Is GA4 GDPR-compliant by default in 2026?

No. GA4 collects by default data that requires explicit consent (cookies _ga, _ga_*, user identifiers). Without Consent Mode v2 + a consent banner + IP anonymisation, your implementation is not compliant. The French CNIL has fined several sites in 2022-2024 on this exact point. The good news: with a CMP (Cookiebot, Axeptio or Tarteaucitron) and 30 minutes of setup, you become compliant.

Do I really need a cookie banner to use GA4?

Yes, as soon as your site is accessible from the EU. The GDPR requires free, specific, informed and unambiguous consent before dropping any non-strictly-necessary cookie. GA4 cookies are non-strictly-necessary audience measurement cookies: therefore subject to consent. An exception exists for CNIL-friendly audience measurement (Matomo in anonymised mode) but GA4 does not qualify.

What happens if the user refuses consent with Consent Mode v2?

GA4 receives anonymised 'pings' without persistent cookies or identifiers. You lose granularity (no user_id, no long sessions), but Google statistically models the lost conversions via 'consent mode modeling'. You keep ~60-70% of useful data for business decisions, without cookies. It's the legally 'safest' solution today.

What's the best consent tool (CMP) for a freelancer in 2026?

For < 100 visits/day: Tarteaucitron (free, open source, self-hosted). For 100-10,000 visits/day: Axeptio (French, GDPR-by-design, 25€/month). Beyond: Cookiebot (international, IAB TCF v2.2, ~30€/month). For client sites: recommending Axeptio is usually the best compliance/simplicity/price ratio on the European market.

Is IP anonymisation still necessary in GA4?

Technically no: GA4 no longer stores the full IP since 2023 (unlike Universal Analytics). The IP is used on the fly for geolocation, then discarded. BUT: in your privacy policy, mention explicitly that GA4 doesn't store IPs: regulators expect this. And enable the 'No Google Signals' option if you want to maximise compliance (at the cost of a few advertising features).

What are the risks of non-compliance?

Data-protection regulators can issue fines up to €20M or 4% of global revenue (GDPR article 83). In practice, for a French SMB, observed fines range from €1,000 to €50,000. More frequent: a public formal notice (damaging reputation), an obligation to comply within 1-2 months, and the risk of a complaint by a user or competitor. Compliance takes 30 minutes: the risk isn't justified.

GA4 and GDPR: complete guide to cookies and consent compliance (2026)

GA4 and GDPR has become THE critical question for any freelancer or agency installing Google Analytics on European sites. Between the CNIL sanctions of 2022-2024 against non-compliant sites, Consent Mode v2 mandated by Google since March 2024, and the constant evolution of case law, many freelancers are flying blind. This guide gives you the full up-to-date framework for 2026.

Google Analytics 4 collects by default:

Persistent cookies (_ga, _ga_*) to distinguish users between sessions
Client identifiers (Client ID, sometimes User ID)
Behavioural data (page views, events, traffic source, device)
The IP address (used for geolocation, then no longer stored since 2023)

All these elements are personal data under the GDPR: they allow indirect identification of a natural person (even without a name, the IP + device + behaviour aggregate may be enough to re-identify).

So cookie placement + personal data collection = mandatory prior consent before any GA4 load.

The 3 pillars of GA4 compliance in 2026

Google has mandated Consent Mode v2 for any site that wants to keep using GA4 + Google Ads for European audiences. Without Consent Mode v2, you lose access to certain advertising features.

The principle: GA4 receives consent signals continuously (ad_storage, analytics_storage, ad_user_data, ad_personalization). Based on these signals, GA4 adapts what it collects:

Full consent: GA4 works normally with cookies + identifiers
Refused consent: GA4 sends "cookieless pings", Google statistically models the missing data

This is consent mode modeling: you keep 60-70% of useful data without cookies.

A CMP is the tool that displays the consent banner and transmits the signals to Consent Mode v2. The 3 main ones in 2026:

CMP	Price	Market	Key benefit
Tarteaucitron	Free (open source)	< 100 visits/day	Self-hosted, zero recurring cost
Axeptio	~25€/month	100 to 10,000 visits/day	Made in France, premium UX
Cookiebot	~30€/month	Multi-site, international	IAB TCF v2.2, maximum compliance

Pillar 3: Compliant privacy policy

The pillar that's often forgotten. The client's site must have a privacy policy that explicitly mentions:

Use of Google Analytics 4
Purpose (audience measurement, statistics)
List of cookies dropped (_ga, _ga_* with 13-month duration)
Identification of the data controller
User rights (access, rectification, opposition, deletion)
Transfer to the USA with a mention of the DPF (Data Privacy Framework)

See the regulator's model wording for audience measurement tools.

Step 1: choose and install the CMP

Example with Axeptio (the simplest):

Create an account on axeptio.eu
Configure the project (site name, languages, services to manage)
Enable the "Google Consent Mode v2" module
Retrieve the JavaScript snippet

Step 2: install the CMP before GA4

The order of tags in the <head> is critical. Always:

The CMP snippet (which sets the default signals to "denied")
Then GA4 or Google Tag Manager

If the order is reversed, GA4 starts before the CMP can block its cookies = non-compliant.

If you use Google Tag Manager (recommended):

In GTM → Templates → Gallery → install "Consent Mode (Google tags)"
Create a "Consent Default" tag → all signals to denied by default
Configure the CMP to send gtag('consent', 'update', {...}) on user choice
Verify in GA4 Realtime that sessions only appear after consent

Step 4: verify compliance

Free tools to audit your implementation:

Google Tag Assistant (Chrome extension): verifies Consent Mode is active
Cookiebot Compliance Test: free site scan with compliance report
2GDPR.com: independent scanner that detects non-compliant cookies

The concrete questions your clients ask

No, not if your site targets the EU. But you can make it less intrusive: discreet design, "Refuse all" choice as visible as "Accept all" (regulator requirement), no pre-ticked boxes.

Empirically: 20-40% of users refuse. With Consent Mode v2 + modeling, you recover 60-80% of conversions through modelling. So you lose in practice 10-20% of precision on business KPIs. Largely acceptable against the legal risk.

"What about server-side tagging?"

Server-side tagging (GTM Server) hides Google cookies behind your domain: better ITP/Safari persistence, but does not exempt from GDPR consent. The data remains personal, the legal framework remains the same.

"Can data be transferred outside the EU?"

GA4 transfers to Google US servers. Since July 2023, the EU-US Data Privacy Framework legalises this transfer as long as Google stays certified under DPF (which it is). To be mentioned in the privacy policy.

Special case: compliance audit of an existing client site

If you take over a client that already had GA4 without a proper CMP:

Quick audit (15 min): scan with Cookiebot Compliance Test, identify non-compliant cookies
Compliance plan: choose the CMP, redo the tag order, update the privacy policy
Implementation (1-2h): CMP install, Consent Mode v2 configuration, tests
Client communication: explain that data will drop by 20-40% for 1-2 months, that's normal

You can bill this work €300-800 depending on complexity: it's real added value that justifies your expertise.

The future: will GA4 stay compliant?

Two scenarios to watch:

The DPF (EU-US transfer) may be invalidated: as Privacy Shield was in 2020. In that case, GA4 would become technically not transferable outside the EU. Fallback solutions: Matomo (self-hosted), Plausible (EU servers), Piwik PRO.
CNIL hardens its position: it could mandate server-side tagging or ban consent mode modeling. Unlikely short term, but worth watching.

For most freelancers and agencies, GA4 remains the most robust tool for 2026-2027. The compliance cost (CMP + 30 min of setup) is trivial against the GA4 ecosystem (Looker Studio, Google Ads, BigQuery export).

Going further

Install Google Analytics 4: complete guide: the technical foundation, to complement this GDPR guide.
Google Tag Manager + GA4: GTM makes Consent Mode v2 implementation much simpler.

On the reporting side: NarratIQ is hosted in Europe (Vercel Frankfurt + Upstash Ireland), zero GA4/Meta raw data stored in DB, AES-256-encrypted tokens. Our privacy policy details every processing. 14-day free trial, 100% GDPR-compliant.

GA4 and GDPR: complete guide to cookies and consent compliance (2026)

The 3 pillars of GA4 compliance in 2026

Pillar 3: Compliant privacy policy

Step 1: choose and install the CMP

Step 2: install the CMP before GA4

Step 4: verify compliance

The concrete questions your clients ask

"Can I completely disable the banner?"

"What about server-side tagging?"

"Can data be transferred outside the EU?"

Special case: compliance audit of an existing client site

The future: will GA4 stay compliant?

Going further

Frequently asked questions

Read next

Plausible vs GA4 vs Matomo: 2026 analytics comparison (freelance)

Automated GA4 report: send the monthly PDF without lifting a finger

GA4 report templates: 10 templates to copy for clients (2026)

Ready to automate your GA4 reports?

GA4 and GDPR: complete guide to cookies and consent compliance (2026)

Why GA4 raises a GDPR issue

The 3 pillars of GA4 compliance in 2026

Pillar 1: Consent Mode v2 (mandatory since March 2024)

Pillar 2: CMP (Consent Management Platform)

Pillar 3: Compliant privacy policy

Step-by-step config: GA4 + Consent Mode v2 + CMP

Step 1: choose and install the CMP

Step 2: install the CMP before GA4

Step 3: configure Consent Mode v2 in GA4 or GTM

Step 4: verify compliance

The concrete questions your clients ask

"Can I completely disable the banner?"

"How much data do I lose with consent?"

"What about server-side tagging?"

"Can data be transferred outside the EU?"

Special case: compliance audit of an existing client site

The future: will GA4 stay compliant?

Going further

Frequently asked questions

Read next

Plausible vs GA4 vs Matomo: 2026 analytics comparison (freelance)

Automated GA4 report: send the monthly PDF without lifting a finger

GA4 report templates: 10 templates to copy for clients (2026)

Ready to automate your GA4 reports?