Updated: June 2026
Are you concerned about making your Google Analytics setup compliant with GDPR? This guide explains the key steps to align your data collection practices with GDPR, from obtaining user consent to configuring Google Analytics settings. Stay compliant and protect user privacy with these actionable insights.
• GDPR compliance in Google Analytics requires businesses to manage data collection actively, obtain explicit user consent, and implement privacy protection measures to avoid legal issues.
• Key steps for GDPR compliance in Google Analytics include setting up data retention policies and enabling Consent Mode v2 to manage user consent. GA4 now anonymises IP addresses by default, removing a previously manual configuration step.
• Multiple EU data protection authorities – including those in Austria, France, Italy, Denmark, and Norway – ruled Google Analytics non-compliant with GDPR between 2022 and 2023, citing unlawful data transfers to US servers. The legal framework for those transfers has since changed, but enforcement risk remains if organisations have not updated their setup.
• Businesses can consider GDPR-compliant alternatives to Google Analytics to reduce compliance complexity and protect user privacy.
The General Data Protection Regulation (GDPR), enacted by the EU on May 25, 2018, governs how businesses collect and process personal data of EU residents. Its requirements apply to any organisation using Google Analytics on a website accessible to EU users, regardless of where the organisation is based.
Google Analytics does not comply with GDPR on its own. Businesses must actively manage the data they collect and configure their systems to meet the regulation’s requirements. Proactive configuration is necessary to avoid fines and legal challenges.
Organisations must obtain explicit user consent and configure their Google Analytics settings appropriately. This means understanding what data Google Analytics collects and implementing the appropriate mechanisms for consent, retention, and data transfer.
Between January 2022 and early 2023, several EU data protection authorities investigated the use of Google Analytics following 101 coordinated complaints filed by the privacy advocacy group NOYB. The rulings were consistent: using Google Analytics without additional safeguards violated GDPR because the tool transfers personal data – including IP addresses and unique identifiers – to Google’s US servers, where US intelligence agencies could access them under FISA 702.
Austria’s DSB was first, issuing its decision on 22 December 2021 (published publicly on 13 January 2022). France’s CNIL followed on 10 February 2022, issuing formal notices to organisations using the tool and giving them one month to bring their setup into compliance. Italy’s Garante ruled the same way in June 2022. Denmark and Norway issued similar findings later that year and into 2023.
The enforcement landscape shifted in July 2023 when the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework, under which Google has certified. This provides a legal basis for the data transfers that previously triggered the rulings. Organisations that have not updated their configuration since 2022 should review whether they have taken advantage of the framework’s protections.
Google Analytics is a tool that collects data to provide insights into website user behaviour. This data includes pages viewed, time spent on the website, clicked links, and cookie data. Under GDPR, these data collection practices require a lawful basis and proper consent mechanisms.
Cookies play a central role in Google Analytics data collection, extracting types of personal data such as IP addresses, device information, user IDs, and transaction IDs. This data helps organisations understand user interactions but raises significant privacy obligations. Google Analytics requires explicit user consent to track personal data, particularly for EU users.
Obtaining valid user consent means clearly and specifically informing users about the data being collected and the purposes for which it is used. If a user denies consent or blocks cookies in their browser, Google Analytics will not collect data from that user’s session. Without this consent, businesses risk non-compliance and the associated legal consequences.
Three configuration steps are central to GDPR-compliant use of Google Analytics: confirming IP address handling, setting data retention policies, and enabling Consent Mode v2. Google Analytics 4 (GA4) addresses one of those steps automatically, but the others require deliberate configuration.
In Google Analytics 4, IP addresses are anonymised by default. Google does not log IP addresses at all in GA4 – they are used transiently to derive location data and then discarded. This is a change from Universal Analytics, where IP anonymisation required manual configuration of the tracking code.
If your organisation migrated from Universal Analytics to GA4, you no longer need to apply IP anonymisation settings. The protection is built in. Verify in your GA4 property settings that you are using the standard data collection configuration and have not enabled any extensions that restore full IP logging.
Data retention policies in Google Analytics are important for GDPR compliance. Website owners can manage how long user data is retained. Standard GA4 properties offer two options: 2 months or 14 months. This flexibility aligns with the GDPR’s storage limitation principle.
To schedule data deletion requests, navigate to Admin > Property > Data Deletion Requests; a pending request can be reviewed or cancelled during the 7-day window before deletion begins. Changing data retention settings does not affect standard reporting but may affect ad hoc reports and historical data access.
Setting appropriate retention periods and managing data deletion requests helps ensure personal data is not kept longer than necessary – a core GDPR requirement.
Google Consent Mode v2 is Google’s mechanism for adjusting data collection based on user consent status. It works with third-party or custom consent management platforms, allowing organisations to configure flexible user consent experiences.
The March 2024 deadline for implementing Consent Mode v2 has passed. Organisations that have not yet implemented it are operating outside Google’s requirements for EU traffic and may be collecting and processing data without a valid consent signal. Consent Mode v2 controls user consent for advertising data and personalised advertising, ensuring that data is collected only with explicit user consent. Organisations that have not yet made the switch should treat this as an immediate compliance gap.
Integrating a Google-certified consent management platform (CMP) is necessary to use Consent Mode v2 and ensure comprehensive compliance. Google’s CMP partner list includes several certified providers that handle the technical integration.
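The following is an added example, not code from the original article, from Google, or from any CMP vendor. It shows the Consent Mode v2 sequence described above as it appears on the page side: the default state is set to denied before any GA4 tag fires, a CMP decision is then translated into an update, and a small audit helper checks that the order was correct. It assumes only the standard `gtag()` snippet pattern (calls pushed onto a `dataLayer` array); `onCmpDecision`, `simulatePageLoad` and the `G-PLACEHOLDER` measurement ID are hypothetical stand-ins.

```javascript
// Consent Mode v2 default/update flow with a local stand-in for window.dataLayer.
// Added example; assumes the standard gtag() snippet shape, nothing vendor-specific.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); } // same shape as Google's snippet

// The four Consent Mode v2 signal types. ad_user_data and ad_personalization are the
// v2 additions; analytics_storage gates GA4 cookies and stored analytics data.
const CONSENT_TYPES = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Step 1: defaults must be pushed before any config/tag call, with every type denied.
// wait_for_update gives the CMP a short window to deliver a previously stored choice.
function setDefaultConsent(regions, waitMs = 500) {
  const cmd = { wait_for_update: waitMs };
  for (const t of CONSENT_TYPES) cmd[t] = 'denied';
  if (regions) cmd.region = regions; // e.g. ['AT', 'DE']; omit to apply to all visitors
  gtag('consent', 'default', cmd);
  return cmd;
}

// Step 2: map the CMP decision onto an update. Only categories the user explicitly
// granted become 'granted'; anything absent stays denied (no pre-ticked defaults).
function applyConsentDecision(decision) {
  const update = {};
  for (const t of CONSENT_TYPES) update[t] = decision[t] === true ? 'granted' : 'denied';
  gtag('consent', 'update', update);
  return update;
}

// Hypothetical CMP callback: the banner passes the user's choice as booleans.
function onCmpDecision(choice) { return applyConsentDecision(choice); }

// Audit helper: the effective state is the default merged with every later update.
function effectiveConsent() {
  let state = null;
  for (const args of dataLayer) {
    if (args[0] !== 'consent') continue;
    state = state || {};
    for (const t of CONSENT_TYPES) if (args[2][t] !== undefined) state[t] = args[2][t];
  }
  return state;
}

// Audit helper: true only if a consent default was pushed before the first config call.
function consentDefaultBeforeConfig() {
  let defaultIdx = -1, configIdx = -1;
  dataLayer.forEach((args, i) => {
    if (defaultIdx < 0 && args[0] === 'consent' && args[1] === 'default') defaultIdx = i;
    if (configIdx < 0 && args[0] === 'config') configIdx = i;
  });
  return defaultIdx >= 0 && (configIdx < 0 || defaultIdx < configIdx);
}

// Simulated page load in the correct order: default -> config -> CMP decision.
function simulatePageLoad(choice) {
  dataLayer.length = 0;
  setDefaultConsent(undefined, 500);
  gtag('js', new Date());
  gtag('config', 'G-PLACEHOLDER'); // placeholder measurement ID, not a real property
  return onCmpDecision(choice);
}
```

A common misconfiguration is placing the `gtag('config', ...)` call in the page head before the consent default is pushed; `consentDefaultBeforeConfig()` is the check an audit script would run against the live `dataLayer` to catch that.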
Managing user consent is the practical centre of GDPR compliance for Google Analytics. Organisations need mechanisms that make it easy for users to grant or revoke consent, and systems that stop data collection when consent is not given.
A GDPR-compliant cookie banner must clearly state the types of cookies used and the purpose of data collection, and provide users with options to grant or revoke consent before any tracking begins. Transparency in this process is required to maintain user trust and comply with the GDPR. Pre-ticked boxes and consent obtained as a condition of access do not meet GDPR standards.
Tools like Cookiebot and Secure Privacy offer solutions for creating and managing cookie consent banners. These platforms automate the process of obtaining and storing user consent, helping businesses comply with GDPR requirements. In Germany, for example, organisations must obtain explicit user consent for data tracking, as required by local regulations.
Your privacy policy must disclose Google Analytics usage, detail data collection practices, provide cookie information, outline opt-out options, and explain data processing, including retention and sharing specifics.
Under GDPR, users must be informed about the specific purposes of data processing when they consent to cookies. Transparency in these practices is required to maintain user trust and comply with GDPR. Generic consent statements and vague descriptions of “analytics tools” rarely satisfy data protection authorities’ expectations.
Handling data transfers between the EU and the US is a central compliance question for Google Analytics, as the tool routes data through US-based servers.
The EU-US Data Privacy Framework, adopted by the European Commission in July 2023, provides the current legal basis for these transfers. Google is certified under the framework, which means organisations using Google Analytics can rely on that certification to satisfy GDPR’s cross-border transfer requirements – provided they also enter into a Data Processing Agreement (DPA) with Google and implement appropriate configuration.
The framework’s legal durability is not fully settled. A challenge at the EU General Court was dismissed in September 2025, but the claimant appealed to the Court of Justice of the EU in October 2025 (Case C-703/25 P). That appeal is pending. Organisations should continue relying on the DPF for now while monitoring whether the CJEU issues any ruling that would affect the adequacy decision. US surveillance laws remain a concern for European data protection authorities, and website operators should implement standard contractual clauses alongside DPF certification as a belt-and-braces approach.
Minimising data sharing and processing risks is important for GDPR compliance. The French CNIL has suggested using a properly configured proxy to control data flow and reduce data-sharing risks.
In Google Analytics, data sharing with third parties can be limited by unchecking relevant checkboxes under Data Sharing Settings in the admin panel. This may mean losing features like personalised retargeting and demographic data reports, but it reduces compliance risk.
Demographics and Interest reports cannot be shared unless user consent has been obtained for Google Analytics use. Limiting data-sharing settings helps protect user privacy and aligns with GDPR requirements.
Server-side tracking improves user privacy by processing data on the server before it reaches Google’s servers. This approach lets the operator pseudonymise or remove personally identifiable information before it is passed to analytics systems.
Server-side tracking uses a data capture platform to process user data on the server, pseudonymising it before forwarding it to tools like Google Analytics. This gives businesses more control over what data is collected and processed and reduces the risk of raw personal data being transmitted to third parties without adequate safeguards.
Businesses seeking GDPR-compliant analytics have several options. Tools like Matomo, Simple Analytics, and Plausible Analytics offer privacy-friendly options that prioritise GDPR compliance.
Matomo offers both cloud-hosted and self-hosted options, giving users complete control over data privacy and compliance. Simple Analytics delivers insights without collecting personal information, which removes most GDPR consent obligations. Plausible Analytics is lightweight and does not use cookies, meaning it typically does not require a consent banner. Fathom Analytics is another option that processes no personal data, aligning with GDPR standards.
Many organisations have adapted their Google Analytics setups to meet GDPR requirements. WPForms, for example, integrated GDPR enhancements into its WordPress forms to ensure compliance, demonstrating how standard tools can be adapted to meet regulatory requirements.
Best practices from successful implementations include regular audits, effective consent management, and data minimisation. Regular audits verify that consent signals flow correctly to GA4, that retention settings match documented policies, and that no unexpected data sharing has been enabled.
Google Analytics requires explicit consent from UK users under the Privacy and Electronic Communications Regulations (PECR). Using it is legal, but compliance with consent requirements is not optional.
Yes. Google Analytics collects personal data from website visitors and transmits it to US servers, where it may be accessible to US authorities. This prompted the enforcement rulings from multiple European DPAs in 2022 and 2023. The EU-US Data Privacy Framework provides a legal mechanism for data transfer. Still, the underlying concern about US surveillance access has not been resolved – it has been addressed through a legal framework whose durability depends on ongoing CJEU proceedings.
Google Analytics collects personal data through cookies and tracking user interactions, including pages viewed, time spent on the site, clicked links, IP addresses, device information, and user IDs. Explicit user consent for this data collection is required under GDPR.
The key steps are: verify GA4’s default IP anonymisation is in place, set appropriate data retention periods, implement Consent Mode v2 through a certified CMP, deploy a compliant cookie banner, update your privacy policy, and enter into a Data Processing Agreement with Google. Organisations that have not reviewed their setup since before the March 2024 Consent Mode v2 deadline should treat an audit as a priority.
About the Author
Ana Mishova
Sales and Business Development Consultant — GDPRLocal
Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.