GDPR and GA4: Is Google Analytics Legal in Europe?

Multiple EU regulators have ruled against Google Analytics. The Data Privacy Framework changed things. Here's the current legal status and what you need to do.

Tags: GDPR, GA4, privacy, consent, legal, Europe, Data Privacy Framework

Between 2022 and 2023, data protection authorities in Austria, France, Italy, Denmark, Finland, and Norway all ruled that using Google Analytics violated GDPR. The reason: Google transferred EU user data to US servers, where it could be accessed by US intelligence agencies under FISA 702. The EU-US Privacy Shield (the previous legal framework) had been invalidated by the Schrems II ruling.

Then the EU-US Data Privacy Framework (DPF) was adopted in July 2023, creating a new legal basis for transatlantic data transfers. Google self-certified under the DPF. The regulatory landscape shifted again.

So where does that leave you in 2026? Can you use GA4 in Europe legally? The answer is: yes, with conditions.

What Changed with the Data Privacy Framework

The DPF replaced the invalidated Privacy Shield as the legal mechanism for transferring personal data from the EU to the US. Key features:

  • US companies self-certify to the DPF (Google has done so)
  • New safeguards limit US intelligence access to EU data
  • An independent Data Protection Review Court handles EU complaints
  • EU citizens can seek redress if their data is misused

What this means for GA4: Google’s data transfers from the EU to the US now have a legal basis under the DPF. The earlier rulings against Google Analytics were based on the ABSENCE of such a framework — that gap is now filled.

As of 2026, no EU data protection authority has issued a new ruling against Google Analytics since the DPF took effect. The previous rulings (Austria, France, Italy, etc.) were based on pre-DPF conditions.

However, three risks remain:

  1. The DPF could be invalidated. Privacy advocate Max Schrems (the same person behind Schrems I and Schrems II) has already challenged the DPF. If the EU Court of Justice strikes it down (“Schrems III”), we’re back to the same situation — no legal basis for US data transfers. This could happen within 2-3 years.

  2. Consent is still required. The DPF addresses data TRANSFERS, not data COLLECTION. GDPR still requires a legal basis for collecting personal data in the first place. For GA4, that means either consent or legitimate interest — and most EU regulators say analytics cookies require consent.

  3. National enforcement varies. Some EU countries are stricter than others. Germany’s data protection authorities, for example, take a harder line on analytics tracking than the Netherlands.

What GDPR Actually Requires for GA4

Even with the DPF in place, you need to comply with GDPR’s data collection rules. Here’s what that means in practice.

Requirement 1: Cookie Consent

GA4 sets cookies (_ga, _ga_*) that are classified as non-essential analytics cookies under GDPR and the ePrivacy Directive. You need user consent before setting these cookies.

In practice:

  • Display a cookie consent banner
  • Don’t load GA4 until the user clicks “Accept”
  • OR implement Consent Mode v2 to load GA4 in restricted mode without cookies

Requirement 2: Consent Mode v2

Since March 2024, Google requires Consent Mode v2 for any business running ads targeting the EEA. Without it, you lose:

  • Remarketing audiences
  • Customer Match
  • Conversion modeling
  • Enhanced conversions

Consent Mode v2 adds two signals, ad_user_data and ad_personalization, alongside the existing ad_storage and analytics_storage. All of them must be explicitly set based on user consent.

The interaction with GDPR:

User arrives → Cookie banner displayed
  ├── User accepts → Consent Mode: all granted → Full GA4 tracking
  ├── User rejects → Consent Mode: all denied → Cookieless pings only (modeled data)
  └── User ignores → Consent Mode: default denied → Cookieless pings only

With Consent Mode, GA4 still collects some data when consent is denied — but it does so without setting cookies or collecting personal identifiers. Google uses this for behavioral modeling (estimating the data you would have collected if consent had been granted).

Requirement 3: Data Processing Agreement

You need a Data Processing Agreement (DPA) with Google. GA4 includes this automatically through Google’s Data Processing Terms, which you accept when creating a GA4 property.

To verify: GA4 → Admin → Account → Account Settings → Data Processing Terms — ensure they’re accepted.

Requirement 4: Privacy Policy Disclosure

Your privacy policy must disclose:

  • That you use Google Analytics
  • What data GA4 collects
  • How long data is retained
  • That data is transferred to the US (under the DPF)
  • How users can opt out

Requirement 5: Data Retention Configuration

GA4 lets you set data retention to 2 months or 14 months. While GDPR doesn’t specify a maximum retention period for analytics, the principle of data minimization suggests you shouldn’t retain data longer than necessary.

Recommendation: Set retention to 14 months for actionable reporting windows. See our GA4 data retention guide for configuration details.

Requirement 6: IP Anonymization

GA4 anonymizes IP addresses by default — IPs are not logged or stored. This was a major complaint against Universal Analytics (which logged full IPs). GA4 resolved this.

What Your Banner Must Include

Under GDPR, a valid consent banner must:

| Requirement | Explanation |
|---|---|
| Prior consent | No cookies before the user acts |
| Granular choices | Separate options for analytics, marketing, etc. |
| Easy rejection | “Reject all” must be as easy as “Accept all” |
| No dark patterns | Can’t make “Accept” more prominent than “Reject” |
| Informed consent | Explain what each category does |
| Revocable | User can change their mind later |

Your cookie consent banner must integrate with Consent Mode. The flow:

  1. Banner loads → sets Consent Mode defaults to denied
  2. User clicks Accept → updates Consent Mode to granted
  3. User clicks Reject → Consent Mode stays denied (GA4 sends cookieless pings)
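The two passages above (the four Consent Mode v2 signals and the banner flow of default-denied, then update-on-accept) as one added example that is not code from the original article. `dataLayer` and `gtag` mirror the standard Google tag snippet; the helper names and the in-memory replay of the dataLayer are assumptions that let the flow run and be checked outside a browser.

```javascript
// Added example, not code from the original article: minimal Consent Mode v2
// banner wiring. dataLayer/gtag mirror the standard Google tag snippet; the
// helper names and in-memory replay are assumptions so it runs outside a browser.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// The four Consent Mode v2 signals (v2 added ad_user_data and ad_personalization);
// analytics_storage governs GA4 cookies, the other three govern Google Ads features.
const CONSENT_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Step 1, on page load before the GA4 config call: all signals denied by
// default; wait_for_update gives the banner up to 500 ms to deliver a decision
// before tags fire in cookieless mode.
function setConsentDefaults() {
  const defaults = Object.fromEntries(CONSENT_SIGNALS.map((s) => [s, 'denied']));
  gtag('consent', 'default', { ...defaults, wait_for_update: 500 });
  return defaults;
}

// Steps 2 and 3: Accept grants all four signals; Reject or ignoring the banner
// sends no update, so the denied defaults stay in force.
function applyUserChoice(choice) {
  if (choice !== 'accept') return null;
  const granted = Object.fromEntries(CONSENT_SIGNALS.map((s) => [s, 'granted']));
  gtag('consent', 'update', granted);
  return granted;
}

// Replay the dataLayer: the 'default' command first, then any later 'update',
// signal by signal. This is the state GA4 and Ads tags act on.
function effectiveConsent() {
  const state = {};
  for (const [cmd, , params] of dataLayer) {
    if (cmd !== 'consent') continue;
    for (const s of CONSENT_SIGNALS) {
      if (params[s] !== undefined) state[s] = params[s];
    }
  }
  return state;
}

// One visitor's full banner round trip; _ga cookies may be set only when the
// returned analytics_storage is 'granted'.
function simulateBanner(choice) {
  dataLayer.length = 0;
  setConsentDefaults();
  applyUserChoice(choice);
  return effectiveConsent();
}
```

In a real page the `gtag('consent', 'default', …)` call must precede the GA4 config snippet in the document, and the CMP's Accept handler is where `applyUserChoice('accept')` would run.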

Which CMPs support Consent Mode v2:

  • Cookiebot
  • OneTrust
  • CookieYes
  • Usercentrics
  • Termly
  • Osano
  • Borlabs (WordPress)
  • Complianz (WordPress)

What Happens If You Ignore This

Regulatory Risk

GDPR fines can reach 4% of global annual revenue or 20 million EUR, whichever is higher. In practice, fines for analytics violations are smaller but growing:

  • Austrian DPA fined a company for UA usage (pre-DPF)
  • Italian Garante issued cease orders for Google Analytics usage
  • CNIL (France) issued formal notices to several organizations

These were all pre-DPF cases, but the principle remains: collecting analytics data without proper consent is a GDPR violation regardless of where the data is processed.

Practical Risk

More immediately:

  • Cookie banners that don’t block GA4 pre-consent may be flagged by automated compliance scanners
  • Competitor complaints to regulators are increasingly common
  • Enterprise customers increasingly audit vendor privacy compliance

The “Nobody Gets Fined for GA4” Argument

It’s true that small businesses rarely face enforcement for analytics cookies specifically. But this is a poor long-term strategy because:

  1. Enforcement is increasing year over year
  2. Automated scanning makes violations easier to detect
  3. Class-action privacy suits are growing (especially in Austria and Germany)
  4. Your customers increasingly expect compliance

Alternatives If You Want to Avoid the Complexity

Option A: Use GA4 but Implement It Properly

Keep GA4 and implement it properly:

  • Consent banner with reject option
  • Consent Mode v2 for cookieless data when consent is denied
  • DPA accepted
  • Privacy policy updated

This is the standard approach for most businesses. You lose some data (from users who reject consent) but recover most of it through modeling.

Option B: EU-Only Analytics (Privacy-Focused)

Some businesses switch to EU-hosted, privacy-first analytics tools:

| Tool | Hosting | Cookies | GDPR Consent Needed? |
|---|---|---|---|
| Plausible | EU servers | None | Debatable (no cookies) |
| Fathom | Canadian company, EU processing option | None | Debatable |
| Matomo (self-hosted) | Your servers | Optional | If you set cookies, yes |
| Simple Analytics | EU servers | None | Debatable |

“Debatable” means: Some EU regulators accept that cookieless, aggregated analytics don’t require consent. Others disagree. The legal consensus is still forming.

Trade-offs: These tools provide basic traffic analytics but lack GA4’s audience building, conversion tracking, ad platform integration, and BigQuery export.

Option C: Server-Side GA4 with EU Processing

Configure server-side GTM to process data in the EU before sending to Google:

  1. Set up server-side GTM in a European GCP region
  2. Strip or hash PII before forwarding to GA4
  3. Limit data collection to non-personal analytics

This gives you GA4’s features while keeping data processing in the EU.

Practical Compliance Checklist

  • Cookie consent banner installed with Accept/Reject options
  • GA4 does NOT load before consent (or Consent Mode defaults set to denied)
  • Consent Mode v2 implemented with all four signals
  • Google Data Processing Terms accepted
  • Privacy policy mentions Google Analytics, data retention, US transfers under DPF
  • GA4 data retention set to 14 months (or less)
  • IP anonymization confirmed (default in GA4)
  • Google Signals disabled if not needed for advertising
  • User-ID feature complies with your consent scope
  • A process for handling data deletion requests (GA4 supports user-level data deletion)

The Realistic Position

GA4 is legal to use in Europe in 2026, provided you:

  1. Have a consent banner that actually blocks cookies before consent
  2. Implement Consent Mode v2 correctly
  3. Accept Google’s DPA
  4. Disclose usage in your privacy policy

The DPF provides the legal basis for data transfers. Consent Mode provides the legal basis for data collection. Together, they cover the two halves of the GDPR compliance equation.

The risk that remains is political and legal — if the DPF is struck down, the entire transatlantic data flow landscape shifts again. But that’s not a reason to avoid GA4 today. It’s a reason to implement it properly and have a contingency plan.

Not sure if your GA4 setup is compliant with consent requirements? Run a free scan — we check your consent configuration, tag firing behavior, and Consent Mode implementation.