Google Analytics 4 is not GDPR-compliant by default. It processes personal data, including pseudonymous client IDs and behavioral events, and transfers that data to US-based servers. You can use GA4 compliantly by gating it behind consent, enabling Google Consent Mode v2, accepting Google's Data Processing Terms, and configuring GA4's privacy settings.
This article covers what GDPR requires from anyone running GA4. It walks the five-step configuration, where the EU-US data transfer issue stands in 2026, and the mistakes site owners make most.
Is Google Analytics GDPR Compliant? The Short Answer
GA4 is not compliant or non-compliant on its own. Compliance depends entirely on how you configure and deploy it.
Google's own documentation states the split plainly. "Google Analytics is a data processor under GDPR because Google Analytics collects and processes data on behalf of our clients, pursuant to their instructions. Our customers are data controllers who retain full rights over the collection, access, retention, and deletion of their data."
That distinction decides who is liable. Google handles the data on your behalf. You are the data controller: you determine why and how visitor data is collected, so every GDPR obligation falls on you, not Google.
Compliant GA4 use rests on two distinct duties. Consent is yours to collect (the CMP's job), and the lawful EU-to-US transfer runs on Google's Data Privacy Framework certification (Google's job). The five-step configuration below covers both: consent gating, Consent Mode v2, the Data Processing Terms, GA4's privacy settings, and policy disclosure.
What GDPR Requires From Anyone Using Google Analytics
Because you are the data controller, GDPR puts these obligations on your shoulders, not Google's. The rules apply whenever any of your visitors are located in the EEA or UK, regardless of where your business is based. A US company with any EEA visitors is in scope.
Here is what GDPR requires when you run GA4:
- A lawful basis for processing. GA4 sets non-essential analytics cookies and collects pseudonymous identifiers that count as personal data under GDPR. For analytics cookies, the only practical lawful basis for most sites is consent (freely given, specific, informed, and prior to data collection).
- Transparency. You must disclose that you run Google Analytics in your privacy policy and cookie policy: what it collects, why, how long you keep the data, and how visitors can withdraw.
- A data processing contract with Google. GDPR Article 28 requires a written agreement between you (the controller) and Google (the processor). Google provides this through its Data Processing Terms.
- A lawful EU-to-US transfer mechanism. GA4 sends data to Google's US servers. That transfer requires a legal basis under GDPR Article 45 or 46. Today that mechanism is the EU-US Data Privacy Framework, which Google is certified under.
- Data subject rights. You must be able to honor deletion requests. Google provides a User Deletion API for this purpose.
Google Analytics is one of many tools that need consent across your stack. The same consent rules apply to every other third-party tag or tracker you run.
How to Make Google Analytics GDPR Compliant (GA4)
Making GA4 compliant is a configuration job. Universal Analytics is retired, so older advice about enabling anonymizeIp no longer applies to GA4. The five steps below cover the current requirements.
- Block GA from loading until the visitor consents
- Enable Google Consent Mode v2
- Accept Google's Data Processing Terms
- Configure GA4's privacy settings
- Disclose GA in your privacy and cookie policies
Get Consent Before Google Analytics Loads
The single most common GDPR failure is loading GA before the visitor has consented to analytics cookies. Firing GA on page load without prior consent is a GDPR breach. GA sets its _ga cookie and processes personal data before any lawful basis exists.
The fix is a Consent Management Platform (CMP) or cookie banner. It blocks GA's script and prevents the _ga cookie from firing until the visitor actively opts in to analytics cookies. The gate must be real: not a notice-only banner, not a pre-checked checkbox.
For standard GA4 with EEA or UK visitors, there is no compliant alternative to prior consent. The jurisdiction of your visitors determines whether GDPR applies, not the jurisdiction of your company. WordPress sites typically load GA through a plugin or Google Tag Manager and must still wait for consent before any GA code fires.
Turn On Google Consent Mode v2
Google Consent Mode v2 is the mechanism Google uses to receive your visitors' consent choices and adjust GA4's behavior accordingly. Without it, GA4 either collects full data from non-consenting users (a breach) or collects nothing from them and leaves a gap in your reporting.
Consent Mode v2 communicates four consent states to Google via four parameters. analytics_storage controls whether GA4 may set analytics cookies, and ad_storage controls advertising cookies. ad_user_data controls whether user data may be sent to Google for advertising, and ad_personalization controls whether that data may fuel ad targeting.
Google enforced these four parameters for EEA and UK users from March 2024. Setups using only the original v1 parameters (analytics_storage and ad_storage) need updating to v2.
With consent denied, GA4 switches from cookie-based tracking to cookieless pings. Google uses those pings and its machine-learning models to estimate conversion behavior for users who declined. Google's documentation attributes "10% to 30%" data recovery to advanced Consent Mode. Practitioners caution that the figure varies widely by site, browser mix, and ad blocker usage.
The practical takeaway: you will see less data from users who decline, which is expected and correct. Consent Mode makes that absence compliant, not lossless.
Sign Google's Data Processing Terms
GDPR Article 28 requires a written data processing agreement between you and any processor handling personal data on your behalf. Google provides this through its Ads Data Processing Terms and the Google Analytics Data Processing Amendment.
To accept these terms, go to Admin, then Account Settings in your GA4 property. Accept the Data Processing Terms and the EU Data Transfer Addendum there. Without that acceptance, your use of GA4 lacks the required controller-processor contract, regardless of your consent setup.
Configure GA4's Privacy Settings (IP, Data Retention, Google Signals)
GA4 automatically drops IP addresses from EU, Swiss, and UK users before logging them, per Google's documentation. You do not need to enable a manual "anonymize IP" flag: that option was a Universal Analytics setting and does not exist in GA4. GA4 derives approximate location from the IP at collection time, then discards the raw IP before storage.
However, IP anonymization alone does not make GA4 compliant. GA4 still sets cookies and transfers the client ID, a pseudonymous unique identifier that qualifies as personal data under GDPR.
Two settings still need your review:
- Data Retention. GA4 offers 2-month and 14-month retention windows for user-level data. Set the shortest window that fits your reporting needs. Access this in Admin, then Data Settings, then Data Retention.
- Google Signals. Google Signals enables cross-device tracking by connecting signed-in Google accounts to your analytics. It is disabled by default in some setups but active in others. Review whether you have a legal basis for it, and disable it for EEA/UK users where you do not.
Disclose Google Analytics in Your Privacy and Cookie Policies
Your privacy policy and cookie policy must name Google Analytics as a processor. Describe what it collects: client ID, session data, event data, and approximate location. State your retention window and explain how visitors withdraw consent or opt out. Link your policy from the consent banner so visitors can read it before they choose.
Where Does the EU-US Data Transfer Issue Stand Now?
The EU DPA rulings against Google Analytics in 2021 and 2022 were triggered by one specific problem. The Court of Justice of the EU invalidated Privacy Shield in the Schrems II ruling (July 2020). After that, no valid legal mechanism existed for transferring EU personal data to US-based Google servers. The European Commission resolved this on July 10, 2023, by adopting an adequacy decision for the EU-US Data Privacy Framework.
Google LLC is a certified DPF participant. Its current status is Active, with re-certification due on September 13, 2026. The certification covers EU-US, UK Extension, and Swiss-US transfers. GA4 transfers to Google's US servers therefore fall under an adequacy decision and need no separate Standard Contractual Clauses.
The EDPB confirms the effect. An adequacy decision lets EU data flow to the United States with no further safeguard needed for DPF participants.
The DPF is a self-certification mechanism and remains open to legal challenge. Max Schrems and noyb have signaled they will challenge it (a potential Schrems III). The adequacy decision stands as of this article's date. If it is invalidated, GA4 transfers would again require separate SCCs.
The Austrian and French DPA rulings raise a separate question: whether Google Analytics is legal in the EU at all. That analysis is distinct from the compliance configuration this page covers.
Common Ways Sites Get Google Analytics GDPR Wrong
Most GDPR failures with GA4 trace to a short list of recurring mistakes. These six cause the bulk of them.
- Loading GA before consent. The most common breach. "It is just analytics" is not a legal argument. Any tag that sets cookies or collects personal data on EEA/UK visitors must wait for explicit consent.
- Assuming GA is compliant by default because Google is certified. Google's DPF certification handles the transfer mechanism. It does not grant you a lawful basis for processing, fulfill your consent obligation, or sign your DPA.
- Still using "anonymize IP" advice from the Universal Analytics era. That was a manual flag in UA. In GA4, EU/UK/CH IP anonymization is automatic. You do not need to enable it, but you still need consent: the client ID remains personal data.
- Skipping or misconfiguring Consent Mode v2. Sites that omit Consent Mode v2 either allow GA to run without a consent signal (breach) or lose all visibility into non-consenting users. Sites that configure only v1 parameters are missing the two v2 additions (
ad_user_dataandad_personalization) required for EEA/UK compliance since March 2024. - US-based sites assuming GDPR does not apply. GDPR's territorial scope turns on where your visitors are located, not where your business is registered. A US company with any EEA or UK visitors is in scope.
- Never accepting Google's Data Processing Terms. The controller-processor contract is a hard GDPR requirement. Running GA4 without accepted Data Processing Terms leaves this obligation unmet, regardless of your consent banner. The Meta Pixel has the same consent-before-load problem and also requires its own data processing terms. If you run Shopify stores, the same consent rules apply to GA there.
Is Google Analytics GDPR Compliant vs Legal? Two Different Questions
These are related but separate questions, and confusing them leads to wrong conclusions.
"Is GA4 GDPR-compliant?" asks about your configuration. Have you collected valid consent, signed the DPA, implemented Consent Mode v2, and set up your policies? That is what this page covers.
"Is GA legal in the EU?" asks whether GA can be used at all under EU data-transfer law. It turns on the 2021 to 2022 DPA enforcement wave and the risk of new legal challenges to the DPF. A common practitioner shorthand captures the split well: GA4 can be legal in the UK yet not compliant by default. Legal access and configuration compliance are different axes.
The DPF adequacy decision resolved the most acute version of the legality question. That broader question, including the Austrian and French DPA rulings and potential Schrems III challenges, belongs to a separate analysis covered elsewhere on this site.
How Consently Keeps Google Analytics Consent-Compliant
Consently puts a consent layer in front of Google Analytics, blocking GA until the visitor agrees and signalling their choice to Google automatically.
The step most sites get wrong is loading GA before consent is granted. Consently's cookie auto-blocking and script blocking hold GA's script and prevent the _ga cookie from firing until the visitor opts in to analytics cookies. That gate is what the GDPR and ePrivacy Directive require, and it is the step a notice-only banner or a pre-checked checkbox does not provide.
Consently's Google Consent Mode v2 support sends all four signals to Google automatically: analytics_storage, ad_storage, ad_user_data, and ad_personalization. These are enabled by default, with no manual gtag('consent') code required. When a visitor grants consent, Consently updates the consent state and GA4 begins tracking. When a visitor declines, GA4 switches to cookieless pings and Google's modeling fills the gap. The configuration lives at the CMP level, not in your GA4 setup or GTM container.
Consently also generates the privacy policy and cookie policy disclosures you need to document GA4 use. It keeps consent logs you can export for audit purposes. GDPR opt-in and US opt-out templates are included across all plans, starting with a 14-day free trial at no cost.
Start free with Consently and get your GA4 setup consent-ready today.
FAQs
Is Google Analytics GDPR compliant by default?
No. GA4 is not GDPR-compliant out of the box. The site operator makes it compliant. Consent-gate GA, enable Consent Mode v2, accept Google's Data Processing Terms, configure privacy settings, and disclose GA in your policies.
Can I use Google Analytics without a cookie banner?
Only if none of your visitors are in the EEA or UK, or if you switch to a consentless, cookieless analytics setup. Standard GA4 sets the _ga cookie and collects pseudonymous identifiers that qualify as personal data under GDPR. For EEA and UK visitors, prior consent collected through a banner is required.
Does Google Analytics 4 anonymize IP addresses?
GA4 does not log or store IP addresses from EU, Swiss, or UK users. It drops the IP before logging, at the data collection stage. This is automatic in GA4: there is no manual flag to enable, unlike in Universal Analytics where anonymizeIp: true was a required setting. IP anonymization does not eliminate the need for consent, because GA4 still sets cookies and transfers the client ID.
Is Google a data controller or data processor under GDPR?
Google is the data processor for Google Analytics. You, the site owner, are the data controller. As the controller, you carry the GDPR compliance obligations: lawful basis, consent, DPA acceptance, and data subject rights. Google processes the data on your behalf and per your configuration.
Do I need Google Consent Mode v2 for GDPR?
Yes, if you run Google Analytics or Google Ads for EEA or UK visitors. Consent Mode v2 is how you pass your visitors' consent choices to Google's tags. Without it, tags either fire without a consent signal or stop firing entirely, leaving your reporting and ad measurement broken. Google enforced v2 for EEA/UK users from March 2024.
Will Consent Mode v2 cause me to lose analytics data?
You will see less data from users who deny consent, which is expected. When consent is denied, GA4 sends cookieless behavioral pings instead of cookie-based tracking. Google uses those pings and machine-learning models to estimate conversions and behavior for non-consenting users. Google attributes some data recovery to advanced Consent Mode, though actual recovery varies by site, browser mix, and ad blocker usage. Less data from users who declined is a correct outcome, not a malfunction.
Is Google Analytics GDPR compliant in the UK?
The same rules apply under UK GDPR as under EU GDPR for most practical purposes. Google is certified under the UK Extension to the EU-US Data Privacy Framework, which covers UK personal data transfers to Google's US servers. You still need to consent-gate GA4, enable Consent Mode v2, and configure GA4 correctly for UK visitors. The configuration steps are identical to the EU requirements.

