Is Google Analytics 4 GDPR Compliant? What You Need to Know in 2026
GA4 is not GDPR compliant by default. Installing it and walking away is a violation. But with the right setup, you can use Google Analytics legally in the EU. This guide explains exactly what that setup requires, what regulators have said, and how to check your own site without guessing.
Is GA4 Actually Legal in the EU?
Yes, conditionally. As of 2026, GA4 is legal in most EU countries only if you block the script before consent, configure IP anonymization, and sign a Data Processing Agreement with Google. Loading GA4 by default, without a consent gate, is a violation of both GDPR and the ePrivacy Directive.
Multiple data protection authorities have already acted on this. Austria, France, Italy, Denmark, and Norway all ruled that Google Analytics violated GDPR due to data transfers to the US without adequate protection. The EU-US Data Privacy Framework adopted in 2023 resolved the transfer question for most use cases, but the consent requirement remains fully in force.
What Does GA4 Actually Collect?
GA4 collects IP addresses, device identifiers, behavioral data, and session information. All of this qualifies as personal data under GDPR. GA4 does truncate IP addresses by default, but IP truncation isn't full anonymization under the law. The cookies GA4 sets, including _ga and _gid, still qualify as non-essential under the ePrivacy Directive and require explicit consent before being placed.
The Most Common Mistake: Loading GA4 Before Consent
Most sites get this wrong in the same way. GA4 is added to the site during setup, often via Google Tag Manager, and a consent banner is added later as a separate step. The banner shows. GA4 loads underneath it. No tracking is actually blocked.
Pre-consent tracking is a recurring compliance issue in real-world implementations, and regulators have moved from warnings to enforcement. The fix is straightforward: GA4 must not initialize until the visitor has accepted analytics cookies. That means blocking the script entirely, not deferring it or lazy-loading it.
What Is Google Consent Mode v2 and Do You Need It?
Google Consent Mode v2 is a system that tells Google what data it can collect based on the visitor's consent choice. It does not replace the need to block GA4 before consent. It sits on top of a consent-gated setup and lets Google use anonymized, cookieless signals for modeling when users decline. Consent Mode has been mandatory for EU advertisers since March 2024.
There are two versions: Basic and Advanced. Basic blocks all tags until consent. Advanced loads tags immediately but sends cookieless pings when users decline. Advanced mode is a legal grey area in the EU since you're still processing signals from non-consented users. For most small sites, Basic mode is the safer choice. For larger sites running Google Ads, Advanced mode recovers more conversion data. Consult your legal team before choosing Advanced.
How to Set Up GA4 in a GDPR-Compliant Way
Here's the minimum setup required:
- Block GA4 before consent. The script must not load until the visitor actively accepts analytics cookies. A cookie banner that just displays while GA4 runs is non-compliant.
- Enable IP anonymization. GA4 does this by default, but verify it's active in your configuration.
- Configure Google Consent Mode v2. Set default consent states to denied and update them based on user choice.
- Set data retention to the minimum. GA4's shortest retention period is two months. Set it in your GA4 admin under Data Settings.
- Disable Google Signals unless you specifically need cross-device tracking and have documented a legal basis for it.
- Sign the Data Processing Amendment. Accept Google's DPA in your GA4 admin settings under Account Settings.
- Update your privacy policy. Disclose that you use GA4, what data it collects, and how users can opt out.
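The first and third items above, combined into one loader, as an added example (not code from Consentify or Google). The measurement ID is a placeholder, and createGa4Gate and onConsentChoice are hypothetical names; window and document are passed in as parameters so the gate can be exercised outside a browser.

```javascript
// Added example: consent-gated GA4 loader with Consent Mode v2 defaults.
// MEASUREMENT_ID is a placeholder; createGa4Gate/onConsentChoice are
// hypothetical names chosen for this illustration.
const MEASUREMENT_ID = 'G-XXXXXXXXXX';

function createGa4Gate(win, doc) {
  let loaded = false;
  win.dataLayer = win.dataLayer || [];
  // gtag queues its raw `arguments` object on dataLayer.
  function gtag() { win.dataLayer.push(arguments); }

  // Default every consent signal to denied before any Google script exists.
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
  });

  // Inject the GA4 script tag. Until this runs there is no request to
  // Google and no _ga/_gid cookie, which is what "blocked" means here.
  function loadGa4() {
    if (loaded) return; // never inject the tag twice
    loaded = true;
    const s = doc.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID;
    doc.head.appendChild(s);
    gtag('js', new Date());
    gtag('config', MEASUREMENT_ID);
  }

  // The banner calls this with the visitor's analytics choice.
  function onConsentChoice(analyticsAccepted) {
    if (!analyticsAccepted) return false; // declined: nothing is loaded
    gtag('consent', 'update', { analytics_storage: 'granted' });
    loadGa4();
    return true;
  }

  return { onConsentChoice, isLoaded: () => loaded };
}
```

In a page, call createGa4Gate(window, document) from an inline script in the head and wire the banner's Accept and Decline buttons to onConsentChoice.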
You can check how Consentify handles the GA4 integration in the documentation. The integration blocks GA4 until consent is confirmed, then activates it automatically when the visitor accepts analytics.
How to Test That GA4 Is Actually Blocked Before Consent
Open your site in an incognito window. Before clicking anything on the consent banner, open the browser developer tools and go to the Network tab. Filter by "google-analytics" or "gtag". If any GA4 requests appear before you click Accept, GA4 is loading without consent and your setup is non-compliant. You should see zero GA4 network activity before consent is given.
This test takes two minutes and tells you exactly where you stand. Most sites that think they're compliant fail it. The Consentify domain scanner also flags active trackers on your site, including uncategorized scripts that may be firing without consent.
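The same check can be repeated against a saved HAR export of the Network tab. This is an added example, not part of Consentify's scanner: the matching rule (Google Analytics or Tag Manager hosts, or a /gtag/ path) is an assumption that mirrors the filter described above, the function names are hypothetical, and the sample HAR is constructed.

```javascript
// Added example: list GA4 requests in a HAR export that started before
// the moment the visitor clicked Accept. Names here are hypothetical.
const GA_HOSTS = ['google-analytics.com', 'googletagmanager.com'];

function isGaRequest(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return false; } // unparseable URL
  const host = url.hostname.toLowerCase();
  // Match on the parsed hostname so a first-party URL that merely
  // mentions "google-analytics" in its path is not flagged.
  const hostMatch = GA_HOSTS.some((h) => host === h || host.endsWith('.' + h));
  return hostMatch || url.pathname.includes('/gtag/');
}

// consentClickedAt: ISO timestamp of the Accept click, or null if the
// banner was never clicked (then every GA4 request is a finding).
function findPreConsentGaRequests(har, consentClickedAt) {
  const cutoff = consentClickedAt === null ? Infinity : Date.parse(consentClickedAt);
  if (Number.isNaN(cutoff)) throw new Error('bad consent timestamp');
  return har.log.entries
    .filter((e) => isGaRequest(e.request.url))
    .filter((e) => Date.parse(e.startedDateTime) < cutoff)
    .map((e) => ({ at: e.startedDateTime, url: e.request.url }));
}

// Constructed sample HAR (not captured from a real site).
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-01-10T09:00:00.100Z',
    request: { url: 'https://shop.example/' } },
  { startedDateTime: '2026-01-10T09:00:00.450Z',
    request: { url: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX' } },
  { startedDateTime: '2026-01-10T09:00:00.900Z',
    request: { url: 'https://region1.google-analytics.com/g/collect?v=2' } },
  { startedDateTime: '2026-01-10T09:00:01.000Z',
    request: { url: 'https://shop.example/blog/google-analytics.com-review' } },
  { startedDateTime: '2026-01-10T09:00:05.000Z',
    request: { url: 'https://www.google-analytics.com/g/collect?v=2' } },
] } };

// Accept was clicked at 09:00:03, so the two earlier GA4 requests are findings.
const findings = findPreConsentGaRequests(SAMPLE_HAR, '2026-01-10T09:00:03.000Z');
console.log(findings.length === 0 ? 'PASS' : 'FAIL', findings);
```

An empty result is the passing state; any entry means GA4 contacted Google before the visitor consented.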
Does GA4's IP Anonymization Make It GDPR Compliant on Its Own?
No. IP truncation doesn't constitute full anonymization under GDPR. Cookie identifiers and behavioral data still qualify as personal data. Anonymization as a concept under GDPR requires data to be irreversibly de-identified so that re-identification is impossible. GA4's truncation doesn't meet that bar because the remaining data points can still, in combination, identify individuals.
What About Using GA4 on a Site With Existing Consent?
If a user has already consented to analytics cookies, GA4 can fire immediately when they land on a new page, without showing the banner again. This is correct behavior. Consent is stored per domain and policy version. If you add a new integration or significantly change your data processing, your policy version should increment and returning visitors will be prompted to re-consent. This is how Consentify handles it automatically when you add a new integration to your dashboard.
The Bottom Line
GA4 is not illegal. Using it without a consent gate is. The fix isn't complicated, but it requires actually blocking the script, not just displaying a banner. Set up a compliant consent tool, configure Consent Mode v2, sign the DPA, and test with the network tab. If GA4 requests appear before consent, your setup is broken regardless of how good your banner looks.
For a complete walkthrough of setting up a compliant banner from scratch, see the step-by-step setup guide. If you want to understand what cookies are currently running on your site before you configure anything, start with the free domain scanner.