
GA4 and UK GDPR: A Compliance Guide for Website Owners.

GA4 and UK GDPR: An overview in 2026.

Understanding the relationship between GA4 and GDPR is no longer optional for UK website owners. Google Analytics 4 collects personal data, a fact Google's own terms confirm, which means it falls squarely within the scope of UK GDPR and PECR.

Getting that wrong carries real consequences: in January 2025, the ICO assessed the top 200 UK websites for cookie compliance and found significant concerns with 134 of them. It has now committed to reviewing the top 1,000.

This guide covers everything you need to know: what GA4 collects, what the law requires, how GA4 consent mode works (and where it falls short), and what a compliant setup actually looks like.

Based on ICO guidance 2025–2026, including direct correspondence with the ICO.

What data does GA4 collect?

Before getting into the GA4 GDPR requirements, it helps to be clear about what GA4 is doing when it runs on your site.

GA4 collects cookie identifiers (the _ga, _gid and _gat cookies that track users across sessions), IP addresses used for geolocation, device and browser information, and detailed user behaviour data including page views, clicks, scroll depth and conversions.

If you have Google Signals or User ID enabled, it can also collect demographic estimates and link data across sessions and devices.

This is personal data under UK GDPR. That is not a grey area — it is the starting point for everything that follows.

The legal framework: GA4, GDPR, and PECR.

Three regulations govern the use of GA4 on UK websites, and understanding how they interact is essential.

UK GDPR governs the processing of personal data and requires a lawful basis for all processing. It applies to any organisation processing personal data of UK residents.

PECR (the Privacy and Electronic Communications Regulations) governs the use of cookies and tracking technologies. Crucially, it applies to both personal and anonymous data, not just personal data. It applies to anyone operating a website accessed by UK users.

The Data (Use and Access) Act 2025 introduced updates to PECR that came into force in June 2025. ICO guidance is still being updated to reflect this.

The rule that catches most people out: PECR takes precedence over UK GDPR where both apply. If you need consent under PECR to run GA4, consent is also required as your lawful basis under UK GDPR. You cannot use legitimate interests as a workaround for analytics.

What counts as valid consent for GA4?

Under UK GDPR and PECR, consent for GA4 must meet five requirements.

  • It must be freely given: users must have a genuine choice, with no penalty for refusing.

  • It must be specific: separate consent is required for analytics, advertising and personalisation; bundled consent is not valid.

  • It must be informed: users must understand what they are agreeing to before they agree.

  • It must be unambiguous: a clear positive action such as a tick or a click is required.

  • It must be withdrawable: users must be able to change their mind as easily as they gave consent in the first place.

The following do not count as consent: pre-ticked boxes, implied consent ("by continuing to browse you agree…"), consent bundled with no granular options, and cookie walls that block access unless consent is given.

When must consent be obtained?

Timing is one of the most commonly misunderstood GA4 GDPR requirements and one of the most actively enforced.

GA4 must not fire before the user has interacted with the consent banner, while the banner is being displayed, after the user has rejected consent, or if the user ignores the banner and navigates away.

GA4 may only fire after the user has actively and clearly indicated consent through a positive action.

In September 2024, the ICO issued a formal reprimand to Sky Betting and Gaming for setting cookies before consent had been given. That is a real enforcement precedent, not a theoretical one.

GA4 Consent Mode: what it is, and what it is not.

GA4 consent mode (officially Google Consent Mode v2) was made mandatory by Google in March 2024 for websites using Google's services in the UK, EU and EEA. Understanding how it works, and where its limits are, is one of the most important parts of getting GA4 and GDPR right.

There are two modes.

In Basic Mode, tags only fire after consent is granted. If properly configured, this is compliant.

In Advanced Mode, tags load but operate in a restricted state, sending "cookieless pings" to Google even before or without consent. This is where many implementations fall down.

Direct guidance obtained from the ICO in April 2025 makes clear that Advanced Consent Mode does not provide a lawful basis for tracking users who have not consented.

Even without traditional cookies, explicit consent is required for any tracking or storage access technology. PECR applies to tracking technologies processing both personal and anonymous data. Transmitting any signal without consent, including cookieless pings sent before the user has made a choice or after they have rejected, is not permitted.

GA4 consent mode is not a compliance workaround. It requires proper CMP integration and does not replace the need for consent. Implementing it without a correctly configured Consent Management Platform is not sufficient.

International data transfers.

When you use GA4, you are the data controller. Google acts as a data processor on your behalf.

Under UK GDPR Article 28, you must have a Data Processing Agreement (DPA) in place with Google before using GA4.

You can accept this by logging into your Google Analytics account, going to Admin → Account Settings, and accepting the Google Ads Data Processing Terms.

One important clarification: accepting the DPA does not make your GA4 GDPR implementation compliant. It is a necessary step, but not a sufficient one.

GA4 privacy settings you must configure.

Getting consent right is only part of the GA4 GDPR picture. GA4 itself has settings that need to be reviewed.

Data retention should be set to the minimum period necessary. The default is two months and the maximum is 14 months. Under UK GDPR's data minimisation principle, do not retain data longer than you need it.

Google Signals is disabled by default — keep it that way unless you have explicit user consent. Enabling it activates cross-device tracking and demographic reporting.

User ID should only be enabled for logged-in users who have given explicit consent. It can link data across sessions and devices, which increases the sensitivity of what you are collecting.

Data sharing settings should be reviewed and restricted. Do not share data with other Google products unless you have clear consent and a genuine business need.

What your Consent Management Platform must do.

A basic cookie banner is not sufficient for GA4 GDPR compliance. You need a Consent Management Platform (CMP) that:

  • Blocks GA4 and all non-essential scripts before any consent signal is received

  • Supports GA4 consent mode v2 and transmits the four consent parameters in real time

  • Provides a "Reject All" button that is at least as prominent and easy to use as "Accept All"

  • Offers granular consent categories, with analytics and advertising separated

  • Maintains an audit trail of consent records

  • Is IAB TCF v2.2 compliant if you are running advertising services
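Putting the consent mode section and the CMP requirements above into code, here is an added example (not from this page, from Google or from any CMP vendor) of a Basic Mode setup: the four Consent Mode v2 consent types default to denied before any tag loads, the banner's granular choices are pushed as a consent update, withdrawal is a single call back to denied, and gtag.js is injected only once analytics consent is granted. The measurement ID G-EXAMPLE, the banner category names "analytics" and "advertising", and the audit-record shape are assumptions of the example.

```javascript
// Added example (not Google's code or a CMP vendor's): Consent Mode v2 wired the
// Basic Mode way, with GA4 held back until analytics consent is granted.
// "G-EXAMPLE", the banner categories "analytics"/"advertising" and the audit
// record shape are constructed for this example.

// The four Consent Mode v2 consent types a CMP must set and update.
const CONSENT_TYPES = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

// The same queue Google's snippet defines; gtag.js drains it once it loads.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Step 1: before any tag loads, declare every consent type denied.
// wait_for_update lets the CMP deliver a previously stored choice first.
function setDefaultDenied(waitMs = 500) {
  const defaults = Object.fromEntries(CONSENT_TYPES.map((t) => [t, "denied"]));
  gtag("consent", "default", { ...defaults, wait_for_update: waitMs });
  return defaults;
}

// Step 2: map granular banner categories onto consent types. Analytics and
// advertising stay separate, so one can be granted without the other.
function consentStateFromChoices({ analytics = false, advertising = false } = {}) {
  const flag = (granted) => (granted ? "granted" : "denied");
  return {
    analytics_storage: flag(analytics),
    ad_storage: flag(advertising),
    ad_user_data: flag(advertising),
    ad_personalization: flag(advertising),
  };
}

// Called when the user clicks Accept All / Reject All / saves granular choices.
function applyUserChoice(choices) {
  const state = consentStateFromChoices(choices);
  gtag("consent", "update", state);
  return state;
}

// Withdrawal must be as easy as granting: one call sets everything back to denied.
function withdrawConsent() {
  return applyUserChoice({ analytics: false, advertising: false });
}

// Step 3 (Basic Mode): inject gtag.js only once analytics_storage is granted, so
// nothing, not even a cookieless ping, leaves the page beforehand. The injector
// is a parameter so the decision logic can run outside a browser.
function loadGa4IfAllowed(state, measurementId, inject = injectGtagScript) {
  if (state.analytics_storage !== "granted") return false;
  inject(measurementId);
  gtag("js", new Date());
  gtag("config", measurementId);
  return true;
}

function injectGtagScript(measurementId) {
  const s = document.createElement("script");
  s.async = true;
  s.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
  document.head.appendChild(s);
}

// Step 4: an audit record per decision, so consent can be demonstrated later.
function consentRecord(choices, state, policyVersion, now = new Date()) {
  return { timestamp: now.toISOString(), policyVersion, choices: { ...choices }, state: { ...state } };
}

// Walk through the banner flow. Outside a browser the injector just logs.
function demoFlow() {
  const inject = typeof document === "undefined"
    ? (id) => console.log("would inject gtag.js for", id)
    : injectGtagScript;
  setDefaultDenied();
  const choices = { analytics: true, advertising: false };    // granular: analytics only
  const state = applyUserChoice(choices);
  const loaded = loadGa4IfAllowed(state, "G-EXAMPLE", inject); // true: analytics granted
  return { loaded, record: consentRecord(choices, state, "cookie-policy-v1") };
}

console.log(JSON.stringify(demoFlow(), null, 2));
```

The order matters: the default must be pushed before gtag.js is on the page at all, and in Basic Mode the loader itself is gated on the update, which is what keeps the pre-consent window free of any GA4 request.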

What your privacy policy and cookie policy must cover.

Your privacy policy must state that you use Google Analytics 4, what data it collects, the lawful basis for processing (consent), how long data is retained, details of international data transfers, whether Google Signals or advertising features are enabled, how users can withdraw consent, and how users can exercise their data subject rights.

Your cookie policy must list all cookies GA4 places (_ga, _gid, _gat and others), the purpose of each, the duration of each, and identify Google as a third-party recipient.

The ICO has confirmed that a privacy policy that is hard to find or difficult to understand cannot be relied on as a valid means of obtaining consent.

Data subject rights and GA4.

Under UK GDPR, users have rights over their data. As data controller, you are responsible for facilitating those rights even for data processed via GA4.

Users have the right of access: the GA4 User Explorer report can help you locate their data. They have the right to erasure — GA4 provides a data deletion request tool in Admin → Data Deletion.

They have the right to object, and your CMP must make opting out simple at any time. They also have the right to data portability.

You have one calendar month to respond to data subject requests.

What the ICO is finding in practice.

Based on ICO enforcement activity, the most common GA4 GDPR failures are:

  • GA4 firing during the pre-consent window, before the banner has been interacted with

  • No "Reject All" button, or one that is harder to find than "Accept All"

  • Pre-ticked boxes or sliders defaulted to "on"

  • Relying on GA4 consent mode Advanced configuration without a properly integrated CMP

  • Treating analytics cookies as "strictly necessary" to avoid needing consent

  • No consent logs, leaving organisations unable to demonstrate compliance

  • Misclassifying analytics cookies as functional cookies

  • No Data Processing Agreement in place with Google

  • A privacy policy that does not mention GA4 or international data transfers

GA4 GDPR compliance checklist.

Legal and documentation:

  • Accept Google's Data Processing Terms in GA4 Admin

  • Update your privacy policy to disclose GA4, data transfers, and consent as your lawful basis

  • Create or update your cookie policy listing all GA4 cookies

  • Document your lawful basis as consent

Technical configuration:

  • Implement a compliant CMP that supports GA4 consent mode v2

  • Set the GA4 default consent state to DENIED in your CMP

  • Ensure GA4 is fully blocked before any consent signal is received

  • Configure granular consent categories

  • Add a clearly visible "Reject All" option

  • Enable consent logging and audit trails

  • Review and disable Google Signals unless you have consent

  • Set data retention to the minimum period required

  • Disable User ID unless explicitly consented to

Testing:

  • Use browser developer tools to verify no GA4 requests fire pre-consent

  • Test the reject flow — confirm GA4 is blocked after rejection

  • Test the withdrawal flow — confirm GA4 stops if consent is withdrawn mid-session
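The three testing steps above are easiest to make repeatable as a check over what the browser actually sent. The following is an added example, not a tool from this page or from Google, that flags GA4 loader and /g/collect requests and GA4 cookies observed in a given phase (before the banner is touched, after "Reject All", after withdrawal). The request URLs and cookie string in it are constructed samples; in a browser the inputs would come from the Network tab, or from performance.getEntriesByType("resource") and document.cookie. The gcs query parameter on a /g/collect hit is the consent state the hit was sent under, which is how an Advanced Mode cookieless ping shows up.

```javascript
// Added example: a pre-consent audit over captured requests and cookies. Not a
// tool from the page or from Google; the sample request URLs and cookie string
// below are constructed for illustration.

// GA4 network fingerprints: the gtag.js loader and the /g/collect hit endpoint
// (including regional hosts such as region1.google-analytics.com).
const GA4_REQUEST_PATTERNS = [
  /googletagmanager\.com\/gtag\/js/i,
  /google-analytics\.com\/g\/collect/i,
  /analytics\.google\.com\/g\/collect/i,
];

// GA4 cookie names: _ga, _gid, _gat and the per-property _ga_<id> cookies.
const GA4_COOKIE_PATTERN = /^_(ga|gid|gat)(_|$)/;

// gcs encodes the consent state a hit was sent under (G100 = ad_storage and
// analytics_storage both denied). Null for URLs that carry none.
function gcsParam(url) {
  try { return new URL(url).searchParams.get("gcs"); } catch { return null; }
}

// Every GA4 request seen in the phase is a finding: in a compliant setup the
// pre-consent and post-rejection lists are empty, cookieless pings included.
function findGa4Requests(urls) {
  return urls
    .filter((u) => GA4_REQUEST_PATTERNS.some((p) => p.test(u)))
    .map((u) => ({ url: u, gcs: gcsParam(u) }));
}

// Any GA4 cookie present means storage was written without consent.
function findGa4Cookies(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((c) => c.trim().split("=")[0])
    .filter((name) => name.length > 0 && GA4_COOKIE_PATTERN.test(name));
}

// One verdict per phase, suitable for keeping alongside the consent audit trail.
function auditPhase(phase, urls, cookieHeader) {
  const requests = findGa4Requests(urls);
  const cookies = findGa4Cookies(cookieHeader);
  return { phase, compliant: requests.length === 0 && cookies.length === 0, requests, cookies };
}

// Browser-side collection; call it before touching the banner, again after
// "Reject All", and again after withdrawing consent mid-session.
function collectFromBrowser() {
  return {
    urls: performance.getEntriesByType("resource").map((e) => e.name),
    cookieHeader: document.cookie,
  };
}

// Constructed sample: what a leaking Advanced Mode setup looks like pre-consent.
const SAMPLE_PRE_CONSENT_URLS = [
  "https://example.test/assets/site.css",
  "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&gcs=G100&en=page_view",
];
const SAMPLE_PRE_CONSENT_COOKIES = "session=abc123; _ga=GA1.1.111.222; _ga_EXAMPLE=GS1.1.333";

console.log(JSON.stringify(auditPhase("pre-consent", SAMPLE_PRE_CONSENT_URLS, SAMPLE_PRE_CONSENT_COOKIES), null, 2));
```

Run the same audit for each phase the checklist names; a setup passes only when the pre-consent, post-rejection and post-withdrawal verdicts are all compliant, since a single /g/collect hit with gcs=G100 is exactly the cookieless ping the ICO guidance above says is not permitted.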

The risk of getting it wrong.

The maximum fine under UK GDPR is £17.5 million or 4% of global annual turnover, whichever is higher. The PECR maximum is currently £500,000 and is under review for increase.

Beyond fines, the ICO issues public reprimands, enforcement notices requiring practice changes, and in late 2024 approved third-party collective redress actions on behalf of data subjects.

The ICO is no longer taking a light-touch approach. The top 1,000 UK websites are under active review. Any organisation with a website could be next.

Five things to remember about GA4 and GDPR.

  • GA4 is not automatically compliant. Configuration, consent, and documentation are all your responsibility as data controller.

  • Consent must come first. GA4 must not fire before the user interacts with the banner, while it is displayed, or after the user rejects it.

  • GA4 consent mode is not a compliance shortcut. It requires proper CMP integration and does not replace the need for consent.

  • PECR applies to all tracking technologies, including those processing anonymous data — and it takes precedence over UK GDPR.

  • The ICO is actively enforcing. Any organisation with a website could be next.
