Google Analytics is legal to use under GDPR, but it is not compliant by default. You become compliant by getting explicit consent before it fires. You also need Google's signed Data Processing Terms and a disclosure in your privacy and cookie policies. Several EU regulators have ruled specific setups unlawful since 2022, but none has banned the tool itself.
Is Google Analytics Legal Under GDPR? The Short Answer
Google Analytics is legal to use in the EU and UK. It is not GDPR compliant out of the box, because it collects personal data and, without safeguards, sends it to US servers. Three laws decide whether your setup is lawful. They are the GDPR, the ePrivacy Directive that requires cookie consent, and US state rules like the CCPA. The 10 July 2023 EU-US Data Privacy Framework restored a lawful transfer path. You still have to configure consent, policies, and Google's data terms yourself.
| Legal to use | Compliant by default | |
|---|---|---|
| Verdict | Yes, no regulator has banned the tool | No, compliance depends on your setup |
| Why | Google is a GDPR data processor with a lawful transfer mechanism (the DPF) | GDPR requires consent, disclosure, and a signed Data Processing Agreement |
| Who is responsible | Google, for its role as processor | You, as the data controller running the site |
Legal vs GDPR Compliant: Why the Difference Matters
Legal means no blanket ban exists and a lawful EU-to-US transfer mechanism is currently in force. Compliant means your specific installation meets GDPR's consent, transparency, and data-minimization duties. Google Analytics can be both, or legal and still non-compliant, depending entirely on how you configure it.
The distinction matters because most site owners hear about the 2022 rulings and assume Google Analytics is off-limits everywhere. It is not. The rulings targeted specific unconsented setups that transferred EU visitor data to US servers without adequate safeguards, not the software itself.
Responsibility sits with you, not Google. Google supplies data-processor terms, IP-address handling, and consent-signaling tools. You decide whether visitors see a consent banner before tracking starts. You also decide whether your privacy policy discloses Google Analytics, and whether you have accepted Google's Data Processing Terms. Skip any of those three, and the setup is non-compliant regardless of the DPF's status.
What Data Does Google Analytics Collect That GDPR Cares About?
Google Analytics collects online identifiers that GDPR treats as personal data: IP addresses (used for geolocation, not stored), client IDs, cookie identifiers, and device IDs. GDPR classifies these as personal data because they can identify or single out an individual visitor, even without a name attached.
Google Analytics 4 collects and processes several identifier types:
-
Client ID
-
Cookie identifiers
-
IP address
-
Device and browser data
GDPR classifies pseudonymized identifiers like the client ID as personal data, not anonymous data. Google or a determined third party could still link them back to an individual with additional information. That is why consent, not just anonymization, is the legal requirement.
Why Was Google Analytics Ruled Illegal in Europe?
EU regulators did not ban Google Analytics by name. They ruled that transferring EU visitor data to US servers, where US surveillance law can reach it, lacked adequate safeguards after the Schrems II decision. Specific setups became unlawful as a result. Three national authorities issued the core 2022 rulings; several more followed with similar findings.
The EU-US Data Transfer Problem (Schrems II)
The 2020 Schrems II ruling invalidated the EU-US Privacy Shield, the transfer agreement companies relied on before it. The Court of Justice of the European Union found that US surveillance laws let American authorities access EU personal data without a comparable judicial remedy. Google Analytics sends visitor data to US servers, so it inherited this transfer problem the moment Privacy Shield fell.
The 2022 DPA Rulings: Austria, France, and Italy
Three national data protection authorities ruled Google Analytics transfers unlawful in 2022. Each cited the same Schrems II transfer gap. The table summarizes the three rulings.
| Regulator | Date | Finding |
|---|---|---|
| Austrian DSB | 13 January 2022 | Rejected Google's technical safeguards as ineffective against US surveillance; the first of 101 related complaints filed by noyb across the EU |
| French CNIL | 10 February 2022 | Found the transfers breached GDPR Article 44 and ordered a site operator to stop using Google Analytics within one month |
| Italian Garante | June 2022 | Banned Google Analytics use where no adequate transfer safeguard was in place |
Denmark and Norway's data protection authorities issued similar findings against the same era of Google Analytics setups shortly after. Sweden's IMY went further on 3 July 2023. It fined Tele2 roughly 1 million EUR and CDON 300,000 SEK for continued unlawful use. That was the first major monetary penalty tied directly to Google Analytics, not just a corrective order.
The 2023 Data Privacy Framework (and Why It Is Not the Final Word)
The EU-US Data Privacy Framework, adopted on 10 July 2023, restored a lawful transfer mechanism, and Google self-certified under it. That gave companies a legal basis to resume EU-to-US Google Analytics transfers that the 2022 rulings had cut off.
The framework is not settled law. Max Schrems and noyb challenged it from the start. The US Supreme Court ruled 6-3 in Trump v. Slaughter on 29 June 2026 that the Federal Trade Commission is no longer constitutionally independent. The European Commission's adequacy decision cites that FTC independence 259 times as its enforcement backbone. Noyb has formally asked the Commission to withdraw the adequacy decision and plans a fresh annulment case at the Court of Justice.
The Data Privacy Framework remains legally in force today. The European Commission has not repealed it and the Court has not annulled it, so no immediate change hits an existing Google Analytics setup. But it is the third EU-US transfer deal in a row, after Safe Harbour and Privacy Shield, to come under direct legal threat. Treating it as a permanent safe harbor is a mistake site owners keep making.
Is Google Analytics 4 Different from Universal Analytics?
Yes. The 2022 rulings targeted Universal Analytics, the version Google shut down in July 2023, not Google Analytics 4. GA4 uses an event-based data model and does not log or store IP addresses by default. It also added regional data processing, which narrows the transfer concern the 2022 rulings raised.
GA4's changes reduce risk without eliminating it. The platform still collects client IDs and cookie identifiers that count as personal data. It also still depends on the Data Privacy Framework for any EU-to-US transfer that does occur. A GA4 property with no consent banner and no Data Processing Agreement carries the same core violation the 2022 rulings targeted. It transfers EU personal data without a lawful basis or visitor consent.
How to Use Google Analytics Legally Under GDPR
Five actions make a Google Analytics setup GDPR compliant. The single most important rule leads: nothing should fire before consent.
Get Explicit Consent Before Any Tag Fires
Google Analytics needs opt-in consent before it loads or drops cookies on an EU or UK visitor. Legitimate interest does not work as a legal basis here. Regulators treat analytics cookies as non-essential, so the ePrivacy rules require prior opt-in, not a balancing test. A banner that appears on screen while tags have already fired is the most common compliance failure. The visitor never had a real chance to say no first. Use a consent management platform that blocks Google Analytics, along with every other non-essential script and iframe, until the visitor actively consents.
Set Up Google Consent Mode
Google Consent Mode v2 passes a visitor's consent choice to Google tags so Google Analytics adapts its behavior in real time. Basic mode blocks all Google tags entirely until consent is granted. Advanced mode lets tags load before consent but sends cookieless pings and uses modeled conversions to fill data gaps for visitors who decline.
Sign Google's Data Processing Terms
Accept Google's Data Processing Terms and the EU Data Transfer Addendum inside the Google Analytics Admin panel. This step binds Google as your data processor under a formal agreement, which GDPR requires whenever you outsource data processing to a third party.
Update Your Privacy and Cookie Policies
GDPR Article 13 requires you to disclose that you use Google Analytics, what data it collects, why, and how visitors can opt out. Name a concrete opt-out route, such as Google's own Analytics Opt-out Browser Add-on, alongside the consent controls on your own site. Your cookie policy must list the specific Google Analytics cookies your site sets. If you are unsure whether your site needs one at all, see do i need a cookie policy.
Tighten Your Data Settings
Inside Google Analytics, three settings reduce your exposure further:
-
Keep IP anonymization active; GA4 already avoids storing full EU IP addresses by default
-
Shorten your data retention window instead of leaving it at the maximum
-
Disable Google Signals and ad personalization if you do not use remarketing, since both add third-party profiling you likely do not need
What Happens If You Get It Wrong? Fines and Lawsuits
Two real exposures follow an unconsented Google Analytics setup. In the EU, data protection authorities can fine controllers directly for unlawful transfers or firing Google Analytics before consent, as Sweden's IMY did in 2023. In the US, tracking that fires before consent has fed a wave of statutory-damages lawsuits under wiretapping-style laws.
-
EU regulatory fines
-
US pixel and cookie lawsuits
-
Meta Pixel-style claims
One small e-commerce owner described the exact failure mode on Reddit. A plaintiff demanded 25,000 dollars because a couple of pixels fired before their cookie consent banner had fully loaded. The banner was visibly present in the plaintiff's own screenshots.
US plaintiffs bring these claims under wiretapping statutes like what is CIPA, seeking statutory damages per visit rather than proof of actual harm. The owner did not recognize two of the flagged pixels; they came from a long-deactivated app. That is a reminder that an unaudited script can create liability nobody remembers adding.
How Consently Keeps Your Google Analytics Setup Compliant
Consently blocks Google Analytics and every other non-essential tag until a visitor consents. It then signals Google Consent Mode v2 automatically so measurement resumes for anyone who accepts. That auto-blocking targets the exact failure mode behind both the EU DPA rulings and the US pixel lawsuits above. The problem is tags firing before consent, not the analytics tool itself.
Consently scans your site for every cookie, script, and iframe, then blocks the non-essential ones automatically until a visitor makes a choice. It handles the Google Consent Mode v2 signals, ad_storage, analytics_storage, ad_user_data, and ad_personalization, without you hand-coding gtag consent logic. Consently's cookie and privacy policy generators cover the disclosure requirement Article 13 imposes, so the policy update step above does not need a separate tool.
Site owners with visitors across regions can apply GDPR opt-in consent for the EU and a separate model for other regions from the same dashboard. Every visitor then sees the consent flow their jurisdiction actually requires. Start free to set up consent-gated Google Analytics tracking in one pass.
FAQs
Is Google Analytics illegal?
No. It is legal to use, but not GDPR compliant by default. Specific unconsented setups that transferred EU data to US servers were ruled unlawful by regulators in Austria, France, Italy, and Sweden, not the tool itself.
Do I need consent for Google Analytics under GDPR?
Yes. Google Analytics sets cookies and collects personal data such as client IDs. GDPR and the ePrivacy rules both require prior opt-in consent before it fires.
Is Google Analytics 4 GDPR compliant by default?
No. GA4 improved on Universal Analytics by not storing EU IP addresses and adding regional processing. It still needs consent, a signed Data Processing Agreement, and policy disclosure to be compliant.
Can I use Google Analytics without a cookie banner?
Not compliantly in the EU or UK. Without a consent banner, Google Analytics firing before a visitor's choice breaches both GDPR and ePrivacy consent requirements.
Is Google Analytics legal in the UK after Brexit?
Yes, under UK GDPR and PECR, the UK's ePrivacy-equivalent law. The same consent, disclosure, and data-terms requirements apply as in the EU.
Does Google Analytics anonymize IP addresses?
Google Analytics 4 does not log or store IP addresses during collection, which goes further than the IP anonymization setting Universal Analytics required. Other identifiers, like client IDs and cookie values, still count as personal data.
Is Google Signals GDPR compliant?
Only with consent and disclosure. If you do not use Google Signals for remarketing or cross-device reporting, disabling it removes an extra layer of third-party profiling. That reduces your compliance exposure.
What are the GDPR alternatives to Google Analytics?
Privacy-focused, EU-hosted analytics tools exist as alternatives. Whichever platform you choose, you still owe visitors consent and disclosure under GDPR; the compliance requirement follows the data you collect, not the vendor's headquarters.

