
What the GDPR means for your GA4 setup

The GDPR imposes specific requirements on how you collect and process analytics data from EU users. GA4's default settings are not GDPR-compliant out of the box — here's what to check and fix.

IP anonymisation

GA4 anonymises IP addresses by default — the full IP address is never logged by Google. This is an improvement over Universal Analytics, where IP anonymisation had to be explicitly enabled. The Property Configuration module confirms this default behaviour is in place and flags any properties where it may have been altered via the Measurement Protocol.

Data retention settings

Under GDPR, you must not retain personal data for longer than necessary. GA4's data retention setting controls how long user-level data is kept before automatic deletion. The GDPR doesn't set a specific number, but your privacy policy must state the retention period, and GA4's setting must match. GA4 Audits checks that data retention is explicitly set (not left at the 2-month default), and recommends including a justification in your privacy documentation.

Consent gating

Article 6 of the GDPR requires a lawful basis for processing personal data. For analytics, the two most common bases are consent (requiring an opt-in) and legitimate interest (which is contested for analytics use under GDPR). Using Consent Mode v2 with a properly configured CMP that gates GA4 firing until consent is granted is the most defensible approach. GA4 Audits' consent checks directly test whether this gating is functioning.
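To make the gating requirement concrete, here is an added example (not code from GA4 Audits or from Google) of the Consent Mode v2 command sequence a page should emit, together with a small offline checker that walks a captured dataLayer and reports whether GA4 was gated. The `createDataLayer` shim, the `auditConsentGating` function and the `G-XXXXXXXXXX` measurement ID are assumptions made for the example; the `gtag('consent', 'default' | 'update', …)` commands and their storage keys are Google's documented Consent Mode v2 API.

```javascript
// Added example: Consent Mode v2 defaults/update plus an offline gating audit.
// The shim below stands in for Google's gtag snippet and only records commands.
function createDataLayer() {
  const dataLayer = [];
  function gtag() { dataLayer.push(Array.from(arguments)); }
  return { dataLayer, gtag };
}

// Consent Mode v2 defaults: deny every storage type until the CMP says otherwise.
// This must run before the GA4 config command and before any event.
function setConsentDefaults(gtag) {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500 // ms to hold hits while the CMP loads
  });
}

// Called by the CMP once the visitor has made a choice.
function applyConsentChoice(gtag, analyticsGranted) {
  gtag('consent', 'update', {
    analytics_storage: analyticsGranted ? 'granted' : 'denied'
  });
}

// Hypothetical audit logic: walk the dataLayer in order and decide whether
// consent gating was set up correctly. Consent Mode treats an unset storage
// type as granted, so "no default at all" is itself a failure.
function auditConsentGating(dataLayer) {
  const findings = [];
  let sawDefault = false;
  let sawConfig = false;
  let analyticsState = 'granted';   // effective state when no default is set
  let identifiedEvents = 0;         // events sent while analytics_storage was granted

  dataLayer.forEach((cmd, i) => {
    const [name, action, params] = cmd;
    if (name === 'consent' && action === 'default') {
      sawDefault = true;
      analyticsState = (params && params.analytics_storage) || 'granted';
      if (analyticsState !== 'denied') {
        findings.push('analytics_storage not denied by default');
      }
    } else if (name === 'consent' && action === 'update') {
      if (params && params.analytics_storage) analyticsState = params.analytics_storage;
    } else if (name === 'config') {
      if (!sawConfig && !sawDefault) {
        findings.push('config fired before consent default at index ' + i);
      }
      sawConfig = true;
    } else if (name === 'event') {
      if (analyticsState === 'granted') identifiedEvents += 1;
      if (!sawDefault) {
        findings.push("event '" + action + "' fired before any consent default");
      }
    }
  });
  if (!sawDefault) findings.push('no consent default command found');
  return { gated: findings.length === 0, findings, identifiedEvents };
}

// Constructed scenario 1: defaults first, then config/events, then the CMP grants.
function goodScenario() {
  const { dataLayer, gtag } = createDataLayer();
  setConsentDefaults(gtag);
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXXXXX');   // placeholder measurement ID
  gtag('event', 'page_view');       // sent as a cookieless ping (denied state)
  applyConsentChoice(gtag, true);
  gtag('event', 'purchase', { value: 10 });
  return auditConsentGating(dataLayer);
}

// Constructed scenario 2: GA4 fires before any default is set (the failure case).
function badScenario() {
  const { dataLayer, gtag } = createDataLayer();
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXXXXX');   // placeholder measurement ID
  gtag('event', 'page_view');       // fully identified hit, no consent yet
  setConsentDefaults(gtag);
  applyConsentChoice(gtag, true);
  gtag('event', 'purchase', { value: 10 });
  return auditConsentGating(dataLayer);
}

console.log(goodScenario());
console.log(badScenario());
```

The checker deliberately scores order, not just presence: a consent default that arrives after the config command still leaves the first hits identified, which is exactly the timing problem a consent audit needs to surface.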

Data Processing Agreement (DPA)

Under GDPR Article 28, when you use a third party to process personal data on your behalf (a "data processor"), you must have a Data Processing Agreement in place. Google Analytics is a data processor, and Google provides a standard DPA (called the Data Processing Terms) that activates automatically when you accept the GA4 Terms of Service. Make sure you can evidence acceptance of these terms.

If you're using GA4 Audits in a professional capacity and need a DPA between your organisation and GA4 Audits, this is available on Enterprise plans — see the article on our own DPA for details.

What GA4 Audits checks for GDPR

The audit covers: IP anonymisation status, data retention setting, consent mode implementation, consent signal timing, Google Signals configuration (which expands data collection), and whether cross-device tracking could be enabled without adequate disclosure. These checks together form a baseline GDPR technical compliance picture — they are not a substitute for legal advice.
