
Is Google Analytics GDPR-compliant?

Short answer: it is nuanced and it has changed. In 2022 several EU regulators found that the way Google Analytics was used at the time breached GDPR, mainly over data transfers to the US. A 2023 EU decision changed the legal basis for those transfers. It can be configured more defensibly now, but it still uses cookies and needs care.

What happened in 2022

Following the 2020 Schrems II ruling, data protection authorities in Austria, France, and Italy decided in 2022 that using Google Analytics, as configured at the time, involved transferring personal data to the United States without sufficient safeguards, and so breached the GDPR rules on international transfers. These decisions, prompted by complaints from the privacy group noyb, pushed many EU sites to reconsider.

What changed in 2023

In July 2023 the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework. For US organisations that self-certify under it, this restored a legal basis for transferring personal data from the EU. Google participates in the framework, which materially changes the 2022 transfer analysis. The framework itself has been challenged and could evolve.

So, can you use it compliantly today?

Often, with care. In practice that usually means using the current version (GA4), obtaining valid consent because it sets cookies, configuring data handling and retention sensibly, and keeping your privacy policy accurate. The point is that "compliant" is a property of your whole setup and configuration, not a fixed yes or no about the product.

The simpler path

A cookieless, EU-processed analytics tool sidesteps most of these questions: no consent banner to get right, no cross-border transfer to defend, no personal data to retain. That is the trade PlainStats makes. See GDPR-compliant analytics and the Google Analytics alternative overview.

Sources

General information, not legal advice. This area moves quickly and varies by country. Confirm the current position with a data protection officer or qualified counsel.
