Google Analytics 4 is legal in Europe right now, but "right now" is doing a lot of work in that sentence. Between 2022 and 2023, six EU/EEA data protection authorities ruled Universal Analytics illegal under GDPR. Google responded by moving EU data processing into the EU, adding Consent Mode V2, and riding the EU-US Data Privacy Framework that replaced the invalidated Privacy Shield. As of late 2025, GA4 operates normally in Europe. None of that means the question is settled.
This article explains the current legal status, how we got here, what could change, and what to actually do as a business running Google Analytics in Europe. No panic, no "GA is illegal, switch now" fear-mongering, and no pretending the legal risk has been fully eliminated. Just the state of play in October 2025, based on the Consent Mode V2 and GA4 compliance work I've done for European businesses since Schrems II.
If you haven't yet implemented Consent Mode V2, start with my Consent Mode V2 guide first; it's half of what makes GA4 usage defensible under GDPR.
Key Takeaways
GA4 is legal in the EU today under the Data Privacy Framework (DPF), adopted July 2023 as the successor to Privacy Shield.
Before DPF, six EU DPAs (Austria, France, Italy, Denmark, Norway, Hungary) ruled Universal Analytics illegal. Those rulings are technically still on the books.
DPF could be struck down by the CJEU like Privacy Shield was in 2020 (Schrems II). Legal scholars expect a challenge within 2-4 years of adoption.
Compliance isn't just about DPF. You still need: Consent Mode V2, IP anonymization, proper data retention, a signed Data Processing Agreement with Google, and a documented DPIA.
If legal risk tolerance is low, switch to Matomo EU (~19 EUR/mo) or Plausible EU (~9 EUR/mo), both fully GDPR-compliant and running exclusively on EU infrastructure.
How We Got Here: The Short Timeline
Understanding the current legal status requires knowing the sequence of court decisions. Skip this section if you already know Schrems II by name.
July 2020: Schrems II ruling. The Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, the mechanism that legalized personal data transfers from the EU to US service providers. The court said US surveillance law (specifically FISA 702) gave US intelligence agencies broad access to data held by US companies, without adequate safeguards for EU data subjects.
Late 2020 through 2022: Standard Contractual Clauses (SCCs) uncertainty. Google and many US SaaS platforms fell back on SCCs plus "supplementary measures" (encryption, data minimization) to justify continued EU operations. Legal scholars, NOYB (Max Schrems' NGO), and several DPAs pushed back.
January 2022: Austrian DPA rules Google Analytics illegal. First EU ruling explicitly finding GA violated GDPR. IP addresses and client identifiers counted as personal data; transfers to the US under SCCs weren't sufficient.
Feb-Sept 2022: France, Italy, Denmark, Norway, Hungary follow. Chain reaction. Each DPA either ruled directly against GA or issued guidance that GA usage required specific controls.
March-May 2023: Google responds. EU-based data processing added for analytics data, aggregate data export, and model training. Consent Mode V2 announced. Server-side anonymization improved.
July 2023: Trans-Atlantic Data Privacy Framework (DPF) adopted. The European Commission issued a new adequacy decision for data transfers to US companies certified under DPF. Google is DPF-certified. This re-legalized Google Analytics in the EU, effective immediately.
2024-2025: GA4 operates normally. DPAs haven't issued new restrictive rulings. Google Ads, Meta, Microsoft, and AWS are also DPF-certified. The old pre-DPF rulings are technically still on the books but haven't been actively enforced against DPF-certified companies.
That's the "it exists, but nobody knows for how long" situation: legal today, legally fragile tomorrow.
Why DPF Is Fragile
NOYB (noyb.eu) filed a legal challenge against DPF in 2023, the day after it was adopted. The argument: US surveillance law hasn't materially changed since Schrems II, so DPF suffers from the same core defect as Privacy Shield.
The CJEU generally takes 3-5 years to rule on a major data protection case. A Schrems III ruling could come as early as 2026-2027 and could invalidate DPF. If that happens, you'd be back to the pre-DPF uncertainty: SCCs plus supplementary measures, with the same DPAs that ruled GA illegal in 2022 free to resume.
The practical reality: DPF gives you a defensible legal basis today. Don't treat it as permanent. Build your analytics setup so that a future DPF invalidation doesn't force a rushed migration under legal pressure.
Compliance Is Not Just About DPF
Even under DPF, GA4 usage requires several independent compliance layers. Missing any one of these is a GDPR violation regardless of the US-EU transfer mechanism.
1. Valid Consent via Consent Mode V2
Analytics and advertising cookies require explicit consent under GDPR. Since March 2024, Google also requires Consent Mode V2 signals for EEA/UK traffic. Without a compliant cookie banner and proper signal routing, you have a GDPR problem even if DPF holds.
See the Consent Mode V2 implementation guide for the technical setup.
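As an added illustration of the signal routing described above (example code, not the article's or Google's own), a minimal Advanced-mode Consent Mode V2 setup plus an audit function that flags a missing V2 signal such as ad_user_data. The helper names and the region list are assumptions; the four consent keys are Google's documented Consent Mode V2 parameters.

```javascript
// Added example (not the article's own code). Assumes the standard gtag.js
// dataLayer contract; setDefaultConsent, updateConsent and auditConsentLayer
// are hypothetical helper names (in a page this would be window.dataLayer).
const CONSENT_V2_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Advanced mode: every signal starts as 'denied' before any tag loads, so tags
// fire but send only cookieless pings until the user decides. The region list
// (constructed sample) scopes the denied default to the listed visitors.
function setDefaultConsent(regions) {
  const denied = Object.fromEntries(CONSENT_V2_KEYS.map((k) => [k, 'denied']));
  gtag('consent', 'default', { ...denied, wait_for_update: 500, region: regions });
}

// Banner callback: the user's two choices must be mapped onto all four V2 keys.
// Leaving ad_user_data out is exactly the misconfiguration the audit below catches.
function updateConsent({ analytics, ads }) {
  const adState = ads ? 'granted' : 'denied';
  gtag('consent', 'update', {
    analytics_storage: analytics ? 'granted' : 'denied',
    ad_storage: adState,
    ad_user_data: adState,
    ad_personalization: adState,
  });
}

// Audit: walk a dataLayer and report whether a consent default exists, whether
// an update was pushed before any default, which V2 keys the default omits,
// and which V2 keys no update command ever sets.
function auditConsentLayer(layer) {
  const cmds = layer.map((e) => Array.from(e)).filter((a) => a[0] === 'consent');
  let sawDefault = false;
  let updateBeforeDefault = false;
  let missingFromDefault = [];
  const updates = [];
  for (const [, action, params] of cmds) {
    if (action === 'default') {
      sawDefault = true;
      missingFromDefault = CONSENT_V2_KEYS.filter((k) => !(k in params));
    } else if (action === 'update') {
      if (!sawDefault) updateBeforeDefault = true;
      updates.push(params);
    }
  }
  const missingFromUpdates = updates.length
    ? CONSENT_V2_KEYS.filter((k) => !updates.some((u) => k in u))
    : [];
  return { hasDefault: sawDefault, updateBeforeDefault, missingFromDefault, missingFromUpdates };
}
```

Run auditConsentLayer against the live dataLayer in the browser console after the banner has fired to see which of the four signals your banner actually routes.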
2. IP Anonymization
GA4 anonymizes IP addresses by default. Universal Analytics required manual configuration. Verify in Admin > Data Collection and Modification > Data Streams > your web stream > Configure tag settings: IP anonymization should be on.
3. Data Retention Settings
GA4 default retention is 2 months for event-level data, extendable to 14 months. Longer retention isn't available. Check Admin > Data Settings > Data Retention and set to whatever your DPIA justifies (usually 2 months for low-risk cases, 14 months for businesses that need year-over-year analytics).
4. Data Processing Agreement with Google
You must have a signed Data Processing Amendment (DPA) with Google, accessible at Admin > Account Settings > Account Details. This is a click-through acceptance in most accounts; verify that yours is accepted.
5. Documented Data Protection Impact Assessment (DPIA)
Under GDPR Article 35, high-risk processing (most analytics counts) requires a DPIA documenting what data is collected, why, where it flows, what the risks are, and what mitigations apply. Your DPO or external legal counsel drafts this. Most mid-market businesses I work with have one written in 2022-2023; update it annually.
6. User Rights Handling
GDPR gives users rights to access, delete, and export their data. GA4's User Explorer + Data Deletion Requests panel covers this, but only if you can identify the user. For truly anonymous traffic, rights requests usually aren't enforceable since there's no way to match the request to stored data.
Want to check whether your GA4 setup actually covers all six compliance layers? Run the free GTM audit; it flags consent, IP anonymization, and retention configuration problems in one pass.
A Mini-Story: The Austrian Client Who Stayed with GA
When Andreas, data lead at an Austrian B2B SaaS company, reached out in March 2024, his team was panicking. The Austrian DPA had ruled against GA in January 2022. His previous compliance consultant had recommended ripping GA out and migrating to Matomo. Two years later, his team was still running GA4, the DPF had just been adopted, and his legal counsel was asking whether they should finally pull the plug or double down.
We audited his setup. Consent Mode V2 was deployed but misconfigured (Basic mode, missing ad_user_data). IP anonymization was on. Data retention was on the default 2 months. DPA with Google was signed. No DPIA existed.
The fix list: switch Consent Mode to Advanced, add missing V2 signals, write the DPIA, set retention to 14 months (his analytics team needed year-over-year), done. Total effort: 1.5 weeks of his team's time plus 2 days of mine.
He stayed with GA4. His legal counsel signed off under DPF. His conversion data improved 22% from the Consent Mode fix alone. Cost of migrating to Matomo would have been 4-6 months of team effort plus historical data loss.
For his risk profile (B2B SaaS, no sensitive PII, DPF certification acceptable to his legal team), GA4 + proper compliance was the right call. For higher-risk profiles, the answer might be different.
When to Consider Switching Away From GA4
Three scenarios where I'd advise moving off GA4 despite DPF:
1. Highly sensitive industries. Healthcare, financial services with PII risk, legal services. Your DPO should drive this decision; some industries treat any US transfer as excessive risk regardless of DPF.
2. Clients who explicitly demand EU-only data processing. Some European enterprises (especially German, Scandinavian) write "no US processors" into their contracts. If you're a SaaS vendor selling to them, GA4 may be a deal-breaker regardless of legal technicalities.
3. Risk-averse leadership with low appetite for legal uncertainty. If your CEO or General Counsel wants zero US-transfer exposure, respect that judgment. The legal math is defensible for GA4, but "defensible" isn't "guaranteed."
EU-Based Alternatives Worth Evaluating
Matomo Cloud EU (formerly Piwik). Open-source analytics, hosted in the EU, ~19 EUR/month for entry plan. Feature parity with GA4 for most dashboards. Migration tooling available from Universal Analytics and GA4.
Plausible EU. Lightweight, cookie-free analytics (no consent banner needed for most use cases), hosted in Germany, ~9 EUR/month. Trade-off: much simpler feature set than GA4, no audience building, no Google Ads integration.
Server-side GTM + first-party analytics warehouse. Keep using GA4 client-side for specific use cases but mirror events to a first-party analytics system in your own EU-based data warehouse (BigQuery EU region, or Snowflake EU). This is a hybrid approach, GA4 for convenience, warehouse for legal-defensible reporting.
For context on server-side options, see my GTM Server-Side guide.
Another Mini-Story: The Polish E-commerce That Stayed
Magda, ecommerce director at a Polish D2C brand, evaluated switching to Matomo in July 2025 after her legal team flagged the DPF challenge. She got quotes: Matomo Cloud EU at 49 EUR/month for her traffic volume, plus an estimated 80 hours of migration work to rebuild dashboards and retrain her team.
She ran the math. Total migration cost: roughly 6,000 EUR. Annual Matomo license: 588 EUR/year. Loss of Google Ads integration (her primary paid channel): would require manual conversion imports, estimated 10 hours/month = 3,000 EUR/year in her marketing analyst's time.
Three-year cost of Matomo switch: 6,000 + (588 × 3) + (3,000 × 3) = 16,764 EUR.
Three-year cost of GA4 + proper compliance: 0 EUR in licensing, 1 day of DPO time for DPIA update + annual review, roughly 600 EUR in consulting.
She stayed with GA4, updated her DPIA, documented DPF reliance, and set a quarterly review to reassess if DPF challenges accelerate. The break-even for switching would require Matomo providing specific features Google Ads integration can't replace, or DPF actually being struck down.
That's the practical calculus most businesses should do.
Thinking about whether to stay, switch, or hedge? Get in touch for a scoped compliance review: I'll review your actual setup, risk profile, and business needs, and give you a straight recommendation. Not a doom-mongering sales pitch, not "trust DPF and forget about it". The honest middle.
What To Do If DPF Gets Struck Down
A Schrems III ruling invalidating DPF could come in 2026-2027. Here's what preparation looks like:
1. Document a fallback plan now. DPIA should include: "If DPF is invalidated, we will [migrate to Matomo / maintain SCCs + supplementary measures / pause advertising / etc.]." Having a documented plan is itself a compliance posture.
2. Keep client-side GA4 implementation portable. Don't let custom configuration rot. If you need to switch to Matomo in 3 months, a clean GA4 setup migrates faster.
3. Maintain a first-party data warehouse. If GA4 data is locked in Google's cloud and you suddenly can't process EU data there, you lose historical analytics. Mirror key events to BigQuery EU or similar; see the Adobe Analytics API guide and Reactor API guide for how pipeline patterns work in practice. The same concepts apply to GA4 via BigQuery Export.
4. Track the legal situation. noyb.eu publishes case updates. Your DPO should have DPF litigation on their watch list. If a Schrems III ruling is handed down, you want to know in the first hour, not the first quarter.
Frequently Asked Questions
Is Google Analytics legal under GDPR in 2025?
Yes, as of late 2025, Google Analytics 4 is legal for EU businesses to use under the EU-US Data Privacy Framework (DPF), adopted in July 2023. You still need Consent Mode V2, IP anonymization, valid data retention settings, a signed DPA with Google, and a documented DPIA.
What was the Schrems II ruling about Google Analytics?
Schrems II (July 2020) invalidated the EU-US Privacy Shield framework. While it didn't specifically ban Google Analytics, it made US data transfers legally uncertain, and subsequent rulings by Austrian, French, Italian, and other EU DPAs in 2022 explicitly ruled Universal Analytics illegal under GDPR without additional safeguards.
What's the Data Privacy Framework (DPF)?
The EU-US Data Privacy Framework is the successor to Privacy Shield. Adopted by the European Commission in July 2023, it provides a legal basis for EU-US data transfers to DPF-certified US companies. Google is certified. DPF gives GA4 a defensible legal basis for EU usage today.
Could the Data Privacy Framework be struck down?
Yes. NOYB filed a legal challenge against DPF the day after it was adopted. Privacy Shield (DPF's predecessor) was struck down in 2020 after a similar challenge. Legal scholars expect a CJEU ruling on DPF within 2-4 years of adoption, potentially in 2026-2027.
Is GA4 better for GDPR compliance than Universal Analytics?
Yes. GA4 has IP anonymization on by default, better data retention controls, and integrated support for Consent Mode V2. Universal Analytics required manual configuration for several of these. More importantly, Universal Analytics was sunset by Google in July 2023, so the question is mostly moot: GA4 is the only Google Analytics product still actively supported.
What are the best GDPR-compliant alternatives to GA4 in Europe?
Matomo Cloud EU (feature-rich, ~19 EUR/mo starting) and Plausible EU (lightweight, cookie-free, ~9 EUR/mo) are the most common EU-based alternatives. Both run exclusively on EU infrastructure, avoid the US transfer question entirely, and are fully GDPR-compliant out of the box. Trade-off: neither integrates with Google Ads as tightly as GA4 does.
Conclusion
GA4 is legal in the EU today. The legal basis, the Data Privacy Framework, is defensible but fragile, and businesses should build their analytics setup assuming DPF might not be permanent. If you run GA4, you need: Consent Mode V2 in Advanced mode, IP anonymization, proper data retention, a signed Google DPA, and a documented DPIA. Miss any of these and you have a GDPR problem regardless of DPF.
For most mid-market European businesses, staying with GA4 + proper compliance is the right call. For highly sensitive industries, risk-averse leadership, or clients with no-US-processor contracts, Matomo EU or Plausible EU are credible alternatives worth evaluating.
"Is GA4 legal in Europe?" is the wrong question. The right question is: "Is my specific GA4 setup compliant today, and do I have a plan if DPF gets invalidated?" Answer both, and the legal ambiguity becomes manageable.
Want a specialist to review your actual GA4 + GDPR compliance posture? Get in touch for a scoped assessment. I'll check your Consent Mode, retention, and DPIA coverage, and give you a concrete action list, plus a backup plan if DPF gets struck down. No fear-mongering, no "it's all fine", just the current state and what to do about it.