Is Google Analytics 4 GDPR Compliant? (The Honest Answer)
The honest answer is: probably not, as most sites use it. Three European data protection authorities have already ruled it illegal. Here's the full picture — and what you should actually do.
What the DPA Rulings Actually Said
In January 2022, Austria's DSB became the first European DPA to rule that using Google Analytics violated GDPR. France's CNIL followed in February 2022, then Denmark's Datatilsynet in September 2022. Italy's Garante issued a formal warning in June 2022. These weren't vague guidance documents — they were binding decisions against specific website operators.
The core issue isn't Google Analytics itself. It's where the data goes. Google Analytics sends visitor data — including IP addresses and unique identifiers — to Google's servers in the United States. Post-Schrems II (the 2020 CJEU ruling that invalidated Privacy Shield), there's no valid legal mechanism for most of these transfers. The US lacks "essentially equivalent" data protection to the EU, and US intelligence law (FISA 702 in particular) means Google can be compelled to hand data over to US authorities without the user ever knowing.
The Austrian DSB was blunt: standard contractual clauses (SCCs) don't fix this because the underlying US surveillance laws haven't changed. The data transfer itself is the problem.
What About GA4 Specifically?
Google launched GA4 partly as a response to privacy pressure. It does fewer things by default — no cross-device tracking without explicit configuration, shorter default data retention, and better support for consent signals. But it still sends data to US servers. The underlying legal problem that caused the Austrian, French, and Danish rulings hasn't been solved.
Google has added a "data residency" option for EU customers to keep processed data in the EU. But the raw data still transits through Google's infrastructure, and the question of US government access to that data remains legally unresolved for GDPR purposes.
The risk in plain terms
If an EU user complains about your site to their national DPA, and you're running GA4 without Consent Mode and a valid legal basis, you're exposed. The Austrian, French, and Danish decisions set clear precedent. Supervisory authorities in other member states are watching.
If You Must Keep GA4: The Minimum Requirements
This doesn't guarantee compliance — no one can currently guarantee that — but it reduces your exposure significantly:
- Only fire GA4 after explicit consent. Use Google Consent Mode v2 with a proper CMP (Cookiebot, Axeptio, Usercentrics). Don't use the default "denied" state as a workaround — that still sends pings.
- Disable advertising features. Turn off Google Signals, disable advertising personalisation, and don't link to Google Ads. These integrations significantly expand the scope of the data transfer.
- IP anonymisation. In GA4 this is on by default, but verify it has not been turned off in your property settings.
- Set data retention to 2 months. Go to Admin → Data Settings → Data Retention and set user and event data to 2 months rather than 14 months.
- Sign Google's DPA. Accept the Data Processing Amendment in your GA4 account settings. Without this, there's no Article 28 processor agreement in place at all.
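The first two items on that list are the ones a developer implements in code. The block below is an added example, not code from this article or from Google: it gates the gtag.js injection on an explicit analytics grant (Consent Mode's "basic" pattern, where the tag is never loaded before consent, so not even cookieless pings leave the browser) and sets the config flags that keep Google Signals and ad personalisation off. It assumes your CMP hands you a plain object such as `{ analytics: true, marketing: false }`; `G-XXXXXXXXXX` is a placeholder measurement ID, and `fakeEnv()` is a constructed stand-in for `window`/`document` so the logic can be exercised outside a browser.

```javascript
// Added example (not the article's or Google's code): "basic" Consent Mode gating for GA4.
// gtag.js is injected only after the visitor explicitly grants analytics consent.
// Assumptions: CMP choices arrive as { analytics: bool, marketing: bool };
// GA4_MEASUREMENT_ID is a placeholder; fakeEnv() is constructed test scaffolding.

const GA4_MEASUREMENT_ID = "G-XXXXXXXXXX"; // placeholder, not a real property id

// Map CMP choices onto the Consent Mode v2 signals. Anything not explicitly
// granted (missing, null, a string) is reported as "denied"; the ad_* keys
// follow the marketing choice, which this checklist says you should not grant.
function consentSignalsFor(choices) {
  const c = choices && typeof choices === "object" ? choices : {};
  const analytics = c.analytics === true ? "granted" : "denied";
  const marketing = c.marketing === true ? "granted" : "denied";
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

// Gate: the tag may load only on an explicit analytics grant.
function shouldLoadGa4(choices) {
  return consentSignalsFor(choices).analytics_storage === "granted";
}

// gtag config flags that keep the advertising integrations off
// (Google Signals, ad personalisation), matching the checklist above.
function ga4ConfigFlags() {
  return {
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
  };
}

// Queue the consent + config calls and inject gtag.js. Returns true when the
// tag was injected, false when consent is missing or the tag already loaded.
function loadGa4(doc, win, choices) {
  if (!shouldLoadGa4(choices) || win.__ga4Loaded) return false;

  win.dataLayer = win.dataLayer || [];
  win.gtag = win.gtag || function () { win.dataLayer.push(arguments); };

  // Consent signals go on the dataLayer before the config call, so the tag
  // never starts with ad signals in an undefined state.
  win.gtag("consent", "default", consentSignalsFor(choices));
  win.gtag("js", new Date());
  win.gtag("config", GA4_MEASUREMENT_ID, ga4ConfigFlags());

  const script = doc.createElement("script");
  script.async = true;
  script.src = "https://www.googletagmanager.com/gtag/js?id=" + GA4_MEASUREMENT_ID;
  doc.head.appendChild(script);

  win.__ga4Loaded = true;
  return true;
}

// Constructed stand-in for window/document (test scaffolding, not browser code).
function fakeEnv() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  const doc = { head, createElement(tagName) { return { tagName }; } };
  return { doc, win: {} };
}

// Walk through what a page sees: one visitor declines, another grants
// analytics only, and the accept handler is (wrongly) invoked a second time.
function demo() {
  const declined = fakeEnv();
  const loadedOnDecline = loadGa4(declined.doc, declined.win, { analytics: false, marketing: false });

  const accepted = fakeEnv();
  const loadedOnAccept = loadGa4(accepted.doc, accepted.win, { analytics: true, marketing: false });
  const loadedTwice = loadGa4(accepted.doc, accepted.win, { analytics: true, marketing: false });

  return {
    loadedOnDecline,                                   // false: nothing injected
    scriptsOnDecline: declined.doc.head.children.length, // 0
    loadedOnAccept,                                    // true
    loadedTwice,                                       // false: idempotent
    scriptsOnAccept: accepted.doc.head.children.length,  // 1
    signals: accepted.win.dataLayer[0][2],             // analytics granted, ad_* denied
  };
}
```

In a real page, call `loadGa4(document, window, choices)` from the CMP's consent callback, and push later changes of mind with `gtag('consent', 'update', consentSignalsFor(newChoices))` (the real gtag API call, not shown here). The point of the gate is the ordering: with the "advanced" pattern, where gtag.js loads first with everything defaulted to `denied`, the tag still sends cookieless pings before the visitor has chosen anything; with this pattern the dataLayer and the script tag simply do not exist until they have.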
The Compliant Alternatives
The cleanest solution is to switch to an analytics tool that doesn't transfer data to the US and doesn't track individuals. These aren't compromise choices — for most sites they provide everything you actually need.
- Plausible Analytics — EU-hosted (Falkenstein, Germany), no cookies, no cross-site tracking, no personal data collected. €9/mo for small sites. Doesn't require a cookie banner at all.
- Fathom Analytics — Canadian company with EU isolation option, no cookies, privacy-first. Simple pricing from $15/mo.
- Matomo self-hosted — Open source, you host it on your own EU server, full data ownership. Free but requires maintenance. Their cloud version is hosted in the EU.
- Cabin — Carbon-neutral, privacy-preserving analytics. EU data processing available.
For most content sites and SaaS products, Plausible or Fathom give you everything that matters: page views, referrers, countries, devices, top pages, conversion goals. The only things you lose are the Google-specific advertising attribution features — which you shouldn't be relying on for compliance anyway.
The bottom line
If you're serving users in Austria, France, Denmark, Italy, or really anywhere in the EU, and you're running GA4 without explicit consent gating and a DPA, you're running a documented legal risk. The DPA rulings exist. The question is whether enforcement reaches you — and that's getting more likely, not less, as national DPAs build out their complaint-handling capacity.
Is GA4 loading on your site before consent?
Run a free scan to see exactly which scripts fire before your cookie banner loads — and get specific fix instructions.