Is Google Analytics (GA4) Legal in the UK? UK GDPR 2026

Steven | TrustYourWebsite · 28 May 2026 · Last updated: June 2026

Google Analytics 4 is the most widely deployed web-analytics tool on UK websites. Under UK law, loading it without prior consent is an infringement of PECR Regulation 6. Most UK installations are technically capable of being compliant. Most in practice are not.

This guide covers the current legal position as of 2026: the PECR consent requirement, the UK GDPR framework, the UK-US Data Bridge transfer mechanism (in force since October 2023), what Consent Mode v2 does and does not fix, the GA4 settings a compliant deployment must use and the cookieless alternatives that operate without a banner.

Want to see whether your site loads GA4 before consent? Run a free TrustYourWebsite scan.

Two separate instruments govern GA4 in the UK. They work together but address different things.

PECR (Privacy and Electronic Communications Regulations 2003) governs the act of placing or reading cookies on a user's device. Regulation 6 of PECR requires prior, informed consent before any non-essential cookie is set. The _ga cookie GA4 places is not necessary for the service the user requested. Consent is therefore required before the script loads, not after.

UK GDPR (the UK's retained version of the EU regulation, applied through the Data Protection Act 2018) governs the personal data processing that follows the cookie. IP address, the Client ID stored in _ga and behavioural event data are all personal data under UK GDPR. Consent under Article 6(1)(a) UK GDPR is the appropriate lawful basis for analytics processing.

PECR and UK GDPR are both enforced by the ICO (Information Commissioner's Office). They are dealt with together in any ICO investigation. Satisfying one without the other is not enough.

The older EU instrument -- Article 5(3) of the ePrivacy Directive -- is not directly applicable in UK law post-Brexit. PECR, which implemented that article before Brexit, is the operative UK statute.

What GA4 collects and why that matters

GA4 collects, at minimum, the following per visit:

  • IP address (processed in transit for geolocation -- full IP is no longer logged by GA4 but is transmitted)
  • Client ID, a persistent pseudonymous identifier stored in the _ga cookie
  • Session ID
  • Device characteristics (browser, OS, resolution, language)
  • Approximate location derived from IP
  • Page-level engagement events
  • Traffic source attribution

The Client ID is the key issue. It persists across sessions, links multiple visits from the same browser and creates a longitudinal record of behaviour. Under UK GDPR, a pseudonymous identifier that can be reasonably linked back to an individual is personal data. The ICO's position, consistent with the EDPB reading on this point, is that persistent device-level identifiers are personal data.

Two consequences:

  1. GA4 cannot rely on the strictly necessary exemption in PECR. Analytics is not necessary for the service the user explicitly requested.
  2. GA4 cannot rely on legitimate interests as the UK GDPR Article 6 basis for analytics involving a third-party processor such as Google.

The combination means: consent banner required, before GA4 loads.

The UK-US Data Bridge: transfers to Google are covered

Before October 2023, the transfer of personal data from UK websites to Google's US servers was a live compliance risk. After the UK Supreme Court endorsed the Schrems II analysis and following the CJEU's C-311/18 ruling, Standard Contractual Clauses alone were insufficient for US transfers without supplementary measures. Several EU DPAs ruled that GA4 implementations failed this test in 2021 and 2022.

The position changed in two steps. First, the EU adopted the EU-US Data Privacy Framework on 10 July 2023 (Commission Implementing Decision (EU) 2023/1795). Second, the UK put its own equivalent in force: the UK Extension to the EU-US Data Privacy Framework, known as the UK-US Data Bridge, took effect on 12 October 2023 under the Data Protection (Adequacy) (United States of America) Regulations 2023.

The ICO published accompanying guidance confirming that the Data Bridge provides a valid adequacy mechanism for transfers to certified US organisations. Google LLC certified under both frameworks on day one.

What this means for GA4 in 2026:

  • Transfers from UK controllers to Google's US servers are covered by the UK-US Data Bridge.
  • No Standard Contractual Clauses or supplementary measures are needed for that transfer, as long as Google's certification is current.
  • The 2021-2022 EU DPA decisions against GA4 turned on the transfer issue that is now addressed. Those decisions are not directly applicable to the UK post-Brexit position.

What has not changed is the PECR consent requirement. That is a separate, domestic UK obligation. The Data Bridge resolves the international transfer question. It does not remove the need for a banner.

Three structural requirements derive from ICO guidance and the PECR standard.

1. Block GA4 until the user clicks Accept

The most common failure mode is GA4 initialising in the page head before the banner has rendered. The test is whether the network request to googletagmanager.com happens before or after the user's affirmative click. If before, the deployment is non-compliant regardless of how the banner looks.

The fix is a consent management platform (CMP) or a tag manager configuration that gates gtag.js on the consent event. Google Tag Manager, Cookiebot, OneTrust and similar tools support this. Some self-built consent layers also work if implemented correctly.
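The gating described above, as an added example rather than code from Google, a CMP vendor or TrustYourWebsite. It assumes the banner calls accept() or reject() only after the user's click, and that injectScript is a caller-supplied callback (in a browser, one that appends a script tag); the measurement ID is a placeholder.

```javascript
// Consent-gated GA4 loader (added example; assumes a banner or CMP that calls
// accept()/reject() only after the user's click). Nothing touches the network
// until analytics consent exists, so no request to googletagmanager.com and no
// _ga cookie can appear before that click.
const GTAG_SCRIPT = 'https://www.googletagmanager.com/gtag/js?id=';

// Consent Mode v2 signals: analytics_storage gates GA4, the other three gate Ads.
const ALL_DENIED = {
  analytics_storage: 'denied',
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
};

function createConsentGate({ measurementId, injectScript, dataLayer = [] }) {
  // Standard gtag shim: commands queue in dataLayer until gtag.js consumes them.
  const gtag = function () { dataLayer.push(arguments); };
  // Default before any interaction: everything denied. wait_for_update tells
  // gtag.js (once loaded) to hold tag firing briefly for a CMP update.
  gtag('consent', 'default', { ...ALL_DENIED, wait_for_update: 500 });

  let scriptRequested = false;

  function apply(analytics, advertising) {
    const flag = (granted) => (granted ? 'granted' : 'denied');
    gtag('consent', 'update', {
      analytics_storage: flag(analytics),
      ad_storage: flag(advertising),
      ad_user_data: flag(advertising),
      ad_personalization: flag(advertising),
    });
    // Only now, and only once, is gtag.js fetched ("basic" consent mode):
    // a rejection leaves the page with no Google request at all.
    if (analytics && !scriptRequested) {
      scriptRequested = true;
      injectScript(GTAG_SCRIPT + encodeURIComponent(measurementId));
      gtag('js', new Date());
      gtag('config', measurementId);
    }
  }

  return {
    // Granular consent: analytics and advertising are separate decisions.
    accept: ({ analytics = false, advertising = false } = {}) =>
      apply(analytics, advertising),
    reject: () => apply(false, false),
    scriptRequested: () => scriptRequested,
    dataLayer,
  };
}
```

In a page, pass an injectScript that appends an async script element to document.head, expose dataLayer as window.dataLayer, and wire gate.accept() and gate.reject() to the banner's two first-layer buttons.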

2. Reject equal to Accept

The Reject All option must be at the same visual level and click count as Accept All. The ICO has stated publicly that a site without a clearly accessible reject option on the first layer is "breaking the law". Burying the rejection path behind a "Manage preferences" link that requires additional clicks does not meet this standard.

For the full requirements of a compliant banner under UK law, see cookie banner rules in the UK.

3. Granular consent

Users must be able to accept analytics without accepting marketing cookies and vice versa. A single Accept All that bundles all categories is not specific consent under UK GDPR Article 4(11).

For whether a banner is required at all on your site, see do I need a cookie banner in the UK.

Google's Consent Mode v2 (launched 2024) changes GA4's behaviour based on the consent state.

With consent granted: Full tracking, Client ID set, behavioural events transmitted, attribution computed.

With consent denied: GA4 sends cookieless pings with no Client ID and a truncated IP, and anonymous behavioural modelling fills the gaps in reports.

Consent Mode v2 reduces data loss when users reject cookies, but it does not remove the consent requirement. Three points often misunderstood:

  • Even in denied mode, pings reach Google servers. The ICO's position is that these pings involve processing requiring a legal basis. Consent Mode does not provide that basis on its own.
  • The conversion modelling Google performs feeds Google Ads, which has its own consent obligations.
  • ICO enforcement focuses on whether the banner captures consent properly before any GA4 activity. Consent Mode configuration is a downstream concern, not a substitute.

Consent Mode v2 is a useful data-quality tool. It is not a compliance shortcut.

The GA4 panel settings that compliance requires

Assuming the banner is correct, the GA4 account itself must be configured. The term "controller" means you (the business owner) and "processor" means Google. The "record of processing" is the internal log Article 30 UK GDPR requires you to keep.

| Setting | GA4 menu path | Default | Recommended | Risk if left at default |
|---|---|---|---|---|
| Data Processing Amendment accepted | Administration > Account Details > Account Settings | Not accepted | Accepted, date recorded | Direct Article 28 UK GDPR violation regardless of other configuration |
| Data retention | Administration > Data Settings > Data Retention | 14 months | 2 months (or document operational justification up to 14) | ICO and EDPB treat 14 months as a maximum, not a default |
| Transfer mechanism | Administration > Data Settings > Data Collection | UK-US Data Bridge | UK-US Data Bridge + noted in your record of processing | No documented legal basis for the US transfer |
| Google Signals | Administration > Data Settings > Google Signals | Off (newer accounts) / On (legacy) | Off unless your banner captures explicit advertising consent | Cross-device tracking without granular consent |
| Advertising features and personalisation | Administration > Data Settings > Data Collection | On (legacy) | Off unless explicit advertising consent | Consent scope mismatch |

1. Data Processing Amendment accepted

Under Article 28 UK GDPR, the relationship between a controller (you) and a processor (Google) requires a written contract. Google provides the Data Processing Amendment in the GA4 account under Administration > Account Details > Account Settings. The date of acceptance is recorded in the audit log. Without acceptance, Article 28 is violated regardless of any other configuration.

2. Data retention reduced to the minimum

Administration > Data Settings > Data Retention. The default in GA4 is 14 months for user and event data. 2 months is the technical minimum. 14 months is permissible but requires documented justification for why the longer period is operationally necessary. Document the choice in your record of processing.

3. UK-US Data Bridge declared as the transfer mechanism

Administration > Data Settings > Data Collection. The UK-US Data Bridge is the relevant adequacy mechanism for transfers to Google LLC from a UK controller. Note it explicitly in your privacy notice and your record of processing.

4. Google Signals disabled by default

Administration > Data Settings > Google Signals. Google Signals enables cross-device tracking by pooling data from signed-in Google users. It requires a separate, granular consent for advertising purposes. If the banner does not capture advertising consent specifically, leave Google Signals off.

5. Advertising features and personalisation off by default

Administration > Property Settings > Property Details > Advertising features. Same logic: if the banner does not capture advertising-specific consent, the corresponding GA4 features must remain disabled.

Privacy notice disclosure

The privacy notice must describe the GA4 processing. A standard clause for a UK controller:

We use Google Analytics 4, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Google LLC is certified under the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge), which came into force on 12 October 2023. The legal basis for the processing is your consent under Article 6(1)(a) UK GDPR and PECR Regulation 6, given through the cookie banner. The retention period for data linked to the Client ID is [2/14] months. You can withdraw consent at any time from the cookie preferences link at the bottom of every page.

The Data (Use and Access) Act 2025 and analytics

The Data (Use and Access) Act 2025 received Royal Assent in 2025. It introduced changes to the data protection framework, including recognition provisions for digital identity schemes and changes to the ICO's enforcement structure. Notably, earlier draft versions of the legislation (as the Data Protection and Digital Information Bill) had proposed a "recognised legitimate interests" basis that could have reduced the consent requirement for analytics cookies. That provision did not survive into the final Act. PECR Regulation 6 continues to require consent for non-essential analytics cookies in 2026. The consent requirement is unchanged.

ICO enforcement: what UK businesses should know

The ICO has taken a progressively active position on cookie compliance.

In late 2023 the ICO wrote to 53 of the UK's top 100 websites, requiring them to address non-compliant cookie banners. The ICO's January 2024 follow-up report found that 38 had become compliant and 4 more had committed to changes. The ICO published guidance on tracking technologies confirming that analytics cookies require consent and that the reject path must be as accessible as accept. In January 2025 the ICO announced a sweep of the UK's top 1,000 websites using automated detection.

The practical enforcement pattern for SMBs is complaint-driven rather than proactive. A competitor or user complaint triggers an informal engagement letter. Non-response escalates. Five-figure fines under PECR are possible for persistent non-compliance. The ICO has issued fines up to £500,000 under PECR in serious cases (see ICO's published enforcement decisions). No GA4-specific fine has been published against a small UK business as of May 2026, but the ICO's position on the consent requirement is explicit and the risk is real.

GA4 is the most commonly detected tracking script in TrustYourWebsite scans of UK small-business websites. The overwhelming majority of violations are the same pattern: GA4 loading in the document head before any consent interaction.

For more on how the ICO investigates websites, see what the ICO checks on your website.

Cookieless alternatives that operate without a banner

Several analytics tools are designed not to set persistent identifiers and not to collect data that qualifies as personal under UK GDPR. They typically do not trigger PECR Regulation 6 because no cookie or equivalent identifier is placed on the device.

| Tool | Pricing | Hosting | Cookies | Banner usually needed |
|---|---|---|---|---|
| Plausible Analytics | from €9/mo | Germany (EU) | None by default | No |
| Fathom Analytics | from $14/mo | EU + US options | None | No |
| Simple Analytics | from €9/mo | Netherlands (EU) | None | No |
| Matomo Cloud | from €19/mo | Germany (EU) | Configurable | Configurable |
| Matomo self-hosted | Server cost | Your servers | Configurable | Configurable |

For analytics-without-consent to work in the UK, a tool must genuinely set no cookie or equivalent persistent identifier and retain no personal data. Verify the specific configuration of any tool you deploy. The ICO has not issued a formal safe-harbour list for specific tools. For a fuller analysis of the consent threshold for each approach, see analytics without consent in the UK.

Common failure modes

These appear consistently in TrustYourWebsite scans of UK small-business sites.

GA4 in the head, banner in the footer. GA4 has already initialised before the user sees the banner. The single most common failure mode.

Consent Mode treated as a banner substitute. "We use Consent Mode v2 so we do not need a banner" is wrong under PECR.

Data Processing Amendment never accepted. Account created years ago. Nobody accepted the DPA. Article 28 violation.

Retention set to 14 months without justification. Default left in place. The ICO expects active consideration of the retention period.

Google Signals on by default. Advertising features active without specific consent.

Privacy notice generic. Boilerplate that does not mention GA4, does not name Google LLC, does not cite the UK-US Data Bridge, does not state retention.
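A check for the first failure mode above, run over a captured page load, as an added example that is not the TrustYourWebsite scanner. The request and cookie capture is constructed (offsets in milliseconds from navigation start, placeholder measurement ID); in practice the same data comes from a HAR export or the browser's performance and cookie APIs.

```javascript
// Pre-consent audit of a captured page load (added example, not the
// TrustYourWebsite scanner). Input: a constructed list of network requests
// and cookies with millisecond offsets from navigation start, plus the offset
// of the user's Accept click (null when the banner was never interacted with).
const GA4_HOSTS = [
  /(^|\.)googletagmanager\.com$/,
  /(^|\.)google-analytics\.com$/,
  /(^|\.)analytics\.google\.com$/,
];
const GA_COOKIE = /^_ga(_|$)/; // _ga (Client ID) and _ga_<stream id> cookies

function isGa4Request(url) {
  return GA4_HOSTS.some((re) => re.test(new URL(url).hostname));
}

// Every GA4 request or _ga cookie that precedes the click (or occurs when there
// was no click at all) is a PECR Regulation 6 finding: consent must come first.
function auditPreConsent({ requests, cookies, consentClickAt }) {
  const preConsent = (t) => consentClickAt === null || t < consentClickAt;
  const findings = [];
  for (const r of requests) {
    if (isGa4Request(r.url) && preConsent(r.at)) {
      findings.push({ kind: 'request', detail: r.url, at: r.at });
    }
  }
  for (const c of cookies) {
    if (GA_COOKIE.test(c.name) && preConsent(c.setAt)) {
      findings.push({ kind: 'cookie', detail: c.name, at: c.setAt });
    }
  }
  return { compliant: findings.length === 0, findings };
}

// Constructed capture of the "GA4 in the head, banner in the footer" pattern:
// gtag.js fires at 120 ms, the banner script only arrives at 410 ms and the
// user clicks Accept at 2500 ms.
const SAMPLE_CAPTURE = {
  requests: [
    { url: 'https://example.com/', at: 0 },
    { url: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER', at: 120 },
    { url: 'https://region1.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER', at: 340 },
    { url: 'https://cmp.example.com/banner.js', at: 410 },
  ],
  cookies: [{ name: 'session', setAt: 5 }, { name: '_ga', setAt: 350 }],
  consentClickAt: 2500,
};
```

auditPreConsent(SAMPLE_CAPTURE) reports three findings (two Google requests and the _ga cookie, all before the 2500 ms click); a capture with no click at all is treated the same way, since consent was never given.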

Final checklist

  • The cookie banner blocks GA4 until the user actively clicks Accept
  • Reject is at the same visual level and click count as Accept
  • Granular consent: analytics separable from marketing
  • Consent storage with documented expiry (typically 6-12 months)
  • Withdrawal link in the persistent footer
  • GA4 Data Processing Amendment accepted, date archived
  • Data retention configured to the minimum operationally necessary
  • UK-US Data Bridge declared in the privacy notice as the transfer mechanism
  • Google Signals off unless advertising consent is granular and explicit
  • Advertising and personalisation features off unless consented
  • Privacy notice names Google LLC, the UK-US Data Bridge, the legal basis and the retention period
  • Quarterly check that scripts actually load after consent and match the cookie policy

This is technical analysis, not legal advice. For complex multi-property setups, advertising integrations or active ICO investigations, consult a lawyer who specialises in data protection.
