Is Google Analytics GDPR Compliant? (The Honest Answer)
Multiple EU data protection authorities have ruled Google Analytics illegal. GA4 improved some things, but it is still not GDPR-compliant by default. Here is what you need to know — and what to do about it.
The Short Answer
- No, Google Analytics is not GDPR-compliant by default. GA4 still uses cookies, transfers data to the US, and retains identifiers that constitute personal data under EU law.
- Data protection authorities in Austria, France, Italy, Denmark, Finland, and Norway have all ruled Google Analytics use illegal on specific websites.
- Google now relies on the EU-US Data Privacy Framework, adopted in 2023, but legal experts expect it to face the same fate as Privacy Shield — another invalidation by the CJEU.
- You can reduce risk with consent mode and server-side proxying, but full compliance is complex, fragile, and ongoing.
- The simplest path to GDPR-compliant analytics is switching to a cookieless, privacy-first tool like Copper Analytics.
Timeline of EU Rulings Against Google Analytics
The legal trouble for Google Analytics in Europe did not happen overnight. It was the result of a coordinated wave of complaints filed by the privacy advocacy group noyb (None of Your Business), founded by Max Schrems, who also brought down the EU-US Privacy Shield in the landmark Schrems II ruling of July 2020.
After the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, noyb filed 101 identical complaints across every EU member state, targeting websites that continued using Google Analytics and Facebook Connect. The responses from national data protection authorities (DPAs) followed one by one — and the verdicts were unanimous.
The Rulings
- January 2022 — Austria (DSB): The Austrian DPA was the first to rule. It found that a health-focused website's use of Google Analytics violated GDPR because visitor data (including IP addresses and cookie identifiers) was transferred to Google servers in the United States without an adequate legal basis. IP anonymization was in place but was deemed insufficient.
- February 2022 — France (CNIL): The CNIL ruled that a major French website's use of Google Analytics was illegal. The CNIL explicitly stated that the supplementary measures implemented (including pseudonymization and encryption) were not effective enough to prevent US intelligence agencies from accessing the data. The website was given one month to comply.
- June 2022 — Italy (Garante): Italy's data protection authority ruled against a web publisher, echoing the Austrian and French decisions. The Garante gave a 90-day deadline to bring the website into compliance or stop using Google Analytics entirely.
- September 2022 — Denmark (Datatilsynet): The Danish DPA concluded that Google Analytics could not be used lawfully without effective supplementary measures to protect data transferred to the US. The authority went further, issuing guidance that Standard Contractual Clauses alone were insufficient.
- November 2022 — Finland (Tietosuojavaltuutettu): Finland joined the growing list, ruling that a Finnish website's use of Google Analytics constituted an unlawful transfer of personal data to a third country.
- 2023 — Norway (Datatilsynet): The Norwegian DPA issued a preliminary decision finding Google Analytics use non-compliant, adding another Scandinavian jurisdiction to the list of those where GA is on shaky legal ground.
These are not fringe opinions. They represent a pan-European consensus among independent regulatory bodies. The European Data Protection Board (EDPB) coordinated many of these investigations through a dedicated task force, ensuring consistency in their analysis.
Key Point
Every EU DPA that has examined Google Analytics has found it non-compliant. Not a single authority has ruled in Google's favor. The legal risk is not hypothetical — it has been confirmed by regulators across the continent.
Why GA4 Still Has GDPR Problems
Google replaced Universal Analytics with GA4 in July 2023, and one of the stated goals was to improve privacy. GA4 does offer some improvements — IP addresses are no longer logged by default, and there are more granular data controls. But the fundamental GDPR issues remain.
1. US Data Transfers
GA4 data is processed on Google's infrastructure, which is predominantly based in the United States. Even when Google claims to process EU data on European servers, the data is still accessible to the US-based parent company and, by extension, to US intelligence agencies under FISA Section 702 and Executive Order 12333.
Google now relies on the EU-US Data Privacy Framework (DPF), adopted in July 2023, as the legal basis for transatlantic data transfers. However, noyb and other privacy experts have already challenged the DPF, arguing it suffers from the same structural flaws that led the CJEU to strike down both Safe Harbor and Privacy Shield. A new CJEU challenge is widely expected, and many legal commentators predict the DPF will eventually be invalidated (“Schrems III”).
2. Cookies and Unique Identifiers
GA4 still sets first-party cookies by default (the _ga cookie, among others). Under the ePrivacy Directive — which works alongside GDPR — any non-essential cookie requires explicit, informed, freely given consent before it is placed on a visitor's device. This means you need a fully GDPR-compliant consent banner that blocks GA4 until the user actively clicks “Accept.”
In practice, 30% to 70% of visitors decline or ignore consent banners, depending on geography and implementation. That means GA4 sees only a fraction of your actual traffic, creating a massive data gap that undermines the entire purpose of analytics.
3. Google Retains and Uses Your Data
Even with GA4's improved privacy settings, Google retains analytics data for its own purposes. Google's terms of service allow it to use aggregated analytics data for benchmarking, product improvement, and advertising insights. Under GDPR's principle of purpose limitation, data collected for your website analytics should not be repurposed by Google for its own commercial interests without separate, explicit consent from your visitors.
Furthermore, GDPR's concept of joint controllership means that if Google processes your visitors' data for its own purposes, both you and Google may be considered joint data controllers — increasing your legal exposure significantly.
Why IP Anonymization Is Not Enough
GA4 no longer logs full IP addresses, which Google touts as a privacy improvement. But the Austrian DPA specifically ruled that IP anonymization alone does not achieve GDPR compliance. The cookie identifiers, client IDs, and other metadata GA4 still collects are themselves personal data under EU law. Removing the IP does not remove the problem.
Can You Make GA4 GDPR-Compliant?
Google and many marketing agencies will tell you that GA4 can be made GDPR-compliant with the right configuration. That is possible in theory, but the reality is far more complex. Here are the common approaches and why each falls short on its own.
Google Consent Mode v2
Consent Mode allows GA4 to adjust its behavior based on a visitor's consent status. When consent is denied, GA4 sends “cookieless pings” to Google instead of setting cookies. Google then uses machine learning to model the missing data and fill gaps in your reports.
The problems: First, the cookieless pings still transmit data to Google servers in the US, including the page URL, user agent, and screen resolution — which some DPAs have argued can constitute personal data in combination. Second, you are trusting Google's black-box modeling to accurately represent your real traffic, with no way to verify. Third, you still need a compliant consent banner for the users who do consent.
Server-Side Proxying
You can route GA4 data through your own EU-based server before it reaches Google. This allows you to strip identifiers, anonymize data, and control what Google sees. The CNIL specifically mentioned this as a potential supplementary measure.
In practice, server-side proxying is expensive, technically complex, and requires ongoing maintenance. You need to ensure the proxy truly removes all personal data before forwarding — and if you strip too much, GA4's reports become largely meaningless. You also need specialized DevOps expertise to set up and maintain the infrastructure.
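To make the stripping step concrete, here is an added example (not Copper Analytics' or Google's code) of the sanitising filter such an EU proxy must apply to every hit before forwarding it, plus the audit check that confirms nothing personal is left. The parameter names (cid, uid, uip, _gid, dl, sr) and header names are assumptions standing in for whatever the proxied request format actually uses.

```python
"""Sanitising step for an EU-hosted analytics proxy (added example).

Parameter and header names are assumptions: cid/uid/uip stand for client,
user and IP-override identifiers, dl for the page URL, sr for screen
resolution. Adjust them to the request format you actually proxy.
"""
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Assumed query parameters that carry a stable identifier for one visitor.
IDENTIFIER_PARAMS = {"cid", "uid", "uip", "_gid"}
# Request headers that would reveal the visitor's IP, device or cookies upstream.
FORBIDDEN_HEADERS = {"x-forwarded-for", "forwarded", "x-real-ip", "cookie", "user-agent"}


def strip_url(url: str) -> str:
    """Drop query string and fragment: they often carry e-mails, names or tokens."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def sanitize_hit(query: str, headers: dict) -> tuple[dict, dict]:
    """Return (params, headers) that are safe to forward from the proxy's own IP."""
    clean = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in IDENTIFIER_PARAMS:
            # Dropping the client id is the trade-off the text describes: upstream
            # can no longer link hits to a person, so visitor/session counts degrade.
            continue
        if key == "dl":
            value = strip_url(value)
        clean[key] = value
    out_headers = {k: v for k, v in headers.items() if k.lower() not in FORBIDDEN_HEADERS}
    return clean, out_headers


def leaks(params: dict, headers: dict) -> list[str]:
    """Audit check for every outbound hit; an empty list means nothing personal remains."""
    found = [k for k in params if k in IDENTIFIER_PARAMS]
    found += [h for h in headers if h.lower() in FORBIDDEN_HEADERS]
    if "dl" in params and ("?" in params["dl"] or "#" in params["dl"]):
        found.append("dl:query")
    return found


# Constructed sample hit: an account page whose URL leaks an e-mail address.
SAMPLE_QUERY = ("v=2&tid=G-PLACEHOLDER&cid=123.456&en=page_view&sr=1920x1080"
                "&dl=https%3A%2F%2Fexample.com%2Faccount%3Femail%3Dalice%2540example.com")
SAMPLE_HEADERS = {"X-Forwarded-For": "203.0.113.7", "User-Agent": "Mozilla/5.0 (constructed)",
                  "Cookie": "_ga=GA1.1.123.456", "Content-Type": "text/plain"}

if __name__ == "__main__":
    params, hdrs = sanitize_hit(SAMPLE_QUERY, SAMPLE_HEADERS)
    print(params, hdrs, leaks(params, hdrs))
```

Run `leaks()` on the outbound request in the proxy's forwarding path and refuse to send when it is non-empty; that is the ongoing verification the text says a proxy needs.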
Disabling Data Sharing and Signals
GA4 allows you to disable “Google Signals” and various data-sharing settings. This reduces the amount of data Google can use for its own purposes. But it does not eliminate the core transfer issue, and it does not prevent Google from retaining all the analytics data on its US infrastructure.
The Bottom Line
Each of these measures reduces risk. But none of them, individually or in combination, guarantees GDPR compliance. You are building a patchwork of workarounds on top of a tool that was not designed with EU privacy law in mind. Compliance depends on correct implementation, ongoing monitoring, and the assumption that the EU-US Data Privacy Framework survives legal challenge — which is far from certain.
| Approach | Effort | Compliance Level | Data Quality |
|---|---|---|---|
| Consent Mode v2 | Medium | Partial | Modeled (30-70% gap) |
| Server-Side Proxy | Very High | Good (if done correctly) | Degraded |
| Disable Data Sharing | Low | Minimal improvement | Unchanged |
| Switch to Copper Analytics | Very Low (2 min) | Full | 100% of visitors |
What Happens If You Are Fined
GDPR enforcement is not just a concern for big tech companies. Regulators are increasingly going after small and medium-sized businesses, and analytics violations are a growing target. Here is what you face if a DPA investigates your Google Analytics usage.
Penalty Ranges
GDPR fines are tiered based on the nature of the violation:
- Lower tier (Article 83(4)): Up to 10 million euros or 2% of annual global turnover, whichever is higher. This applies to violations of data controller obligations, including failing to implement adequate technical measures.
- Upper tier (Article 83(5)): Up to 20 million euros or 4% of annual global turnover, whichever is higher. This applies to violations of core principles, including unlawful data transfers to third countries — which is exactly what the Google Analytics rulings address.
For a small business with 500,000 euros in annual revenue, the upper-tier maximum would be 20 million euros. In practice, fines for SMEs have ranged from a few thousand to several hundred thousand euros. But the fine itself is often not the worst part.
Beyond the Fine
- Cease processing orders: Regulators can order you to stop using Google Analytics immediately, with a deadline as short as 30 days. This means losing all your analytics data and dashboards overnight.
- Public disclosure: Many DPA decisions are published publicly, naming the company. The reputational damage, especially for B2B companies that handle client data, can far exceed the financial penalty.
- Litigation risk: GDPR gives individuals the right to claim compensation for privacy violations. Class-action-style claims are becoming more common in Europe, particularly in countries like the Netherlands and Germany.
- Ongoing compliance costs: Once flagged by a DPA, you may face heightened scrutiny, mandatory audits, and the requirement to appoint a Data Protection Officer.
Real Enforcement Examples
In 2022, the CNIL fined Criteo 40 million euros for GDPR violations related to tracking and data processing. Ireland's DPC fined Meta 1.2 billion euros for illegal US data transfers. While these are large companies, the legal reasoning applies equally to any website transferring EU visitor data to the US via Google Analytics.
GDPR-Compliant Analytics Alternatives
If the compliance burden of GA4 is too high — or if you simply want to eliminate the legal risk entirely — several analytics tools are designed from the ground up for GDPR compliance. Here are the leading options.
Copper Analytics
Copper Analytics is built for privacy-first analytics with zero configuration needed for GDPR compliance. No cookies, no IP storage, no personal data processing of any kind. Because no personal data is collected, no consent banner is required — which means you see 100% of your traffic, not just the visitors who click “Accept.”
- Cookies: None
- IP addresses: Never stored (country derived, then discarded)
- Consent banner: Not required
- Data hosting: EU infrastructure
- Unique features: AI crawler tracking, Web Vitals monitoring, real-time dashboard
- Pricing: Free tier available, paid plans from $9/month
Learn more in our Google Analytics vs Copper Analytics comparison.
Plausible Analytics
Plausible is open-source, cookieless, and hosted in the EU on Hetzner servers in Germany. It provides a single-page dashboard with essential metrics. No personal data is collected, so no consent is needed. Pricing starts at $9/month for 10K pageviews. Self-hosting is free but requires your own infrastructure.
- Cookies: None
- Consent banner: Not required
- Data hosting: EU (Germany)
- Pricing: From $9/month
Fathom Analytics
Fathom is a privacy-focused tool from Canada that processes EU data in EU data centers via an “Intelligent Router.” No cookies, no personal data collection. The dashboard is polished and simple. It includes email reports and uptime monitoring. Pricing starts at $14/month for 100K pageviews.
- Cookies: None
- Consent banner: Not required
- Data hosting: EU routing for EU visitors
- Pricing: From $14/month
Matomo (Self-Hosted)
Matomo self-hosted gives you full control over your data. However, the default configuration uses cookies and collects IP addresses, so you must manually enable cookieless tracking and IP anonymization. You are also responsible for securing the server infrastructure and ensuring it meets GDPR requirements. It is a viable option for teams with strong DevOps resources, but it is not GDPR-compliant out of the box.
- Cookies: Yes (by default; can be disabled)
- Consent banner: Required unless cookieless mode is enabled
- Data hosting: Your own servers
- Pricing: Free (self-hosted), cloud from $19/month
| Feature | Copper Analytics | Plausible | Fathom | Matomo |
|---|---|---|---|---|
| GDPR by Default | Yes | Yes | Yes | Config needed |
| No Cookies | Yes | Yes | Yes | Optional |
| No Consent Banner | Yes | Yes | Yes | Depends |
| EU Data Hosting | Yes | Yes | EU routing | Self-hosted |
| AI Crawler Tracking | Yes | No | No | No |
| Web Vitals | Yes | No | No | No |
| Free Tier | Yes | No | No | Self-hosted only |
Copper Analytics: Analytics Without the GDPR Headache
We built Copper Analytics because we believe website owners should not need a privacy lawyer to run basic analytics. Every design decision — from the cookieless architecture to the EU-hosted infrastructure — was made so that GDPR compliance is automatic, not aspirational.
Here is what you get:
- No cookies — nothing is stored on the visitor's device, ever.
- No IP addresses stored — country is derived on the fly, the IP is immediately discarded.
- No consent banner needed — no personal data means no consent required.
- EU-hosted infrastructure — your data never leaves the European Union.
- 100% of visitors tracked — no consent rejection means zero data gaps.
- Lightweight script (under 5 KB) — loads instantly, not blocked by ad blockers.
- AI crawler tracking — see which AI bots crawl your site and how often.
- Core Web Vitals — monitor performance without Google tools.
Switching takes about two minutes: add a single script tag, and your analytics are GDPR-compliant from the first pageview. No configuration wizards, no legal review, no ongoing maintenance.
Read our step-by-step migration guide or explore our complete GDPR analytics guide for a deeper dive into compliance requirements.
Stop Risking GDPR Fines. Switch to Compliant Analytics.
Cookie-free. No consent banner required. EU-hosted. Set up in 2 minutes and track every visitor — fully GDPR-compliant from day one.