Is GA4 GDPR-compliant in 2026?
GA4 can be implemented in a GDPR-compliant manner in 2026, but compliance is not automatic and requires specific configuration choices. The core issue raised by national DPA rulings (Austria, France, Italy, Denmark between 2022–2023) was that GA4's default configuration transferred personal data — specifically IP addresses and persistent identifiers — to US servers without adequate GDPR safeguards once the old Privacy Shield framework had been invalidated.
The EU-US Data Privacy Framework (DPF), adopted July 2023, restored a legal transfer mechanism for US data transfers. Google LLC is certified under DPF. Practical implication: for most UK and EU businesses, GA4 is legally usable under DPF + standard contractual clauses + your privacy notice disclosures. The additional configuration steps below reduce residual exposure and demonstrate due diligence. This post is informational, not legal advice — consult a qualified privacy lawyer for your specific situation.
What the national DPA rulings actually said
Austrian DPA (DSB), January 2022
Finding: The specific implementation of Google Analytics being examined transferred IP addresses and persistent identifiers to the US without adequate safeguards (Privacy Shield had been invalidated by Schrems II in July 2020).
Practical change required: Use of standard contractual clauses (SCCs) with Google alone was deemed insufficient without supplementary measures. The DPF (adopted 2023) has since addressed the legal transfer mechanism issue.
French CNIL, January 2022
Similar finding. Also required that the data controller (the website owner) implement supplementary technical measures if relying on SCCs alone. The CNIL specifically mentioned that IP address anonymisation was not sufficient to make the transfer compliant because other identifiers (_ga, _gid cookies) were still transmitted.
Practical change: Full cookie consent before any GA4 data is sent. Hence Consent Mode V2 became essential for French compliance.
Italian Garante, June 2022
Found Google Analytics usage by specific websites non-compliant and issued stop-processing orders against those sites. Similar grounds to the Austrian and French decisions.
Where things stand in 2026
The EU-US Data Privacy Framework (DPF) adopted July 2023 provides the legal transfer mechanism that was missing during the Schrems II gap. Google LLC is DPF-certified. This resolves the legal transfer basis for most implementations. However:
- The DPF itself faces ongoing legal challenges (Max Schrems' organisation NOYB has filed new complaints)
- National DPAs vary in how strictly they interpret residual requirements
- UK data transfers operate under the UK GDPR and the UK-US Data Bridge (adopted October 2023), which is separate from the EU DPF
Current risk level by market (2026): Low-moderate for UK and EU businesses using GA4 with consent mode, full consent requirements, and documented DPF transfer basis. Higher risk for businesses operating without proper consent management, no documentation, or in sectors with heightened DPA scrutiny (healthcare, finance, children's services).
The GA4 settings that reduce GDPR exposure
1. Data redaction (URL-level PII removal)
GA4 has a built-in URL redaction feature that strips email addresses, phone numbers, and similar patterns from page URLs before they are sent to Google's servers:
Admin → Data Streams → Web stream → Configure tag settings → More settings → Redact data
Enable both:
- Redact page URL and page title — strips recognised PII patterns
- URL query parameter redaction — strips query parameters that may contain user-submitted data
This prevents accidental PII leakage through page URLs (e.g., /checkout?email=user@example.com).
2. Server-side GTM for data control
Server-side GTM allows you to intercept GA4 hits before they reach Google, strip or hash identifiers, and control exactly what data leaves your infrastructure. For high-privacy-requirement implementations:
- Deploy sGTM on EU-based cloud infrastructure (Cloud Run, eu-west-1 or equivalent)
- Strip IP addresses in the sGTM server-side client before forwarding to GA4
- Hash or redact user identifiers that shouldn't be sent to Google
This gives you the strongest technical argument that personal data is not being transferred to the US — only pre-processed, anonymised events are forwarded.
3. Data Processing Terms with Google
Ensure you have accepted Google's Data Processing Terms under your GA4 account. This forms part of the controller-processor relationship required by GDPR Article 28:
Admin → Account → Account settings → Data Processing Amendment
Review and accept if not already done. This is a prerequisite for any legitimate GDPR claim that Google is acting as a processor under your instruction.
4. Data retention minimisation
Set GA4 data retention to the minimum your business genuinely needs:
Admin → Data Settings → Data Retention
If you only need 13 months for year-on-year comparison (which requires 14-month retention), set it to 14 months, not indefinitely. GDPR's data minimisation principle requires retaining personal data no longer than necessary.
5. Disable data sharing settings you don't need
Admin → Account → Account settings → Data Sharing settings
Review and disable:
- "Google products and services" — if you don't want GA4 data used for Google's cross-product improvement
- "Benchmarking" — if you don't want anonymised data shared with Google benchmarks
- "Technical support" — if your legal team doesn't want Google support accessing your data
Most privacy-conscious implementations disable all of these except the Google Ads linking required for conversion import.
Documenting your GA4 GDPR basis
Your privacy notice and Records of Processing Activities (ROPA) should document:
| Element | What to record |
|---|---|
| Data controller | Your company (the GA4 account holder) |
| Data processor | Google Ireland Limited (EU entity) / Google LLC (US entity) |
| Processing purpose | Website analytics, user behaviour measurement |
| Legal basis | Legitimate interests (if applicable) or Consent (recommended for UK/EU) |
| Data transfers | EU-US via DPF (Google LLC DPF-certified); UK-US via UK-US Data Bridge |
| Retention period | As configured in GA4 Data Retention settings |
| Supplementary measures | Consent Mode V2, URL redaction, data sharing restrictions |
Update this documentation whenever you change GA4 configuration or when legal frameworks change.
Related guides for GDPR and GA4 in 2026: What the Schrems II Rulings Mean for Your Implementation
How to Test Consent Mode V2 in 5 Minutes: A DevTools Walkthrough (2026)
Open Chrome DevTools → Network tab → filter for collect → reject all on the cookie banner → confirm GA4 hits still fire with gcs=G100 (denied) and ad_user_data=denied. Then accept all → confirm gcs=G111 (granted). If hits don't fire at all in either state, Consent Mode is misconfigured. If gcs is missing entirely…
GCS Parameter Decoded: What G100, G110, G111 Mean in GA4 Hits
The gcs parameter in GA4 network requests encodes the user's consent state for two of the four Consent Mode signals. Format: G1xy where G1 is constant, x is ad_storage (0=denied, 1=granted), y is analytics_storage (0=denied, 1=granted)…