Google Analytics + GDPR
Is Google Analytics GDPR-compliant?
Honest answer: it can be, currently, with work — and it's fragile. Here's what EU regulators actually ruled, what changed in 2023, and what your options look like today. (This is an operator's summary, not legal advice — talk to a lawyer for your specific situation.)
The short version
GA4 is not GDPR-compliant out of the box, but it's not illegal either. Since July 2023 the EU-US Data Privacy Framework gives Google a lawful basis for moving EU data to the US, which defused the problem that got Google Analytics ruled unlawful across Europe in 2022. What remains: you still need an opt-in cookie banner (a separate law — the ePrivacy Directive — covers cookies), you still need to tighten GA4's data-sharing and retention settings yourself, and the whole arrangement rests on an adequacy decision that's already being challenged in court.
So the real question isn't "is it legal?" — it's "is the ongoing compliance work and the 30–60% consent-decline data loss worth it, when cookieless analytics sidesteps the entire problem class?"
How Google Analytics got in trouble with GDPR
The story is really about data transfers, not analytics per se:
- July 2020 — Schrems II. The EU's top court struck down Privacy Shield, the agreement that made EU→US data transfers easy. Suddenly every US-hosted tool processing EU personal data was on shaky legal ground under GDPR Article 44.
- January 2022 — Austria. The Austrian DSB ruled that Universal Analytics, as deployed on an Austrian site, unlawfully transferred personal data to the US. First domino.
- February 2022 — France. The CNIL reached the same conclusion and ordered affected sites to stop using it or find compliant alternatives.
- June 2022 — Italy. The Garante followed with a matching decision; Denmark's Datatilsynet also declared Google Analytics unlawful without supplementary measures.
- July 2023 — the reprieve. The European Commission adopted the EU-US Data Privacy Framework, a new adequacy decision. Google LLC is certified under it, which restored a lawful transfer basis and substantially defused the 2022 rulings.
Two things worth keeping straight: the 2022 decisions concerned Universal Analytics, the product Google has since retired — not GA4 as such. And the DPF is the third EU-US transfer agreement; the previous two (Safe Harbor, Privacy Shield) were both struck down by the same court, and a challenge to this one — a likely "Schrems III" — is widely expected. Adequacy can also simply be revoked. GA4's legal footing is real, but it's rented.
The part the Data Privacy Framework didn't fix: cookies
Even with transfers sorted, GA4 sets cookies (_ga and friends) — and the ePrivacy Directive requires informed opt-in consent before any non-essential cookie is set. That's a separate law from GDPR and the DPF doesn't touch it. So you still need a consent banner with a working reject button, GA4 blocked until the visitor accepts, and a consent management platform wired into your stack. We cover that whole question in depth in Do you need cookie consent for Google Analytics?
The practical cost: EU consent-decline rates run 30–60% depending on the vertical, so a large slice of your traffic simply vanishes from your reports. Google's Consent Mode v2 papers over the gap with modeled data — statistical estimates of what declined visitors probably did — which is better than nothing but isn't measurement.
Your options, honestly compared
Option 1: Keep GA4 and do the compliance work. Deploy a CMP and block GA4 until opt-in, enable Consent Mode v2, disable Google Signals and ads data sharing, shorten data retention, sign Google's Data Processing Terms, and document everything in your privacy policy. This is a legitimate path — regulators currently accept it — and it's the right call if your revenue depends on Google Ads attribution or cross-device user stitching. The trade: ongoing CMP costs, the consent-decline data hole, and exposure if the DPF falls.
Option 2: Switch to cookieless analytics. Tools like Gizmo, Plausible, and Fathom set no cookies and store no personal data, so the ePrivacy consent requirement never triggers and the GDPR surface shrinks to nearly nothing. No banner, no CMP, no modeled data — you see 100% of your traffic, including the 30–60% who would have declined. And because no personal data crosses the Atlantic in identifiable form, the next Schrems ruling isn't your problem. The trade: you lose cross-device identity, long-window ad attribution, and remarketing audiences.
Many teams do both: cookieless as the always-on, banner-free site analytics, GA4 kept solely for paid-acquisition attribution behind the consent gate.
GDPR-friendly analytics without the banner
Gizmo is cookieless by design: a ~1KB one-line script, visitor IDs from a daily-rotating salted hash of IP + User-Agent, raw IP never stored, no fingerprinting. No consent banner needed. You still get sources (including AI assistants), events, funnels, and real-time — and your AI coding agent can install it in one prompt via our MCP server. Free forever for 10k events / month, unlimited sites.
FAQ
- Is Google Analytics 4 GDPR-compliant in 2026?
- It can be operated in a way most regulators currently accept, but it isn't compliant out of the box. You need: an opt-in cookie banner (ePrivacy requires consent before the _ga cookies are set), Google's data-sharing settings turned off, IP handling and retention tightened, a signed Data Processing Agreement, and the EU-US Data Privacy Framework holding up in court. Each of those is a moving part. Cookieless analytics tools avoid most of this surface entirely because they set no cookies and store no personal data.
- Was Google Analytics banned in Europe?
- Not formally 'banned', but in 2022 several EU data protection authorities ruled that Universal Analytics, as typically deployed, violated GDPR: Austria's DSB (January 2022), France's CNIL (February 2022), and Italy's Garante (June 2022) all found the US data transfers unlawful under Article 44; Denmark's Datatilsynet declared it unlawful without supplementary measures. Those decisions concerned Universal Analytics, not GA4 specifically, and the legal ground shifted again in July 2023 when the EU-US Data Privacy Framework restored a lawful transfer basis. So: rulings against the old product, an uneasy truce on the new one.
- Do I still need a cookie banner with GA4?
- Yes. This is separate from the data-transfer question. GA4 sets cookies (_ga and friends), and the EU ePrivacy Directive requires opt-in consent before any non-essential cookie is set — regardless of where the data ends up. The Data Privacy Framework fixed transfers, not cookies. In practice 30–60% of EU visitors decline, and Consent Mode v2 fills the gap with modeled (statistically estimated) data rather than real measurements.
- What is the EU-US Data Privacy Framework and can it be revoked?
- The DPF is the July 2023 adequacy decision that lets certified US companies (Google LLC is certified) receive EU personal data lawfully — it's the successor to Privacy Shield, which the CJEU struck down in the 2020 Schrems II ruling. It faces legal challenges already, and privacy advocates expect a 'Schrems III' case; the European Commission can also suspend or revoke adequacy. If the DPF falls the way its two predecessors did, GA4's transfer basis goes with it, and site owners are back to the 2022 situation overnight.
- What do I have to configure to run GA4 in a GDPR-acceptable way?
- At minimum: deploy a consent management platform and block GA4 until opt-in; enable Consent Mode v2; disable Google Signals and ads data sharing; turn off granular location and device data collection where you don't need it; set data retention to the shortest useful window (2 or 14 months); accept Google's Data Processing Terms; and document all of it in your privacy policy and records of processing. That's real ongoing work — and it still depends on the DPF remaining valid.
- What analytics doesn't need GDPR consent?
- Analytics that stores nothing on the visitor's device and keeps no personal data. Cookieless tools like Gizmo, Plausible, and Fathom set no cookies (no ePrivacy consent trigger) and derive visitor IDs from a daily-rotating salted hash of IP + User-Agent, discarding the raw IP — so there's no persistent identifier and minimal GDPR surface. France's CNIL has published guidance on consent-exempt analytics built exactly on this pattern. No banner, no consent-decline data loss, no dependence on US-adequacy politics.
- What does Gizmo Analytics do differently?
- Gizmo is cookieless web analytics built MCP-first. A ~1KB one-line script, no cookies, no fingerprinting; visitor IDs come from a daily-rotating salted hash of IP + User-Agent and the raw IP is never stored — so no consent banner is needed and the GDPR surface is minimal by design. You still get sources (including AI assistants like ChatGPT and Claude), events, funnels, and real-time visitors. The MCP server lets AI coding agents (Cursor, Claude, Codex) install and query it in one prompt. Free forever for 10k events / month, unlimited sites.
Keep reading
- Do you need cookie consent for Google Analytics?The legal answer, country by country — and how to skip the banner.
- Cookieless tracking, explainedWhat it is, how it works, and the tools that do it well.
- Privacy-friendly analyticsGDPR-safe analytics without consent banners.
- Google Analytics alternativeWhy operators are switching, and what the switch costs you.