Google Analytics is the most widely used web analytics tool in the world, embedded in over 28 million websites as of 2026. Yet since the French data protection authority (CNIL) ruled in February 2022 that Google Analytics, in its standard configuration, resulted in unlawful data transfers under the GDPR, the legality of this tool has remained a critical concern for every European website operator. The introduction of Google Analytics 4 and the adoption of the EU-US Data Privacy Framework in July 2023 have changed the landscape, but the risks have not vanished. If you operate a website accessible from the EU, understanding these issues is essential to avoid fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Why Google Analytics creates GDPR problems
The conflict between Google Analytics and the GDPR centres on one fundamental issue: the transfer of personal data to the United States. When a visitor browses a website using Google Analytics, data such as their IP address, cookie identifier, screen resolution and browsing behaviour are collected and transmitted to Google’s servers located in the United States.
The Schrems II ruling and its consequences
In July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield, the mechanism that had authorised transatlantic data transfers. This ruling, known as Schrems II, created a legal vacuum for all US-based services processing data of European residents. Google Analytics, which systematically transfers data to Google’s American servers, was directly affected.
The CNIL’s February 2022 decision
In February 2022, the CNIL issued formal notices to French website operators to stop using Google Analytics in its standard configuration. The authority concluded that Google's standard contractual clauses, even with the supplementary measures Google had put in place, did not provide sufficient safeguards against access to data by US intelligence services. These decisions followed the 101 coordinated complaints filed by the privacy organisation noyb in August 2020 against websites in 30 EU and EEA member states. Other data protection authorities in Austria, Italy and Denmark reached similar conclusions.
The cookie problem: a double infringement
Beyond data transfers, Google Analytics places tracking cookies on the user’s device. Under the ePrivacy Directive 2002/58/EC and national transpositions across the EU, any non-essential cookie requires the user’s prior consent. A website that loads Google Analytics without waiting for consent therefore commits a double infringement: a violation of cookie rules and an unauthorised transfer of personal data to the United States.
The Data Privacy Framework: an uncertain improvement
In July 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF), a new legal mechanism intended to resolve the transatlantic data transfer problem. Google was certified under the DPF, which in theory makes data transfers to its American servers lawful again. However, this framework relies on commitments from US authorities, and legal challenges are already underway. The privacy organisation noyb has announced its intention to challenge the DPF before the Court of Justice of the EU, just as it did with the Privacy Shield. A potential “Schrems III” ruling could invalidate this framework in turn. In 2026, legal uncertainty persists.
Google Analytics 4: is it enough?
In July 2023, Google retired Universal Analytics and replaced it with Google Analytics 4 (GA4). This new version brings significant improvements in data protection.
GA4 improvements
GA4 does not log or store IP addresses, with no additional configuration required: the address is used to derive coarse geolocation and then discarded. Note, however, that the address is still received by Google's collection servers before being discarded, so this alone does not settle the transfer question raised in the CNIL decisions. Event data retention periods are shorter (2 or 14 months instead of the 26-month default in Universal Analytics). The data model is event-based rather than session-based, and GA4 offers finer control over which data is collected (for example, per-event parameters and the option to disable Google Signals and granular location and device data).
Persistent limitations
Despite these improvements, GA4 still places cookies on the user’s device, which means prior consent remains mandatory. Data is still processed by Google, a company subject to US law (Cloud Act, FISA Section 702). The DPF could be invalidated, which would place GA4 in the same position as its predecessor. Furthermore, even with consent, the data transmitted to Google feeds an advertising ecosystem beyond the user’s control.
Current position of regulators
In 2026, GA4 is considered usable provided three cumulative requirements are met: obtaining the user’s prior consent before any cookie is placed, configuring GA4 strictly (disabling Google Signals, reducing retention, limiting data sharing), and mentioning GA4 in your cookie policy. But this tolerance rests on the validity of the DPF, which remains legally fragile.
GDPR-compliant alternatives
Given the risks associated with Google Analytics, several alternatives allow you to measure your website’s audience in full GDPR compliance.
Matomo (formerly Piwik)
Matomo is the leading open-source alternative to Google Analytics. It offers a comparable range of features (traffic reports, conversions, heatmaps) while ensuring full control over your data. Hosted in Europe (self-hosted or via Matomo Cloud in Germany), it eliminates the transatlantic data transfer issue. Under certain configuration conditions (no data cross-referencing, limited cookie lifetime, minimal data collection), Matomo qualifies for the CNIL exemption: it can be used without obtaining prior consent. The self-hosted version is free; Matomo Cloud starts at 19 euros per month.
Plausible Analytics
Plausible is a lightweight, privacy-first analytics tool. It places no cookies, stores no personal data (the visitor's IP address and user agent are hashed with a daily rotating salt and not retained), and its script weighs less than 1 KB (compared to approximately 45 KB for GA4). Since it stores nothing on the visitor's device, no consent banner is required for audience measurement. Data is hosted within the European Union. Pricing starts at approximately 9 euros per month. The interface is deliberately minimalist, making it ideal for small businesses that need essential metrics without complexity.
Fathom Analytics
Fathom shares Plausible’s philosophy: no cookies, no personal data, GDPR compliance by design. It offers a clean interface, an ultra-lightweight script and compliant hosting. It stands out for its intelligent bot traffic filtering and email reporting features. Pricing starts at approximately 14 US dollars per month.
AT Internet (Piano Analytics)
AT Internet, now Piano Analytics, is a French audience measurement solution used by many French government agencies and large enterprises. The CNIL has granted it an exemption from consent requirements in its audience measurement configuration (subject to compliant settings). It is the reference tool for organisations with strict compliance requirements. Pricing is available on request, generally suited to high-traffic websites.
Hybrid approach: the best of both worlds
In 2026, many websites adopt a hybrid approach: a cookie-free tool (Plausible or exempted Matomo) to capture baseline statistics from all visitors, combined with GA4 activated only after consent for users who accept it. This strategy delivers baseline data on 100% of traffic while retaining GA4’s advanced features for consenting visitors.
How to configure GA4 in a compliant manner
If you choose to keep Google Analytics 4, strict configuration is essential to limit legal risk.
Obtain consent before placing any cookie. The GA4 script must only load after explicit acceptance via a compliant consent banner. Tools such as Tarteaucitron, Axeptio or Cookiebot allow you to condition script loading on consent.
Configure GA4 restrictively. In the GA4 administration interface: disable Google Signals, reduce event data retention to 2 months, disable granular advertising data collection, and implement Consent Mode v2 so that the tag respects user choices (set all four consent signals, including the two added in v2, ad_user_data and ad_personalization, to denied by default and update them from the banner). One caveat: Google distinguishes basic Consent Mode, where gtag.js is not loaded at all until consent is given, from advanced Consent Mode, where gtag.js loads before consent and sends cookieless pings. Only basic mode satisfies the "no script before consent" rule above; if you opt for advanced mode, those pre-consent pings need their own assessment.
Document your compliance. Mention Google Analytics in your cookie policy, specifying the purpose (audience measurement), the types of cookies placed, their lifespan, and data transfers to the United States under the DPF.
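The three steps above, together with the hybrid approach described earlier, come down to one loading flow in the page. The following is an added example written for this article; it is not code from Google, Plausible, or any of the consent tools named above. It implements basic Consent Mode v2 gating: consent defaults are pushed as denied before anything loads, a cookieless baseline tracker (the Plausible snippet) is injected for every visitor, and gtag.js plus the GA4 config (Google Signals and ad personalisation off) are injected only once analytics consent is granted. The measurement ID, the site domain, the shape of the banner decision ({analytics, ads}) and the stub document used to run it outside a browser are all assumptions for the example; in a real page you would pass the browser's `document`.

```javascript
// Added example for this article, not code from Google, Plausible or any consent tool.
// Basic Consent Mode v2: GA4 is injected only after analytics consent; a cookieless
// tracker (Plausible snippet) loads for everyone. Measurement ID, domain and the
// {analytics, ads} decision shape are assumptions.

const GA4_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, not a real property ID
const SITE_DOMAIN = 'example.com';         // placeholder domain for the Plausible snippet

// Same queue mechanism as Google's snippet: commands are pushed onto dataLayer
// and replayed by gtag.js once (and only if) it loads.
function createGtag(dataLayer) {
  return function gtag() {
    dataLayer.push(arguments);
  };
}

// Consent Mode v2 defaults: every signal denied before the visitor has chosen.
// ad_user_data and ad_personalization are the two signals added in v2.
function setConsentDefaults(gtag) {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500,
  });
}

// Map a banner decision ({analytics: bool, ads: bool}) onto the four consent signals.
function consentUpdateFor(decision) {
  const ads = decision.ads ? 'granted' : 'denied';
  return {
    analytics_storage: decision.analytics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// Append an external <script> element to <head>; returns it for inspection.
function injectScript(doc, attrs) {
  const el = doc.createElement('script');
  Object.entries(attrs).forEach(([k, v]) => el.setAttribute(k, v));
  doc.head.appendChild(el);
  return el;
}

// Cookieless baseline: loads for every visitor, independent of the consent state.
function loadPlausible(doc) {
  return injectScript(doc, {
    defer: '',
    'data-domain': SITE_DOMAIN,
    src: 'https://plausible.io/js/script.js',
  });
}

// Banner callback. Basic Consent Mode: gtag.js is not fetched until analytics_storage
// is granted (advanced mode would load it up front and send cookieless pings).
function applyConsentDecision(doc, gtag, decision) {
  gtag('consent', 'update', consentUpdateFor(decision));
  if (!decision.analytics) return null;
  const el = injectScript(doc, {
    async: '',
    src: `https://www.googletagmanager.com/gtag/js?id=${GA4_MEASUREMENT_ID}`,
  });
  gtag('js', new Date());
  gtag('config', GA4_MEASUREMENT_ID, {
    allow_google_signals: false,              // Google Signals off
    allow_ad_personalization_signals: false,  // no ad personalisation data
  });
  return el;
}

// Minimal stand-in for the browser document so the flow runs outside a browser
// (constructed for this example). In a page, pass the real `document` instead.
function stubDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    head,
    createElement(tag) {
      const attrs = {};
      return { tag, attrs, setAttribute(k, v) { attrs[k] = v; } };
    },
  };
}

// Run the whole page flow for one visitor and report what was loaded.
function simulateVisit(decision) {
  const doc = stubDocument();
  const dataLayer = [];
  const gtag = createGtag(dataLayer);
  setConsentDefaults(gtag);                   // first, before any tag
  loadPlausible(doc);                         // cookieless, always
  applyConsentDecision(doc, gtag, decision);  // what the banner would call
  return {
    scripts: doc.head.children.map((el) => el.attrs.src),
    consentCommands: dataLayer.filter((c) => c[0] === 'consent').map((c) => [c[1], c[2]]),
    ga4Configured: dataLayer.some((c) => c[0] === 'config'),
  };
}
```

Running `simulateVisit({ analytics: false, ads: false })` yields a page with only the Plausible script and no GA4 config command, while `{ analytics: true, ads: false }` adds gtag.js and a config with Google Signals disabled but leaves all three advertising signals denied. The order matters: the consent default must be pushed before any Google tag is on the page, which is why it is the first call in the flow.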
The impact on your cookie policy
Using Google Analytics or any alternative has a direct impact on your cookie policy. This document must precisely list each audience measurement tool used, the cookies it places (or the absence of cookies in the case of Plausible or Fathom), the data collected and its purpose, any transfers outside the European Union, and the legal basis for processing (consent or CNIL exemption).
If you use a hybrid approach, both tools must be documented separately. For guidance on drafting a complete and compliant cookie policy, see our guide on cookie policy rules and sanctions. Remember that a cookie policy is one of the 4 essential legal documents for any e-commerce website. Failing to comply can expose your website to fines of up to 300,000 euros, as detailed in our overview of the top 15 GDPR fines in France.
Conclusion: which solution should you choose in 2026?
Your choice of analytics tool depends on your profile and needs.
Small business or startup on a limited budget: Plausible Analytics (from 9 euros/month) or self-hosted Matomo (free) offer native GDPR compliance with no consent requirement for audience measurement, provided Matomo is set up in the CNIL-exempted configuration described above. These tools cover essential traffic monitoring needs.
Mid-sized company with marketing needs: Matomo Cloud (from 19 euros/month) or Plausible, supplemented by GA4 with prior consent. The hybrid approach preserves Google’s advanced features while ensuring baseline data across all traffic.
Large enterprise or public sector organisation: Piano Analytics (AT Internet) offers a French-made solution exempted by the CNIL, with a level of detail and customisation suited to high-traffic websites and strict compliance requirements.
Whatever your choice, one point remains non-negotiable: your cookie policy must be up to date and accurately reflect the tools you use. Analytics compliance is inseparable from document compliance. Do not let an analytics tool jeopardise your website’s overall GDPR compliance.