
Does Google Analytics Require Cookie Consent Under GDPR?

GDPR INSURANCE / INSIGHTS HUB
April 1, 2026 · 20 minute read

You've had Google Analytics installed since day one. But is it legally compliant — and have you ever actually asked your users for permission?

For most website owners, Google Analytics is as automatic as registering a domain. You launch a site, you install the tracking code, and you start collecting data. It's free, it's powerful, and it's been the default analytics choice for millions of websites for nearly two decades.

The problem is that "default" and "compliant" are not the same thing — and since 2022, data protection authorities across Europe have made clear that Google Analytics installed in its default configuration almost certainly violates GDPR.

This isn't a theoretical risk or a fringe regulatory interpretation. Austria, France, Italy, Denmark, Finland, and Norway have all issued formal rulings finding Google Analytics non-compliant. Websites have received enforcement notices. And the underlying issues that drove those rulings — analytics cookies processing personal data without consent, and user data being transferred to US servers without adequate safeguards — haven't disappeared, even with the changes Google introduced in GA4.

This article gives you a clear, honest answer to one of the most searched GDPR questions on the web: does Google Analytics require cookie consent? The short answer is yes, in almost all cases. The longer answer — which covers what regulators have actually ruled, what GA4 changes and doesn't change, and what a compliant setup actually looks like — follows below.

Section 1: What Does Google Analytics Actually Do With User Data?

To understand why Google Analytics raises GDPR issues, you need to understand what it actually does when someone visits your website.

When a user lands on a page with GA installed, the Analytics script sets cookies on their device — persistent identifiers that track their behaviour across sessions. GA records which pages they visit, how long they spend on each, what device and browser they're using, their approximate geographic location derived from their IP address, and how they arrived at your site. In GA4, this data is supplemented by event-based tracking that can capture granular user interactions — button clicks, scroll depth, form submissions, video plays.

The reason this matters under GDPR is that several of these data points constitute personal data. IP addresses are personal data under GDPR — they can identify an individual, directly or indirectly, and the Court of Justice of the European Union confirmed this definitively in its 2016 Breyer ruling. Persistent cookie identifiers are also personal data — they uniquely identify a device over time and can be used to build a profile of an individual's behaviour. The combination of IP address, cookie ID, device fingerprint, and behavioural data that GA collects is unambiguously within GDPR's scope.

GA4 vs. Universal Analytics — what changed and what didn't

When Google sunset Universal Analytics and moved to GA4, it introduced several privacy-related changes: IP anonymisation is enabled by default in new GA4 properties, data retention periods are shorter, and the measurement model is event-based rather than session-based. These are genuine improvements from a privacy standpoint. What didn't change is the fundamental reality: GA4 still sets cookies on users' devices, still processes personal data, and — until recently — still transferred that data to Google's servers in the United States under arrangements that EU regulators found problematic.

The data transfer issue

Separate from the consent question, every GA implementation involves transferring user data to Google's infrastructure in the US. Post-Schrems II, this transfer required adequate safeguards — Standard Contractual Clauses at minimum, and ideally certification under the EU-US Data Privacy Framework. The EU regulators who ruled against Google Analytics in 2022 focused heavily on this transfer issue, finding that SCCs alone were insufficient given US surveillance law. The introduction of the EU-US DPF in July 2023 has improved the legal position for transfers — but the consent requirement for analytics cookies exists independently of the transfer question, and it hasn't gone away.

Section 2: What GDPR Says About Analytics Cookies

The legal framework here involves two overlapping instruments: GDPR and the ePrivacy Directive (implemented in the UK as PECR — the Privacy and Electronic Communications Regulations).

The ePrivacy Directive — often called the Cookie Law — requires consent before storing or accessing information on a user's device, with a narrow exception for cookies that are strictly necessary for a service the user has explicitly requested. The key question for any cookie is therefore whether it falls within that strictly necessary exception.

Analytics cookies do not fall within the strictly necessary exception. Your website functions perfectly without Google Analytics — the user receives the service they came for whether or not their behaviour is being tracked. Analytics serve the website owner's interests, not the user's — and the strictly necessary exception exists to protect user experience, not business intelligence needs. This is not a contested interpretation: it's the consistent position of every data protection authority that has addressed the question.

Can you use legitimate interests as a legal basis for analytics?

This is the question many businesses raise when they discover that analytics cookies require consent, because consent comes with friction and legitimate interests doesn't. The answer from regulators has been consistently negative. The Article 29 Working Party (now the EDPB) has stated that web analytics could, in principle, rely on legitimate interests under narrow conditions: the analytics data must be used only for internal purposes, must not be shared with third parties, and must be protected by appropriate safeguards. Standard Google Analytics, which transfers data to Google for its own purposes, does not meet those conditions.

The practical conclusion is clear: for standard Google Analytics implementations, consent is required. That consent must be freely given, specific, informed, and unambiguous — which means an active opt-in, no pre-ticked boxes, a genuine reject option, and clear information about what tracking will occur before the user makes their choice.

Section 3: What Regulators Have Actually Ruled

The enforcement record on Google Analytics is more extensive than most website owners realise — and it accelerated rapidly from 2022 onward.

Austria — January 2022. The Austrian Data Protection Authority (DSB) issued the first EU ruling finding Google Analytics non-compliant with GDPR. The case was brought by privacy activist organisation noyb (founded by Max Schrems) and focused on the transfer of personal data to US servers. The DSB found that the Standard Contractual Clauses used by Google were insufficient to protect EU user data given US surveillance law.

France — February 2022. France's CNIL ruled that the use of Google Analytics violated GDPR and issued formal notices to website operators to bring their analytics implementations into compliance within one month. CNIL's ruling highlighted both the transfer issue and the cookie consent mechanism.

Italy, Denmark, Finland, Norway — 2022–2023. Similar rulings followed across multiple EU member states, with national data protection authorities reaching consistent conclusions: Google Analytics in its default configuration was incompatible with GDPR requirements for EU user data.

The core issue in every ruling was the US data transfer rather than the cookie itself — specifically, the concern that US surveillance law (FISA Section 702) could compel Google to provide EU user data to US intelligence agencies in ways inconsistent with EU data protection standards. SCCs were found inadequate to address this risk.

Where does enforcement stand in 2026?

The introduction of the EU-US Data Privacy Framework in July 2023, under which Google is certified, has substantially improved the legal position for the data transfer dimension of Google Analytics compliance. The DPF provides a new adequacy mechanism that addresses the transfer concerns at the heart of the 2022 enforcement wave. However — and this is critical — the DPF resolves the transfer issue, not the consent issue. Analytics cookies still require consent under the ePrivacy Directive regardless of where the data goes. The two compliance obligations are separate, and resolving one doesn't resolve the other.

The practical position in 2026 is: Google Analytics with proper consent management and a DPF-certified Google as your data processor is legally defensible in a way that wasn't clearly available in 2022. But "proper consent management" is doing significant work in that sentence — and most GA implementations still don't meet the standard.

Section 4: Does GA4 Fix the Problem?

When Google launched GA4 and introduced Consent Mode, many website owners assumed the compliance problem had been solved. The reality is more nuanced.

What GA4 improved: IP anonymisation by default removes one personal data point from the picture, though it doesn't eliminate the personal data processing entirely — cookie IDs and behavioural data remain. Shorter default data retention periods reduce the privacy impact of data that is collected. The event-based measurement model gives website owners more granular control over what data is collected and when.

What GA4 doesn't fix: GA4 still sets cookies on users' devices. It still processes personal data. It still requires consent under the ePrivacy Directive before those cookies are placed. The fundamental consent requirement is unchanged regardless of which version of Google Analytics you're using.

Google Consent Mode explained

Consent Mode is Google's mechanism for adapting GA's behaviour based on the user's consent choices. When a user declines analytics cookies, Consent Mode allows GA to collect limited, non-cookie, non-personal signals and use machine learning to model aggregate traffic patterns — giving website owners some analytics continuity without requiring individual-level tracking of non-consenting users.

Consent Mode v2, introduced in early 2024, added two new consent signals, ad_personalization and ad_user_data, alongside the existing analytics_storage and ad_storage parameters. For websites using Google's advertising products, implementing Consent Mode v2 through a compatible CMP became a requirement for continued access to certain Google Ads features.

The honest assessment of GA4 + Consent Mode: this combination gets you significantly closer to a compliant analytics setup than anything available before 2023. But it requires correct implementation — a CMP that supports Consent Mode v2, GA tags configured to fire only after consent is granted, and a cookie policy that accurately discloses what GA cookies are placed and why. Done correctly, it's a genuinely defensible compliance position. Done incorrectly — which describes most implementations — it provides the appearance of compliance without the substance.

Section 5: Your Options — From Simplest to Most Private

Option 1: Keep GA4 With a Fully Compliant Consent Setup

This is the right choice for businesses that rely on GA's feature depth and are willing to accept some data loss from users who decline consent.

Implement a CMP that supports Google Consent Mode v2 — Cookiebot, Enzuzo, and Termly all provide native Consent Mode v2 integration. Configure your GA tags to fire only when analytics_storage consent is granted. Update your cookie policy with iubenda to accurately disclose GA cookies. Enable IP anonymisation in your GA4 property settings if it isn't already. Review your data retention settings and reduce them to the minimum necessary for your analytics purposes.

The trade-off is data gaps: users who decline analytics consent won't appear in your standard GA reports. Consent Mode's modelling partially compensates for this, but your reported user numbers will be lower than your actual traffic.

Option 2: Use GA4 in Consent Mode Only — Modelled Data

Some website owners configure GA4 to operate entirely through Consent Mode, relying on Google's modelling for traffic from non-consenting users rather than collecting individual-level data. This approach maintains some analytics continuity while limiting personal data collection to consenting users only.

The limitation is accuracy: modelled data is less precise than observed data, and the modelling is better in some contexts (high-traffic sites with consistent user patterns) than others (low-traffic sites or sites with highly variable traffic sources).

Option 3: Switch to a Privacy-First Analytics Alternative

For website owners for whom consent friction is a genuine business concern, or for whom simplicity matters more than feature depth, privacy-first analytics tools offer a genuinely good alternative. These tools are designed to collect aggregate traffic data without setting persistent cookies or processing personal data, which means they don't require consent under GDPR or the ePrivacy Directive.

Plausible Analytics is lightweight, open source, and collects aggregate traffic data without any cookies or personal data. It provides the core metrics most websites actually need — pageviews, unique visitors, referral sources, top pages — without the compliance complexity. Pricing starts from €9/month.

Fathom Analytics takes a similar approach — cookieless, privacy-first, GDPR compliant by design. It's particularly popular with SaaS founders and content publishers who want clean analytics without compliance overhead.

Matomo offers a self-hosted option that gives you complete control over your data — no third-party transfers, all data stays on your own infrastructure. With cookieless tracking configured, Matomo can operate without consent requirements. The trade-off is the infrastructure overhead of self-hosting.

Simple Analytics is exactly what it sounds like — minimal, cookieless, privacy-first analytics with a clean interface and no consent requirement.

Option 4: Run Both — GA4 With Consent Plus a Cookieless Baseline Tool

This is the increasingly common approach for data-driven teams who need both compliance and continuity. A cookieless tool like Plausible or Fathom provides always-on baseline traffic data for all visitors regardless of consent choice. GA4 with full Consent Mode integration provides deeper analytics for the subset of users who consent. The two data sources complement each other: the cookieless tool tells you what's actually happening across your full audience; GA tells you why, in more detail, for consenting users.

Section 6: What a Compliant Google Analytics Setup Looks Like

If you're keeping GA4, here's the complete implementation checklist for a defensible compliance position:

Install a CMP that supports Google Consent Mode v2. Cookiebot, Enzuzo, and Termly all offer native Consent Mode v2 integration with straightforward setup guides for common website platforms.

Configure GA tags to fire only on analytics consent. In Google Tag Manager, set your GA4 Configuration tag to trigger only when analytics_storage consent is granted. Test this in GTM's preview mode and verify in your browser's developer tools that no GA cookies are set on initial page load before consent is obtained.

Categorise GA cookies correctly in your consent banner. Google Analytics cookies — _ga, _ga_[ID], and related cookies — should be categorised as Analytics or Performance cookies, not strictly necessary. They must appear in the manage preferences section with a genuine toggle that controls whether they're placed.

Update your cookie policy. Your cookie policy must accurately disclose every GA cookie placed on your site — the cookie name, its purpose, its provider (Google), and its duration. iubenda makes this straightforward with automated policy generation that stays current as your technology stack evolves.

Enable IP anonymisation. In GA4, IP anonymisation is on by default for new properties. Verify this in your GA4 property settings under Data Collection and Modification.

Review data retention settings. GA4's default retention period is two months for event data. Consider whether your analytics use cases require longer retention, and set the minimum period that meets your actual needs.

Document your consent records. Your CMP should be maintaining timestamped logs of consent interactions — when consent was given, what version of your cookie policy was in effect, and what categories were consented to. Verify that your CMP is generating and storing these records.

Test the complete flow. Use an incognito browser window to walk through your consent banner as a new visitor — verify that no GA cookies are set before you interact with the banner, that declining analytics actually prevents GA cookies from being placed, and that accepting analytics correctly fires the GA tag.
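As an added example that is not code from this article, from Google, or from any CMP vendor, the following Consent Mode v2 wiring implements the "fire only on analytics consent" step of the checklist above together with the four consent signals described in Section 4: every signal defaults to denied, the banner's choice is translated into a consent update, and gtag.js is fetched only once analytics_storage is granted (the basic, tag-blocking style the checklist describes, not the cookieless modelling pings). The measurement id G-XXXXXXXXXX is a placeholder, the category names analytics and marketing are assumed banner categories, and the loadScript hook is there so the logic can be exercised outside a browser.

```javascript
// Added example (not from the article, Google, or any CMP vendor): a
// minimal Consent Mode v2 controller in the "fire GA only after consent"
// style the checklist recommends. The measurement id "G-XXXXXXXXXX" is a
// placeholder and the CMP categories "analytics" / "marketing" are
// assumed names; a real CMP supplies its own.

const CONSENT_SIGNALS = [
  "ad_storage", "ad_user_data", "ad_personalization", "analytics_storage",
];

function createConsentController(options) {
  const measurementId = options.measurementId;
  // In a browser this injects a <script> tag; tests pass in a recorder instead.
  const loadScript = options.loadScript || function (src) {
    const s = document.createElement("script");
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  };

  // Same shape as the official snippet: a dataLayer array plus a gtag()
  // that queues its arguments for gtag.js to consume once it loads.
  const dataLayer = [];
  function gtag() { dataLayer.push(arguments); }

  // Consent Mode v2 default: every signal denied before the user chooses.
  // wait_for_update asks gtag.js to hold hits briefly for a CMP update.
  const state = {};
  CONSENT_SIGNALS.forEach(function (signal) { state[signal] = "denied"; });
  gtag("consent", "default", Object.assign({ wait_for_update: 500 }, state));

  let analyticsLoaded = false;

  // Translate the banner's category toggles into the four v2 signals.
  // Analytics consent never implies advertising consent, or vice versa.
  function applyChoice(categories) {
    const update = {
      analytics_storage: categories.analytics ? "granted" : "denied",
      ad_storage: categories.marketing ? "granted" : "denied",
      ad_user_data: categories.marketing ? "granted" : "denied",
      ad_personalization: categories.marketing ? "granted" : "denied",
    };
    Object.assign(state, update);
    gtag("consent", "update", update);

    // Tag-blocking gate: gtag.js is only fetched once analytics_storage is
    // granted, so no _ga cookies can exist before that point. A later
    // "denied" update is still sent so an already loaded tag stops writing.
    if (state.analytics_storage === "granted" && !analyticsLoaded) {
      loadScript("https://www.googletagmanager.com/gtag/js?id=" + measurementId);
      gtag("js", new Date());
      gtag("config", measurementId);
      analyticsLoaded = true;
    }
    return Object.assign({}, state);
  }

  return {
    applyChoice: applyChoice,
    getState: function () { return Object.assign({}, state); },
    isAnalyticsLoaded: function () { return analyticsLoaded; },
    getDataLayer: function () { return dataLayer.slice(); },
  };
}

// Usage in a page (placeholder id): create the controller before any other
// tag runs, then call applyChoice() from the banner's accept/reject buttons.
//   var consent = createConsentController({ measurementId: "G-XXXXXXXXXX" });
//   acceptButton.onclick = function () {
//     consent.applyChoice({ analytics: true, marketing: false });
//   };
```

With this gate in place the pre-consent cookie check in the audit step passes by construction, because the script that would write _ga cookies is never requested until analytics consent exists; the same applies when the user rejects, since nothing is loaded at all. In Google Tag Manager the checklist achieves the same effect through the GA4 tag's consent configuration rather than code, but the signal names are identical, and the browser check described in the audit step is still the way to prove the gate actually holds.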


The Bottom Line

Google Analytics requires cookie consent under GDPR. This is not a grey area — it's the consistent position of multiple EU data protection authorities backed by formal enforcement action, and it applies to GA4 just as it applied to Universal Analytics before it.

The good news is that a compliant Google Analytics setup is achievable without enormous complexity. A properly configured CMP with Consent Mode v2 integration, GA tags that fire only after consent is granted, and accurate cookie policy disclosure gets you to a defensible position. If consent friction is a concern, privacy-first analytics alternatives like Plausible or Fathom provide a genuinely good option that sidesteps the consent requirement entirely.

The place to start is an audit of your current setup. Open your website in an incognito window, load your browser's developer tools, and check the Application tab for cookies before you interact with any consent banner. If you see _ga or _ga_[ID] cookies already present — before you've clicked anything — your GA implementation is non-compliant and you're collecting personal data without consent. That's the violation regulators look for first, and it's the one that's easiest to fix.
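The cookie check just described, as an added example that is not from the article or from any tool it names: a small parser for the string document.cookie returns, with the Google Analytics cookie names matched by pattern (_ga, the GA4 per-property _ga_<suffix> cookie, plus the Universal Analytics _gid and _gat cookies). The two sample cookie strings are constructed for the example.

```javascript
// Added example (not from the article or any tool it names): parse a
// cookie string as returned by document.cookie and report any Google
// Analytics cookies present before consent. Cookie values are constructed.

// Names Google Analytics writes. _ga_<SUFFIX> is the GA4 per-property
// cookie, where SUFFIX is the measurement id without the "G-" prefix.
// _gid and _gat are older Universal Analytics cookies, kept for completeness.
const GA_COOKIE_PATTERNS = [
  /^_ga$/,
  /^_ga_[A-Z0-9]+$/,
  /^_gid$/,
  /^_gat(_[A-Za-z0-9_]+)?$/,
];

// document.cookie looks like "name=value; name2=value2"; a value may itself
// contain "=", so split each pair on the first "=" only.
function parseCookies(cookieString) {
  return cookieString
    .split(";")
    .map(function (part) { return part.trim(); })
    .filter(function (part) { return part.length > 0; })
    .map(function (part) {
      const eq = part.indexOf("=");
      return eq === -1
        ? { name: part, value: "" }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

function isGaCookie(name) {
  return GA_COOKIE_PATTERNS.some(function (re) { return re.test(name); });
}

// Run this on the cookie string captured *before* interacting with the
// banner. Any GA cookie at that point means tracking started without consent.
function auditPreConsent(cookieString) {
  const gaCookies = parseCookies(cookieString)
    .map(function (c) { return c.name; })
    .filter(isGaCookie);
  return {
    compliant: gaCookies.length === 0,
    gaCookies: gaCookies,
    finding: gaCookies.length === 0
      ? "no Google Analytics cookies before consent"
      : "Google Analytics cookies set before consent: " + gaCookies.join(", "),
  };
}

// Constructed samples: a clean pre-consent state and a non-compliant one.
const SAMPLE_CLEAN = "sessionid=3f9a2c; cookie_consent=pending";
const SAMPLE_NONCOMPLIANT =
  "sessionid=3f9a2c; _ga=GA1.1.1234567890.1700000000; " +
  "_ga_ABC123DEF4=GS1.1.1700000000.1.1.1700000100.0.0.0; cookie_consent=pending";

// In the browser console of a fresh incognito window, before clicking anything:
//   auditPreConsent(document.cookie)
```

Run auditPreConsent(document.cookie) in the console of a fresh incognito window before touching the banner; it reads the same cookies the Application tab shows. GA cookies are written by client-side JavaScript, so they are visible to document.cookie (only cookies flagged HttpOnly are hidden from it, and GA's are not). A non-empty gaCookies list at that point is the finding described above. Repeat the check after clicking reject to confirm that declining really keeps the cookies out, and once more after accepting to confirm the tag then fires.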

And if cookie consent violations result in a data breach or regulatory fine, having proper GDPR insurance coverage from providers like Hiscox, Chubb, Coalition, Beazley, or AXA can protect your business from the financial consequences of non-compliance.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. GDPR requirements and regulatory guidance evolve regularly — always verify current requirements with a qualified legal or compliance professional. Regulatory rulings referenced are based on publicly available enforcement information accurate as of the publication date.
