Google Analytics and GDPR: Why EU Businesses Are Switching

Multiple European data protection authorities have ruled that Google Analytics violates GDPR. However, millions of EU websites still run GA4 tracking scripts. If you’re one of them, you’re sitting on a compliance risk that’s growing every year. Here’s what happened, what it means for your business, and what your options are.

Why Google Analytics Has a GDPR Problem

The issue isn’t with analytics itself. It’s with where your visitors’ data ends up. Google Analytics collects personal data — IP addresses, device identifiers, browsing behavior — and transfers it to servers in the United States. Consequently, that data becomes subject to US surveillance laws, specifically FISA Section 702 and Executive Order 12333.

Under these laws, US intelligence agencies can access data held by American companies without meaningful judicial oversight. In other words, when your European visitor lands on your website, their data flows to Google’s US infrastructure where EU privacy protections no longer apply.

This is exactly what the EU’s highest court — the Court of Justice of the European Union (CJEU) — has repeatedly flagged. First in the Schrems II decision that invalidated the Privacy Shield framework, and now in ongoing challenges to its replacement, the EU-US Data Privacy Framework.

[Figure: Timeline of EU enforcement actions against Google Analytics from 2022 to 2025]

Seven Countries That Ruled Against Google Analytics

Starting in 2022, European data protection authorities began issuing formal decisions against the use of Google Analytics. The wave started in Austria and quickly spread across the continent:

  1. Austria (January 2022) — The Austrian DPA (Datenschutzbehörde) ruled that a website’s use of Google Analytics violated GDPR because data transfers to the US lacked adequate safeguards.
  2. France (February 2022) — The CNIL ordered several websites to stop using Google Analytics, finding that Standard Contractual Clauses alone didn’t protect EU data from US government access.
  3. Italy (June 2022) — The Garante issued a 90-day deadline for companies to bring their GA implementations into compliance or stop using it entirely.
  4. Denmark (September 2022) — Datatilsynet concluded that Google Analytics could not be configured to comply with GDPR under existing legal mechanisms.
  5. Finland (2023) — The Finnish DPA joined the growing list, finding similar data transfer violations.
  6. Sweden (2023) — IMY fined companies for using Google Analytics without adequate data protection measures.
  7. Norway (January 2025) — Datatilsynet issued a preliminary ruling against Google Analytics, the most recent enforcement action to date.

Additionally, a German court in Cologne ruled that using Google Analytics constitutes a GDPR breach. Therefore, the pattern is clear: GA4’s data transfer model creates real legal exposure for EU businesses.

For more background on GDPR requirements, see our complete GDPR-compliant analytics guide.

The Data Privacy Framework: A Temporary Fix?

Google has pointed to the EU-US Data Privacy Framework (DPF), adopted in July 2023, as the solution. Google LLC is certified under the DPF, which theoretically provides a legal basis for transatlantic data transfers.

However, the DPF faces serious challenges. In fact, the European Data Protection Board published its first review report in 2025, urging the European Commission to re-evaluate the adequacy decision. Moreover, the CJEU is expected to review the DPF’s validity by 2026 — and many privacy experts predict a result similar to Schrems I and Schrems II.

The political situation makes things worse. In early 2025, the US administration removed all Democratic members from the Privacy and Civil Liberties Oversight Board (PCLOB) — one of the key bodies that EU authorities relied on when approving the DPF. As a result, the institutional safeguards that justified the framework are now weakened.

If the CJEU invalidates the DPF — as it did with Safe Harbor and Privacy Shield before it — every EU website running Google Analytics will instantly lose its legal basis for data transfers.

Google Analytics GDPR Compliance: What Google Has Done

Google hasn’t been idle. GA4 introduced several privacy improvements over Universal Analytics:

  • IP anonymization — GA4 truncates IP addresses by default. However, this happens after data reaches Google’s servers, meaning the full IP is still transmitted.
  • Data retention controls — You can set retention periods as short as 2 months.
  • Consent mode — GA4 can operate in a limited mode when users decline cookies, but it still sends data to Google.
  • Server-side tagging — You can route data through your own server first. That said, the data still ends up on Google’s infrastructure.

These measures help. But they don’t solve the fundamental problem: data still flows to US servers controlled by a US company subject to US surveillance laws. Essentially, you’re putting band-aids on a structural issue.

The Real Cost of Keeping Google Analytics in the EU

Beyond legal risk, there are practical costs that EU businesses rarely calculate. Specifically, these include:

1. Lost Traffic Data From Cookie Banners

Google Analytics requires cookies, which means you need a consent banner under GDPR. The average consent rate in Europe sits between 30% and 40%. Therefore, if you’re using GA4, you’re likely missing data from 60-70% of your visitors.

That’s not a small gap. It’s the majority of your traffic, invisible to your analytics. For context on what this means for SEO, read our guide on measuring organic traffic in a cookieless world.

2. Compliance Overhead

Running GA4 in a GDPR-compliant manner requires:

  • A properly configured consent management platform (CMP)
  • Regular audits of your data processing agreements
  • Documentation of your legal basis for data transfers
  • Ongoing monitoring of DPF validity

For a small or medium business, this compliance overhead can cost more than a paid analytics subscription.

3. Fines and Enforcement

GDPR fines for data transfer violations can reach up to 4% of annual turnover or 20 million euros, whichever is higher. While most enforcement has targeted larger companies so far, the trend is clear — DPAs are actively investigating analytics implementations.

[Figure: Comparison table showing Google Analytics versus privacy-first analytics alternatives across GDPR compliance features]

Privacy-First Alternatives That Solve the GDPR Problem

Several analytics tools are designed from the ground up to comply with European privacy law. Unlike Google Analytics, these tools don’t collect personal data and don’t transfer anything outside the EU:

| Tool | Data Hosting | Cookies | Starting Price | Best For |
|---|---|---|---|---|
| Plausible | EU (Germany) | None | $9/month | Simple, clean dashboards |
| Fathom | EU option available | None | $14/month | Privacy + features balance |
| Matomo | Self-hosted or EU cloud | Optional | Free (self-hosted) | GA4-like features, full control |
| Simple Analytics | Netherlands | None | $9/month | Maximum simplicity |
| Umami | Self-hosted | None | Free (open source) | Developers, full ownership |

These tools work without cookies, meaning no consent banners are needed. As a result, you see 100% of your traffic instead of the 30-40% that consented. Similarly, because they don’t collect personal data, GDPR’s strict data transfer rules simply don’t apply.

If you’re curious about what changes when you leave GA, check out our article on what you lose and gain when switching.

How to Migrate Away From Google Analytics

Switching analytics platforms isn’t as disruptive as it sounds. In fact, most businesses complete the migration in a single afternoon. Here’s the process:

  1. Choose your alternative. Plausible works for most small-to-medium sites. Matomo is better if you need GA4-level features. For a detailed comparison, see our guide on automation and data export in privacy-first tools.
  2. Export historical data from GA4. Download your key reports — traffic trends, top pages, conversion data — before removing the tracking code.
  3. Add the new tracking script. Most privacy-first tools require a single line of JavaScript. No tag manager needed.
  4. Remove the GA4 tracking code and the cookie consent banner (if GA was the only reason you had one).
  5. Run both tools in parallel for 2-4 weeks to validate data consistency.
  6. Inform your DPO and update your privacy policy to reflect the new analytics setup.
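
One way to verify step 4 before you drop the consent banner, as an added example that is not part of the original article: a Python check that scans a page's HTML for Google Analytics loaders, inline gtag snippets and measurement IDs. The sample pages, the ID G-ABC123DEF4 and the analytics.example.eu host are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Hosts that serve Google Analytics / Tag Manager loaders or receive GA hits.
GA_HOSTS = ("googletagmanager.com", "google-analytics.com")
# GA4 measurement IDs (G-XXXXXXXXXX) and legacy Universal Analytics IDs (UA-1234-1).
GA_ID = re.compile(r"\b(G-[A-Z0-9]{6,12}|UA-\d{4,10}-\d{1,4})\b")
GTAG_CALL = re.compile(r"\bgtag\s*\(")

# Constructed sample pages: one with the GA4 snippet, one after migration.
BEFORE = """<head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123DEF4"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-ABC123DEF4');</script>
</head>"""
AFTER = """<head>
<script defer src="https://analytics.example.eu/script.js"></script>
</head>"""


class GAFinder(HTMLParser):
    """Collects (kind, detail) findings from one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # External references: script loaders, preconnect links, noscript iframes/pixels.
        url = attrs.get("src") or attrs.get("href") or ""
        if tag in ("script", "link", "iframe", "img") and any(h in url for h in GA_HOSTS):
            self.findings.append(("external", url))
        self._in_inline_script = tag == "script" and "src" not in attrs

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # Inline snippets: flag gtag() bootstrap code and embedded measurement IDs.
        if self._in_inline_script and (GTAG_CALL.search(data) or GA_ID.search(data)):
            ids = sorted(set(GA_ID.findall(data)))
            self.findings.append(("inline", ",".join(ids) or "no id"))


def audit(html):
    """Return every Google Analytics reference found in the given HTML text."""
    finder = GAFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

Run `audit()` over the rendered HTML of each page template and treat any non-empty result as a failed migration step. A tag injected at runtime by a tag manager does not appear in static source, so confirm in the browser's network panel as well.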

For a detailed step-by-step process, use our analytics migration checklist.

[Figure: Decision tree flowchart helping EU businesses decide whether to switch from Google Analytics based on GDPR compliance]

What About the Cookie Banner Question?

One of the biggest practical benefits of switching is eliminating your analytics cookie banner. If your only reason for showing a consent popup was Google Analytics, removing GA means removing the banner entirely.

This matters more than most businesses realize. Cookie banners reduce page engagement, slow down page loads, and frustrate users. Furthermore, studies consistently show that 60-70% of European visitors either reject cookies or ignore the banner — meaning your GA data was incomplete from the start.

We covered this topic in depth in our article on whether you really need a cookie banner.

Bottom Line

Google Analytics and GDPR have been on a collision course since 2020, and the situation is getting worse, not better. Seven EU countries have ruled against GA. The Data Privacy Framework that currently enables data transfers is under legal challenge. And the political foundations supporting it are eroding.

If you’re an EU business — or serve EU visitors — the question isn’t whether to prepare for a switch. It’s whether to switch now or wait until you’re forced to. Given that privacy-first alternatives offer better data completeness (100% vs 30-40% with consent banners) at a modest cost, the business case often makes itself.

Start with our migration checklist and make the transition on your terms, not under enforcement pressure.

Written by Daniel Eriksson

Analytics consultant with 8+ years helping European businesses navigate web analytics. Migrated 50+ websites from GA4 to privacy-first alternatives. Based in Stockholm, Sweden.