Quick answer: Google Analytics 4 (GA4) is conditionally legal in most EU countries as of 2026, but only if you obtain valid opt-in consent before loading the tracking script and use IP anonymization. Several DPAs initially ruled Google Analytics (Universal Analytics) illegal, but the EU-US Data Privacy Framework adopted in July 2023 has largely resolved the data transfer issue for GA4 — though consent for cookies remains strictly required.
What Happened: The Google Analytics GDPR Timeline
| Date | Event | Impact |
|---|---|---|
| July 2020 | Schrems II ruling invalidates Privacy Shield | All US data transfers questioned |
| Jan 2022 | Austrian DPA rules Google Analytics illegal | First EU DPA to ban GA |
| Feb 2022 | French CNIL rules Google Analytics illegal | Gave sites 1 month to comply |
| Jun 2022 | Italian Garante rules Google Analytics illegal | 90-day compliance deadline |
| Jul 2023 | EU-US Data Privacy Framework adopted | Provides legal basis for US data transfers |
| Jul 2023 | Google sunsets Universal Analytics → GA4 | GA4 has improved privacy controls |
| 2024-2025 | DPAs update guidance recognizing DPF | GA4 with consent is generally accepted |
| 2026 | EU Commission proposes one-click cookie reject | Consent enforcement intensifies |
Is Google Analytics 4 Legal in the EU Right Now?
Yes, but with conditions. The EU-US Data Privacy Framework provides a legal mechanism for transferring data to certified US companies, including Google. However, two critical requirements remain:
- You must obtain consent before loading GA4. GA4 sets cookies (
_ga,_gid) that are classified as non-essential under the ePrivacy Directive. Loading GA4 before the user clicks "Accept" is a violation regardless of the data transfer question. - You must disclose GA4 in your privacy policy and cookie notice. Users must know what data is collected, where it goes, and how long it's retained.
Google Analytics GDPR Status by Country
| Country | DPA | Status (2026) | Notes |
|---|---|---|---|
| France | CNIL | Legal with consent + DPF | CNIL provides detailed GA4 guidance |
| Austria | DSB | Legal with consent + DPF | Original ban was pre-DPF |
| Italy | Garante | Legal with consent + DPF | Requires IP anonymization |
| Germany | State DPAs | Legal with consent + DPF | Some DPAs still recommend alternatives |
| Netherlands | AP | Legal with consent + DPF | Strict enforcement on consent timing |
| Denmark | Datatilsynet | Legal with consent + DPF | Previously issued correction orders |
| Norway | Datatilsynet | Legal with consent + DPF | Follows EU guidance |
| Sweden | IMY | Legal with consent + DPF | Fined companies for GA without consent |
| Finland | Ombudsman | Legal with consent + DPF | Emphasizes transparency |
How to Use GA4 Compliantly in 2026
- Get consent first: Configure your cookie consent banner to block GA4 until the user accepts analytics cookies
- Enable IP anonymization: GA4 includes this by default, but verify it's active in your configuration
- Set up Google Consent Mode V2: This sends cookieless pings when users decline consent, preserving aggregate data without violating GDPR
- Configure data retention: Set the shortest retention period (2 months) in GA4 settings
- Disable data sharing: Turn off "Google signals" and advertising features unless needed
- Sign a DPA: Accept Google's Data Processing Amendment in your GA4 admin settings
- Update your privacy policy: Disclose GA4 usage, cookie names, data exported to US, and retention periods
What If the EU-US Data Privacy Framework Fails?
Privacy activist Max Schrems has challenged the DPF through NOYB.eu. If the Court of Justice rules against it (a "Schrems III" scenario), websites would need to either:
- Stop using GA4 entirely
- Switch to a privacy-first analytics alternative that processes data within the EU
- Implement Standard Contractual Clauses with supplementary measures
Privacy-Friendly Alternatives to Google Analytics
| Tool | Cookie-Free? | EU Data Storage? | Consent Required? | Pricing |
|---|---|---|---|---|
| Plausible | Yes | Yes (EU-only) | No | From €9/mo |
| Fathom | Yes | Yes (EU option) | No | From $14/mo |
| Umami | Yes | Self-hosted | No | Free (open-source) |
| Matomo | Configurable | Self-hosted or EU cloud | Depends on config | Free self-hosted / from €19/mo cloud |
| Simple Analytics | Yes | Yes (EU-only) | No | From €9/mo |
For a detailed comparison, see our Cookie-Free Analytics guide.
Frequently Asked Questions
Is Google Analytics banned in Europe?
No, not anymore. Google Analytics was effectively banned by several DPAs in 2022 due to the lack of a legal framework for EU-US data transfers. Since the adoption of the EU-US Data Privacy Framework in July 2023, GA4 can be used legally — but only with proper cookie consent. The consent requirement is separate from the data transfer question and remains strictly enforced.
Do I need consent for GA4 if I enable IP anonymization?
Yes. IP anonymization addresses data protection concerns about identifiable data, but it does not remove the need for cookie consent. GA4 sets cookies (_ga, _gid) on the user's device, which requires opt-in consent under the ePrivacy Directive regardless of what happens to the IP address.
Can I use Google Analytics without a cookie banner?
No — not if EU visitors can access your website. The only way to track EU visitors without consent is to use a cookieless analytics tool that doesn't set cookies and processes data exclusively in the EU.
How do I check if GA4 loads before consent on my site?
Use PrivacyChecker to scan your website. It detects whether tracking scripts (including GA4) fire before the user interacts with the consent banner. You can also check manually by opening your site in an incognito window and inspecting cookies before clicking anything.