No, Google Analytics is not GDPR compliant by default. GA4 collects data the GDPR treats as personal, including IP addresses and the client IDs that follow a device around, so you cannot just drop the tag on an EU-facing site and be done. The more useful answer is what it takes to fix that: a properly configured GA4 can be run under the GDPR, and "properly configured" comes down to five things. One of them is where most sites quietly fail, even ones that already show a cookie banner.
Key Takeaways
- 01No. Google Analytics 4 is not GDPR compliant out of the box. It can be used lawfully in the EU, but only after you add consent, a contract with Google, and the right configuration.
- 02Five things have to be true: prior opt-in consent before GA loads, Google Consent Mode v2 wired up, Google's Data Processing Terms accepted, the EU-US Data Privacy Framework covering transfers, and GA4's retention and data-sharing settings tightened.
- 03The step most sites fail is the first one. GA has to stay off until the visitor agrees. Most banners either let it fire before consent (a leak) or block it completely (lost data and no Consent Mode modeling).
- 04ConsentStack holds GA until consent and ships Consent Mode v2 by default, so you stay compliant without losing measurement. The free scanner shows which side of that line your site is on.
Is Google Analytics GDPR compliant by default?
No, but it is not banned either. On its own, GA4 is just a tool that processes personal data, and the GDPR puts the responsibility on you. In the law's language you are the data controller and Google is your data processor, which means getting consent, signing Google's terms, and configuring the tool are your job, not something Google does for you. GA4 does help at the margins: it masks IP addresses by default and gives you privacy controls to switch on. But those defaults do not add up to consent, and consent is the part regulators actually enforce.
This is not theoretical. In 2022 several EU data protection authorities, in Austria, France, and Italy among them, ruled that sending Google Analytics data to US servers broke the GDPR. That specific problem eased in July 2023, when the EU-US Data Privacy Framework gave Google a valid way to handle those transfers again. Consent and configuration, though, were always the site owner's job, and they still are.
What a GDPR-compliant GA4 setup actually requires
Five requirements have to be met before GA4 is lawful on EU visitors. Miss any one and the whole setup is exposed.
| Requirement | What it means |
|---|---|
| Consent before GA fires | Get explicit, opt-in consent first. Analytics is not strictly necessary, so you cannot fall back on legitimate interest for EU visitors. |
| Google Consent Mode v2 | Connect your banner to Consent Mode v2 so GA respects each choice and can still model conversions when someone declines. |
| Google's data terms (DPA) | Accept Google's Data Processing Terms in your GA admin settings. This puts the controller-processor relationship in writing. |
| Lawful transfers (DPF) | Google self-certifies under the EU-US Data Privacy Framework, the current legal basis for moving EU data to US servers. |
| GA4 privacy settings | Shorten data retention, turn off the Google products and benchmarking data-sharing options, and keep IP masking and data redaction on. |
The step most sites get wrong: consent before GA fires
Notice that four of the five requirements are one-time settings. You accept the terms once, shorten retention once, confirm the transfer basis once. The first requirement is different, because it has to be true on every single page load, and it is the one most sites break. GA has to stay off until the visitor agrees. This is the exact question developers keep asking in public: does firing Google Analytics before consent count as a GDPR breach? The short answer is yes, and it is worth understanding why.
The moment GA loads, it sends a request to Google carrying the visitor's IP address and the page they are on. That happens before the person has agreed to anything, and the request itself is what the GDPR objects to. Setting Consent Mode to "denied" does not undo it, because the connection has already gone out. Holding the tag until consent is the only thing that actually prevents it.
Two ways banners get Google Analytics wrong
Having a cookie banner is not the same as consent working. Once you look at what the banner does to GA specifically, most fall into one of two failure modes, on opposite ends.
| Banner behavior | What happens | Result |
|---|---|---|
| Fires GA before consent | The GA request goes out as the page loads | The visitor's IP and page reach Google before they agree. This is the leak, and the most common failure. |
| Blocks GA completely | The tag is stripped out and never re-enabled | You lose analytics even from EU visitors who would have accepted, and you lose Consent Mode's modeled data. Compliant, but blind. |
| Holds GA until consent | GA loads only after Accept; Consent Mode v2 handles Reject | Compliant, and you keep your measurement. This is the target behavior. |
The third row is the whole game, and it is harder than it sounds, which is why so few banners actually do it. It is the difference between a banner that decorates the page and one that actually holds the tag until consent.
How to make Google Analytics GDPR compliant
Putting it together, here is the order that works:
- Add a consent banner that blocks Google Analytics until the visitor opts in, and make sure it genuinely holds the tag rather than just hiding a message.
- Connect the banner to Google Consent Mode v2 so a Reject still models conversions instead of going dark.
- Accept Google's Data Processing Terms in your GA4 admin, under Account Settings.
- Set data retention to the shortest window that works, and turn off the Google data-sharing options you do not need.
- Name Google Analytics in your privacy policy: what it collects, why, and how visitors can opt out.
Do those five and GA4 sits on the compliant side of the line for EU visitors. The first one is the only step that is ongoing, and the only one worth testing rather than trusting. For the full rulebook behind all of this, see our GDPR cookie consent requirements guide, and if Google Tag Assistant is warning you that a CMP may be blocking tags, here is what that means.
How ConsentStack handles Google Analytics
ConsentStack is a consent platform, so it does not replace Google Analytics, it governs it. It holds analytics and advertising tags until a visitor consents, keeps them off when someone clicks Reject, and ships Google Consent Mode v2 by default, so declines still model instead of leaving you blind. That covers the one requirement most banners miss and the one you would otherwise have to keep testing. Accepting Google's data terms and writing your privacy policy stay yours, since no consent tool can do those for you. Plans start at $29 a month, and if you would rather not touch the setup, we install and configure the banner for you.
Check what your site sends before consent
Before you change anything, see what your site does right now. Run it through our free compliance scanner and it will show you exactly which trackers, Google Analytics included, fire before and after someone clicks Reject. It takes about a minute and does not ask for an email. That report is the fastest way to find out whether your banner is holding GA back or just sitting on top of it.
Google Analytics and GDPR FAQ
Not by default. GA4 processes personal data like IP addresses and client IDs, so it is only compliant once you obtain prior consent, accept Google's data terms, rely on the EU-US Data Privacy Framework for transfers, and configure GA4's privacy settings.
Block GA until a visitor opts in, connect your banner to Google Consent Mode v2, accept Google's Data Processing Terms in the GA admin, shorten data retention and turn off unneeded data sharing, and disclose Google Analytics in your privacy policy.
Yes, when it is set up correctly. The 2022 rulings against Google Analytics were about US data transfers, and the EU-US Data Privacy Framework resolved that in July 2023. With consent and proper configuration, GA4 can be used lawfully on EU visitors.
Not for EU visitors. Analytics is not strictly necessary, so it needs opt-in consent, and that requires a banner or equivalent mechanism that holds GA until the visitor agrees.
Yes. Loading GA before consent sends the visitor's IP address and page to Google before they agree, and that request is the violation. Setting Consent Mode to denied does not fix it, because the connection has already been made.
Yes, GA4 masks IP addresses by default and does not log or store them. That helps, but it does not replace consent, so IP masking alone does not make GA4 GDPR compliant.
See what fires before anyone clicks Accept
Run a free compliance scan and see exactly which trackers, including Google Analytics, load before and after Reject. No signup.
Related Posts
GDPR Cookie Consent Requirements in 2026: A Developer Guide
What GDPR actually requires for cookie consent in 2026. What developers need to implement, what regulators enforce, and how to stay compliant.
How Cookie Consent Script Blocking Actually Works (And Why Most CMPs Fake It)
Most CMPs display a banner while tracking scripts fire freely. A technical breakdown of the three script blocking approaches and why only parse-time blocking actually works.
A Consent Management Platform (CMP) May Be Blocking Tags: What It Means and How to Fix It
Seeing "A Consent Management Platform (CMP) may be blocking tags" in Google Tag Assistant? It usually means your CMP is working correctly. Here is when it is a real problem, and how to fix it.