Skip to content
Back to Blog
GuideApril 25, 20267 min read

How to Make Google Analytics GDPR Compliant in 2026

Google Analytics collects personal data by default. Here's exactly what to configure — Consent Mode v2, data retention, and DPA signing — to use GA4 legally in the EU.

The Problem With Google Analytics Out of the Box

Google Analytics 4 (GA4), by default, collects IP addresses, user agents, device identifiers, and generates persistent user IDs — all of which qualify as personal data under GDPR. Simply installing GA4 without any configuration makes you non-compliant before a single user visits your site.

The good news: with the right configuration, you can use Google Analytics legally in the EU. Here's exactly what to do.

Step 1: Set Up Google Consent Mode v2

Consent Mode v2 is Google's framework for adjusting GA4's data collection behavior based on user consent. It must be implemented via your consent management platform (CMP).

What It Does

When a user rejects analytics cookies:

  • GA4 does not set _ga, _gid, or _gat cookies
  • Google uses modeling to fill in aggregate gaps (so you still get some data)
  • No individual tracking occurs without consent

How to Implement

In your CMP configuration (or directly in your tag setup), set these signals:

  • analytics_storage: 'denied' — blocks GA cookies
  • ad_storage: 'denied' — blocks ad cookies
  • ad_user_data: 'denied' — blocks user data signals for ads
  • ad_personalization: 'denied' — disables personalization

These must be set as default (before consent), then updated to 'granted' only after explicit opt-in.

Step 2: Sign a Data Processing Agreement

Google offers a Data Processing Agreement (DPA) that must be signed before using Google Analytics for EU users.

  1. Go to Google Analytics → Admin → Account Settings
  2. Scroll to Data Processing Amendment
  3. Review and accept the agreement

This is a legal requirement, not optional. Without the DPA, you have no contract with Google as a data processor — a clear GDPR violation.

Step 3: Configure Data Retention

Reduce how long Google stores user-level data:

  1. In GA4, go to AdminData SettingsData Retention
  2. Set user-level data retention to 2 months (minimum available)
  3. Enable Reset on new activity only if users have given consent

Step 4: Enable IP Anonymization

In GA4, IP anonymization is enabled by default. Verify it hasn't been disabled:

  • Check that you're using GA4, not Universal Analytics (which is sunset)
  • In Measurement Protocol hits, ensure IP addresses are not being sent explicitly

Step 5: Disable Google Signals (or Gate It Behind Consent)

Google Signals enables cross-device tracking by linking GA4 data to Google accounts. This is highly privacy-invasive and requires explicit consent.

  1. Go to AdminData SettingsData Collection
  2. Disable Google Signals for EU regions, or only enable it for consented users via Consent Mode

Step 6: Update Your Cookie Policy

Your cookie policy must list:

  • _ga (2 year expiry, Google Analytics)
  • _gid (24 hour expiry, Google Analytics)
  • _gat (1 minute expiry, Google Analytics)
  • Any _ga_XXXXXXXXXX container-specific cookies

Link to Google's Privacy Policy and specify data is transferred to the US under the EU-US Data Privacy Framework.

Step 7: Verify With a Scan

After implementation, use GDPR Fix to verify:

  1. No GA cookies are set before consent
  2. Consent Mode signals are firing correctly
  3. Your cookie policy lists the correct cookies and retention periods

A compliant Google Analytics setup is entirely achievable. The key is Consent Mode v2 properly wired to your CMP, the DPA signed, and your cookie policy updated to reflect reality.

Free scan

Check your website now

Find out if your site has the issues described in this article. Free scan, results in minutes.

Scan Your Site — Free