Google Analytics and GDPR: Is Your Site Compliant in 2025?
Three years ago, Austria's data protection authority issued a decision that shook most European website owners: Google Analytics was declared illegal without additional safeguards. Italy, France, Denmark, and Finland followed. In 2024, the Dutch DPA confirmed the same.
If you're running Google Analytics on a site with European visitors and you haven't changed anything since 2020, you're almost certainly non-compliant.
Here's what's actually happening and what you need to do.
Why Google Analytics Got Flagged
The core issue isn't Google Analytics itself — it's where your visitor data ends up. GA sends data to Google's US servers. Under GDPR, transferring personal data to a country outside the EU/EEA requires adequate safeguards (a valid transfer mechanism). After the Schrems II ruling in 2020 invalidated the Privacy Shield framework, that mechanism broke down.
The DPA rulings found that even with Google's Standard Contractual Clauses in place, the actual risk of US intelligence access to EU user data was real and not mitigated. The conclusion: loading GA without explicit, informed consent is an illegal data transfer.
Note: The EU-US Data Privacy Framework (DPF) was adopted in 2023 and Google has certified under it. This is the current legal basis for US data transfers. But it only helps you if users have consented to analytics in the first place.
What "Compliant" Actually Means for GA4
You can run Google Analytics 4 legally, but you need all of the following:
**Explicit consent before loading:** GA4 must not fire until the user actively accepts analytics cookies. No pre-loading, no "implied consent," no loading GA in the footer after the page renders.
**IP anonymization enabled:** GA4 has this on by default now, but verify it in your data stream settings.
**Consent Mode v2 properly configured:** Google's Consent Mode v2 lets GA4 model behavior from users who decline. It doesn't collect personal data from opt-outs — it uses aggregate signals to fill gaps. Set `analytics_storage` and `ad_storage` to `denied` by default, then update to `granted` only after explicit consent. CookieSeal handles this automatically.
**Cookie policy updated:** Your policy must list `_ga`, `_ga_XXXXXXXX`, and any other GA cookies, their purpose, duration, and Google as the third party.
The Lazy Fix That Doesn't Work
A lot of sites add a "This site uses cookies" banner that accepts all cookies by default and only gives a settings link in small text. This is still non-compliant.
Under GDPR Article 7(2), consent must be freely given, specific, informed, and unambiguous — which means an active opt-in. Pre-ticked boxes and nudged UI that makes "Accept" easier than "Reject" don't meet the standard. Several DPA rulings have confirmed this.
How to Check Your Current Setup
Open your site in an incognito browser window. Before clicking anything on the cookie banner:
1. Open DevTools → Network → filter for "google-analytics.com" or "gtag"
2. If any GA requests fire before you click Accept, you're non-compliant
3. Click "Reject All" — those same requests should never fire in that session
If GA loads on page render regardless of what you click, you have a consent management problem, not just a banner problem.
What CookieSeal Does for You
CookieSeal's GA integration handles the technical parts:
- Blocks GA scripts until consent is granted
- Injects Consent Mode v2 default `denied` state before GTM/GA loads
- Updates consent state on accept/reject in real-time
- Records consent events with timestamp, category, and user signal for your audit log
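As an added example (not CookieSeal's code and not taken from Google's documentation), here is a minimal consent gate that implements the default-`denied` / update-on-consent pattern from the Consent Mode section above and the blocking behaviour just listed: consent defaults are pushed before any GA script exists, gtag.js is injected only once the user accepts analytics, and each decision is returned so it can be written to an audit log. It also sets the two signals Consent Mode v2 added, `ad_user_data` and `ad_personalization`. The measurement ID is a placeholder, the `onConsentDecision` hook is an assumed banner callback, and `dataLayer` falls back to a local array so the snippet also runs outside a browser.

```javascript
// Added example (not CookieSeal's code): a basic-mode Consent Mode v2 gate for GA4.
// Assumption: your banner calls onConsentDecision({ analytics, ads }) with the user's explicit choice.
const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, use your own GA4 stream ID
// gtag.js reads commands from this queue (window.dataLayer in a browser; a local array under Node).
const dataLayer = typeof window !== 'undefined' ? (window.dataLayer = window.dataLayer || []) : [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Step 1: push every consent signal as 'denied' BEFORE any GA/GTM script is loaded.
// Consent Mode v2 adds ad_user_data and ad_personalization to analytics_storage and ad_storage.
const DEFAULT_DENIED = {
  analytics_storage: 'denied',
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
};
gtag('consent', 'default', DEFAULT_DENIED);

// Injects gtag.js exactly once; returns true only on the call that actually injects it.
let gaScriptLoaded = false;
function loadGaScript() {
  if (gaScriptLoaded) return false;
  gaScriptLoaded = true;
  if (typeof document !== 'undefined') { // browser only; skipped under Node
    const s = document.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA_MEASUREMENT_ID);
    document.head.appendChild(s);
  }
  gtag('js', new Date());
  gtag('config', GA_MEASUREMENT_ID);
  return true;
}

// Step 2: Accept/Reject handler. Pushes the consent update first, then loads GA only if
// analytics was accepted. Returns the pushed state so it can go into the consent audit log.
function onConsentDecision(choice) {
  const ads = choice.ads ? 'granted' : 'denied';
  const update = {
    analytics_storage: choice.analytics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
  gtag('consent', 'update', update);
  if (choice.analytics) loadGaScript();
  return update;
}

// Self-check mirroring the DevTools test above: has a GA config command been issued yet?
function gaConfigured() {
  return dataLayer.some((cmd) => cmd[0] === 'config' && cmd[1] === GA_MEASUREMENT_ID);
}
```

In the DevTools check described earlier, a correct gate means no `google-analytics.com` or `gtag` request appears until `onConsentDecision` runs with `analytics: true`.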
The whole setup takes about 20 minutes. Your GA data continues working for users who consent; Consent Mode v2 fills in aggregate modeling for everyone else.