Back to articles
Analytics
Analytics GDPR CNIL Google Analytics

Google Analytics and GDPR: Is It Legal in France in 2026?

5 November 2025 9 min read DPLIANCE

The question of Google Analytics’ legality under the GDPR has been a legal saga since 2020. Six years later, the answer still isn’t simple. And that’s precisely what should worry you.

Google Analytics still powers over 330,000 sites in France and approximately 55% of websites worldwide. It’s the most widely used analytics tool on the planet. But being popular has never meant being compliant.

At DPLIANCE, we believe a business shouldn’t have to juggle legal uncertainties to understand its audience. User privacy is not an adjustment variable.

Here’s the complete picture — factual and unvarnished.

Timeline: From Schrems II to the 2025 Decisions

July 2020: Schrems II Disrupts EU-US Transfers

On July 16, 2020, the Court of Justice of the European Union (CJEU) delivers the “Schrems II” ruling (Case C-311/18). It invalidates the Privacy Shield, the agreement governing personal data transfers between the EU and the United States. Reason: American surveillance laws (FISA Section 702, Executive Order 12333) do not guarantee a level of protection equivalent to the GDPR.

Immediate consequence: any transfer of personal data to the United States without additional safeguards becomes illegal. And Google Analytics systematically transfers data to Google’s US servers.

August 2020: NOYB Files 101 Complaints

Following Schrems II, the association NOYB (None Of Your Business), founded by Max Schrems, files 101 complaints with data protection authorities across Europe. The complaints target websites using Google Analytics and Facebook Connect, which transfer data to the United States.

The European Data Protection Board (EDPB) creates a task force in September 2020 to coordinate responses from different national authorities.

January 2022: Austria Leads the Way

On January 13, 2022, the Austrian data protection authority (DSB) is the first to rule: using Google Analytics violates the GDPR due to data transfers to the United States. Additional measures implemented by Google (encryption, contractual clauses) are deemed insufficient.

February-March 2022: CNIL (French Data Protection Authority) Follows

On February 10, 2022, CNIL publishes its decision: using Google Analytics under the conditions at the time is not GDPR-compliant. CNIL orders a French e-commerce website operator to stop using Google Analytics within one month. On March 2, 2022, two more formal notices follow.

CNIL is explicit: personal data transfers to the United States via Google Analytics are illegal. The protection measures Google implemented are not sufficient to prevent US intelligence services from accessing European citizens’ data, via the Cloud Act and FISA.

CNIL proposes an operational solution: using a properly configured proxy server to anonymize data before any transfer. But it acknowledges that this implementation “may prove costly and complex” and “does not always meet operational needs.”

2022: Italy Confirms

The Garante italiano (Italian authority) issues a similar decision during 2022, confirming Google Analytics’ illegality for the same reasons.

Three of Europe’s largest data protection authorities (Austria, France, Italy) are now aligned.

July 2023: The Data Privacy Framework Changes the Game

On July 10, 2023, the European Commission adopts an adequacy decision for the EU-US Data Privacy Framework (DPF). This new framework, negotiated between the EU and the US, once again authorizes personal data transfers to certified American companies.

Google is certified under the DPF. Data transfers via Google Analytics become legally possible again.

Following this decision, CNIL updates its position: transfers to the United States are now authorized under the DPF.

September 2025: The DPF Survives, But for How Long?

On September 3, 2025, the EU General Court rejects the action for annulment of the DPF brought by French member of parliament Philippe Latombe, who also sits on CNIL’s board. The DPF therefore remains valid.

But this legal victory is fragile. The General Court emphasizes that its decision “does not preclude future appeals based on different arguments, circumstances, or new facts.” Philippe Latombe had until November 3, 2025 to appeal to the CJEU.

Meanwhile, NOYB closely monitors US developments: executive orders from the Trump administration and the replacement of independent agency officials could weaken the safeguards on which the DPF relies. A “Schrems III” cannot be ruled out.

State of Play in March 2026

What Is Authorized

  • Using Google Analytics 4 (GA4) with Consent Mode if users give explicit consent
  • Transferring data to Google in the US under the Data Privacy Framework (as long as it remains valid)

What Is Mandatory

  • Obtaining explicit user consent before deploying GA4 cookies (CNIL has never granted a consent exemption to Google Analytics)
  • Informing users of data transfer to the United States
  • Documenting the legal basis for processing in your records
  • Complying with CNIL cookie guidelines (positive consent, refusal as easy as acceptance)

What Remains Risky

  • The DPF’s longevity: its two predecessors (Safe Harbor and Privacy Shield) were invalidated by the CJEU. The DPF relies on US executive orders that can be unilaterally modified.
  • Actual consent: in France, depending on the sector, 30 to 70% of visitors refuse cookies. Using GA4 with consent means accepting that you see only a fraction of your audience.
  • Fines for non-compliance: CNIL doesn’t hesitate to sanction. In 2025, total CNIL fines reached 487 million euros, of which 475 million was for Google and Shein.

Google launched Consent Mode to allow sites to use GA4 even when users refuse cookies. The principle: when consent is denied, GA4 sends cookieless “pings,” and Google uses statistical modeling to fill the gaps.

The problem? Several:

  1. Data is still sent to Google, even without consent. The exact nature of this data and what Google does with it remain opaque.
  2. Statistical modeling is not measurement. The displayed figures are estimates, not facts.
  3. Consent Mode’s compliance has not been validated by CNIL or any other European data protection authority.
  4. Data still flows through Google’s US servers, implying dependency on the DPF.

The Hidden Cost of Google Analytics

Google Analytics is “free,” but what’s free always has a cost.

Compliance Cost

  • Implementing and maintaining a compliant cookie banner (CMP)
  • Legal documentation (processing records, impact assessments)
  • Ongoing legal monitoring of the DPF’s status
  • Risk of fines for non-compliance

Lost Data Cost

  • 30 to 70% of your audience refuses cookies
  • Ad blockers block the GA4 script
  • You see only a fraction of your actual traffic

Dependency Cost

  • Your data is with Google. You don’t have full control.
  • Google can modify GA4, change its terms of service, or deprecate features at any time (as it did with Universal Analytics in July 2023).
  • Your data feeds Google’s advertising ecosystem, whether you want it to or not.

Compliant Alternatives

Faced with these risks, many European companies have already migrated to GDPR-compliant alternatives.

Mirage Analytics

Mirage Analytics is the web analytics tool published by DPLIANCE. No third-party cookies, no persistent tracker, hosted in France on Scaleway. It integrates analytics, session replay, heatmaps, and error monitoring in a single solution. Zero data transfer outside the European Union. Starting at EUR 19 excl. tax/month.

Other Alternatives

  • Matomo: open source, self-hostable, eligible for CNIL exemption. Free when self-hosted, from EUR 22/month in Cloud.
  • Plausible: open source, minimalist, cookieless. From EUR 9/month.
  • Fathom: simple, cookieless. From $15/month.

For a complete comparison, see our guide to Google Analytics alternatives.

What We Recommend

We are not lawyers, and this article does not constitute legal advice. But here’s our reading of the situation:

  1. If you’re launching a new site in 2026, don’t choose Google Analytics by default. Evaluate compliant alternatives from the start.
  2. If you already use GA4, make sure your cookie banner is compliant (explicit consent, refusal as easy as acceptance), document your legal basis, and monitor the DPF’s evolution.
  3. If you want legal certainty, choose a tool hosted in Europe, with no data transfer outside the EU, compatible with the CNIL exemption.
  4. If you want complete data, a cookieless tool that measures 100% of your audience will be more reliable than a GA4 that only sees the 30 to 70% who accepted cookies.

FAQ

Is Google Analytics 4 different from Universal Analytics for the GDPR?

GA4 collects less data by default (no stored IP address, for example) and offers Consent Mode. But the fundamental problem remains: data flows through Google’s US servers, and the tool requires user consent to deploy cookies. GA4 has never received a CNIL exemption.

Can the Data Privacy Framework be invalidated?

Yes. Its two predecessors were (Safe Harbor in 2015 by Schrems I, Privacy Shield in 2020 by Schrems II). The DPF survived an initial challenge in September 2025, but further challenges are possible, particularly if US safeguards are weakened by legislative or executive changes.

Can I use Google Analytics with a proxy to be compliant?

CNIL mentioned this possibility in 2022, but with significant reservations. The proxy must fully anonymize data before any transfer, which is technically complex and can render data unusable for analysis. In practice, few companies have successfully implemented this solution.

What is the maximum fine for GDPR non-compliance?

The GDPR provides for fines up to 20 million euros or 4% of annual global revenue, whichever is higher. In France, CNIL has demonstrated its capacity to impose heavy sanctions: 325 million euros for Google in September 2025.

How to migrate from Google Analytics to an alternative?

The technical migration is generally simple: you add the new tool’s script to your site and remove the GA4 script. Importing historical data is not possible (formats are incompatible), but you can run both tools in parallel for 1 to 3 months to compare data.

Sources: CJEU, Schrems II ruling, July 16, 2020, Case C-311/18; CNIL, Google Analytics formal notice, February 10, 2022 (cnil.fr); CNIL, formal notice of March 2, 2022; European Commission, DPF adequacy decision, July 10, 2023; EU General Court, ruling of September 3, 2025 (Latombe case); CNIL, Google EUR 325M sanction, September 1, 2025; NOYB, 101 complaints tracking (noyb.eu); Le Monde Informatique, “CNIL orders several sites to stop using Google Analytics” (2022).

Want reliable analytics without legal uncertainty? Discover Mirage Analytics: cookieless web analytics, hosted in France, with session replay and heatmaps built in. Starting at EUR 19 excl. tax/month.

Write to us

contact@dpliance.com
Contact us