TL;DR
Yes, with the right setup. GA4 with Consent Mode v2 in default-deny mode, combined with Google's EU-US Data Privacy Framework certification as the transfer mechanism, is the current accepted pattern. Load GA4 only after consent, declare it in your privacy policy with Google LLC as the data processor and the DPF as the transfer mechanism, and configure Consent Mode v2 to not fire before consent. Some DPAs have issued divergent guidance; monitor your local authority.
Can I Use Google Analytics in the EU in 2026?
Yes, with the right setup. The answer has been complicated by several years of regulatory activity: Schrems II (2020), a wave of DPA decisions against Google Analytics in 2022, and the EU-US Data Privacy Framework (DPF) adopted in July 2023. As of mid-2026, GA4 with Consent Mode v2 and the DPF as the transfer mechanism is the accepted pattern. Here is what each part means in practice.
This post covers the legal framework and configuration requirements. It is not a substitute for legal advice about your specific situation.
Why this was complicated: Schrems II and the DPA decisions
In July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield in its Schrems II judgment (Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18). Privacy Shield had been the primary legal mechanism for transferring EU personal data to US companies. After Schrems II, the alternative was Standard Contractual Clauses (SCCs), but with a requirement for a "transfer impact assessment" showing that US law did not undermine the SCCs' protections.
In 2022, the Austrian DSB, French CNIL, Italian Garante, and several other DPAs issued decisions finding that the use of Google Analytics violated GDPR. The basis was not the analytics function itself but the transfer of EU user data (including IP addresses and identifiers) to Google LLC servers in the US, which the DPAs found could not be adequately protected under SCCs given US national security law.
In July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). The DPF creates a mechanism for certified US organisations to receive EU personal data without needing SCCs or a transfer impact assessment. Google LLC is listed in the DPF participant list. This substantially resolves the transfer problem that drove the 2022 DPA decisions, subject to the ongoing legal challenge to the DPF itself.
The current accepted framework
As of mid-2026, using GA4 in the EU requires satisfying three legal requirements simultaneously:
- A valid legal basis under GDPR Article 6. For analytics cookies, this is consent (Article 6(1)(a)). Legitimate interests (Article 6(1)(f)) is not an accepted basis for setting non-strictly-necessary cookies, per the ePrivacy Directive and EDPB guidance.
- Compliance with the ePrivacy Directive. The ePrivacy Directive Article 5(3) requires prior informed consent before placing any non-strictly-necessary cookie on a user's device. This is the consent banner requirement. Consent must be obtained before GA4 loads.
- A valid transfer mechanism for data sent to Google LLC. Google's DPF certification provides this mechanism for EU-US transfers.
Consent Mode v2: what it is and why it matters
Google Consent Mode v2 is a configuration layer that tells GA4 and Google Ads tags how to behave based on user consent signals. It has two parameters relevant to GDPR: analytics_storage and ad_storage, plus the v2 additions ad_user_data and ad_personalization.
When these parameters are set to "denied", GA4 does not set measurement cookies. It may send "cookieless pings" to Google, which Google uses for modelling and aggregate reporting. Whether these pings constitute personal data processing under GDPR is debated. At minimum, they do not carry user identifiers.
For GDPR compliance, implement Consent Mode v2 in "default deny" mode:
- On page load, before any GA4 or Google Ads scripts execute, set all Consent Mode parameters to "denied".
- After the user consents via your cookie banner, update the parameters to "granted" for the appropriate categories.
- If the user declines, keep parameters as "denied".
- The GA4 tag itself should be loaded after the Consent Mode defaults are set, not before.
The practical implementation in Google Tag Manager: add a Consent Initialization trigger that fires before all other triggers, set default deny in a Custom HTML tag, and configure your consent banner's "granted" signal to update the Consent Mode parameters. Your Consent Management Platform (CMP) should handle this automatically if it is Google-certified.
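The default-deny sequence above, written as plain gtag.js calls rather than through Google Tag Manager (an added example, not code from the original post). The measurement ID G-XXXXXXXXXX is a placeholder, the function names are hypothetical, and `win`/`doc` stand in for `window` and `document` so the ordering check can also run outside a browser.

```javascript
// Added example: default-deny Consent Mode v2 bootstrap plus an ordering check.
const CONSENT_KEYS = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];
const allSet = (v) => Object.fromEntries(CONSENT_KEYS.map((k) => [k, v]));

// Step 1: run inline in <head>, before any Google tag is requested.
function initConsentMode(win) {
  win.dataLayer = win.dataLayer || [];
  win.gtag = function gtag() { win.dataLayer.push(arguments); };
  win.gtag('consent', 'default', allSet('denied'));
}

// Steps 2-3: called by the banner. Only accepted categories become 'granted';
// a decline sends no update, so the denied defaults stay in force.
function applyBannerChoice(win, choice) {
  const update = {};
  if (choice.analytics) update.analytics_storage = 'granted';
  if (choice.ads) {
    update.ad_storage = update.ad_user_data = update.ad_personalization = 'granted';
  }
  if (Object.keys(update).length === 0) return false;
  win.gtag('consent', 'update', update);
  return true;
}

// Step 4: request gtag.js only once the defaults exist (or, stricter, after consent).
function loadGa4(win, doc, measurementId) {
  const s = doc.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId);
  doc.head.appendChild(s);
  win.gtag('js', new Date());
  win.gtag('config', measurementId);
}

// Check: returns the problems found in the order of dataLayer commands.
function auditDataLayer(dataLayer) {
  const cmds = dataLayer.map((e) => Array.from(e));
  const i = cmds.findIndex((c) => c[0] === 'consent' && c[1] === 'default');
  if (i === -1) return ['no consent default set'];
  const problems = [];
  for (const k of CONSENT_KEYS) {
    if (cmds[i][2][k] !== 'denied') problems.push(k + ' is not denied by default');
  }
  cmds.slice(0, i).forEach((c) => {
    if (['js', 'config', 'event'].includes(c[0])) problems.push(c[0] + ' fired before consent default');
  });
  return problems;
}
```

Running `auditDataLayer(window.dataLayer)` from the browser console on a fresh page load, before interacting with the banner, shows whether any tag command was queued ahead of the denied defaults.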
What to declare in your privacy policy
Your privacy policy must disclose GA4 use in a way that satisfies GDPR Article 13 (if you collect data from users directly) or Article 14. At minimum, the disclosure should include:
- The name of the tool (Google Analytics 4)
- The processor (Google LLC, a US company)
- What data is collected (page views, session data, device information, anonymised IP address)
- The purpose (analytics, understanding site usage)
- The legal basis (consent)
- The transfer mechanism (EU-US Data Privacy Framework, Google LLC certification)
- The retention period (typically 14 months in GA4 default settings; configurable to 2, 14, 26, or 38 months)
- A link to Google's privacy policy and opt-out options
The cookie category entry in your cookie banner and your cookie policy should mirror this disclosure and list the specific cookies GA4 sets (_ga, _ga_*, _gid).
Where DPA positions still vary
The DPF resolves the transfer problem for most use cases. However, some DPAs have issued guidance that is not fully aligned with the DPF framework, and the DPF itself faces ongoing legal challenge from Max Schrems and NOYB.
The Austrian DSB and French CNIL have not retracted their earlier positions on Google Analytics outright, though both acknowledge the DPF changes the landscape. Some DPAs may issue new guidance as the DPF challenge progresses. Monitor your local supervisory authority's website.
The Italian Garante remains the most active enforcer in this space. If your primary market is Italy and you have significant Italian traffic, dedicated legal advice is warranted.
Alternatives to consider
If you want to avoid the complexity entirely, privacy-first analytics tools process data within the EU and do not set third-party cookies. Plausible Analytics (EU-hosted), Fathom Analytics (EU-hosting option), and Matomo (self-hosted) are common alternatives that can be used without a cookie consent banner for their core measurement features. The trade-off is less data richness and no integration with Google Ads conversion tracking.
For full GDPR compliance requirements including cookie and consent rules, see the GDPR checklist. For the B2B-specific cookie banner question, see Do I need a cookie banner for a B2B website?
FAQ
Are the Schrems II concerns about Google Analytics resolved?
Substantially but not entirely. The EU-US Data Privacy Framework, adopted in July 2023, restored the legal mechanism for EU-US transfers that Schrems II invalidated. Google LLC is DPF-certified. However, the DPF faces ongoing legal challenge and some DPAs have issued divergent guidance.
What is Consent Mode v2 and do I need it?
Consent Mode v2 is a Google feature that adjusts how GA4 tags behave based on user consent signals. For GDPR compliance, implement it in default-deny mode: all parameters set to "denied" before consent, updated to "granted" only after explicit consent. Without this, GA4 may set cookies before consent is given.
Can I use Google Analytics without a cookie banner?
Not if you use GA4's standard measurement features. Analytics cookies are not strictly necessary. The ePrivacy Directive requires prior consent for any non-strictly-necessary cookie regardless of whether you use GDPR consent or another legal basis for the underlying processing.