Google Analytics GDPR Compliance: How to Ensure It in Europe

The rules of the data privacy game have shifted rapidly, affecting the ability of European businesses to accurately evaluate their performance and assess their marketing efforts. With the prohibitions that have emerged, the usual ways of working are no longer possible, resulting in the loss of valuable data that will never be recovered.

The tremendous change in digital analytics began with a ban on using Google Analytics in some European countries and culminated in the EU-U.S. Data Privacy Framework (DPF), formally adopted on July 10, 2023. According to recent decisions by European data protection authorities, including the Norwegian Data Protection Authority, and guidance from the European Data Protection Supervisor, Google Analytics has been declared non-compliant with GDPR by multiple Data Protection Authorities (DPAs), such as those of Austria, France, Italy, Norway, and Denmark.

Data protection authorities (DPAs) play an important role in enforcing GDPR compliance and issuing rulings on such matters. Several DPAs interpret GA data transfers to the US as a potential breach of Chapter V when Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs) are deemed inadequate. This has been particularly challenging for European businesses, which have been confronting a crisis due to the challenges of transferring personal data to the US.

The Norwegian Data Protection Authority also issued a final decision in January 2025 and continues to influence other DPAs, including those of Austria and France. Additionally, a Data Processing Agreement is required as a legally binding contract between website operators and Google, clarifying responsibilities and ensuring GDPR compliance when processing user data.

March 2022 marked the announcement of a future deal; the real change arrived on 10 July 2023 when the DPF adequacy decision took effect.

Note: This article was originally published in April 2022 and has been updated in July 2025 to reflect the latest GDPR rulings, compliant tracking options, and best practices for using Google Analytics legally in the EU.

Understanding Google Analytics Restrictions in Europe

Over the last couple of years, a lot of events have happened in the field of data privacy and Google Analytics. For European businesses, these changes in gathering and applying data have meant the end of the golden era of tuned-up, advanced marketing analytics. Limitations and prohibitions in data use make it impossible to apply established workflows. We’ve gathered and mapped out all the information we have to see how all these changes started and where we’re at now.

The NOYB Complaints and the Legal Fallout

In 2020, the non-profit organization NOYB filed 101 complaints against European Economic Area (EEA) websites that applied Google Analytics or Facebook Connect. After this, EEA data protection authorities started issuing rulings forcing EEA website operators to stop using these services on the grounds that they do not comply with the General Data Protection Regulation (GDPR).

The problem was in the method of applying Google Analytics in Europe, as it stores gathered data about EU residents (user behavior data) on a US-based cloud service. The sticking point was, and still is, that the safeguards taken by Google are insufficient at preventing US intelligence services from accessing the personal data of EU residents.

According to European data protection authorities, these overseas data transfers violate the GDPR. After the invalidation of the Privacy Shield, several European Data Protection Authorities ruled that the use of Google Analytics was noncompliant with the GDPR due to U.S. surveillance laws.

Mandatory Consent Mode v2 and GA4’s Legal Risks

When setting up your Google Analytics account, review its GDPR settings and, in particular, enable Google’s Consent Mode v2, which has been compulsory for sites receiving EEA traffic since March 2024. Consent Mode v2 passes two extra consent signals, ad_user_data and ad_personalization, allowing Google Analytics and Ads tags to honour a visitor’s GDPR choices while still modelling aggregated data.
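The consent signals described above can be wired to a cookie banner as follows. This is an added example, not code from the article or from Google: `createConsentManager` and the `{ analytics, ads }` banner shape are hypothetical names, while the `gtag('consent', ...)` commands and the four signal names are the standard Consent Mode v2 ones.

```javascript
// Added example: Consent Mode v2 wiring for a cookie banner.
// In a browser, pass window.dataLayer; it is a parameter here so the logic
// can also be exercised outside a browser.
const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

function createConsentManager(dataLayer) {
  // Same shape as the standard gtag() stub: it queues the arguments object.
  function gtag() { dataLayer.push(arguments); }

  // Fail closed: only a literal `true` from the banner counts as consent.
  const toState = (ok) => (ok === true ? 'granted' : 'denied');

  // Every signal starts as denied until the visitor decides.
  let state = Object.fromEntries(SIGNALS.map((name) => [name, 'denied']));

  // Must run before any Google tag loads, so nothing is stored pre-consent.
  function setDefaults() {
    gtag('consent', 'default', { ...state });
  }

  // choice is a hypothetical banner result: { analytics: boolean, ads: boolean }.
  function applyChoice(choice) {
    const analytics = toState(choice && choice.analytics);
    const ads = toState(choice && choice.ads);
    state = {
      ad_storage: ads,
      analytics_storage: analytics,
      ad_user_data: ads,          // v2 signal: sending user data to Google for ads
      ad_personalization: ads,    // v2 signal: personalised advertising
    };
    gtag('consent', 'update', { ...state });
    return { ...state };
  }

  // Withdrawal is the same update path as giving consent, with everything denied.
  function withdraw() {
    return applyChoice({ analytics: false, ads: false });
  }

  return { setDefaults, applyChoice, withdraw };
}

// Constructed walk-through: defaults, analytics-only consent, then withdrawal.
const demoLayer = [];
const banner = createConsentManager(demoLayer);
banner.setDefaults();
banner.applyChoice({ analytics: true, ads: false });
banner.withdraw();
```
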

By mid-2025, six national DPA enforcement cases against GA4 have been published, most recently in Norway (January 2025). The summary of these cases is that there is no adequate protection of EU residents’ data, along with illegal transfer of their data to US-based services. For example, unique user ID numbers, IP addresses, and browser parameters aren’t sufficiently protected by the standard protection clauses that Google offers.

Universal Analytics vs. GA4 – What’s Changed, What Hasn’t

Universal Analytics, the previous version of Google Analytics, relied heavily on cookies and data transfer practices that raised privacy concerns under GDPR. In contrast, Google Analytics 4 introduces updated privacy features and frameworks. Google Analytics 4 also introduced an event-based measurement model, unlike the session-based model of Universal Analytics.

GA4’s server‑side pathways and regional data hosting controls still require Standard Contractual Clauses (SCCs) or Data Privacy Framework (DPF) participation to legalize any residual U.S. transfers.

Similar cases across other European countries could have a domino effect in suppressing the use of Google Analytics (and similar services). As there are already modeled responses and reactions to these complaints on violating data privacy, it’s possible that more European authorities will soon follow suit, resulting in a complete ban on Google Analytics (and other tools) in Europe.

To enhance compliance, businesses should also adjust data sharing settings in the Google Analytics admin panel to limit the sharing of user data with Google.

The EU–U.S. Data Privacy Framework (DPF): Adoption and Uncertainty

Then, on March 25th, 2022, after more than a year of negotiations, the US and EU announced an “agreement in principle” on a new legal framework for GDPR-compliant transfers of personal data from the EU to the United States.

The Trans-Atlantic Data Privacy Framework addresses concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020. It guarantees the highest standards of privacy and data protection. The EU-U.S. Data Privacy Framework was adopted by the European Commission in July 2023 to govern data transfers between the EU and the U.S.

In 2025, the European Data Protection Board published its first report, urging the Commission to re‑evaluate the adequacy decision within three years amid mounting court challenges.

Google LLC has been certified under the EU-U.S. Data Privacy Framework (DPF) since August 2023, but legal challenges to the DPF remain. Most details are now in force, but multiple NGOs (e.g., NOYB) have filed challenges; the Court of Justice of the European Union (CJEU) is expected to review the DPF’s validity by 2026.

Navigating a Fast-Changing Landscape as a Business

Nobody can predict the future, and as the digital landscape is fast-changing, businesses should be prepared to protect their data processing workflow.

What Problems Have Occurred?

Due to complaints by NOYB, many European Economic Area (EEA) data protection authorities want to force EEA website operators to stop using Google Analytics altogether. Those suffering from such decisions are European businesses that want to implement online technologies in order to grow their business revenue and improve their overall performance.

Right now, these businesses are in a weak position, as they’re waiting for the politically hot topic of international data transfers to be settled with some logical resolutions. Let’s not forget that despite data transfer issues, other dangerous risks to data privacy are present globally, such as cyberattacks and ransomware. In particular, the transfer of personally identifiable information (PII) raises significant privacy concerns, and businesses must take steps to protect this sensitive data.

At the moment, the problems that occur with the use of Google Analytics are as follows:

  • Websites that continue unlawful transfers face administrative fines up to €20 million or 4% of global turnover under Article 83 GDPR. Businesses must ensure they do not collect personal data without proper safeguards in place.
  • Without applying Google Analytics, marketers are afraid they won’t be able to evaluate their marketing performance.
  • To change their marketing analytics solution, businesses will spend lots on learning and implementing a new product.

Also, when businesses use analytics tools to collect user data, they need to make sure they’re following all privacy rules and regulations properly. It is also necessary to obtain consent from users before collecting or processing their data, especially to comply with GDPR and respect user rights.

Let’s see what can be done to solve these issues and how companies can avoid even bigger problems in the future.

Note: The NOYB project provides guidelines for companies. Especially for smaller EU companies that are not certain about US surveillance laws or whose US partner falls under these laws, there are free guidelines and model requests on the noyb.eu website.

Data Collection and Consent in Google Analytics

Website analytics runs on data collection. Tools like Google Analytics pick up things like IP addresses, cookies, device details, and how users move through a site, all to help businesses understand what’s working and what’s not. Under the General Data Protection Regulation (GDPR), processing this type of personal data requires explicit user consent.

Because Google Analytics uses non-essential cookies, website owners need to get user consent before collecting any data. This typically involves cookie banners and clear privacy policies that explain what data is being collected, how it’s used, and what rights users have under GDPR.

To support compliance, Google offers Consent Mode, which adjusts how data is collected based on user permissions. If a user doesn’t give consent, data collection is limited, allowing businesses to respect privacy choices while still getting basic, aggregated insights.

Ultimately, securing informed and explicit consent isn’t just about legal compliance; it’s essential for maintaining user trust and using Google Analytics responsibly.

Steps To Save Your Marketing Analytics

For many businesses, the current legal landscape feels disruptive and undermines long-standing workflows. However, by choosing analytics tools carefully and configuring them correctly, you can continue to access critical marketing insights while staying compliant with privacy laws like GDPR.

When selecting a web analytics solution, it’s essential to ensure it supports privacy features and complies with GDPR. Even with Google Analytics, it’s possible to remain compliant—provided you make the necessary adjustments to data collection and consent settings.

Here’s how to maintain effective analytics while meeting legal requirements:

  1. Choose a GDPR-compliant analytics tool that supports user consent, data anonymisation, and privacy-first tracking methods.
  2. Disable advertising features in Google Analytics to limit data sharing and prevent behavioural profiling.
  3. Respect user consent for Google Ads by configuring consent preferences in line with GDPR and using Consent Mode v2.
  4. Review and adjust key GA4 settings to limit data retention, anonymise IP addresses, and reduce personal data exposure.
  5. Document your compliance steps to demonstrate that your analytics implementation respects both user privacy and legal obligations.

How to keep using Google Analytics with explicit user consent

First of all, we should start by mentioning that Google Analytics can be implemented in two ways. Accordingly, the way it’s implemented influences its compliance with the GDPR. The two methods are:

  1. Client-side mode: involves loading Google Analytics and tags directly in the user's browser. If you do this, just be sure those tags are configured to respect user consent and privacy settings to stay compliant with GDPR.
  2. Server-side mode: routes data through your own server before forwarding it to Google Analytics. This offers more control, including IP address anonymization and consent-based data sharing.

Remember, Google acts as a data processor under GDPR. You must set appropriate data retention periods and avoid storing IP addresses unnecessarily.

Also, update your privacy and cookie policy to list all tracking technologies and explain your analytics GDPR compliance measures.

Client-side mode

Figure: Client-side tagging process, where website tags collect and send data directly to marketing and analytics platforms. Source: Google Marketing Platform.

Usually, websites apply the client-side mode, which means using JavaScript code on the website’s pages, setting cookies (including Google Analytics cookies), generating client IDs, and transferring the obtained data to Google Analytics for producing the website’s statistics. Client-side tagging works by collecting data through event-based tracking, allowing website owners to monitor user interactions while maintaining control over data collection and retention.

Let’s see what steps should be taken when using Google Analytics in client-side mode. There are both technical and legal things to check to ensure compliance with the GDPR.

  1. Start with proper user consent. You should inform users that their data (device information, tracking IDs, IP addresses, etc.) will not only be gathered but also transferred to US-based services. Moreover, it should be stated that users can withdraw their consent at any time. It is essential to obtain valid user consent before activating analytics tracking or setting Google Analytics cookies.
  2. Implement IP anonymization. (For Google Analytics 4 properties, IP anonymization is enabled by default.)
  3. Check that both the data sharing option and the signals option in Google Analytics are deactivated.
  4. If you’re using proprietary User IDs, ensure there’s no permission for user identification.

Such data collected through Google Analytics, after obtaining valid user consent, can be used for analytics, advertising, and remarketing purposes, provided all GDPR requirements are met.

Don’t forget to check the current legal status. Check all contracts you sign, as all contracts signed by companies in the EMEA region should be concluded with Google Ireland Limited and not Google LLC. Then, check the TIA covering data transfer between Google Ireland Limited and Google LLC.

Server-side mode

Figure: Server-side tagging, where data is collected on the advertiser's server before being securely processed and shared with platforms. Source: Google Marketing Platform.

The second variant is implementing a server-side mode. It’s more discreet, as this mode allows you to move tags off the website (both advertising and measurement) and transfer them to a secure server container. Server-side tracking lets you capture detailed user interactions while still keeping privacy protections in place. It gives you richer analytics without compromising user trust.

With server-side tracking, users’ IP addresses are automatically anonymized in your own server-side container before you relay any event data to Google. The browser never contacts Google directly; instead, your server forwards pseudonymized events to GA4 using the Measurement Protocol. This setup keeps first-party cookies on your domain, reduces exposure to ad-blockers, and gives you tighter control over what data ultimately reaches Google’s servers.
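The forwarding step described above, as an added Node.js example that is not the article's or Google's code. `buildGa4Payload`, the shape of the incoming hit, the parameter allowlist and the secret are assumptions; the payload fields (`client_id`, `consent`, `events`) follow the GA4 Measurement Protocol, and the block only builds the payload rather than sending it.

```javascript
// Added example: what a server-side container lets through to GA4.
const nodeCrypto = require('crypto');

// Allowlist (assumed): only these event parameters may leave the server.
const ALLOWED_PARAMS = new Set(['page_location', 'page_title', 'value', 'currency']);

// Keyed hash, so the raw browser identifier never reaches Google and cannot
// be recomputed by anyone who does not hold the server-side secret.
function pseudonymize(clientId, secret) {
  return nodeCrypto.createHmac('sha256', secret)
    .update(String(clientId)).digest('hex').slice(0, 32);
}

// Query strings and fragments often carry e-mail addresses or tokens.
function stripQuery(url) {
  try {
    const parsed = new URL(url);
    return parsed.origin + parsed.pathname;
  } catch (err) {
    return undefined; // unparseable URL: drop it rather than forward it
  }
}

// hit: { ip, userAgent, clientId, name, params } as received from the browser.
// consent: the visitor's Consent Mode state ('granted' / 'denied' per signal).
function buildGa4Payload(hit, consent, secret) {
  // No analytics consent means nothing is forwarded at all.
  if (!consent || consent.analytics_storage !== 'granted') return null;

  const params = {};
  for (const [key, value] of Object.entries(hit.params || {})) {
    if (!ALLOWED_PARAMS.has(key)) continue;
    params[key] = key === 'page_location' ? stripQuery(value) : value;
  }

  // hit.ip and hit.userAgent are deliberately never copied into the payload.
  const flag = (state) => (state === 'granted' ? 'GRANTED' : 'DENIED');
  return {
    client_id: pseudonymize(hit.clientId, secret),
    consent: {
      ad_user_data: flag(consent.ad_user_data),
      ad_personalization: flag(consent.ad_personalization),
    },
    events: [{ name: hit.name, params }],
  };
}

// Constructed sample hit; the IP is from a documentation range.
const sampleHit = {
  ip: '203.0.113.27',
  userAgent: 'Mozilla/5.0 (constructed)',
  clientId: '1234567890.1700000000',
  name: 'page_view',
  params: {
    page_location: 'https://shop.example/checkout?email=jane%40example.com',
    page_title: 'Checkout',
    email: 'jane@example.com',
  },
};
```

The returned object is the JSON body you would POST to the Measurement Protocol `/mp/collect` endpoint with your own `measurement_id` and `api_secret`; a `null` result means the hit must be discarded.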

You can also tweak your data sharing settings to keep exposure to a minimum and strengthen your privacy safeguards. Server-side tracking also offers the flexibility to enable more granular user interactions, allowing for a deeper understanding of user behavior across devices and platforms.

Managing Data Retention and Deletion in Google Analytics for GDPR Compliance

Controlling how long you store analytics data is essential for GDPR compliance. Google Analytics allows website owners to customise data retention settings to align with internal privacy policies and regulatory requirements.

By default, user and event data are stored for 26 months. However, businesses can reduce this period to 14 months or less to better support data minimisation principles under GDPR. Regularly reviewing your data retention settings helps lower risk by ensuring personal data isn't stored longer than necessary. It’s not just about legal compliance—it’s also about building user trust and reducing your exposure. In addition to managing data retention, GDPR gives users the right to request deletion of their personal information. Google Analytics includes a built-in feature for deleting individual user data when requested.

Here’s how to stay compliant by managing data retention and deletion in Google Analytics:

  • Customise data retention settings to match your company’s privacy policy—choose shorter durations like 14 months or less.
  • Review and update retention policies regularly to ensure they remain aligned with GDPR and current business needs.
  • Minimise stored data by only keeping what’s necessary for essential reporting and analysis.
  • Use Google’s user data deletion feature to erase specific user information upon request in a GDPR-compliant manner.
  • Implement a clear request-handling process to ensure personal data can be deleted promptly when users exercise their rights.
  • Demonstrate your commitment to privacy by actively managing data retention and honouring data deletion requests as required by law.

More ways of implementing marketing analytics and data collection (without Google Analytics)

Though many businesses may be under the impression that no Google Analytics means no analytics at all, that’s not true. There are other ways to implement advanced marketing analytics, and the OWOX BI team provides safe solutions for both collecting and storing data, including features to handle user requests related to data privacy and access.

OWOX BI

OWOX BI is a marketing analytics solution that automates the delivery of data from siloed sources to your analytics destination, ensuring your data is always accurate and up to date.

Among the main advantages of working with data using OWOX BI are the following:

  • All data is stored in Google BigQuery with full GDPR compliance. OWOX BI’s server-side tracking provides secure first-party data collection on your personal domain. The tracking process is compliant with Schrems II and the GDPR, and supports processing data deletion requests to help you meet user privacy rights.
  • Familiar Google Analytics data schema. You get the well-known Google Analytics Universal data schema for hits and session transformation. It takes just a few minutes to easily set up tracking using your current Google Analytics settings.
  • High-quality data collection. Remain unaffected by ad blockers and get complete raw data with explainable quality. Collect each hit in your Google BigQuery EU storage in near-real time and without sampling.
  • Effective marketing and data analysis. In 2023, a significant portion of information about the effectiveness of advertising channels will no longer be available due to the demise of third-party cookies and reduced cookie lifetimes.

    You can minimize losses with OWOX BI server-side tracking, collect first-party data, and merge it with marketing data in your storage.

What are the steps you can take with OWOX BI to save your marketing analytics?

As most businesses prefer to ensure that both data collection and storage are happening in the EU region, OWOX BI avoids using Google Analytics. In detail, the OWOX BI data flow looks like this:

  1. Collect data from the website in the classic Google Analytics format. Since this data format is familiar, it’s possible to reuse thousands of existing SQL queries.
  2. Collect raw data into Google BigQuery storage in real time. The obtained data belongs to you and is stored in the EU zone you’ve selected. OWOX BI also enables you to respond to user requests for data access or data deletion, supporting your compliance with privacy regulations.

Figure: OWOX BI collects and stores website data in Google BigQuery within the EU for analytics and reporting.

To sum up, OWOX BI allows every marketer and analyst to continue their work and apply analytics solutions that satisfy the company’s legal department:

  • Ensure compliance with the GDPR while working with sensitive data, including the ability to process data deletion requests and manage user requests for privacy.
  • Avoid losing time and resources on reprocessing data or learning and adopting a new tech stack.
  • Keep your website’s existing markup, as both the implementation time and the time to value are really short.

Complying with the Digital Markets Act When Using Google Analytics

Digital Markets Act (DMA) rules came into full force for major tech platforms on March 7, 2024. Website owners using Google Analytics must now ensure stricter consent, transparency, and user privacy compliance under both DMA and GDPR.

To continue using Google Analytics lawfully in the European digital space, website operators need to ensure that personal data is collected transparently and only after users have given clear consent. The Digital Markets Act strengthens user rights and increases the responsibilities of platforms like Alphabet (Google), Meta, Apple, Amazon, ByteDance, and Microsoft.

For website owners, this means taking proactive steps to make data usage more transparent and consent more explicit. Google’s Consent Mode is one tool that can support this, allowing website behaviour tracking only after user permissions are received and adjusting tracking accordingly.

Here’s how website owners can ensure they comply with the DMA while using Google Analytics:

  • Use Google Consent Mode to manage how and when user data is collected based on the individual’s consent preferences.
  • Ensure full transparency by clearly communicating what data is being collected, why it's being collected, and how it will be used.
  • Request explicit user consent before processing any personal data and provide users with a simple, accessible way to give or decline consent.
  • Allow users to withdraw consent at any time, and make the process as straightforward as giving consent.
  • Align privacy practices with both DMA and GDPR by updating your cookie banners, privacy policies, and consent management flows to reflect current legal standards.

Key takeaways

To stay compliant with evolving EU–U.S. data transfer laws and preserve analytics capabilities, organisations must take proactive steps. Here's what you need to prioritise:

  • The Data Privacy Framework (DPF) offers an adequacy route, but its legal future is uncertain—organisations should prepare fallback options.
  • Implement SCCs and Transfer Impact Assessments (TIA) to strengthen data transfer legality beyond the DPF.
  • Secure explicit user consent with Consent Mode v2 to ensure full GDPR and DMA compliance when using tools like Google Analytics.
  • Consider EU-based alternatives like Matomo, Plausible, or OWOX BI to avoid cross-border data transfer complications entirely.
  • Evaluate server-side GA4 with EU-only storage as a privacy-preserving solution that still delivers key marketing insights.
  • Use GDPR-compliant tools like OWOX BI for server-side tracking, which ensure secure first-party data collection and reduce reliance on third-party cookies.
  • Act now, regardless of Schrems III outcomes, to protect your marketing infrastructure and minimise data exposure risks.
