
Is Google Analytics GDPR Compliant? What Website Owners Need to Know

Google Analytics is not compliant by default, but it can be configured to meet GDPR requirements. This guide explains the legal concerns, what changed with GA4, and the concrete steps to run analytics lawfully in the EU.

The Short Answer

Google Analytics is not GDPR-compliant out of the box, but it can be made compliant with the right configuration. That nuance is the whole story. If you drop the default tag on your site and start collecting, you are very likely processing EU visitors' personal data without a valid legal basis. Configure it correctly — consent first, data minimized, transfers addressed — and Google Analytics can run lawfully for European audiences.

This question gained urgency after several European data protection authorities ruled, in 2022, that the then-current Universal Analytics violated the GDPR, primarily over data transfers to the United States — a position set out in coordinated decisions documented by the European Data Protection Board. Google's response was GA4 and a series of privacy controls. This guide explains what the legal concerns actually are, what GA4 changed, and the concrete steps to use it compliantly. For the underlying rules, see our guide on what the GDPR is.

Why It Isn't Compliant by Default

Three issues make a default install problematic under the GDPR:

1. It processes personal data

Analytics identifiers, IP-derived location, and device data are personal data under the GDPR, even without a name attached. Collecting them requires a lawful basis. For analytics cookies, that basis is almost always consent — and the default tag fires before any consent is given.

2. It sets cookies before consent

The standard implementation drops analytics cookies on page load. Under the ePrivacy Directive, non-essential cookies need prior consent, so firing them immediately is a violation regardless of what GA4 does afterward.

3. International data transfers

Analytics data has historically been transferred to Google in the United States. The legality of EU-to-US transfers has been contested for years; it now hinges on specific transfer mechanisms being in place. We cover this in depth in EU-US data transfers and the Data Privacy Framework.

What GA4 Changed

GA4 was designed partly with privacy in mind, and it introduced several controls that help — though none make it automatically compliant:

  • IP addresses are not logged or stored in GA4 the way they were in Universal Analytics; Google uses them transiently for coarse geolocation and then discards them. This reduces (but does not eliminate) the data-protection footprint.
  • Consent Mode integration lets GA4 adjust its behavior based on the user's consent state, so tags can run in a restricted, cookieless mode when consent is denied. This is the bridge between GA4 and your consent banner.
  • Data retention controls and regional data options give you more say over how long data lives and where some processing occurs.
  • Granular data-deletion tools help you honor erasure requests.

The key point: these are tools, not a compliance guarantee. You still have to configure consent correctly, address transfers, and document your basis.

Consent Mode Is Not the Same as Consent

Enabling Consent Mode shapes how Google's tags behave when consent is granted or denied — but you still need a banner that actually collects valid consent and blocks the analytics cookies until it's given. Consent Mode adjusts behavior; it does not obtain permission for you.

How to Run Google Analytics Compliantly

A lawful GA4 setup for EU visitors comes down to a sequence of concrete steps:

1. Get consent before any analytics cookie fires

Deploy a consent banner that blocks GA4 until the visitor agrees to analytics. This is the single most important step — it addresses both the GDPR legal-basis requirement and the ePrivacy prior-consent rule. Technically, this means blocking the script until consent.

2. Implement Consent Mode v2

Wire your banner to GA4's consent signals so denied users are handled in restricted mode and granted users are measured fully. This preserves as much lawful measurement as possible — see how Consent Mode affects GA4 reporting.

3. Address international transfers

Confirm the transfer mechanism Google relies on covers your data flow, and reflect it in your records and privacy policy.

4. Configure data controls

Set appropriate data-retention periods, enable available regional options, and disable any data-sharing settings you don't need (such as sharing with Google for product improvement or advertising, unless you have a basis and disclosure for them).

5. Document and disclose

List GA4's cookies in your cookie policy, state the legal basis in your privacy policy, and keep a record of consents.
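The five steps above, as an added example that is not CookieBeam's code: a Consent Mode v2 bootstrap in which every consent signal defaults to denied before any tag runs, and the GA4 library is injected only once the banner reports analytics consent. The banner callback `applyBannerChoice` and the placeholder measurement ID are assumptions; the `gtag('consent', …)` commands and consent keys are the real gtag.js API.

```javascript
// Added example (not CookieBeam's code): a gated Consent Mode v2 bootstrap.
// Assumed: the banner calls applyBannerChoice(); the measurement ID is a placeholder.
const MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, not a real property

// Standard gtag bootstrap: commands queue in dataLayer, so the consent default
// is recorded before the gtag.js library is ever loaded.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Step 1: defaults set to denied before any tag runs (the v2 signals are
// ad_user_data and ad_personalization, alongside ad_storage/analytics_storage).
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500, // ms: give the banner time to replay a stored choice
  });
}

// Step 2: the banner reports the choice. The consent update is always sent;
// the GA4 library is injected once, and only when analytics is granted, so no
// analytics cookie can be set on page load.
let tagInjected = false;
function applyBannerChoice(choice) {
  const granted = (ok) => (ok ? 'granted' : 'denied');
  const state = {
    analytics_storage: granted(choice.analytics),
    ad_storage: granted(choice.advertising),
    ad_user_data: granted(choice.advertising),
    ad_personalization: granted(choice.advertising),
  };
  gtag('consent', 'update', state);
  if (choice.analytics && !tagInjected) {
    tagInjected = true;
    if (typeof document !== 'undefined') { // browser only; skipped under Node
      const script = document.createElement('script');
      script.async = true;
      script.src = `https://www.googletagmanager.com/gtag/js?id=${MEASUREMENT_ID}`;
      document.head.appendChild(script);
    }
    gtag('js', new Date());
    gtag('config', MEASUREMENT_ID);
  }
  return state;
}
```

Call `setConsentDefaults()` in the page head, before any other tag; a visitor who declines never triggers the `config` command, so GA4 is never configured for them.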

Firing GA4 Before Consent Is the Most Common Violation

Many sites add a consent banner but never actually block GA4 — the tag still loads on page view, setting analytics cookies before the visitor chooses. A banner that doesn't gate the tag is decoration. Verify with a scanner that no GA4 cookie appears until consent is granted.
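An added check, not CookieBeam's code, for the gating problem just described: it parses a cookie string, either `document.cookie` in the browser or a cookie jar captured by a scanner, and reports a violation when a GA4 cookie (`_ga` or `_ga_<container id>`, the names GA4 actually sets) is present without analytics consent. The sample cookie strings are constructed, not captured from a real site.

```javascript
// Added example (not CookieBeam's code): verify GA4 is gated behind consent.
// GA4 sets `_ga` and `_ga_<container id>` cookies; both patterns are matched.
const GA4_COOKIE = /^_ga(_[A-Z0-9]+)?$/;

// Parse a Cookie-header style string ("a=1; b=2") into its cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// Return the GA4 cookie names present, e.g. ['_ga', '_ga_ABC123XYZ'].
function findGa4Cookies(cookieString) {
  return cookieNames(cookieString).filter((name) => GA4_COOKIE.test(name));
}

// The gate check itself: any GA4 cookie without analytics consent is a violation.
function auditGa4Gating(cookieString, analyticsConsentGranted) {
  const ga4Cookies = findGa4Cookies(cookieString);
  return {
    ga4Cookies,
    violation: ga4Cookies.length > 0 && !analyticsConsentGranted,
  };
}

// Constructed sample cookie jars as a scanner might capture them before the
// visitor has chosen (banner state "pending").
const BEFORE_CONSENT_UNGATED =
  'cookie_consent=pending; _ga=GA1.1.123456789.1700000000; _ga_ABC123XYZ=GS1.1.1700000000.1.0.1700000000.0.0.0';
const BEFORE_CONSENT_GATED = 'cookie_consent=pending; session=abc';
```

In the browser, `auditGa4Gating(document.cookie, false)` run on first load, before interacting with the banner, should report no GA4 cookies.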

What About Cookieless or Alternative Analytics?

Some organizations, wary of the transfer question or wanting to maximize measured traffic, supplement or replace cookie-based GA4 with privacy-first approaches: server-side measurement, first-party data strategies, or analytics that avoid personal data altogether. These don't make consent obligations vanish, but they can reduce the amount of personal data you process and lessen the share of traffic lost to refusals. Our guide on first-party cookieless tracking explores these options. They are a complement to compliant GA4, not a magic exemption from consent.

Compliant Google Analytics Checklist

  • Block GA4 from firing until the visitor consents to analytics

    Addresses both the GDPR legal-basis and ePrivacy prior-consent requirements.

  • Verify no GA4 cookie is set before consent

    Use a scanner to confirm the tag is genuinely gated, not just visually behind a banner.

  • Implement Consent Mode v2 wired to your banner

    Handle denied users in restricted mode and measure granted users fully.

  • Confirm your EU-to-US transfer mechanism is valid and documented

    Reflect the transfer basis in your records and privacy policy.

  • Set data retention and disable unnecessary data sharing

    Turn off Google data-sharing options you don't have a basis or disclosure for.

  • List GA4 cookies in your cookie policy and state the legal basis

    Transparency across both your cookie policy and privacy policy.

  • Keep records of consent

    Be able to demonstrate that analytics consent was obtained for the data you hold.

GA4 Can Be Compliant — If You Configure It That Way

Google Analytics isn't lawful by default, but a consent banner that genuinely blocks GA4 until consent, plus Consent Mode v2 and proper transfer handling, brings it within the GDPR. Pair it with first-party strategies to recover measurement lost to refusals — without cutting compliance corners.
