The rules of the data privacy game have shifted rapidly, affecting the ability of European businesses to accurately evaluate their performance and assess their marketing efforts. With the prohibitions that have emerged, the usual ways of working are no longer possible, resulting in the loss of valuable data that will never be recovered.
The tremendous change in digital analytics began with a ban on using Google Analytics in some European countries and culminated in the EU-U.S. Data Privacy Framework (DPF), formally adopted on July 10, 2023. According to recent decisions by European data protection authorities, including the Norwegian Data Protection Authority, and guidance from the European Data Protection Supervisor, Google Analytics has been declared non‑compliant with GDPR by multiple Data Protection Authorities (DPAs), such as those of Austria, France, Italy, Norway, and Denmark.
Data protection authorities (DPAs) play an important role in enforcing GDPR compliance and issuing rulings on such matters. Several DPAs interpret GA data transfers to the US as a potential breach of GDPR Chapter V when Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs) are deemed inadequate. This has been particularly difficult for European businesses, which have been confronting a crisis over transferring personal data to the US.
The Norwegian Data Protection Authority also issued a final decision in January 2025 and continues to influence other DPAs, including Austria and France. Additionally, a Data Processing Agreement is required as a legally binding contract between website operators and Google, clarifying responsibilities and ensuring GDPR compliance when processing user data.
March 2022 marked the announcement of a future deal; the real change arrived on 10 July 2023 when the DPF adequacy decision took effect.
Note: This article was originally published in April 2022 and has been updated in July 2025 to reflect the latest GDPR rulings, compliant tracking options, and best practices for using Google Analytics legally in the EU.
Over the last couple of years, a lot has happened in the field of data privacy and Google Analytics. For European businesses, these changes in gathering and applying data have meant the end of the golden era of tuned-up, advanced marketing analytics. Limitations and prohibitions in data use make it impossible to apply established workflows. We’ve gathered and mapped out all the information we have to see how all these changes started and where we’re at now.
In 2020, the non-profit organization NOYB filed 101 complaints against European Economic Area (EEA) websites that applied Google Analytics or Facebook Connect. After this, EEA data protection authorities started issuing rulings forcing EEA website operators to stop using these services on the grounds that they do not comply with the General Data Protection Regulation (GDPR).
The problem was in the way Google Analytics was applied in Europe: it stores gathered data about EU residents (user behavior data) on a US-based cloud service. The sticking point was, and still is, that the safeguards taken by Google are insufficient to prevent US intelligence services from accessing the personal data of EU residents.
According to European data protection authorities, these overseas data transfers violate the GDPR. After the invalidation of the Privacy Shield, several European Data Protection Authorities ruled that the use of Google Analytics was noncompliant with the GDPR due to U.S. surveillance laws.
When setting up your Google Analytics account, review its GDPR settings. In particular, enable Google’s Consent Mode v2, which has been compulsory for sites receiving EEA traffic since March 2024. Consent Mode v2 passes two extra consent signals, ad_user_data and ad_personalization, allowing Google Analytics and Ads tags to honour a visitor’s GDPR choices while still modelling aggregated data.
As of mid-2025, six national DPA enforcement cases against GA4 have been published, most recently in Norway (January 2025). The common finding in these cases is that EU residents’ data is not adequately protected and is illegally transferred to US-based services. For example, unique user ID numbers, IP addresses, and browser parameters aren’t sufficiently protected by the standard protection clauses that Google offers.
In particular, Universal Analytics, the previous version of Google Analytics, relied heavily on cookies and data transfer practices that raised privacy concerns under GDPR. In contrast, Google Analytics 4 introduces updated privacy features and frameworks. Google Analytics 4 also introduced an event-based measurement model, unlike the session-based model of Universal Analytics.
GA4’s server‑side pathways and regional data hosting controls still require Standard Contractual Clauses (SCCs) or Data Privacy Framework (DPF) participation to legalize any residual U.S. transfers.
Similar cases across other European countries could have a domino effect in suppressing the use of Google Analytics (and similar services). As there are already modeled responses and reactions to these complaints on violating data privacy, it’s possible that more European authorities will soon follow suit, resulting in a complete ban on Google Analytics (and other tools) in Europe.
To enhance compliance, businesses should also adjust data sharing settings in the Google Analytics admin panel to limit the sharing of user data with Google.
Then, on March 25th, 2022, after more than a year of negotiations, the US and EU announced an “agreement in principle” on a new legal framework for GDPR-compliant transfers of personal data from the EU to the United States.
The Trans-Atlantic Data Privacy Framework addresses concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020. It guarantees the highest standards of privacy and data protection. The EU-U.S. Data Privacy Framework was adopted by the European Commission in July 2023 to govern data transfers between the EU and the U.S.
In 2025, the European Data Protection Board published its first report, urging the Commission to re‑evaluate the adequacy decision within three years amid mounting court challenges.
Google LLC has been certified under the EU-U.S. Data Privacy Framework (DPF) since August 2023, but legal challenges to the DPF remain. Most details are now in force, but multiple NGOs (e.g., NOYB) have filed challenges; the Court of Justice of the European Union (CJEU) is expected to review the DPF’s validity by 2026.
Nobody can predict the future, and as the digital landscape is fast-changing, businesses should be prepared to protect their data processing workflow.
Due to complaints by NOYB, many European Economic Area (EEA) data protection authorities want to force EEA website operators to stop using Google Analytics altogether. Those suffering from such decisions are European businesses that want to implement online technologies in order to grow their business revenue and improve their overall performance.
Right now, these businesses are in a weak position, as they’re waiting for the politically hot topic of international data transfers to be settled with some logical resolutions. Let’s not forget that despite data transfer issues, other dangerous risks to data privacy are present globally, such as cyberattacks and ransomware. In particular, the transfer of personally identifiable information (PII) raises significant privacy concerns, and businesses must take steps to protect this sensitive data.
At the moment, the problems that occur with the use of Google Analytics are as follows:
Also, when businesses use analytics tools to collect user data, they need to make sure they’re following all privacy rules and regulations properly. It is also necessary to obtain consent from users before collecting or processing their data, especially to comply with GDPR and respect user rights.
Let’s see what can be done to solve these issues and how companies can avoid even bigger problems in the future.
Note: The NOYB project provides guidelines for companies. Especially for smaller EU companies that are not certain about US surveillance laws or whose US partner falls under these laws, there are free guidelines and model requests on the noyb.eu website.
Website analytics runs on data collection. Tools like Google Analytics pick up things like IP addresses, cookies, device details, and how users move through a site, all to help businesses understand what’s working and what’s not. Under the General Data Protection Regulation (GDPR), processing this type of personal data requires explicit user consent.
Because Google Analytics uses non-essential cookies, website owners need to get user consent before collecting any data. This typically involves cookie banners and clear privacy policies that explain what data is being collected, how it’s used, and what rights users have under GDPR.
To support compliance, Google offers Consent Mode, which adjusts how data is collected based on user permissions. If a user doesn’t give consent, data collection is limited, allowing businesses to respect privacy choices while still getting basic, aggregated insights.
Ultimately, securing informed and explicit consent isn’t just about legal compliance; it’s essential for maintaining user trust and using Google Analytics responsibly.
For many businesses, the current legal landscape feels disruptive and undermines long-standing workflows. However, by choosing analytics tools carefully and configuring them correctly, you can continue to access critical marketing insights while staying compliant with privacy laws like GDPR.
When selecting a web analytics solution, it’s essential to ensure it supports privacy features and complies with GDPR. Even with Google Analytics, it’s possible to remain compliant—provided you make the necessary adjustments to data collection and consent settings.
Here’s how to maintain effective analytics while meeting legal requirements:
First of all, we should start by mentioning that Google Analytics can be implemented in two ways. Accordingly, the way it’s implemented influences its compliance with the GDPR. The two methods are:
Remember, Google acts as a data processor under GDPR. You must set appropriate data retention periods and avoid storing IP addresses unnecessarily.
Also, update your privacy and cookie policy to list all tracking technologies and explain your analytics GDPR compliance measures.
Usually, websites apply the client-side mode, which means using JavaScript code on the website’s pages, setting cookies (including Google Analytics cookies), generating client IDs, and transferring the obtained data to Google Analytics for producing the website’s statistics. Client-side tagging works by collecting data through event-based tracking, allowing website owners to monitor user interactions while maintaining control over data collection and retention.
Let’s see what steps should be taken when using Google Analytics in client-side mode. There are both technical and legal things to check to ensure compliance with the GDPR.
Such data collected through Google Analytics, after obtaining valid user consent, can be used for analytics, advertising, and remarketing purposes, provided all GDPR requirements are met.
Don’t forget to check the current legal status. Check all contracts you sign, as all contracts signed by companies in the EMEA region should be concluded with Google Ireland Limited and not Google LLC. Then, check the TIA covering data transfer between Google Ireland Limited and Google LLC.
The second variant is implementing a server-side mode. It’s more discreet, as this mode allows you to move tags off the website (both advertising and measurement) and transfer them to a secure server container. Server-side tracking lets you capture detailed user interactions while still keeping privacy protections in place. It gives you richer analytics without compromising user trust.
By applying server‑side tracking, users’ IP addresses are automatically anonymized in your own server‑side container before you relay any event data to Google. The browser never contacts Google directly; instead, your server forwards pseudonymized events to GA4 using the Measurement Protocol. This setup keeps first‑party cookies on your domain, reduces exposure to ad‑blockers, and gives you tighter control over what data ultimately reaches Google’s servers.
You can also tweak your data sharing settings to keep exposure to a minimum and strengthen your privacy safeguards. Server-side tracking also offers the flexibility to enable more granular user interactions, allowing for a deeper understanding of user behavior across devices and platforms.
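To make the relay step concrete, here is an added example (not code from this article, OWOX BI or Google) of the filter a first-party server could run before forwarding a hit: it drops hits without analytics consent, never copies the IP address or user agent, allow-lists parameters, and carries the two Consent Mode v2 signals along. The function names, allow-lists and sample hit are hypothetical; the client_id, events and consent fields follow the GA4 Measurement Protocol payload layout, and no network call is made.

```javascript
// Added example: the filtering step of a server-side relay (no network calls).
// Names, allow-lists and the sample hit are hypothetical / constructed.
const ALLOWED_EVENTS = new Set(['page_view', 'purchase']);
const ALLOWED_PARAMS = new Set(['page_location', 'page_title', 'value', 'currency']);

// Keep origin + path only, so e-mails or tokens in query strings are not relayed.
function scrubUrl(raw) {
  try {
    const u = new URL(raw);
    return u.origin + u.pathname;
  } catch {
    return null; // unparsable URL: forward nothing rather than the raw string
  }
}

// Map a browser Consent Mode value to the upper-case form used in the payload.
const toSignal = (v) => (v === 'granted' ? 'GRANTED' : 'DENIED');

// Returns the JSON body to relay, or null when the hit must be dropped.
function buildRelayPayload(hit) {
  const consent = hit.consent || {};
  if (consent.analytics_storage !== 'granted') return null; // no consent, no relay
  if (!ALLOWED_EVENTS.has(hit.name)) return null;           // unknown event type
  const params = {};
  for (const [key, value] of Object.entries(hit.params || {})) {
    if (!ALLOWED_PARAMS.has(key)) continue;                 // allow-list, not deny-list
    const clean = key === 'page_location' ? scrubUrl(value) : value;
    if (clean !== null) params[key] = clean;
  }
  // hit.ip and hit.user_agent are deliberately never copied into the payload.
  return {
    client_id: hit.client_id,
    consent: {
      ad_user_data: toSignal(consent.ad_user_data),
      ad_personalization: toSignal(consent.ad_personalization),
    },
    events: [{ name: hit.name, params }],
  };
}

// Constructed sample hit as the first-party endpoint might receive it.
const SAMPLE_HIT = {
  ip: '203.0.113.7',
  user_agent: 'Mozilla/5.0 (constructed)',
  client_id: '1234567890.1700000000',
  name: 'page_view',
  consent: { analytics_storage: 'granted', ad_user_data: 'denied', ad_personalization: 'denied' },
  params: { page_location: 'https://shop.example/checkout?email=jane%40mail.example', user_email: 'jane@mail.example' },
};
```

Serialising the result of buildRelayPayload(SAMPLE_HIT) is a quick audit of exactly what would leave your infrastructure for a given hit.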
Controlling how long you store analytics data is essential for GDPR compliance. Google Analytics allows website owners to customise data retention settings to align with internal privacy policies and regulatory requirements.
By default, user and event data are stored for 26 months. However, businesses can reduce this period to 14 months or less to better support data minimisation principles under GDPR. Regularly reviewing your data retention settings helps lower risk by ensuring personal data isn't stored longer than necessary. It’s not just about legal compliance—it’s also about building user trust and reducing your exposure. In addition to managing data retention, GDPR gives users the right to request deletion of their personal information. Google Analytics includes a built-in feature for deleting individual user data when requested.
Here’s how to stay compliant by managing data retention and deletion in Google Analytics:
Though many businesses may be under the impression that no Google Analytics means no analytics at all, that’s not true. There are other ways to implement advanced marketing analytics, and the OWOX BI team provides safe solutions for both collecting and storing data, including features to handle user requests related to data privacy and access.
OWOX BI is a marketing analytics solution that automates the delivery of data from siloed sources to your analytics destination, ensuring your data is always accurate and up to date.
Among the main advantages of working with data using OWOX BI are the following:
As most businesses prefer to ensure that both data collection and storage are happening in the EU region, OWOX BI avoids using Google Analytics. In detail, the OWOX BI data flow looks like this:
To sum up, OWOX BI allows every marketer and analyst to continue their work and apply analytics solutions that satisfy the company’s legal department:
Digital Markets Act (DMA) rules came into full force for major tech platforms on March 7, 2024. Website owners using Google Analytics must now ensure stricter consent, transparency, and user privacy compliance under both DMA and GDPR.
To continue using Google Analytics lawfully in the European digital space, website operators need to ensure that personal data is collected transparently and only after users have given clear consent. The Digital Markets Act strengthens user rights and increases the responsibilities of platforms like Alphabet (Google), Meta, Apple, Amazon, ByteDance, and Microsoft.
For website owners, this means taking proactive steps to make data usage more transparent and consent more explicit. Google’s Consent Mode is one tool that can support this, allowing website behaviour tracking only after user permissions are received and adjusting tracking accordingly.
Here’s how website owners can ensure they comply with the DMA while using Google Analytics:
To stay compliant with evolving EU–U.S. data transfer laws and preserve analytics capabilities, organisations must take proactive steps. Here's what you need to prioritise:
Yes, you can continue to use Google Analytics if you are not based in the EU. However, if you collect data from EU citizens, you will need to comply with GDPR regulations to avoid penalties and legal consequences.
Yes, it is possible to track user behavior on your website without collecting personal data. You can use cookie-based tracking, which does not collect identifiable information, or configure Google Analytics to exclude personal data from your reports.
To ensure GDPR compliance for Google Analytics, you should obtain user consent, anonymize IP addresses, enable data retention controls, and update your privacy policy to reflect your data processing practices.