How to Make Google Analytics GDPR Compliant in 2026

Step-by-step guide to make GA4 GDPR compliant. Learn IP anonymization, Consent Mode v2, DPA setup, and cookieless tracking for privacy-first analytics.

Flat-lay conceptual still-life showing GDPR compliance documentation for Google Analytics: a Data Processing Agreement document with visible

, -

How to Make Google Analytics GDPR Compliant in 2026 (Step-by-Step)

Why GA4 Is Not GDPR Compliant Out of the Box

Installing GA4 and leaving it at default settings puts you in violation of GDPR before a single visitor arrives. The tool collects personal data at scale, ships it to US-based servers, and does all of this without any built-in mechanism to capture user agreement first. Every step in this guide exists because of the structural problems we cover here.

What Personal Data GA4 Collects by Default

GA4 is far more data-hungry than most people realize. By default, it collects IP addresses, user agents, device identifiers, and persistent user IDs, all of which qualify as personal data under GDPR Article 4. On top of those identifiers, GA4 stores client IDs, session-level behavioral data, traffic sources, and device characteristics, assembling a detailed profile of each visitor across sessions.

The persistent user ID piece is especially significant. It means GA4 can recognize returning visitors and stitch together their behavior over time. That is precisely the kind of processing that requires a clear legal basis under GDPR.

The Cross-Border Data Transfer Problem

Minimizing local data collection still leaves you with a second challenge: where that data actually goes. GA4 sends information to Google's US-based infrastructure, and multiple EU supervisory authorities, including the Austrian DSB, the French CNIL, and the Italian Garante, have ruled these transfers unlawful under Chapter V of GDPR.

The EU-US Data Privacy Framework, adopted in July 2023, created a new legal transfer mechanism and Google certified under it. Compliance obligations shrink but do not disappear. Some authorities still flag residual risk tied to US surveillance law, and the DPF itself faces ongoing legal challenges.

Ignoring all of this carries real financial exposure. Non-compliance can trigger fines of up to 4% of global annual turnover under GDPR Article 83. That number concentrates the mind quickly for any organization of meaningful size.

What You Need Before You Start

Before touching a single GA4 setting, gather the right tools and permissions. Rushing past this preparation stage is one of the fastest ways to end up with a configuration that looks compliant on the surface but falls apart under scrutiny.

Here is what you need in place:

  • Admin access to your GA4 property and your Google Tag Manager (GTM) account. Without editor-level permissions, you cannot make the changes that matter.
  • A signed Data Processing Agreement (DPA) with Google. A DPA is required under GDPR Article 28 whenever you share personal data with a processor, and Google is your data processor for GA4. Find it under GA4 Admin > Account Settings > Data Processing Amendment.
  • A Consent Management Platform (CMP) compatible with Consent Mode v2. Options like Cookiebot, Axeptio, and Usercentrics all support the required signal architecture. Your CMP must pass user choices to GTM before any GA4 tag fires.
  • An accurate, published Privacy Policy. GDPR Articles 13 and 14 require transparent disclosure of what data you collect, the legal basis, and which third parties receive it. GA4 must be named explicitly.
  • A record of processing activities (ROPA) entry for analytics. This supports the accountability principle under GDPR Article 5(2) and gives your legal team a clear audit trail.

Get these five elements ready before you change anything inside GA4. The steps that follow build directly on this foundation.

Step 1: Sign the Data Processing Agreement with Google

Signing a Data Processing Agreement (DPA) with Google is the first concrete action you must take. There is no skipping this one. A DPA is required under GDPR Article 28 whenever you share personal data with a processor, and Google acts as a data processor when it handles GA4 data on your behalf. Without this agreement in place, every data transfer you make to Google is a GDPR violation, regardless of every other setting you configure.

Finding and accepting the DPA is straightforward. Go to GA4 Admin, open Account Settings, then locate the Data Processing Amendment and accept it. The process takes only a few minutes. Once accepted, record the exact date and store it alongside your compliance documentation. This record supports your accountability obligations under GDPR Article 5(2).

A common misconception is that signing the DPA resolves your compliance picture. Signing it does not get you to the finish line. Think of the DPA as a prerequisite that opens the door to compliance, a necessary foundation rather than the structure itself. Google still receives personal data after you sign; the DPA simply establishes the legal framework governing how that data is handled.

Also verify that the account completing this step holds admin-level access, since a signature from a user without correct permissions will not be valid for your records. The acceptance must be completed by an account administrator. Treat this step as your compliance baseline and build every subsequent configuration on top of it.

Step 2: Enable IP Anonymization in GA4

GA4 anonymizes IP addresses by default at the collection layer, which is an improvement over Universal Analytics where you had to switch this on manually. That said, you still need to verify the setting is active and has not been overridden by a custom configuration somewhere in your implementation.

GA4 anonymizes IPs by removing the last octet of IPv4 addresses before storage, meaning an address like 192.168.1.100 becomes 192.168.1.0 by the time it reaches Google's servers. This reduces personal data exposure at the infrastructure level. To confirm the setting is in place, go to Admin, then Data Settings, and review any active data filters or custom dimensions that might be piping raw IP data elsewhere in your stack.

IP anonymization is just one safeguard inside a much larger compliance picture, and treating it as sufficient is a mistake we see regularly. GA4 also collects client identifiers, user agents, device data, and behavioral signals by default, none of which are addressed by anonymizing the IP alone.

Once you have confirmed the setting, document it in your Record of Processing Activities (ROPA) as a technical safeguard under your analytics processing entry. Regulators expect demonstrable accountability. A ROPA that references specific controls carries real weight if your practices are ever reviewed. Consider this step a required foundation, with more work still ahead.

Step 3: Configure Google Consent Mode v2

Honestly, this is where most implementations either hold together or quietly break down. Consent Mode v2 is the mechanism that tells GA4 how to behave based on what a user chooses in your consent interface. It became mandatory for EU/EEA visitors as of March 2024 under Google's Digital Markets Act compliance requirements, meaning any GA4 setup without it is already behind. Getting this right is one of the most consequential steps in the entire process.

At its core, Consent Mode v2 works by passing four signals to Google: analytics_storage, ad_storage, ad_user_data, and ad_personalization. The two new parameters, `ad_user_data` and `ad_personalization`, were introduced in v2 on top of the original pair, giving you finer control over how GA4 handles advertising-related data separately from analytics data. Each signal can be set to granted or denied depending on what the user selected.

When a user declines, GA4 does not simply go silent. It fires in a reduced, cookieless ping mode, collecting aggregated behavioral signals that feed into Google's conversion modeling. No individual is identified; the data contributes only to statistical estimates. This means you still recover some measurement value, even from users who decline, without processing their personal data in an identifiable way.

Basic Mode vs. Advanced Consent Mode

The difference between these two modes matters more than most teams realize.

Basic mode withholds all GA4 tags until the user grants consent. No data flows before a choice is made, and no cookieless pings are sent on denial. It is simpler to implement but produces gaps in your data that modeling cannot fill.

Advanced mode fires GA4 immediately on page load with consent signals pre-set to denied. If the user declines, GA4 sends those aggregated, non-identified pings for modeling purposes. If the user grants consent, full measurement resumes. Advanced mode is the recommended path for teams that want richer modeled data and more accurate reporting across their EU audience.

The tradeoff is implementation complexity. Advanced mode requires your Consent Management Platform to initialize the consent state before the GA4 tag fires, which demands careful sequencing in your tag setup.

Implementing via Google Tag Manager

Your CMP and Google Tag Manager need to work in a specific order. The CMP must load first, set the default consent state (all signals to denied for EU visitors), and then pass updated signals to GTM once the user makes a choice.

In GTM, you configure a Consent Initialization trigger that fires before all other tags. Your GA4 Configuration tag then listens to the analytics_storage signal before activating. Most major CMP providers (Cookiebot, Axeptio, Usercentrics) publish GTM templates that handle this sequencing automatically. Use those templates rather than building the integration from scratch. Manual implementations frequently fire tags in the wrong order, which defeats the purpose entirely.

Test your setup using GTM's Preview mode alongside your browser's network inspector. Confirm that GA4 does not fire before the CMP has rendered and that the correct signals are being passed with each user choice.

Step 4: Adjust Data Retention and Minimize Collection

Data minimization is not optional under GDPR. It is a core obligation. GDPR Article 5(1)(e) requires both data minimization and storage limitation, and GA4's default retention period of 14 months almost certainly exceeds what most analytics use cases actually need. Reducing that window, and cutting off unnecessary data flows, is one of the most direct ways to shrink your compliance exposure.

Shorten Your Retention Period

Go to Admin > Data Settings > Data Retention. You will see a dropdown that lets you set the period anywhere from 2 months up to the default 14 months. Pick the shortest window that still supports your regular reporting cycles. If you run monthly performance reviews and rarely look at year-over-year trends inside GA4 itself, two months is a defensible choice. Document whatever you select in your record of processing activities, along with a brief justification for the period chosen.

Disable Google Signals

This is the setting most teams overlook. Google Signals links GA4 data to signed-in Google accounts, building richer personal profiles across devices and sessions. Unless you have a specific, documented need for cross-device reporting, it should be off. Find it under Admin > Data Settings > Data Collection and toggle Google Signals off.

Cut Unnecessary Data Sharing

Head to Admin > Account Settings > Data Sharing Settings. By default, GA4 may share data with Google products and services for benchmarking and product improvement. Uncheck those options unless you have a clear legal basis and user disclosure for each one.

Review whether you have demographic and interest reports enabled. These rely on third-party signals that introduce additional personal data into your property. If your reporting does not depend on them, disabling them is a clean way to support your data-driven decisions without accumulating data you do not need.

Step 5: Update Your Privacy Policy and User Disclosures

Updating your privacy policy is not optional paperwork. It is a core legal requirement that must happen before you re-enable GA4 data collection. GDPR Articles 13 and 14 require transparent disclosure of what data you collect, the purpose, the legal basis, and every party who receives that data. If your policy does not reflect your current GA4 setup, you are non-compliant regardless of how well you have configured every other step.

Here is what the updated policy must cover:

  • Named processor: Identify Google LLC, or Google Ireland Limited for EEA-based entities, as a data processor and link directly to Google's privacy policy.
  • Legal basis for analytics: State clearly whether you are relying on legitimate interests or user consent, and make sure this matches your CMP configuration exactly.
  • International data transfers: Include a dedicated section referencing the EU-US Data Privacy Framework as the transfer mechanism, if applicable, along with any residual risks you have assessed.
  • Data categories collected: Describe the behavioral and technical data GA4 processes, such as page views, device information, and traffic sources.

One area teams frequently overlook is consistency. If your CMP is configured to request consent for analytics, but your privacy policy states legitimate interests as the legal basis, that conflict is itself a violation. Google's own guidance places compliance responsibility squarely on the customer, so regulators will look to your policy as the primary accountability document. Review it, publish it, then switch GA4 back on.

Is GA4 Fully GDPR Compliant Even After These Steps?

Completing all five steps significantly reduces your legal exposure, but it does not eliminate every risk. Several EU data protection authorities still maintain that GA4 transfers carry residual concern, and the legal landscape continues to shift.

The core issue is straightforward: Google LLC is a US company, subject to US law. Under FISA Section 702, US intelligence agencies can compel Google to disclose data about non-US persons, including EU users. No contractual arrangement between you and Google overrides that statutory authority. This is why multiple EU supervisory authorities, including the Austrian DSB, French CNIL, and Italian Garante, ruled GA4 data transfers unlawful in the 2021 to 2022 period, even when organizations had taken reasonable configuration steps.

The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides a formal adequacy decision that changes the legal transfer analysis. Google certified under the DPF on the day it took effect. This gives organizations a recognized legal mechanism for the transfer. The DPF has already been challenged in the European Parliament, however, and privacy advocates have signaled they will pursue legal annulment in the Court of Justice of the EU, much as the previous Safe Harbor and Privacy Shield arrangements were struck down. Its long-term durability is genuinely contested.

So where does that leave you? Practical compliance is achievable. Running through our step-by-step process, signing the Data Processing Agreement, configuring Consent Mode v2, reducing data retention, and disabling Google Signals all demonstrate good-faith accountability. Under GDPR Article 5(1)(e), data minimization and storage limitation are themselves legal obligations, and meeting them is documented evidence that you take compliance seriously. That documentation matters: GDPR Article 5(2) places the burden of demonstrating compliance on the controller, and a clear compliance record is your strongest defense in any supervisory authority inquiry.

Organizations operating in healthcare, finance, or the public sector face a harder calculation. For them, the residual transfer risk may be unacceptable regardless of configurations, and a Privacy-first analytics alternative deserves serious evaluation.

When Should You Consider a Privacy-First Analytics Alternative?

If your legal team views the EU-US Data Privacy Framework risk as unacceptable, switching to a GDPR-compliant analytics tool removes the cross-border transfer problem entirely. This is especially true if your audience skews heavily EU-based, where every GA4 pageview carries a degree of regulatory exposure that configuration alone cannot fully eliminate.

Look, the honest answer is this: for many organizations, the steps in this guide bring GA4 to a workable compliance posture. For others, the residual risk simply does not fit their industry or risk appetite.

Litlyx as a GDPR-Compliant GA4 Alternative

Cookieless tracking tools that collect no personal data by design sidestep the consent banner problem entirely. When your analytics platform stores no IP addresses, no persistent user IDs, and no device fingerprints, there is no personal data to regulate under GDPR Article 4. Users see no interruption. You see no drop in data quality caused by banner friction.

Litlyx is built on exactly this model. It is a Privacy-first analytics platform that is fully EU-hosted and GDPR-compliant, collecting no personal information at the collection layer. No IPs stored, no third-party data sharing, no behavioral profiles linked to identifiable individuals. You get user-friendly insights and real-time reporting without asking users for anything. For teams that need developer API access, Litlyx provides that too, making data-driven decisions accessible without the compliance overhead GA4 requires.

When evaluating any GA4 alternative, check these criteria:

  • Data residency: Is data stored on EU servers?
  • Personal data scope: Does the tool store IPs, user IDs, or persistent identifiers?
  • Consent requirement: Does the tool require a banner to remain GDPR-compliant?
  • Real-time reporting: Are insights available immediately?
  • Developer access: Is there an API for custom integrations?

Hybrid Analytics Architecture

A hybrid approach works well for teams that still need GA4 for Google Ads conversion modeling. Keep GA4 active with Consent Mode v2 configured and fire it only with valid user consent. Run a privacy-first tool like Litlyx in parallel for core site analytics, capturing the full picture of your traffic without any consent dependency. This way, your paid media reporting stays intact while your baseline analytics remain clean, compliant, and complete.

Common Mistakes That Leave You Non-Compliant

Even after following every configuration step, a handful of recurring mistakes can quietly undo your compliance work. These are the errors we see most often, and each one creates real legal exposure under GDPR.

Firing the GA4 tag before the CMP loads. If your GA4 tag fires before a user has interacted with your consent interface, you are collecting data without a valid legal basis. This is arguably the most damaging mistake because it happens on every single page load for every new visitor. Your tag manager setup must block the GA4 tag until the CMP has both loaded and received explicit user input.

Assuming Basic Consent Mode equals full compliance. Basic mode is a starting point, not a finish line. When a user declines, Basic mode can still fire limited pings that some data protection authorities interpret as processing personal data. Consent Mode v2 introduces parameters like ad_user_data and ad_personalization precisely because the signal structure matters, and Basic mode does not give you the same coverage as Advanced mode.

Forgetting to disable Google Signals. This one slips through constantly. Google Signals links GA4 data to signed-in Google accounts, creating richer personal profiles that most site owners never intended to build. If you do not need cross-device reporting, turn it off in Admin > Data Settings > Data Collection.

Signing the DPA without updating your Privacy Policy. Both are required. GDPR Article 13 demands transparent disclosure of your data processors, your legal basis, and your transfer mechanisms. The DPA covers your relationship with Google; the Privacy Policy covers your obligation to users.

Treating compliance as a one-time task. GA4 evolves. New features, new data collection defaults, and shifting regulatory interpretations mean a configuration that was solid six months ago may have gaps today. Schedule a quarterly review, check your settings against any new supervisory authority guidance, and document each review in your compliance records., -

Frequently asked questions

Is Google Analytics 4 GDPR compliant by default?

No. GA4 collects personal data (IP addresses, user IDs, device identifiers) by default and sends it to US servers without built-in consent mechanisms. Multiple EU authorities have ruled these transfers unlawful under GDPR Chapter V. Compliance requires signing a Data Processing Agreement, implementing Consent Mode v2, IP anonymization, and obtaining explicit user consent before tracking. Default settings violate GDPR Article 28 and Article 5 accountability principles.

Do I need a consent banner to use GA4 in the EU?

Yes. GDPR requires explicit consent before collecting personal data for analytics. A consent banner must clearly disclose that GA4 collects IP addresses, user IDs, and behavioral data, explain the legal basis, and allow users to opt out. The banner must fire before any GA4 tag loads. Without it, you're processing personal data without lawful basis, risking fines up to 4% of global annual turnover.

What is Consent Mode v2 and is it mandatory?

Consent Mode v2 is Google's framework for passing user consent signals from your Consent Management Platform (CMP) to Google Tag Manager before GA4 fires. It distinguishes between analytics_storage (tracking consent) and ad_storage (advertising consent). While not legally mandatory, it's the industry standard for EU compliance. Without it, GA4 fires regardless of user choice, violating GDPR. Implement via CMP integration with GTM.

Does IP anonymization in GA4 make it GDPR compliant?

IP anonymization alone does not ensure compliance. GA4 still collects user IDs, device identifiers, and behavioral data—all personal data under GDPR. Anonymization of one data point doesn't address the broader processing. You still need: a signed DPA with Google, explicit user consent, a privacy policy disclosing GA4, and Consent Mode v2. IP anonymization is one necessary step, not a complete solution.

What happens to GA4 data when a user declines consent?

If you implement Consent Mode v2 correctly, GA4 should not fire when a user declines analytics consent. Google Tag Manager receives the consent signal from your CMP and blocks the GA4 tag from loading. No data is sent to Google. However, if your implementation is misconfigured, GA4 may still fire despite declined consent—a violation. Verify your GTM triggers respect consent signals before tag execution.

Is the EU-US Data Privacy Framework enough to make GA4 legal in Europe?

The DPF provides a legal transfer mechanism for GA4 data to US servers, but it's not sufficient alone. You still need: explicit user consent, a signed DPA, IP anonymization, and Consent Mode v2. Some EU authorities flag residual risks tied to US surveillance law, and the DPF faces ongoing legal challenges. The DPF addresses the cross-border transfer problem but doesn't resolve consent or data minimization requirements.

Can I use Google Analytics without storing personal data?

Not fully. GA4 automatically collects IP addresses and creates persistent user IDs—both personal data under GDPR. You can minimize collection by: anonymizing IPs (GA4 does this by default), disabling user ID tracking, excluding sensitive parameters, and using aggregated reporting. However, some personal data collection is unavoidable. To avoid personal data entirely, consider privacy-focused alternatives like Plausible or Fathom that don't require consent.

What are the fines for using non-compliant Google Analytics?

GDPR fines reach up to €20 million or 4% of global annual turnover—whichever is higher—for violations like processing without consent or lacking a DPA. Smaller violations (transparency, documentation failures) carry fines up to €10 million or 2% of turnover. Multiple EU authorities have issued warnings and fines against organizations using GA4 without proper consent. Compliance is far cheaper than enforcement action.

How does Litlyx compare to Google Analytics for GDPR compliance?

Litlyx is a privacy-first analytics tool that doesn't require consent because it doesn't collect personal data—no IP addresses, no persistent user IDs, no cross-site tracking. GA4 requires consent, a DPA, IP anonymization, and Consent Mode v2 to comply. Litlyx is simpler for GDPR but offers fewer features than GA4. Choose based on your compliance priorities and feature needs; both can be GDPR-compliant with proper setup.

How often should I review my GA4 GDPR configuration?

Review your GA4 setup at least quarterly or whenever: your privacy policy changes, you add new tracking parameters, your CMP updates, Google releases new features, or regulatory guidance shifts. After initial setup, a quarterly audit ensures Consent Mode v2 still fires correctly, the DPA remains valid, and no new personal data collection has been enabled. Document each review for accountability under GDPR Article 5(2).

What should be in my Privacy Policy regarding GA4?

Your Privacy Policy must disclose: GA4 is used for analytics, what personal data it collects (IP addresses, user IDs, device info, behavior), the legal basis (explicit consent), how long data is retained, that Google is a data processor, that data transfers to the US under the DPF, and users' rights (access, deletion, opt-out). Link to Google's privacy policy and explain how users can withdraw consent. GDPR Articles 13-14 require this transparency.

Do I need a Data Processing Agreement with Google for GA4?

Yes. GDPR Article 28 requires a DPA whenever you share personal data with a processor. Google processes GA4 data on your behalf, making it your processor. Sign Google's Data Processing Amendment in GA4 Admin > Account Settings. Without a signed DPA, every data transfer to Google is a GDPR violation. Record the acceptance date for your compliance documentation and accountability records.