 2 months is the technical minimum; 14 months is the maximum without explicit operational justification. Document the choice.

3. EU-US DPF declared as the transfer mechanism

Administration > Data Settings > Data Collection. The DPF is the relevant mechanism for transfers to Google LLC; SCCs may apply for additional safeguards. Document which is in use.

4. Google Signals disabled by default

Administration > Data Settings > Google Signals. Google Signals enables cross-device tracking and advertising features by pooling data from signed-in Google users. It requires a separate, granular consent for advertising purposes. If the banner does not capture advertising consent specifically, leave Google Signals off.

5. Advertising features and personalisation off by default

Administration > Property Settings > Property Details > Advertising features. Same logic: if the banner does not capture advertising-specific consent, the corresponding GA4 features must remain disabled.

Privacy notice disclosure

The privacy notice must include the GA4 processing. A standard clause:

We use Google Analytics 4, an analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Google LLC is certified under the EU-US Data Privacy Framework approved by Commission Implementing Decision (EU) 2023/1795. The legal basis for the processing is your consent under Article 6(1)(a) GDPR, given through the cookie banner. The retention period for data linked to the Client ID is [2/14] months. You can withdraw consent at any time from the cookie preferences link at the bottom of every page.

Cookieless alternatives that operate without a banner

Several analytics tools are designed not to set persistent identifiers and not to collect data that qualifies as personal under GDPR. They typically operate without a banner in most member states, though the exact threshold varies by national authority.

Tool                 Pricing        Hosting            Cookies             Banner usually needed
Plausible Analytics  from €9/mo     Germany (EU)       None by default     No
Fathom Analytics     from $14/mo    EU + US options    None                No
Simple Analytics     from €9/mo     Netherlands (EU)   None                No
Matomo Cloud         from €19/mo    Germany (EU)       Configurable        Configurable
Matomo self-hosted   Server cost    Your servers       Configurable        Configurable

Three operational properties common to these tools when they operate without a banner:

  • No persistent identifier in cookies or localStorage
  • IP truncation or hashing in the request handler, before storage
  • No cross-site or cross-device linking

Verify the configuration of each tool, and verify your own use of it. A Plausible installation that enables the optional Salt Rotation feature without proper configuration can still create identifiability problems. Default settings are usually exempt; non-default settings need a fresh analysis.

Enforcement landscape

Cookie-related fines from national supervisory authorities continue to grow. Patterns relevant to GA4:

  • CNIL (France) fined Google €150M and Facebook €60M in January 2022 over the asymmetric Reject button; multiple smaller fines on websites running GA before consent have followed.
  • Garante (Italy) has issued orders to local publishers and websites that load GA4 before consent.
  • AEPD (Spain) runs mass advisory letter campaigns on cookie banner non-compliance; GA4 is the most cited script.
  • DPC (Ireland) has pursued cross-border investigations involving Google's processing as part of broader cases.

Small businesses are not typically the target of the multi-million-euro fines, but are well within the scope of the advisory-letter campaigns and complaint-driven investigations that can convert into five-figure fines.

Common failure modes from audits

These appear in published decisions and in scans of small-business sites.

GA4 in the head, banner in the footer. GA4 has already initialised before the user sees the banner. The single most common failure mode.

Consent Mode treated as a banner substitute. "We use Consent Mode v2 so we do not need a banner" is technically and legally wrong.

Data Processing Amendment never accepted. Account created years ago; nobody clicked the acceptance. Article 28 violation.

Retention set to 14 months without justification. Default left in place. Inspections often probe whether the controller actively considered the period.

Google Signals on by default. Advertising features active without specific consent.

Privacy notice generic. Boilerplate that does not mention GA4, does not name Google LLC, does not name the DPF, does not state retention.

Final checklist

  • The cookie banner blocks GA4 until the user actively clicks Accept
  • Reject is at the same visual level and click count as Accept
  • Granular consent: analytics separable from marketing
  • Consent storage with documented expiry (typically 6-12 months)
  • Withdrawal link in the persistent footer
  • GA4 Data Processing Amendment accepted, date archived
  • Data retention configured to the minimum operationally necessary
  • EU-US DPF declared in the privacy notice as the transfer mechanism
  • Google Signals off unless advertising consent is granular and explicit
  • Advertising and personalisation features off unless consented
  • Privacy notice names Google LLC, the DPF, the legal basis and the retention period
  • Quarterly check that scripts actually loaded after consent match the cookie policy
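A way to run the googletagmanager.com timing test from the banner section and the quarterly script-versus-policy check from the browser console, added here as an example that is not part of the article. It assumes the page records performance.now() at the Accept click; the resource entries and cookie string it ships with are constructed samples.

```javascript
// Added example (not from the article): a self-check for the two tests the article
// describes. SAMPLE_ENTRIES and the cookie string are constructed, not captured.
const TRACKING_HOST_SUFFIXES = ['googletagmanager.com', 'google-analytics.com'];
const hostOf = (url) => { try { return new URL(url).hostname; } catch (e) { return ''; } };
const isTrackingHost = (h) => TRACKING_HOST_SUFFIXES.some((s) => h === s || h.endsWith('.' + s));

// entries: [{name, startTime}] as returned by performance.getEntriesByType('resource');
// consentAt: performance.now() recorded on the Accept click, or null when the user
// never consented (then every tracking request is a finding).
function preConsentTracking(entries, consentAt) {
  return entries
    .filter((e) => isTrackingHost(hostOf(e.name)))
    .filter((e) => consentAt === null || e.startTime < consentAt)
    .map((e) => e.name);
}

// GA4 sets _ga plus one _ga_<stream> cookie; pass document.cookie read before consent.
function gaCookiesIn(cookieHeader) {
  const names = cookieHeader.split(';').map((c) => c.trim().split('=')[0]);
  return names.filter((n) => n === '_ga' || n.startsWith('_ga_'));
}

// Quarterly check: third-party hosts that actually loaded but the cookie policy omits.
function undeclaredHosts(entries, declaredHosts, pageHost) {
  const declared = new Set(declaredHosts);
  const seen = new Set();
  for (const e of entries) {
    const h = hostOf(e.name);
    if (h && h !== pageHost && !declared.has(h)) seen.add(h);
  }
  return [...seen].sort();
}

// Constructed sample: gtag.js fires 120 ms after navigation although the user only
// clicks Accept at 4000 ms, and a font CDN loads that the policy never mentions.
const SAMPLE_ENTRIES = [
  { name: 'https://www.example.com/app.js', startTime: 40 },
  { name: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER', startTime: 120 },
  { name: 'https://cdn.example.net/fonts.css', startTime: 300 },
  { name: 'https://www.google-analytics.com/g/collect?v=2', startTime: 4500 },
];
const SAMPLE_CONSENT_AT = 4000;
const DECLARED_HOSTS = ['www.googletagmanager.com', 'www.google-analytics.com'];

function runSample() {
  return {
    early: preConsentTracking(SAMPLE_ENTRIES, SAMPLE_CONSENT_AT),
    cookies: gaCookiesIn('_ga=GA1.1.111.222; session=abc; _ga_ABC123=GS1.1.333'),
    undeclared: undeclaredHosts(SAMPLE_ENTRIES, DECLARED_HOSTS, 'www.example.com'),
  };
}
```

In a live page, replace SAMPLE_ENTRIES with performance.getEntriesByType('resource') and the cookie string with document.cookie read before the click.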

This is technical analysis, not legal advice. For complex multi-property setups, advertising integrations or active supervisory authority investigations, consult a lawyer who specialises in data protection.