
Is Google Analytics 4 illegal in Europe? The actual answer in 2026

GA4 is not strictly illegal in the EU, but it is also not a drop-in default. Two distinct questions decide its fate: did you get consent, and does the EU-US Data Privacy Framework still hold?

By Veracly Compliance Team · 8 min read

Asking whether GA4 is illegal in Europe is asking three questions in one. The answers differ depending on which one you mean. Compliance teams that conflate them either over-react (rip out GA4, lose all analytics signal) or under-react (assume DPF fixed everything, ship pre-consent firing). Neither is right in 2026.

The three questions

  1. Is the transfer of EU personal data to Google’s US servers lawful under Chapter V GDPR? This is the Schrems II question.
  2. Does setting a GA4 cookie or storing a client ID require consent under ePrivacy? This is the cookie banner question.
  3. Does GA4 process personal data lawfully under Articles 5 and 6 GDPR? This is the legal-basis question.

All three must be answered yes for GA4 to be deployed compliantly. Most coverage collapses them into one.

Question 1 — Schrems II and the DPF

Schrems II (C-311/18, July 2020) invalidated Privacy Shield as a basis for EU-US transfers, finding US surveillance law incompatible with GDPR adequacy. From 2020 to 2023 the only lawful basis was Standard Contractual Clauses plus “supplementary measures” — a legal posture the EDPB explicitly characterized as difficult to satisfy for cloud services.

That changed on 10 July 2023 when the Commission adopted an adequacy decision for the EU-US Data Privacy Framework. Google self-certified under the DPF. As a matter of black-letter law in 2026, transfers to Google for GA4 purposes are lawful provided Google’s DPF certification is current.

The Schrems III risk. noyb (the same NGO that won Schrems I and II) has telegraphed intent to challenge the DPF. The legal architecture is similar to Privacy Shield. A successful Schrems III invalidation would put GA4 back in the pre-2023 state: transfer-unlawful without supplementary measures. Planning horizon: assume the DPF is good for at least 18 months and probably 3 years; revisit quarterly.

Question 2 — ePrivacy consent

ePrivacy Article 5(3) requires informed consent for “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user.” This applies to all non-essential storage — cookies, localStorage, IndexedDB, fingerprinting techniques.

GA4 sets first-party cookies and stores a client ID. It is non-essential by every reasonable definition. Article 5(3) consent is required before the storage occurs.

The DPF does not change this. The DPF addresses GDPR Chapter V (transfers); ePrivacy 5(3) is a separate framework whose national-level transpositions all require pre-collection consent. A site that fires GA4 on first page load before the banner is clicked is in breach regardless of where the data ends up.

Question 3 — Lawful basis under Article 6

Once you have consent (Question 2 satisfied) and a lawful transfer mechanism (Question 1 satisfied), the GA4 processing itself needs an Article 6 lawful basis. For consent-gated analytics this is Article 6(1)(a) — the same consent. Legitimate interest (6(1)(f)) cannot be the basis because the EDPB has repeatedly held that tracking technologies requiring ePrivacy consent cannot then be processed under a different Article 6 basis post-collection.

What this means in practice

  • You can use GA4 in the EU. Provided you obtain ePrivacy consent before any GA4 cookie is set or any client ID stored, the deployment is lawful under the current DPF.
  • You must gate GA4 behind consent. No first-load firing, no “legitimate interest” arguments, no “but the data is anonymous.” Pre-consent firing is the single most common GA4 violation Veracly sees on SMB sites.
  • Consent Mode v2 is not a workaround. Google’s Consent Mode v2 sends modeled aggregates when consent is denied, but it still requires consent to set any cookie. The marketing pitch can be misleading; the actual mechanism is consent-gated.
  • Plan a contingency for Schrems III. The DPF will likely face challenge. Sites with significant EU traffic should have a documented analytics fallback (Matomo, Plausible, server-side first-party analytics) that does not depend on US transfers.

The non-Google alternatives

Two categories of GA4 alternative reduce the legal-basis stack to just ePrivacy consent:

  • EU-hosted analytics. Matomo (Cloud EU), Plausible (self-hosted or Plausible Cloud — EU servers). Both eliminate the transfer question. Both still require consent unless deployed in cookie-less mode.
  • Cookie-less analytics. Plausible default, Cabin, Vercel Web Analytics, Fathom. These do not set cookies and use techniques (daily-rotated hashed IPs, no cross-session identifiers) that EU DPAs have generally accepted as not requiring ePrivacy consent. Note: “cookie-less” is not a magic word — verify the specific tool against ePrivacy 5(3) before assuming.

Veracly’s rule entry for GA4

Veracly flags GA4 on every scan with a high severity and a Schrems II jurisdictional note. The flag fires whenever GA4 (any of google-analytics.com, analytics.google.com, googletagmanager.com) loads pre-consent. It does not fire when GA4 is loaded post-consent because the deployment is lawful in that case. The report’s severity reflects pre-consent firing risk, not GA4 as a category.
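The check described above can be reproduced against any captured request log. The following is an added example, not Veracly's own code: the three hosts come from the paragraph above, while the log shape (`url`, `t`), the `consentAt` parameter, the function names and the sample capture are assumptions made for illustration.

```javascript
// Hosts taken from the rule description above; everything else is illustrative.
const GA4_HOSTS = [
  'google-analytics.com',
  'analytics.google.com',
  'googletagmanager.com',
];

// True when hostname is a listed host or a subdomain of one. The suffix match
// is anchored on a dot, so lookalikes such as
// google-analytics.com.tracker.example do not match.
function isGa4Host(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  return GA4_HOSTS.some((d) => h === d || h.endsWith('.' + d));
}

// requests: [{ url, t }], t = ms since navigation start (assumed log shape).
// consentAt: ms when analytics consent was granted, or null if it never was.
function findPreConsentGa4(requests, consentAt) {
  const findings = [];
  for (const { url, t } of requests) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      continue; // not an absolute URL, nothing to classify
    }
    if (!isGa4Host(host)) continue;
    // With no consent recorded, every GA4 request counts as pre-consent.
    if (consentAt === null || t < consentAt) {
      findings.push({ url, host, t });
    }
  }
  return findings;
}

// Constructed sample capture: banner accepted 3000 ms after navigation.
const sampleRequests = [
  { url: 'https://shop.example/', t: 0 },
  { url: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE', t: 180 },
  { url: 'https://region1.google-analytics.com/g/collect?v=2', t: 420 },
  { url: 'https://google-analytics.com.tracker.example/x.js', t: 450 },
  { url: 'https://www.google-analytics.com/g/collect?v=2', t: 5200 },
];
const CONSENT_AT = 3000;

console.log(findPreConsentGa4(sampleRequests, CONSENT_AT));
```

The request at 5200 ms is not reported because it follows consent; passing `null` for `consentAt` models a visitor who never accepted and reports all three GA4 requests.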

See also: GDPR vs ePrivacy: which one actually governs cookies? · GDPR cookie audit explained

Common questions

Did any DPA officially ban GA4?

Several ruled Universal Analytics non-compliant: Austria (DSB, January 2022), France (CNIL, February 2022) and Italy (Garante, June 2022), with Denmark, Norway and Finland aligning. Those decisions applied to Universal Analytics specifically. GA4 has not received a comparable adequacy ruling but inherits the same Schrems II concerns until the legal basis is fully resolved.

Did the EU-US Data Privacy Framework fix the problem?

Partly. The DPF (adequacy decision of 10 July 2023) restored a lawful mechanism for transferring personal data from the EU to certified US companies including Google. It addresses the Schrems II "no adequate transfer mechanism" finding. It does not address ePrivacy 5(3) consent obligations, and it does not survive an inevitable Schrems III challenge intact.

Do I need consent for GA4?

Yes. GA4 sets first-party cookies and stores client identifiers in localStorage on first page load. ePrivacy 5(3) requires consent for any non-essential terminal-equipment storage. GA4 is non-essential.

What about GA4 server-side or consent-mode v2?

Server-side GA4 (Google Tag Manager Server with EU regional containers) reduces but does not eliminate transfers. Consent Mode v2 sends modeled aggregate data when consent is denied, but still requires consent before any cookie is set. Neither is a turn-key "GA4 without consent" path.
