The relationship between Google Analytics 4 and GDPR has been contested since 2022, when multiple European Data Protection Authorities ruled that standard GA deployments violated international data transfer requirements. Austria, France, Italy, and Denmark issued findings against GA4 deployments. The landscape has evolved but the fundamental tension remains: GA4 processes European user data on US-based infrastructure, which requires legal justification under GDPR Chapter V.
UK organisations should also align this work with our guide to UK PECR regulations and GA4, since the cookie-storage rules sit alongside UK GDPR rather than under it.
The current legal framework
Google now relies on the EU-US Data Privacy Framework (DPF), adopted in July 2023, as the legal mechanism for transatlantic data transfers; the framework is subject to ongoing legal challenges that high-risk organisations should monitor. The DPF changed the operational position for many organisations, but it does not remove the need for legal review, regional analysis, or documentation of how your implementation works. High-risk organisations should consult legal counsel.
The GDPR-aware GA4 setup: five steps
A privacy-aware GA4 setup is not a single configuration change. It is a sequence of decisions that must work together, beginning with a correctly wired Consent Mode v2 implementation. The exact legal interpretation still depends on your organisation, region, and disclosures.
Select a GDPR-compliant CMP
Choose a Consent Management Platform that supports your legal and implementation requirements. If you rely on TCF or Google's CMP integrations, verify that the chosen platform actually supports the flows you need for your region, languages, and tag architecture.
Configure consent defaults before tags fire
Set consent defaults before GA4 or Google Ads tags evaluate storage permissions for the regions where consent is required. In GTM this is commonly handled with a Consent Initialization trigger. Then verify the live browser behavior rather than assuming the template wiring is correct.
Implement the Consent Mode v2 update after consent
Configure the CMP or consent layer to update Google consent signals after the user interacts with the banner. Verify how analytics_storage, ad_storage, ad_user_data, and ad_personalization behave in the actual implementation and document any regional differences.
Set data retention to the minimum required period
In Admin > Data Settings > Data Retention, set user and event data retention to the shortest period appropriate for your use case. Two months is the minimum GA4 offers. If you need longer retention for trend analysis, use BigQuery where retention is under your direct control. Do not leave retention at the 14-month default without justification.
Sign a data processing agreement with Google
Go to Admin > Account Settings and confirm the Data Processing Amendment or equivalent account-level terms have been reviewed and accepted where required by your organisation. Treat this as part of your legal and vendor-governance process, not just a tagging task.
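The default-then-update sequence from the "configure consent defaults" and "implement the update" steps, as an added example that is not code from the original page or from Google's gtag.js. The consent recorder, the region list and the shape of the banner choice object are assumptions made so the sequence can be checked offline.

```javascript
// Added example, not code from the original page or from Google: a constructed offline
// stand-in for the gtag.js consent API, used to exercise the Consent Mode v2 default ->
// update sequence and check the resulting state per region without a browser.
const SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Assumed scope for regulated regions: EEA, UK and Switzerland (ISO 3166-1 alpha-2).
const CONSENT_REGIONS = ['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IS', 'IT', 'LV', 'LI', 'LT', 'LU', 'MT', 'NL', 'NO', 'PL', 'PT', 'RO', 'SK', 'SI',
  'ES', 'SE', 'GB', 'CH'];
// Keep only the four consent signals out of a gtag params object.
const pickSignals = (p) => Object.fromEntries(SIGNALS.filter((s) => s in p).map((s) => [s, p[s]]));

// Records gtag('consent', ...) commands and resolves the effective state the way gtag.js
// does: a signal with no default behaves as granted, a region-scoped default overrides a
// global one for visitors in that region, and a later update wins over any default.
function createConsentRecorder() {
  const defaults = [];
  let update = {};
  function gtag(command, action, params) {
    if (command !== 'consent') return;
    if (action === 'default') defaults.push({ ...params });
    if (action === 'update') update = { ...update, ...params };
  }
  function effectiveState(countryCode) {
    const state = Object.fromEntries(SIGNALS.map((s) => [s, 'granted']));
    for (const d of defaults) if (!d.region) Object.assign(state, pickSignals(d));
    for (const d of defaults) if (d.region?.includes(countryCode)) Object.assign(state, pickSignals(d));
    return Object.assign(state, pickSignals(update));
  }
  return { gtag, effectiveState };
}

// Step 2: deny all four signals for regulated regions BEFORE any GA4 or Ads tag evaluates
// storage; in GTM this call belongs on the Consent Initialization trigger.
function setConsentDefaults(gtag) {
  gtag('consent', 'default', {
    ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
    analytics_storage: 'denied', region: CONSENT_REGIONS, wait_for_update: 500,
  });
}

// Step 3: after the banner interaction, map the visitor's choice onto the four signals.
function applyBannerChoice(gtag, choice) {
  const ads = choice.ads ? 'granted' : 'denied';
  gtag('consent', 'update', {
    analytics_storage: choice.analytics ? 'granted' : 'denied',
    ad_storage: ads, ad_user_data: ads, ad_personalization: ads,
  });
}
```

Resolving the state for a visitor in a regulated region before and after the update is the same check you should repeat in the live browser against the real dataLayer, since a missing regional default leaves every signal granted.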
Google signals and cross-device tracking
Google Signals connects GA4 data with Google account information for cross-device user recognition and demographic enrichment. This may require a different consent and governance review than basic analytics measurement. If Signals is active for regions where privacy rules are strict, confirm with your legal team and CMP configuration that the disclosed purposes and technical behavior still match. Pair this review with your GA4 data retention settings so the two controls tell a consistent story.
Data deletion requests
GA4 provides a Data Deletion Request feature in Admin > Data Deletion Requests for removing data associated with a specific user_id or client_id. Processing takes up to 63 days. Critical: GA4 deletion requests do not affect BigQuery exports. Separate deletion workflows for BigQuery are required to fully honour data subject requests, and any server-side consent path must be reviewed end-to-end so deletions and consent state stay aligned. Document both workflows before you need them.
Validating and fixing GA4 GDPR compliance
These are the checks most commonly failed in GA4 compliance audits and how to remediate them.
Validate
- Check Consent Mode signals in GA4 Admin > Data Settings > Consent Settings and confirm signals are being received for EEA traffic
- Verify the Data Processing Amendment is accepted in Admin > Account Settings
- Check your cookie policy lists every cookie GA4 sets and describes the purpose accurately
- Confirm Google Signals and reporting identity settings are intentionally configured and documented
Fix
- Implement or repair consent defaults and updates before relying on the property for regulated-region measurement
- Set data retention to the minimum period needed; do not leave it at the 14-month default without justification
- Accept the DPA in GA4 Admin > Account Settings > Data Processing Amendment
- Document and test data deletion workflows for both GA4 and BigQuery separately
Watch for
- Any GA4 platform update that changes what data is collected by default; review release notes for consent-related changes
- CMP updates that alter how consent signals are passed to GTM without a corresponding re-test
- New Google services linked to GA4 (e.g., Google Ads, Display & Video 360) that may introduce additional data processing
GDPR and GA4 checklist
- Consent behavior for regulated regions is documented and verified in the browser
- Google Signals and reporting identity settings have been reviewed with privacy implications in mind
- Data retention set to the minimum appropriate period
- GA4 deletion request process documented and tested
- BigQuery deletion workflows exist separately from GA4 deletion requests
- Data Processing Amendment accepted in GA4 Account Settings
- Privacy policy accurately reflects analytics data collection and international transfers
Related guides
- Consent Mode v2 Implementation Guide: step-by-step GTM implementation for all four Consent Mode v2 signals, with verification instructions.
- CMP and GA4 Timing Validation: how to verify your CMP fires consent signals before GA4 tags load, and what happens when it does not.
- Cookieless Tracking in GA4: how GA4 handles non-consenting users through behavioral modeling and what data you actually lose.
- Consent Mode v2 and Unassigned Traffic: why Consent Mode v2 can cause a spike in Unassigned channel traffic and how to interpret it.