No, not out-of-the-box. Google Analytics 4 (GA4) uses cookies, collects identifiers that qualify as personal data under GDPR, and transfers data to Google’s US servers. You can make it compliant – but it requires a proper consent banner, configuration changes, and a signed Data Processing Agreement.
GA4 is the most widely used analytics tool on the web, and for good reason. It’s powerful, it’s free, and it integrates with the entire Google ecosystem. But none of that makes it automatically legal in Europe.
What GA4 collects
GA4 collects more data than most people realise. Here’s the full picture:
| Data type | Details | Personal data? |
|---|---|---|
| Cookies | _ga, _ga_*, _gid – cookies that assign a unique identifier to each visitor | Yes |
| Client ID | A unique identifier stored in the _ga cookie, used to distinguish individual users across sessions | Yes |
| IP addresses | Collected during data transmission, even if Google says they’re anonymised later | Yes |
| Device & browser data | Screen resolution, language, operating system, browser type | Contributing factor |
| User behaviour | Pages visited, events triggered, time on site, conversions | When linked to Client ID |
| Google Signals | Cross-device tracking using data from users signed into their Google accounts (optional, but commonly enabled) | Yes |
| User-ID | Your own user identifiers, linked to GA4 data (optional) | Yes |
Under GDPR, personal data is any information that can identify or single out an individual – even indirectly. The Client ID in the _ga cookie does exactly that. It assigns a unique string to each browser, making every visitor individually trackable. That’s personal data, full stop.
The combination of Client ID, IP address, and device data creates a profile that can single out an individual visitor. You don’t need to know someone’s name for it to count as personal data – you just need to be able to distinguish them from everyone else.
GA4 vs. EU regulators
Google Analytics has had a difficult few years in Europe. Here’s the timeline:
- January 2022: The Austrian Data Protection Authority (DSB) ruled that a website’s use of Google Analytics violated GDPR, because personal data was being transferred to the US without adequate protection from US surveillance laws.[1]
- February 2022: France’s CNIL followed with a similar ruling, finding that transfers to the US via Google Analytics were illegal under Article 44 of GDPR. The authority noted that Google’s additional safeguards were “not sufficient to exclude the accessibility of this data for US intelligence services”.[2]
- June 2022: Italy’s Garante ruled that Google Analytics violated GDPR, explicitly identifying IP addresses as personal data and finding that Standard Contractual Clauses alone were insufficient. Website operators were given 90 days to comply.[3]
- July 2023: The EU adopted the EU-US Data Privacy Framework (DPF), providing a new legal mechanism for transferring data to certified US companies – including Google.[4]
- January 2025: Norway’s DPA published enforcement findings stating that EU residents’ data still lacked adequate protection when transferred to US-based services, and that unique user IDs, IP addresses, and browser parameters weren’t sufficiently protected by Google’s standard clauses.[5]
Watch out
The EU-US Data Privacy Framework currently provides the legal basis for GA4’s US data transfers, but this framework’s predecessors – Safe Harbor and Privacy Shield – were both struck down by the Court of Justice of the EU. Privacy activist Max Schrems and his organisation NOYB have signalled a potential ‘Schrems III’ challenge.[6]
How to make GA4 compliant
Regardless of the data transfer debate, these eight steps are essential for running GA4 legally in the EU. Even if the Data Privacy Framework holds, you still need consent for cookies and proper configuration.
- Block GA4 until you have consent: This is non-negotiable. The ePrivacy Directive requires consent for any non-essential cookie – and GA4’s cookies are categorised as analytics cookies, not strictly necessary. Your consent banner must prevent the GA4 script from loading entirely until the user actively opts in. The script must not fire.
- Set up Google Consent Mode v2: Since March 2024, Consent Mode v2 has been required for websites using Google services with EEA and UK users. It communicates your visitors’ consent choices to Google’s tags so they adjust their behaviour accordingly.
- Disable Google Signals (unless you have specific consent): Google Signals enables cross-device tracking by linking analytics data to users who are signed into their Google accounts. This is an additional layer of personal data processing that goes well beyond standard analytics. Unless you explicitly disclose this in your privacy policy and have specific consent for cross-device tracking, turn it off.
- Set data retention limits: GA4 retains user-level and event-level data for 14 months by default. Under GDPR’s storage limitation principle, you shouldn’t keep data longer than you genuinely need it. Review whether 14 months is proportionate for your purposes. If you only look at the last 3 months of data, there’s no justification for keeping 14.
- Audit for PII in custom events: GA4 doesn’t stop you from sending names, email addresses, phone numbers, or other personally identifiable information through custom event parameters. It’s your responsibility to make sure this doesn’t happen. Common mistakes include passing email addresses as event properties, including user names in page titles, or sending form data as custom dimensions. Audit your GA4 implementation regularly – especially after you add new event tracking.
- Sign Google’s Data Processing Agreement: Under GDPR Article 28, you need a Data Processing Agreement (DPA) with any service that processes personal data on your behalf. Google provides one, but you have to actively accept it. Go to GA4 Admin → Account Settings → scroll to ‘Google Ads Data Processing Terms’ and accept them. This is a legal requirement, not an optional extra.[8]
- Verify IP handling: Google states that GA4 does not log or store IP addresses for properties using their latest measurement approach.[7] However, IP addresses are still collected during data transit for geolocation purposes before being discarded. Verify your setup: in GA4, go to Data Streams → select your stream → Configure Tag Settings. Check that no settings are overriding the default IP handling. If you use server-side tagging, ensure your server-side container isn’t forwarding raw IPs to Google.
- Update your privacy policy: Your privacy policy must mention GA4 by name and cover:
  - What data GA4 collects (cookies, Client ID, behavioural data)
  - Why you use it (website analytics, performance measurement)
  - Your legal basis (consent, obtained via your cookie banner)
  - Where data goes (US – under the EU-US Data Privacy Framework)
  - How long data is retained (your configured retention period)
  - A link to Google’s privacy policy
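The consent gating, Consent Mode v2 defaults, Google Signals switch and PII audit described in the steps above, combined into one browser snippet. This is an added example, not code from the article or from Google: only the `gtag('consent' | 'config' | 'event', ...)` calls and the `allow_google_signals` field are Google's documented API; `GA4_MEASUREMENT_ID` is a placeholder, and `setDefaultConsent`, `injectGtagScript`, `onAnalyticsConsent`, `findPii` and `trackEvent` are names assumed here for illustration.

```javascript
// Added example: consent-gated GA4 bootstrap plus a PII guard on event parameters.
// Only the gtag('consent'/'config'/'event') calls are Google's documented API;
// all other names are assumptions for this illustration.
const GA4_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, use your own stream ID

// dataLayer/gtag shim as on any gtag.js page; also lets the example run offline.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Consent Mode v2: every signal denied until the visitor opts in. Must run
// before any 'config' call so the tags never set cookies ahead of consent.
function setDefaultConsent() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500, // ms to wait for a stored choice before acting on defaults
  });
}

// Browser loader: gtag.js is injected only when this is called, i.e. after opt-in.
function injectGtagScript(id) {
  const s = document.createElement('script');
  Object.assign(s, { async: true, src: 'https://www.googletagmanager.com/gtag/js?id=' + id });
  document.head.appendChild(s);
}

// Banner opt-in handler. loadScript is injectable so the flow can be tested headless.
let ga4Loaded = false;
function onAnalyticsConsent(loadScript = injectGtagScript) {
  gtag('consent', 'update', { analytics_storage: 'granted' });
  if (ga4Loaded) return false; // idempotent: never load or configure twice
  loadScript(GA4_MEASUREMENT_ID);
  gtag('js', new Date());
  gtag('config', GA4_MEASUREMENT_ID, { allow_google_signals: false }); // Google Signals off
  ga4Loaded = true;
  return true;
}

// PII audit: heuristic e-mail and phone-number patterns (constructed; tune to your data).
const PII_PATTERNS = [/[^\s@]+@[^\s@]+\.[^\s@]+/, /\+?\d(?:[\s().-]?\d){8,}/];
function findPii(params) {
  return Object.keys(params).filter((k) =>
    typeof params[k] === 'string' && PII_PATTERNS.some((re) => re.test(params[k])));
}
function trackEvent(name, params = {}) {
  const blocked = findPii(params);
  if (blocked.length === 0) gtag('event', name, params);
  return { sent: blocked.length === 0, blocked }; // report blocked keys to your own monitoring
}
```

Call `setDefaultConsent()` in the page head before any other tag, and wire `onAnalyticsConsent()` to the banner's opt-in button; route all custom events through `trackEvent` so a stray e-mail address in a parameter is dropped rather than sent.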
1. Austrian Data Protection Authority (DSB), Decision D155.027, 22 December 2021. NOYB summary and full decision.
2. Commission Nationale de l’Informatique et des Libertés (CNIL), February 2022. CNIL decision on Google Analytics.
3. Garante per la protezione dei dati personali, Decision of 9 June 2022. Garante ruling (Italian).
4. European Commission, Adequacy decision for the EU-US Data Privacy Framework, 10 July 2023. European Commission overview.
5. Norwegian Data Protection Authority (Datatilsynet), enforcement findings on Google Analytics, January 2025. Reported via OWOX analysis.
6. NOYB – European Centre for Digital Rights. Schrems III challenge to the EU-US Data Privacy Framework. NOYB; analysis via Kennedys Law.
7. Google, ‘How Google uses information from sites or apps that use our services’. Google Privacy & Terms; GA4 IP handling details via GA4 documentation.