Google Analytics and GDPR: Is GA4 Legal in the Netherlands?
Steven | TrustYourWebsite · 6 April 2026
Google Analytics 4 (GA4) is the world's most widely used web analytics platform. It is also the single most common source of GDPR violations on Dutch websites. Of 499 Dutch restaurant websites we scanned, 58.9% loaded Google Analytics before the visitor had given any consent.
Here is what you need to know about using GA4 legally in the Netherlands.
What Google Analytics Collects
When GA4 loads on your website, it collects:
- IP address — sent to Google's servers with every pageview
- Client ID — a unique pseudonymous identifier stored in the `_ga` cookie, linking multiple sessions and pageviews to one device
- Session ID — tracks individual visit sessions
- Device information — browser type, operating system, screen resolution
- Geographic location — derived from IP address (country, region, city)
- Engagement data — pages visited, scroll depth, time on page, events
- Referral source — where the visitor came from (Google search, direct, social media)
The client ID is the key issue. Unlike truly anonymised analytics, GA4 assigns a persistent identifier to each device. This makes it a tracking technology — it can recognise returning visitors across sessions. For this reason, GA4 does not qualify for the Dutch analytics exception in the Telecommunications Act.
The GDPR Legal Framework for GA4
For GA4 to be legally used on your website, you need:
- A valid legal basis for processing visitors' personal data (IP address, client ID, behavioural data)
- A data processing agreement with Google (available in your GA4 account settings — the "Data Processing Amendment")
- Disclosure in your privacy policy of what data GA4 collects, what it's used for, and that data is sent to Google (and potentially Google's servers in the US)
- A compliant cookie banner that obtains consent before GA4 scripts load
The legal basis for GA4 in most website contexts is consent (Article 6(1)(a) GDPR). This is because:
- The processing is not strictly necessary for the service
- It does not serve an immediate contractual need
- Legitimate interests are difficult to justify when the data goes to a third party (Google) for their own potential use
The Data Transfer Issue
Until July 2023, a major problem with GA4 was the transfer of personal data to US-based Google servers without adequate safeguards. Several European data protection authorities (Austria, France, Italy, Denmark) found that this transfer violated GDPR Article 44 because the US did not have an adequacy decision and Google could not guarantee Standard Contractual Clauses would be honoured given US surveillance laws.
Since July 2023, the EU-US Data Privacy Framework (DPF) provides an adequacy mechanism for certified US companies. Google LLC is certified under the DPF. This means the transfer to US servers is now covered by the DPF — resolving the primary legal basis issue for international transfers.
However: The DPF may face legal challenges. Schrems II (2020) invalidated the previous framework. A third challenge ("Schrems III") is possible. This remains a risk to monitor.
Consent Mode v2: What It Does and Does Not Fix
Google's Consent Mode v2, introduced in 2024, allows GA4 to operate in two modes depending on user consent:
When consent is given: Full tracking proceeds — client ID, behavioural data, all events.
When consent is denied: GA4 sends only minimal "pings" to Google — cookieless, with no client ID, and with IP anonymisation. Google then uses "behavioural modelling" to estimate traffic patterns based on users who did consent.
Consent Mode v2 improves compliance in the sense that it reduces data collection for non-consenting users. But:
- Even in denied-consent mode, some communication still occurs between your visitor's browser and Google's servers
- Consent Mode does not remove the requirement to obtain valid consent before GA4 loads
- Behavioural modelling data (modelled conversions) still influences Google Ads — for which users did not consent
- The AP's cookie enforcement focuses on whether consent is obtained before scripts load, not on Consent Mode configuration
Consent Mode v2 is not a substitute for a compliant cookie banner. It is a tool to reduce data loss when users reject cookies, while maintaining some analytics capability.
Dutch DPA Position on Google Analytics
The AP (Autoriteit Persoonsgegevens) has not issued a specific GA4 ruling analogous to those issued by the Austrian, French, or Italian data protection authorities (all of which found legacy Google Analytics illegal due to the data transfer issue, now partially resolved by the DPF).
The AP's cookie enforcement focuses on:
- Whether consent is obtained before analytics scripts load
- Whether the cookie banner is compliant (reject as easy as accept, no pre-ticked boxes)
- Whether the privacy policy accurately discloses GA4's use
The practical risk for Dutch website owners: if your website runs GA4 without a consent banner, or with a non-compliant banner, you are exposed to the AP's active enforcement programme.
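One way to test the first point on your own site, as an added example (not code from this article or from any scanner it mentions): export a HAR file from the browser's network tab and list the GA4 requests that started before you touched the banner. The function name, the `consentTime` argument and the sample capture are assumptions made for this illustration.

```javascript
// Added example: flag GA4 traffic in a HAR capture that started before the
// visitor interacted with the cookie banner.
const GA_PATTERNS = [
  { name: 'gtag.js loader', host: /^www\.googletagmanager\.com$/, path: /^\/gtag\/js/ },
  { name: 'GA4 hit', host: /(^|\.)google-analytics\.com$/, path: /^\/g\/collect/ },
  { name: 'GA4 hit', host: /^analytics\.google\.com$/, path: /^\/g\/collect/ },
];

// consentTime: ISO timestamp of the click on "accept" (assumption: noted by
// the tester), or null if the banner was never touched during the capture.
function findPreConsentGa(har, consentTime) {
  const cutoff = consentTime === null ? Infinity : Date.parse(consentTime);
  const findings = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= cutoff) continue; // after consent
    let url;
    try { url = new URL(entry.request.url); } catch { continue; } // skip data: etc.
    const hit = GA_PATTERNS.find(
      (p) => p.host.test(url.hostname) && p.path.test(url.pathname));
    if (!hit) continue;
    findings.push({
      kind: hit.name,
      host: url.hostname,
      // GA4 hits carry the client ID in the "cid" query parameter.
      hasClientId: url.searchParams.has('cid'),
      at: entry.startedDateTime,
    });
  }
  return findings;
}

// Constructed sample capture (not real traffic); G-XXXXXXXXXX is a placeholder.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-04-06T10:00:00.100Z',
    request: { url: 'https://example.nl/' } },
  { startedDateTime: '2026-04-06T10:00:00.400Z',
    request: { url: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX' } },
  { startedDateTime: '2026-04-06T10:00:00.900Z',
    request: { url: 'https://region1.google-analytics.com/g/collect?v=2&tid=G-XXXXXXXXXX&cid=111.222' } },
  { startedDateTime: '2026-04-06T10:00:05.000Z',
    request: { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXXXXX&cid=111.222' } },
] } };

console.log(findPreConsentGa(SAMPLE_HAR, '2026-04-06T10:00:03.000Z'));
```

Any finding returned here is a request that reached Google before consent; an empty list for a capture with no banner interaction is the result you want.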
Does GA4 Qualify for the Dutch Analytics Exception?
No. The Dutch Telecommunications Act's Article 11.7a(3) exception for privacy-friendly analytics requires:
- No cross-session tracking of individual visitors
- No data shared with third parties
- Only aggregate statistical data
GA4 fails all three criteria:
- It tracks individual visitors across sessions via the client ID
- Data is shared with Google (a third party)
- It collects individual-level data, not just aggregate statistics
GA4 with Consent: The Correct Setup
If you want to keep using GA4, the compliant setup is:
- Install a compliant cookie consent management platform (CookieYes, Usercentrics, Complianz, or similar)
- Block GA4 scripts from loading until the visitor accepts analytics cookies
- Enable Consent Mode v2 in your GA4 and tag manager setup — this handles the state for users who reject while allowing full tracking for those who accept
- Accept Google's Data Processing Amendment in your GA4 account settings
- Update your privacy policy to disclose GA4's use, what data it collects, that it goes to Google (US, covered by DPF), and retention periods
Expected impact: typically 20–40% of visitors reject analytics cookies. Your GA4 data will show only consenting users, underrepresenting your actual traffic. For this reason, many businesses switch to privacy-friendly analytics.
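The script-blocking and Consent Mode v2 steps of the setup above, sketched as an added example (not code from this article, from Google, or from any consent platform it names): consent defaults are set to denied, and the gtag.js script is only injected once the visitor accepts. The measurement ID is a placeholder, and `createAnalyticsGate` and the banner button ids are hypothetical; storing the visitor's choice is left to the consent platform.

```javascript
// Added example: consent-gated GA4 loader.
const GA_ID = 'G-XXXXXXXXXX'; // placeholder measurement ID

function createAnalyticsGate(win, doc, measurementId) {
  win.dataLayer = win.dataLayer || [];
  // Same shape as Google's snippet: queue the raw arguments object.
  function gtag() { win.dataLayer.push(arguments); }

  // Consent Mode v2 defaults: everything denied until the visitor chooses.
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
  });

  let loaded = false;
  return {
    // Call from the banner's "accept analytics" handler.
    accept() {
      gtag('consent', 'update', { analytics_storage: 'granted' });
      if (loaded) return; // inject the script only once
      loaded = true;
      gtag('js', new Date());
      gtag('config', measurementId);
      const s = doc.createElement('script');
      s.async = true;
      s.src = 'https://www.googletagmanager.com/gtag/js?id=' +
        encodeURIComponent(measurementId);
      doc.head.appendChild(s);
    },
    // Call from "reject": the script is never injected, so nothing is fetched.
    reject() {
      gtag('consent', 'update', { analytics_storage: 'denied' });
    },
    isLoaded() { return loaded; },
  };
}

// Browser wiring; skipped when run outside a page. Button ids are hypothetical.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const gate = createAnalyticsGate(window, document, GA_ID);
  document.getElementById('accept-analytics')?.addEventListener('click', gate.accept);
  document.getElementById('reject-analytics')?.addEventListener('click', gate.reject);
}
```

In this version no request goes to Google before acceptance, which is the condition the AP's enforcement looks at.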
Privacy-Friendly Alternatives to Google Analytics
If you want accurate data without a consent requirement for analytics, switch to a tool that qualifies for the Dutch analytics exception:
| Tool | Pricing | GDPR status | Cookies? |
|---|---|---|---|
| Plausible Analytics | €9/month | No consent needed | No |
| Fathom | $14/month | No consent needed | No |
| Simple Analytics | €19/month | No consent needed | No |
| Matomo (self-hosted, anonymised) | Free | No consent needed | No (in cookieless mode) |
| Pirsch | €6/month | No consent needed | No |
These tools provide:
- Pageviews, sessions, traffic sources, countries, device types
- No cookies, no personal data, no IP address storage
- Full data without the 20–40% gap from consent rejection
You lose: individual user journeys across multiple sessions, demographic data, and deep integration with Google Ads. For most small business websites, these are not significant losses.
Practical Decision Guide
Keep GA4 if:
- You run Google Ads and need conversion tracking that integrates with Google Ads
- You have a development team that can properly implement Consent Mode v2
- You have a compliant consent banner that blocks GA4 until consent is given
- You accept that your analytics data will be incomplete (consenting users only)
Switch to privacy-friendly analytics if:
- You primarily use analytics to understand your website's performance
- You want complete, accurate data without consent-induced gaps
- You want to avoid cookie banner complexity entirely
- You have no Google Ads dependency
To check whether GA4 is currently loading on your website before visitor consent, scan your website free.
This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.