Is Google Analytics Legal in 2026? The Honest Answer for Both Sides of the Atlantic

In April 2025, Blue Shield of California disclosed that a Google Analytics misconfiguration had been sending the protected health information of 4.7 million patients to Google Ads. For three years. Patient names, insurance plan types, doctor names, medical service dates, financial responsibility amounts. All flowing into Google's advertising infrastructure because of how Google Analytics is designed to work.

This wasn't a hack. It was a configuration setting.

I'm David, founder of Clickport. I build privacy-first analytics, which means I spend a lot of time reading privacy law. And what I've found is that no single article covers the full picture of Google Analytics' legal status in 2026. EU articles ignore US risk. US articles ignore EU risk. Nobody covers the AI integration problem. And the best-ranking article on this topic hasn't been updated since July 2023.

This article covers everything. Both sides of the Atlantic. Every active legal threat. With sources you can verify.

Seven countries have already said no

Between January 2022 and June 2023, seven European data protection authorities ruled that using Google Analytics violates the GDPR. Not "might violate." Violates.

The cascade started in Austria. On January 12, 2022, the Austrian DSB ruled that transferring EU visitor data to Google's US servers via Google Analytics violated GDPR Chapter V. IP anonymization was rejected as a meaningful safeguard because Google can re-identify users through other data it holds.

Within months, regulators across Europe followed:

Timeline: DPA rulings against Google Analytics
Jan 2022: Austria (DSB) rules GA transfers to the US illegal under GDPR
Feb 2022: France (CNIL) orders three websites to stop using Google Analytics
Jun 2022: Italy (Garante) declares Google Analytics unlawful, sets 90-day compliance deadline
Sep 2022: Denmark (Datatilsynet) declares GA non-compliant without supplementary measures
Mar 2023: Norway (Datatilsynet) warns GA4 "will not necessarily correct" the problems
Apr 2023: Finland (tietosuojavaltuutettu) finds meteorological institute violated GDPR via GA
Jun 2023: Sweden (IMY) issues first-ever financial penalty for GA use: EUR 1 million

The Netherlands also formally reprimanded Takeaway.com in August 2024 for using GA. Germany, Belgium, Spain, and Ireland have not issued formal rulings.

The legal reasoning across all seven rulings is identical: Google LLC is subject to US surveillance law (FISA Section 702), which gives US intelligence agencies access to data on Google's servers. No supplementary technical measure, including IP anonymization, changes this structural reality.

And here's the detail most articles miss: not a single EU data protection authority has ever said GA4 is compliant. Sweden's IMY explicitly noted in its June 2023 ruling that GA4 does not resolve the core transfer problem. The issue was never which version of Google Analytics you use. It's that Google is an American company subject to American surveillance law.

For a deeper look at how privacy-first analytics avoids these problems, our complete guide covers the technical and legal architecture behind cookieless tracking.

After the 2022-2023 ruling cascade, Google got a reprieve. On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF), the third attempt at a legal bridge for transatlantic data transfers. Google self-certified under it. Regulators paused enforcement.

The two previous bridges were both struck down by the EU Court of Justice. Safe Harbor fell in 2015 (Schrems I). Privacy Shield fell in 2020 (Schrems II). The pattern is clear. And the DPF is now under attack from multiple directions simultaneously.

Three attempts at EU-US data transfers
Attempt 1: Safe Harbor (2000 - 2015). Struck down in Schrems I.
Attempt 2: Privacy Shield (2016 - 2020). Struck down in Schrems II.
Attempt 3: Data Privacy Framework (2023 - ?). Under attack (Latombe appeal and NOYB).

The oversight body is gone. The DPF's legal foundation relies on the Privacy and Civil Liberties Oversight Board (PCLOB), an independent US agency that oversees intelligence activities. The European Commission explicitly cited PCLOB's independence when adopting the DPF in 2023. On January 27, 2025, the Trump administration fired all three Democratic PCLOB members, leaving it below quorum and unable to function. It has been non-operational for over a year.

The court challenge is live. Philippe Latombe, a French MP, challenged the DPF before the EU General Court. The General Court dismissed his challenge in September 2025. But Latombe appealed to the full CJEU in October 2025, the same court that struck down both Safe Harbor and Privacy Shield. A ruling is unlikely before late 2027.

Schrems III is coming. NOYB, the privacy organization led by Max Schrems, announced it is preparing a broader challenge incorporating the PCLOB collapse and Trump-era changes to US oversight. Schrems has argued that the Commission may not need to wait for a court: it could suspend the DPF on its own if it determines the oversight guarantees no longer exist.

Norway is already warning companies to prepare. In February 2025, Norway's DPA issued guidance warning that if the adequacy decision is revoked, "there will most likely not be a transition period." Organizations should build contingency plans now.

The DPF is technically valid today. But it is being challenged in the same court that struck down its two predecessors, its oversight mechanism has been gutted, and multiple regulators are warning companies not to treat it as permanent. Clifford Chance described the situation as "legal uncertainty and a storm over the Atlantic."

If the DPF falls, every website using Google Analytics in the EU is back to where it was in 2022: no legal basis for the data transfer.

In the US, your analytics script might be a wiretap

The legal risk isn't just European. In the United States, a 1967 California phone-tapping law called CIPA is being used to sue website owners for running Google Analytics.

The theory: when a third-party script captures visitor behavior and sends it to the vendor's servers in real time, that's an interception of a communication by a third party without consent. Courts have accepted this argument. In Smith v. Google (2024), a federal court denied Google's motion to dismiss, finding that Google creates "detailed dossiers" from collected data and uses it for its own ad business. Google is not a passive tool. It's a third-party eavesdropper.

The numbers: 2,341 lawsuits filed. $5,000 per violation with no proof of harm required. 70% of web privacy claims come from just four law firms. The reform bill (SB 690) died in the California Assembly in July 2025. No legislative fix until 2027 at the earliest.

I wrote a full deep-dive on this: Is Your Analytics Script a Wiretap Under California Law? It covers which tools are at risk, how plaintiffs find targets, why cookie banners don't protect you, and what to do about it.

The short version: if your analytics vendor uses collected data for its own purposes (ad targeting, model training, cross-site profiling), that vendor is a third-party eavesdropper under CIPA. If the data never leaves your control, the party exception defense applies and the core CIPA theory collapses.

The breaches that proved the risk

Legal theories become real when data actually leaks. In 2024 and 2025, Google Analytics was directly responsible for two of the largest healthcare data breaches ever recorded.

Blue Shield of California: 4.7 million patients. Between April 2021 and January 2024, Google Analytics sent protected health information to Google Ads. Insurance plan names, patient names, doctor names, medical service dates, financial responsibility amounts, and search inputs from the "Find a Doctor" feature. All transmitted because of how Google Analytics was configured to share data with Google's advertising products. Class action lawsuits were filed the day after disclosure.

Kaiser Permanente: 13.4 million members. In April 2024, Kaiser notified 13.4 million members that web tracking tools on its websites and apps had transmitted personal data to Google, Microsoft, and X (formerly Twitter). Kaiser agreed to pay up to $47.5 million to settle the resulting class action.

Healthcare data breaches caused by Google Analytics
Blue Shield of California: disclosed April 2025. Patients affected: 4.7 million. Duration: 3 years. Data sent to: Google Ads. Cause: GA misconfiguration.
Kaiser Permanente: disclosed April 2024. Members affected: 13.4 million. Settlement: $47.5 million. Data sent to: Google, Meta, X. Cause: web tracking pixels.

Google does not sign HIPAA Business Associate Agreements. Any healthcare organization using GA4 is accepting full liability for data that reaches Google's servers.

These aren't edge cases. They're the logical consequence of how Google Analytics works. GA4 is designed to send data to Google's servers, where it feeds into Google's advertising products. When that data includes anything sensitive, whether health information, financial data, or form submissions, there is no technical barrier preventing it from reaching Google's ad infrastructure.

The Swedish DPA reinforced this principle in August 2024, fining two pharmacies EUR 3.9 million combined for Meta Pixel leaking health data. The ruling established that website operators, not the tracking vendor, bear full responsibility for what third-party scripts send.

Google Analytics is no longer an analytics tool

This is the part that most articles miss entirely, and it fundamentally changes the legal analysis.

In December 2025, Google rolled out Analytics Advisor to all English-language GA4 accounts. It's a Gemini-powered AI agent that reads your property's behavioral data and answers questions about your visitors. In January 2026, Google added cross-channel budgeting and conversion attribution analysis betas. These tools forecast advertising ROI across channels and model budget allocation. They're media planning tools, not analytics.

But the deeper problem is in a setting most GA4 users don't fully understand.

When you enable "Google products and services" in GA4 and accept Google's Measurement Controller-Controller Data Protection Terms, Google becomes an independent controller of your visitor data. Google's own documentation states this data can be used to "improve Google products and services," including the Google Ads system. Under these terms, your visitors' data becomes Google's data.

GA4 in 2020 vs. GA4 in 2026
GA4 at launch (2020): page views and events; user flow reports; basic conversion tracking; custom dimensions; BigQuery export (360 only). An analytics tool with advertising hooks.
GA4 today (2026): Gemini AI Analytics Advisor; Predictive Audiences (ML on your data); Enhanced Conversions (hashed PII to Google); cross-channel budget planning; attribution analysis with AI modeling; controller-controller data sharing. An AI advertising platform wearing an analytics label.

For a full feature-by-feature breakdown, see Clickport vs Google Analytics: The Honest Comparison.

And in October 2025, Google officially killed Privacy Sandbox. Third-party cookies stay in Chrome forever. The promise of a more private web from the world's largest advertising company was, in the end, a four-year PR exercise.

This matters for the legal analysis because legitimate interest, the legal basis some website operators rely on for analytics, requires a balancing test. The visitor's reasonable expectation when browsing a website is not that their behavioral data will feed an AI system that trains advertising bidding models and predicts their future purchases. The gap between reasonable expectation and actual processing collapses the legitimate interest argument. The Cologne Regional Court reached exactly this conclusion in May 2025 when it ruled Deutsche Telekom's use of Google Analytics violated GDPR.

20 US states, 12 requiring Global Privacy Control

While the EU debate gets the headlines, the US is quietly building its own privacy infrastructure. As of January 2026, 20 states have comprehensive privacy laws in effect. Three new ones launched on January 1, 2026: Indiana, Kentucky, and Rhode Island.

Twelve states now require businesses to honor Global Privacy Control (GPC) signals, including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. California, Colorado, and Connecticut conducted a joint enforcement sweep in 2025 targeting businesses that failed to honor GPC.

US state privacy laws: the 2026 landscape
20 states with privacy laws. 12 require GPC honoring. 3 new laws took effect Jan 1, 2026. 4+ states have pending bills.

Key: all US frameworks use opt-out, not opt-in. But tools collecting IP addresses, cookie identifiers, or browsing paths handle "personal information" under CCPA and most state laws, requiring opt-out mechanisms, GPC compliance, and data subject rights. Tools collecting only aggregate, non-identifiable data fall outside these definitions entirely.

Here's where the distinction matters most. Under CCPA and every Virginia-model state law, "personal information" is data that is "linked or reasonably linkable to an identified or identifiable natural person." Google Analytics collects IP addresses, cookie identifiers, and browsing paths. That's personal information. It triggers opt-out requirements, GPC honoring obligations, and data subject rights in every state with a privacy law.

Analytics that collects no IP addresses, sets no cookies, builds no per-user profiles, and produces only aggregate page-level counts? That falls outside the definition of personal information in every current US state privacy framework. Zero compliance overhead by design.

For a comprehensive look at the regulatory landscape, our privacy-friendly analytics guide covers both EU and US compliance requirements in detail.

What 40% of your traffic is doing that GA4 can't see

Even if Google Analytics were fully legal everywhere, there's a growing accuracy problem that most website owners don't know about. Between ad blockers, browser privacy features, and consent rejection, GA4 is missing a significant and growing share of your actual traffic.

Ad blockers are eating GA4 alive. 42.7% of global internet users use ad-blocking tools on at least one device. On tech-savvy audiences, the numbers are dramatically worse: Plausible's study found 58% of Hacker News and Reddit readers block Google Analytics entirely. 88% of Firefox users in their sample blocked it. Tools like uBlock Origin and Brave Shields block google-analytics.com at the network request level.

Browsers are tightening the screws. Safari 26 activates Advanced Fingerprinting Protection by default for all browsing, blocking Google Tag Manager from loading when enabled. It also strips Google click IDs (gclid) from URLs, breaking paid search attribution. Firefox 145 introduced anti-fingerprinting protections that cut trackable users in half. And Firefox's Enhanced Tracking Protection has blocked more than 1 trillion tracking attempts total.

Consent rejection compounds the loss. In the EU, consent rejection rates for analytics cookies range from 30% to 70% depending on the country and how the banner is designed. Those visitors are invisible to GA4.

What GA4 actually sees: the data loss funnel
1,000 actual visitors land on your site (100%)
Consent banner shown (EU sites): 500 consent to cookies, a 50% rejection rate (50%)
Ad blockers and browser protections: 350 not blocked by ad blockers, 30% blocked (35%)
Safari ITP, Firefox ETP, browser-level blocking: ~250 visitors GA4 actually reports (~25%)

For a typical EU website, GA4 may report only 25-40% of actual traffic. On tech-heavy audiences, it can be worse. Google's Consent Mode "behavioral modeling" fills some gaps, but uses data from non-consenting users to do it, which is itself legally questionable.

Google's response to consent rejection is Consent Mode v2, which sends "cookieless pings" to Google even when users decline cookies. Google then builds "behavioral models" from this non-consented data to fill the gaps. Whether modeling from users who explicitly declined consent is itself a GDPR violation remains legally unresolved.

First-party analytics avoids all three layers of data loss. The tracker script is served from your own domain, so ad blockers can't distinguish it from your site's own code. No cookies means no consent banner needed and no consent rejection. And first-party requests aren't subject to Safari ITP or Firefox ETP restrictions. The result: you see close to 100% of your actual traffic.

This is also why your bounce rate measurements might be off. When GA4 can only see a fraction of your visitors, every metric built on that data is distorted.

EUR 7.1 billion in fines and counting

If you're thinking "regulators don't actually enforce this," the numbers say otherwise.

Total GDPR fines since May 2018 have reached EUR 7.1 billion, according to DLA Piper's January 2026 survey. EUR 1.2 billion was issued in 2025 alone, broadly matching 2024. Daily breach notifications reached an average of 443 per day, a 22% jump and the first time above 400 since the GDPR took effect.

The cookie-specific enforcement is escalating:

GDPR enforcement: the escalation curve
2020: EUR 0.3B
2021: EUR 1.3B
2022: EUR 1.6B
2023: EUR 2.1B
2024: EUR 1.2B
2025: EUR 1.2B
Cumulative total: EUR 7.1 billion across all GDPR fines since May 2018. Source: DLA Piper January 2026 Survey.

The trend is clear. DPAs are getting more aggressive, not less. Fines are growing. Enforcement is becoming proactive rather than complaint-driven. And cookie/analytics violations are a specific enforcement priority.

The law that could change everything

On November 19, 2025, the European Commission published the Digital Omnibus, a sweeping proposal to simplify the EU's digital rulebook. Buried inside it is a change that could reshape the analytics market entirely.

The proposal moves cookie consent rules from the ePrivacy Directive directly into the GDPR as a new Article 88a. And that article creates a whitelist of purposes that don't require consent. One of them: audience measurement.

Article 88a(3)(c) exempts "creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use."

The conditions are specific:

Digital Omnibus: who qualifies for the consent exemption?
Qualifies: privacy-first analytics. Data processed per-customer, isolated; vendor doesn't reuse or pool data; aggregate statistics only; no cross-site tracking; no advertising integration.
Does not qualify: GA4 (standard configuration). Google processes data on shared infrastructure; terms permit use for Google's own products; linked to Google Ads ecosystem; correlates users across properties; controller-controller data sharing.

The EDPB/EDPS supports the direction and encourages a shift toward contextual over behavioral advertising. The analytics exemption itself has not attracted significant opposition. See what cookie-banner-free analytics means for your site.

This is not law yet. The proposal is in early legislative procedure at the European Parliament. Legal analysts project the analytics exemption could take effect by mid-2027 at the earliest.

But the direction is clear. The EU is moving toward a world where privacy-first, first-party analytics operates without consent requirements, while tools that share data with third parties for advertising purposes still need full consent infrastructure. IntelligentCIO Europe quoted Mateusz Krempa: "this will give privacy-friendly European analytics providers an edge compared to US-based platforms."

The tools that will benefit aren't the ones that have to redesign. They're the ones that were built this way from the start.

What you should actually do

I'm not going to pretend there's only one answer. Your situation depends on your jurisdiction, your industry, and what you actually need from analytics.

If you're in healthcare, finance, or education: remove Google Analytics immediately. The Blue Shield and Kaiser cases make it clear that GA4's architecture is incompatible with HIPAA, and the data flow to Google's ad infrastructure is a structural risk that no configuration setting can fully eliminate. Use a first-party analytics tool that processes data on EU infrastructure with no third-party data sharing.

If you're in the EU and want to keep GA4: you need explicit, informed consent before any tracking fires. Not "by browsing you agree." A real consent banner that technically blocks all GA4 scripts until the user clicks Accept. You need a Data Processing Agreement with Google. And you need to accept that 50-70% of your visitors will decline consent, which means your analytics data represents a minority of your actual traffic.
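As an added example (not Clickport's code, nor Google's), here is a consent gate that covers both the Global Privacy Control requirement described in the US state section and the advice above to technically block all GA4 scripts until the user clicks Accept: the decision logic is kept pure so it can be tested, and the loader injects the public gtag.js snippet only once the gate opens. The storage key, the 12-month consent expiry and the "G-PLACEHOLDER" measurement ID are assumptions.

```javascript
// Consent gate for a third-party analytics loader (added example, not Clickport's or Google's code).
// Precedence: a Global Privacy Control opt-out, then a stored consent record, then the default
// of "do not load". The storage key and the 12-month re-consent interval are assumptions.

const CONSENT_KEY = "analytics-consent";                 // assumed localStorage key
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;   // assumed re-consent interval
const GTAG_LOADER = "https://www.googletagmanager.com/gtag/js?id="; // public gtag.js loader URL

// Browser side: GPC-enabled browsers expose navigator.globalPrivacyControl === true.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: the same signal arrives as the "Sec-GPC: 1" request header.
// `headers` is a plain object keyed by lowercase header name.
function gpcFromHeaders(headers) {
  return String(headers["sec-gpc"] || "").trim() === "1";
}

// Decide whether the analytics script may load. Returns { load, reason }.
// `stored` is the parsed consent record ({ analytics: boolean, ts: epoch ms }) or null.
function analyticsDecision(gpcSignal, stored, now = Date.now()) {
  if (gpcSignal) return { load: false, reason: "gpc-opt-out" };
  if (!stored || stored.analytics !== true) return { load: false, reason: "no-consent" };
  if (typeof stored.ts !== "number" || now - stored.ts > CONSENT_MAX_AGE_MS) {
    return { load: false, reason: "consent-expired" };
  }
  return { load: true, reason: "consented" };
}

// Read the consent record from a Storage-like object; malformed data counts as no consent.
function readStoredConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : null;
  } catch (e) {
    return null;
  }
}

// Called from the banner's Accept / Decline buttons; a decline is recorded explicitly.
function recordConsent(storage, analytics, now = Date.now()) {
  const record = { analytics: analytics === true, ts: now };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Inject the standard gtag.js snippet. Nothing reaches Google before this runs,
// so the script tag must not appear in the page's static HTML.
function loadGtag(measurementId, win, doc) {
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag("js", new Date());
  win.gtag("config", measurementId);
  const script = doc.createElement("script");
  script.async = true;
  script.src = GTAG_LOADER + encodeURIComponent(measurementId);
  doc.head.appendChild(script);
  return script.src;
}

// Page entry point: evaluate the gate and load only when it opens.
function bootAnalytics(win, doc, measurementId) {
  const decision = analyticsDecision(gpcFromNavigator(win.navigator), readStoredConsent(win.localStorage));
  if (decision.load) loadGtag(measurementId, win, doc);
  return decision;
}
```

Wire `recordConsent` to the banner buttons and call `bootAnalytics(window, document, "G-PLACEHOLDER")` both on page load and again after Accept, so a GPC-enabled browser never loads the script even if the user clicks Accept.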

If you're in the US: audit your tracking stack for CIPA exposure. Every third-party script that captures visitor behavior and sends it to a vendor that uses it for their own purposes is a potential $5,000-per-violation liability. Our CIPA deep-dive covers the specific tools at risk and what to do about each one.

If you want to stop worrying about all of this: switch to analytics that don't create the legal exposure in the first place.

Decision guide: what should you do?
Need Google Ads retargeting? GA4 is the only option for native audience export. Accept the legal and data-loss trade-offs.
Need cross-device tracking? GA4 can link sessions across devices via Google account identity. No privacy tool replicates this.
Need to understand traffic sources, content performance, and visitor engagement? A privacy-first tool gives you this with deeper engagement metrics, no consent banner, and close to 100% data accuracy.
Need conversion tracking and goal measurement? Most privacy-first tools, including Clickport, support goals, form tracking, and custom event tracking without cookies.
Want to be ready for the Digital Omnibus? Tools that qualify for the Article 88a exemption will operate without consent barriers. Tools that don't will still need banners.

The honest answer to "is Google Analytics legal in 2026?" is: it depends on who you ask, where you are, and how much risk you're willing to accept. Seven EU countries have said it's illegal. The legal bridge keeping it alive is under attack. US wiretapping lawsuits are surging. The tool itself has evolved into an AI advertising platform. Browsers are blocking it. And a proposed EU law would give privacy-first analytics an explicit legal advantage.

You can wait for the courts and regulators to sort it out. Or you can make a decision now.

David Karpik

Founder of Clickport Analytics
Building privacy-focused analytics for website owners who respect their visitors.