How to Make Google Analytics GDPR Compliant in 2026
Google Analytics collects personal data by default. Here's exactly what to configure — Consent Mode v2, data retention, and DPA signing — to use GA4 legally in the EU.
The Problem With Google Analytics Out of the Box
Google Analytics 4 (GA4), by default, collects IP addresses, user agents, device identifiers, and generates persistent user IDs — all of which qualify as personal data under GDPR. Simply installing GA4 without any configuration makes you non-compliant before a single user visits your site.
The good news: with the right configuration, you can use Google Analytics legally in the EU. Here's exactly what to do.
Step 1: Set Up Google Consent Mode v2
Consent Mode v2 is Google's framework for adjusting GA4's data collection behavior based on user consent. It must be implemented via your consent management platform (CMP).
What It Does
When a user rejects analytics cookies:
- GA4 does not set
_ga,_gid, or_gatcookies - Google uses modeling to fill in aggregate gaps (so you still get some data)
- No individual tracking occurs without consent
How to Implement
In your CMP configuration (or directly in your tag setup), set these signals:
analytics_storage: 'denied'— blocks GA cookiesad_storage: 'denied'— blocks ad cookiesad_user_data: 'denied'— blocks user data signals for adsad_personalization: 'denied'— disables personalization
These must be set as default (before consent), then updated to 'granted' only after explicit opt-in.
Step 2: Sign a Data Processing Agreement
Google offers a Data Processing Agreement (DPA) that must be signed before using Google Analytics for EU users.
- Go to Google Analytics → Admin → Account Settings
- Scroll to Data Processing Amendment
- Review and accept the agreement
This is a legal requirement, not optional. Without the DPA, you have no contract with Google as a data processor — a clear GDPR violation.
Step 3: Configure Data Retention
Reduce how long Google stores user-level data:
- In GA4, go to Admin → Data Settings → Data Retention
- Set user-level data retention to 2 months (minimum available)
- Enable Reset on new activity only if users have given consent
Step 4: Enable IP Anonymization
In GA4, IP anonymization is enabled by default. Verify it hasn't been disabled:
- Check that you're using GA4, not Universal Analytics (which is sunset)
- In Measurement Protocol hits, ensure IP addresses are not being sent explicitly
Step 5: Disable Google Signals (or Gate It Behind Consent)
Google Signals enables cross-device tracking by linking GA4 data to Google accounts. This is highly privacy-invasive and requires explicit consent.
- Go to Admin → Data Settings → Data Collection
- Disable Google Signals for EU regions, or only enable it for consented users via Consent Mode
Step 6: Update Your Cookie Policy
Your cookie policy must list:
_ga(2 year expiry, Google Analytics)_gid(24 hour expiry, Google Analytics)_gat(1 minute expiry, Google Analytics)- Any
_ga_XXXXXXXXXXcontainer-specific cookies
Link to Google's Privacy Policy and specify data is transferred to the US under the EU-US Data Privacy Framework.
Step 7: Verify With a Scan
After implementation, use GDPR Fix to verify:
- No GA cookies are set before consent
- Consent Mode signals are firing correctly
- Your cookie policy lists the correct cookies and retention periods
A compliant Google Analytics setup is entirely achievable. The key is Consent Mode v2 properly wired to your CMP, the DPA signed, and your cookie policy updated to reflect reality.
Check your website now
Find out if your site has the issues described in this article. Free scan, results in minutes.
Scan Your Site — Free