Make Google Analytics GDPR Compliant in 2026
Step-by-step guide to make Google Analytics GDPR compliant. Configure GA4, enable Consent Mode v2, and reduce compliance risk.

, -
How to Make Google Analytics GDPR Compliant in 2026 (Step-by-Step)
What You Need Before You Start
Before you change a single setting, gather everything you need so the process runs without interruption. You will need GA4 property access with admin rights, either Google Tag Manager (GTM) or a direct gtag.js implementation on your site, and a Consent Management Platform (CMP) that supports Consent Mode v2.
These steps apply to you if your site receives visitors from the European Economic Area, the UK, or Switzerland. All three jurisdictions enforce GDPR or equivalent legislation, so any one of them triggers the obligations we cover here.
The reason this work is necessary comes down to what GA4 collects by default. GA4 collects IP addresses, user agents, device identifiers, and generates persistent user IDs, all of which qualify as personal data under GDPR Article 4. That means a standard GA4 installation creates a compliance exposure the moment your first EEA visitor lands on the page.
Configuration reduces your risk significantly, but it does not guarantee full compliance on its own. You still need a documented legal basis for processing, and that requires a legal assessment specific to your organisation. The steps below are a practical foundation, not a substitute for legal advice. That said, signing the Data Processing Amendment and adjusting your GA4 settings are non-negotiable starting points for any GDPR-compliant analytics setup.
Is Google Analytics 4 GDPR Compliant by Default?
No. GA4 is not GDPR compliant out of the box. By default, it sends personal data to Google's US servers, which creates direct conflicts with GDPR Chapter V transfer rules and the case law established by Schrems II (C-311/18, July 2020).
What personal data does GA4 collect?
The list is longer than most people expect. GA4 collects IP addresses, user agents, device identifiers, and generates persistent user IDs by default, all of which qualify as personal data under GDPR Article 4. On top of that, Google Signals can link behavioural data across devices, adding another layer of identifiability that most site owners never explicitly enable.
Simply installing the GA4 snippet and pointing it at your property puts you in a non-compliant position before a single visitor arrives. That is not a scare tactic; it reflects exactly what regulators found when they investigated.
What have EU regulators ruled?
Three separate supervisory authorities reached the same conclusion. The Austrian Datenschutzbehörde ruled against a standard GA4 installation in December 2021. The French CNIL issued formal orders to several website operators in February 2022, and the Italian Garante followed with an equivalent ruling in June 2022. All three decisions centred on the same problem: after Schrems II invalidated the previous EU-US transfer framework, Standard Contractual Clauses alone were not enough to protect data transferred to US controllers subject to US surveillance law.
The EU-US Data Privacy Framework (DPF), adopted on 10 July 2023, partially changed this picture. Google LLC certified under the DPF, which restored a legal transfer mechanism. The DPF covers transfer legality only. It does not eliminate your obligations around consent, data minimisation, or purpose limitation under GDPR Article 5. So while the transfer question has become less acute, the compliance burden has not disappeared.
Step 1: Audit Your Current GA4 Data Collection
Honestly, this is the step most teams skip. Before you change a single setting, you need a clear picture of what GA4 is actually sending right now. Run this audit first, and every subsequent step becomes much easier to execute with confidence.
Start With DebugView and Tag Assistant
Open GA4's DebugView (Configure > DebugView) while browsing your site in debug mode, and watch the event stream in real time. The Google Tag Assistant browser extension gives you a parallel view of which tags are firing and what parameters they carry. Together, these two tools reveal whether you are sending data you did not intend to, such as email addresses embedded in page URLs or custom event parameters that contain user names. GA4 collects IP addresses, user agents, device identifiers, and persistent user IDs by default, all of which qualify as personal data under GDPR, so the audit often surfaces more exposure than teams expect.
Check Google Signals and Custom Dimensions
Go to Admin > Data Settings > Data Collection and check whether Google Signals is active. If it is, GA4 is linking your analytics data to signed-in Google accounts for cross-device tracking, which creates a significant legal risk without explicit opt-in consent for personalisation. Document the current state before you disable anything.
While you are in the data streams view, scan every custom dimension for fields that could identify individuals directly. Google explicitly prohibits sending personally identifiable information into GA4, so any dimension capturing emails or names needs to be removed.
Finally, note your current data retention setting, which defaults to 2 months. Write it down now so you have a clear baseline when you reach Step 4.
Step 2: Enable IP Anonymisation in GA4
GA4 anonymises IP addresses by default at the collection layer, which is a meaningful improvement over Universal Analytics where you had to manually enable this setting. Unlike its predecessor, GA4 applies anonymisation before the IP address is written to any log, so the raw address never reaches Google's storage systems in full. "By default," though, comes with important caveats that teams often miss.
The default anonymisation only holds under specific conditions. As IP anonymisation in GA4 is enabled by default, it works reliably when you are running a standard client-side implementation without Google Signals or server-side data collection layers that might re-expose the full IP address. If you have Google Signals switched on, or if your server-side setup passes raw request data to GA4 before stripping identifiers, the default protection may not apply in the way you expect.
To verify that anonymisation is active for your property, follow this path: Admin > Data Streams > select your stream > Configure tag settings. Review each setting carefully, particularly any custom parameters that could be forwarding unmasked IP data.
IP anonymisation is one layer in a multi-step process, not a standalone compliance solution. GA4 still collects persistent user IDs, device identifiers, and user agents by default, all of which qualify as personal data under GDPR Article 4. Removing IP exposure reduces your risk profile, but the steps that follow are equally necessary to support GDPR-compliant analytics in practice.
Step 3: Implement Google Consent Mode v2
Google Consent Mode v2 is a Google API that adjusts how GA4 and Google Ads tags behave based on each user's consent status. It introduced two specific parameters, ad_user_data and ad_personalization, which control whether personal data can be sent to Google and whether ads can be personalised. Getting this right is not optional for EEA sites anymore; it is a foundational requirement.
Basic Mode vs. Advanced Mode: which should you choose?
The two operating modes serve different measurement philosophies.
Basic Mode holds all GA4 and Google Ads tags until a user grants consent. No data flows before that interaction. This is the simpler path and the safer one from a data minimisation standpoint, though it means you collect nothing from users who decline or ignore the banner entirely.
Advanced Mode fires tags immediately when a page loads, but in a cookieless, modelled state before consent is granted. GA4 uses behavioural modelling to fill in the gaps left by non-consenting users, which means you retain more measurement coverage. Published estimates suggest Advanced Mode can preserve roughly 60-70% of useful data even when users refuse analytics. The trade-off is a more complex setup that requires careful validation.
For most teams running Google Ads alongside GA4, Advanced Mode delivers better conversion modelling. For teams focused purely on site analytics with tighter legal caution, Basic Mode is a defensible choice.
How to configure Consent Mode v2 in Google Tag Manager
The recommended path runs through Google Tag Manager paired with a certified Consent Management Platform. Tools like Cookiebot, Usercentrics, and Axeptio each publish native GTM templates that push consent signals into the dataLayer automatically. The general steps are:
- Install your chosen CMP and activate its GTM integration template from the GTM Community Template Gallery.
- Set the default consent state in GTM using a Consent Initialization trigger so that tags start in a denied state before any user interaction.
- Map your CMP's consent categories to the relevant Consent Mode parameters:
analytics_storage,ad_storage,ad_user_data, andad_personalization. - Publish the GTM container and verify signals are reaching GA4 via Admin > Data Streams > Consent Settings.
Worth flagging clearly: without Consent Mode v2, Google blocks conversion modelling and audience features for EEA traffic as of March 2024. If you run Google Ads campaigns targeting European users and have not yet implemented this, your campaign reporting and remarketing audiences are already degraded. The longer this goes unconfigured, the more incomplete your historical data becomes.
Think of Consent Mode v2 as the connection point between each user's choice and how your measurement tags actually behave. It does not replace the need for a legal basis under GDPR, but it ensures your tags behave in a way that respects whatever consent decision a user makes.
Step 4: Adjust Data Retention and Minimisation Settings
Data minimisation is one of the core principles of GDPR. GA4 gives you several settings to put it into practice, and getting these right is part of demonstrating that your data collection is proportionate and purposeful.
Retention Period
Start with event data retention. GA4 offers two options: 2 months or 14 months. The 2-month setting is the GDPR-friendlier choice for most teams, because it limits how long personal data sits in Google's systems. If your reporting genuinely requires 14 months of user-level data, document the business justification clearly. Regulators expect you to explain why a shorter period was not sufficient, not simply accept the longer default because it is convenient.
Google Signals
Google Signals enables cross-device tracking by linking GA4 data across devices and sessions. This requires explicit consent for personalisation, and most sites do not collect that level of consent. If you cannot confirm that your users have opted in specifically for cross-device ad personalisation, disable Google Signals now. You find the toggle at Admin > Data Settings > Data Collection.
Data Sharing Settings
Next, review your data sharing options at Admin > Account Settings > Data Sharing Settings. GA4 shares data with Google products and services by default. Unless you have a documented legal basis for each sharing purpose, turn these off. Sharing data without a legal basis is a straightforward GDPR violation.
Document Every Change
Record every setting change with a timestamp and the name of the person responsible. GDPR Article 5(2) places the accountability burden on you as the controller. A simple spreadsheet or change log is enough; the point is that you can prove what was changed, when, and why. This habit also makes future audits significantly easier.
Step 5: Update Your Privacy Policy and Data Processing Agreement
Configuration changes alone will not make Google Analytics GDPR compliant. You also need the right legal documents in place, because without them, the controller-processor relationship between you and Google has no contractual foundation. Two tasks matter most here: signing the Data Processing Amendment and updating your privacy policy.
Sign the Data Processing Amendment
The Data Processing Amendment (DPA) must be signed inside your GA4 account at Admin > Account Settings > Data Processing Amendment. This is not optional. Without it, you have no formal contract with Google as a data processor, which is a direct GDPR violation under Article 28. The process takes about two minutes, so there is no excuse to skip it.
Update Your Privacy Policy
Your privacy policy needs to reflect the reality of how GA4 operates. Name Google LLC explicitly as a sub-processor, describe what data GA4 collects, and link to Google's data safeguarding page so users can investigate further if they choose.
You should also reference the EU-US Data Privacy Framework (DPF), under which Google LLC certified on 10 July 2023, as the legal transfer mechanism for data flowing to US servers. Explain to users what this means in plain language: their data is processed under an adequacy decision that the European Commission has approved, though that decision remains subject to future legal challenge.
A few additional points worth covering in your policy:
- State your data retention period (the one you set in Step 4).
- Describe how users can exercise their rights under GDPR Articles 15 to 22.
- If your site targets children under 16, disable all advertising features and remove Google Signals from your configuration entirely before publishing any policy language.
Keep this document current. Every time Google updates GA4's data collection behaviour, your privacy policy may need a revision to stay accurate.
Step 6: Validate Your Configuration with a Compliance Check
Configuration changes only matter if they actually work. Once you have completed Steps 1 through 5, a structured validation pass confirms that your GA4 property is behaving as intended and gives you documented evidence of due diligence.
Start inside GA4 itself. Go to Admin > Data Streams, select your stream, and open Consent Settings. This built-in verification tool shows whether Consent Mode v2 signals are being received correctly, including the ad_user_data and ad_personalization parameters introduced with the v2 update. If the tool reports missing signals, your CMP integration needs attention before you move on.
Next, open your browser's DevTools and switch to the Network tab. Simulate a page load without granting any consent, then filter requests by "google-analytics" or "gtag". In Advanced Mode, GA4 tags should fire immediately but in a state that sets no persistent identifiers. This is the practical proof that cookieless tracking is functioning as configured rather than simply assumed.
Cross-reference those network requests against your CMP's consent logs. The timestamps and consent states recorded by your CMP should match what you see firing in the network panel. Any mismatch is a signal that your dataLayer push sequence needs debugging.
Put a quarterly audit on the calendar. Google updates GA4 features and data collection behaviours regularly, so a configuration that passes today may need revisiting in three months. Brief recurring checks are far less costly than discovering a compliance gap during a supervisory authority inquiry.
What Are the Most Common GA4 GDPR Mistakes to Avoid?
Look, even teams who go through most of the configuration steps still leave themselves exposed through a handful of predictable errors. Knowing what these mistakes look like makes it far easier to catch them before a supervisory authority does.
Leaving Google Signals on without explicit opt-in. Google Signals enables cross-device tracking by linking GA4 data across devices and requires explicit consent for personalisation. If you have not collected that consent, leaving Signals active is a direct violation of data minimisation principles under GDPR Article 5. Disable it unless your users have actively opted in to personalised experiences.
Running Basic Consent Mode without a functional banner. Basic Mode means tags only fire after consent is granted. That setup only works if your consent banner is genuinely visible, records each user's choice, and stores those signals reliably. A broken or hidden banner paired with Basic Mode gives you none of the protections the mode promises, and your data collection is effectively uncontrolled for EEA users.
Sending PII through event parameters or URLs. Google prohibits customers from sending personally identifiable information to Google Analytics, yet email addresses in query strings remain one of the most common accidental violations teams encounter. Review every custom event and URL structure before you go live, and strip any identifiable parameters at the tag level.
Skipping the Data Processing Amendment. Without a signed DPA, the controller-processor relationship between you and Google is legally undefined. This is not a technicality. It is a clear GDPR violation that no amount of Consent Mode configuration can fix.
Assuming the EU-US Data Privacy Framework covers everything. The DPF addressed the legal basis for transferring data to US servers, but it did not remove your obligation to collect consent or minimise data. Teams that treat the DPF as a full compliance solution and skip consent collection entirely are still exposed to enforcement action.
These mistakes tend to cluster together. Fixing one while ignoring the others creates a false sense of security. A thorough audit covers all five.
Is There a Simpler, Privacy-First Alternative to GA4?
Yes, and the difference in compliance effort is significant. Privacy-first analytics platforms like Litlyx collect no personal data by design, which means you never need to configure Consent Mode v2, sign a Data Processing Amendment, or run quarterly audits to stay compliant.
The core reason GA4 requires so much configuration is structural. GA4 collects IP addresses, user agents, device identifiers, and persistent user IDs by default, all of which qualify as personal data under GDPR Article 4. Every step in this guide exists to constrain or mask that data collection after the fact. That is a procedural approach to compliance, and procedural approaches can fail when a setting changes or a new GA4 feature rolls out.
Cookieless tracking at the server layer works differently. When no personal data enters the system at collection time, there is nothing to anonymise, nothing to retain responsibly, and no cross-site data sharing to disclose. GDPR compliance becomes structural rather than a checklist you maintain.
Contrast the GA4 path with what a GDPR-compliant-by-default platform requires:
- No CMP integration to manage consent signals
- No Data Processing Amendment to locate and sign
- No Google Signals to disable
- No risk of conversion modelling being blocked for EEA traffic because your signals were misconfigured
Litlyx is EU-hosted, which means data never transfers to US servers under any framework. That removes the entire Schrems II and EU-US Data Privacy Framework analysis from your legal team's plate entirely.
For digital marketers and developers who need user-friendly insights without the legal overhead, this approach makes real sense. You still get the data-driven decisions your team needs, page views, referral sources, session behaviour, without any of the compliance risk that comes with a standard GA4 installation., -
Frequently asked questions
Is GA4 GDPR compliant in 2026?
No. GA4 is not GDPR compliant by default. It collects personal data (IP addresses, user agents, device IDs, persistent user IDs) and sends it to US servers, creating transfer and consent issues under GDPR. The EU-US Data Privacy Framework (adopted July 2023) restored a legal transfer mechanism, but this only addresses transfer legality—not your obligations around consent, data minimisation, or purpose limitation. Compliance requires: signing Google's Data Processing Amendment, implementing Consent Mode v2, anonymising IPs, disabling Google Signals, and documenting your legal basis. Configuration reduces risk significantly but does not guarantee full compliance without a legal assessment specific to your organisation.
Does GA4 anonymise IP addresses automatically?
Yes. GA4 anonymises IP addresses by default at the collection layer—before the raw address reaches Google's storage systems. This is a key improvement over Universal Analytics, where you had to manually enable IP anonymisation. However, "by default" does not mean fully compliant. You should still verify the setting is active in your GA4 property (Admin > Data Settings > Data Collection) and document it for your compliance records. IP anonymisation alone is not sufficient for GDPR compliance; you also need consent, a Data Processing Amendment, and Consent Mode v2 implementation.
What is Google Consent Mode v2 and is it mandatory?
Consent Mode v2 is Google's framework for signalling user consent status to Google services (Analytics, Ads, etc.) without requiring a CMP to block tags. It allows you to deploy GA4 before consent is granted, then adjust data collection based on user choices. Google requires Consent Mode v2 for EU users if you use Google Ads; for Analytics alone, it is not formally mandatory but is strongly recommended as best practice. It works by sending consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) to Google's servers, which then restricts data use accordingly. Implementation requires a Consent Management Platform (CMP) that supports v2.
Can I use Google Analytics without a consent banner in the EU?
No. Under GDPR, processing personal data requires a lawful basis. For analytics, consent is the most common basis in the EU. GA4 collects personal data (IP addresses, user IDs, device identifiers) by default, so you must obtain explicit, informed consent before deploying it. A consent banner is the standard mechanism. Without one, you have no documented legal basis and expose yourself to regulatory action. The only exception is if you can demonstrate a compelling legitimate interest that outweighs user privacy rights—a high bar rarely met for analytics. Consent Mode v2 allows you to deploy GA4 before consent is given, but you still must obtain consent before processing occurs.
What is the Google Data Processing Amendment and where do I sign it?
The Data Processing Amendment (DPA) is a legal document that designates Google as a data processor on your behalf, establishing their obligations under GDPR Article 28. Without it, Google is treated as an independent controller, which creates serious compliance gaps. To sign: go to Google Analytics > Admin > Account Settings > scroll to "Data Processing Terms" and accept the amendment. You can also request it via Google Cloud's contract portal if you use Google Cloud services. Signing the DPA is non-negotiable for GDPR compliance. It formalises Google's commitment to process data only as you instruct and to implement required security measures.
What happens if I do not implement Consent Mode v2?
Without Consent Mode v2, you must block GA4 entirely until consent is obtained—which means no analytics data collection from EU users without explicit opt-in first. This creates a poor user experience and often results in very low consent rates. Alternatively, if you deploy GA4 without Consent Mode v2 and without prior consent, you violate GDPR Article 7 (lawful basis) and Article 5 (data minimisation). Regulators can issue fines up to €20 million or 4% of global revenue. Consent Mode v2 is the practical solution: it lets GA4 fire immediately while respecting user choices and adjusting data use based on consent signals sent to Google.
Does the EU-US Data Privacy Framework make GA4 legal in Europe?
The Data Privacy Framework (DPF), adopted July 2023, restored a legal transfer mechanism after Schrems II invalidated the previous framework. Google LLC certified under it, which means transfers to Google's US servers now have a lawful basis under GDPR Chapter V. However, the DPF only addresses transfer legality. It does not eliminate your obligations around consent, data minimisation, purpose limitation, or transparency under GDPR Articles 5–7. You still need: a documented legal basis (usually consent), a signed Data Processing Amendment, IP anonymisation, Consent Mode v2, and a privacy policy. The DPF is necessary but not sufficient for compliance.
What are the GDPR fines for using Google Analytics incorrectly?
GDPR fines are tiered by violation severity. Article 83(4) violations (unlawful processing, missing legal basis, no consent) carry fines up to €20 million or 4% of global annual revenue, whichever is higher. Article 83(5) violations (data subject rights breaches, security failures) reach up to €20 million or 4% of revenue. In practice, regulators have issued fines ranging from €50,000 (minor breaches) to €746 million (Meta, 2023). For GA4 specifically, Austrian, French, and Italian regulators found non-compliance and issued orders to cease or reconfigure. Fines depend on scale, intent, and harm, but the baseline risk is substantial. Compliance is far cheaper than remediation.
How long should I retain GA4 data under GDPR?
GDPR does not prescribe a specific retention period for analytics data; instead, it requires you to delete data when it is no longer necessary for your stated purpose (Article 5, storage limitation). For GA4, this typically means 2–26 months depending on your use case. GA4's default is 2 months; you can extend it to 14 months in settings (Admin > Data Settings > Data Retention). Document your retention policy in your privacy notice and justify it based on your analytics needs. Shorter retention (2–6 months) is safer and easier to defend. Longer retention (12+ months) requires a documented business reason. Implement automated deletion in GA4 or via BigQuery exports to ensure compliance.
What is a GDPR-compliant alternative to Google Analytics?
GDPR-compliant alternatives include Plausible, Fathom Analytics, Matomo (self-hosted), and Cabin. These platforms either process data in the EU, do not use cookies or persistent identifiers, or allow you to self-host. Plausible and Fathom are EU-based, cookieless, and do not require consent banners. Matomo (self-hosted on your own servers) gives you full control and avoids third-party transfers. Cabin is privacy-first and GDPR-native. Trade-offs: these tools offer fewer features than GA4 (no cross-device tracking, limited custom events) but eliminate transfer and consent complexity. For most sites, they are sufficient. If you need GA4's advanced features, configure it with Consent Mode v2, IP anonymisation, and a DPA—but accept that compliance requires ongoing effort.
What personal data does GA4 collect by default?
GA4 collects: IP addresses (anonymised at collection), user agents, device identifiers, persistent user IDs, page URLs, referrer data, and event parameters. If Google Signals is enabled, it links behavioural data across devices using signed-in Google accounts. If custom dimensions are misconfigured, it can capture emails, names, or other PII. All of this qualifies as personal data under GDPR Article 4. GA4 also generates a unique Client ID and Session ID for each user. This data is sent to Google's US servers by default. An audit using DebugView and Tag Assistant reveals exactly what your installation sends. Document findings before making changes.
Do I need to disable Google Signals for GDPR compliance?
Yes. Google Signals links analytics data to signed-in Google accounts for cross-device tracking, which creates significant legal risk without explicit opt-in consent for personalisation. Most sites cannot justify this processing under GDPR. Disable it: Admin > Data Settings > Data Collection > toggle off Google Signals. Document the change. This step is essential for compliance. Even with Consent Mode v2 and a valid legal basis for analytics, Google Signals requires a separate, explicit consent signal (ad_personalization) that most users will not grant. Disabling it simplifies compliance and reduces your legal exposure.