Is Google Analytics Legal in 2026? EU Rulings, US Lawsuits

- Seven countries have already said no
- The legal bridge that's cracking
- In the US, your analytics script might be a wiretap
- The breaches that proved the risk
- Google Analytics is no longer an analytics tool
- 20 US states, 12 requiring Global Privacy Control
- What 40% of your traffic is doing that GA4 can't see
- EUR 7.1 billion in fines and counting
- The law that could change everything
- What you should actually do
A Google Analytics misconfiguration sent the health data of 4.7 million patients to Google Ads for three years. It wasn't a hack. Nobody broke in. It was a setting someone left on. That's the risk you sign up for when you run GA4 in 2026, and it's only one corner of the picture. Here's the full one.
- Seven EU data protection authorities have ruled Google Analytics illegal under GDPR. No authority has ever declared GA4 compliant.
- The EU-US Data Privacy Framework keeping GA4 alive in Europe faces active legal challenges: an appeal to the CJEU, a planned NOYB/Schrems III case, and the collapse of the PCLOB oversight body.
- In the US, 2,341 CIPA wiretapping lawsuits have been filed against websites running third-party analytics scripts. Statutory damages are $5,000 per violation.
- Blue Shield of California disclosed that a GA misconfiguration sent 4.7 million patients' health data to Google Ads for three years.
- Google's privacy policy permits using GA4 data for product improvement including AI. Analytics Advisor (Gemini) now reads your GA4 data. This creates compliance risks under GDPR Article 22.
Seven countries have already said no
Between January 2022 and June 2023, seven European data protection authorities ruled that using Google Analytics violates the GDPR. Not "might violate." Violates.
It started in Austria. On December 22, 2021, the Austrian DSB ruled that sending EU visitor data to Google's US servers via Google Analytics broke GDPR Chapter V (published by noyb in January 2022). Google's defense was IP anonymization. The DSB threw it out. Google can still re-identify people through the other data it already holds on them.
Then the rest of Europe followed, within months.
France (CNIL), February 2022: Ordered three websites to stop using Google Analytics. The data sent to Google's US servers was personal data, and US surveillance law handed US intelligence access without enough safeguards to protect it.
Italy (Garante), June 2022: Ruled Google Analytics unlawful and gave a website operator 90 days to comply.
Denmark (Datatilsynet), September 2022: Declared Google Analytics non-compliant without extra measures bolted on.
Finland (tietosuojavaltuutettu), April 2023: Found the Finnish Meteorological Institute violated GDPR by sending personal data to the US through Google Analytics.
Sweden (IMY), June 2023: Issued the first financial penalty for using Google Analytics. Tele2 was fined SEK 12 million (about EUR 1 million). Three other companies were told to stop.
Norway (Datatilsynet), March 2023: Issued preliminary findings that Google Analytics violated GDPR, with a blunt warning: "Google Analytics 4 will not necessarily correct those problems."
All seven rulings turned on the same point. Google LLC answers to US surveillance law (FISA Section 702), which lets US intelligence agencies reach data sitting on Google's servers. No technical fix changes that, not even IP anonymization. It comes down to where Google is and who can force it to hand the data over.
One detail gets skipped a lot. Not a single EU data protection authority has ever said GA4 is compliant. Sweden's IMY put it plainly in its June 2023 ruling: GA4 does not fix the core transfer problem. So the question was never which version of Google Analytics you run. Google is an American company bound by American surveillance law. New version, same flow.
If you want the technical and legal architecture behind cookieless tracking, my guide on how privacy-first analytics avoids these problems goes deeper.
The legal bridge that's cracking
After the 2022-2023 rulings, Google caught a break. On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF), the third attempt at a legal bridge for moving data across the Atlantic. Google self-certified under it. Regulators paused enforcement. GA4 was alive again.
The first two bridges were both struck down by the EU Court of Justice. Safe Harbor fell in 2015 (Schrems I). Privacy Shield fell in 2020 (Schrems II). Two for two. The third one is the one holding GA4 up right now, and it's being attacked from several directions at once.
The oversight body is gone. The DPF leans on the Privacy and Civil Liberties Oversight Board (PCLOB), an independent US agency that keeps an eye on intelligence activities. When it adopted the DPF in 2023, the European Commission named PCLOB's independence as one of the reasons it trusted the deal. On January 27, 2025, the Trump administration fired all three Democratic PCLOB members. That left the board below quorum and unable to function. It's been non-operational for over a year. The safeguard the Commission counted on is no longer there.
The court challenge is live. Philippe Latombe, a French MP, took the DPF to the EU General Court. The General Court dismissed his challenge in September 2025. He didn't stop there. In October 2025, Latombe appealed to the full CJEU, the same court that struck down both Safe Harbor and Privacy Shield. A ruling is unlikely before late 2027.
Schrems III is coming. NOYB, the privacy organization run by Max Schrems, announced it is preparing a broader challenge built around the PCLOB collapse and Trump-era changes to US oversight. Schrems has argued the Commission may not even need to wait for a court. It could suspend the DPF on its own if it decides the oversight guarantees are gone.
Norway is already telling companies to prepare. In February 2025, Norway's DPA issued guidance: if the adequacy decision is revoked, "there will most likely not be a transition period." Build the contingency plan now, not later.
So the DPF is valid today. But it sits in the same court that killed its two predecessors, its oversight body has been gutted, and regulators are telling companies not to treat it as permanent. Clifford Chance called the situation "legal uncertainty and a storm over the Atlantic."
If the DPF falls, every website running Google Analytics in the EU lands right back where it was in 2022. No legal basis for the data transfer.
In the US, your analytics script might be a wiretap
The legal risk isn't only European. In the United States, a 1967 California phone-tapping law called CIPA is being used to sue website owners for running Google Analytics.
Here's the theory. When a third-party script captures visitor behavior and sends it to the vendor's servers in real time, that counts as a third party intercepting a communication without consent. Courts have bought the argument. In Smith v. Google (2024), a federal court denied Google's motion to dismiss, finding that Google builds "detailed dossiers" from the data it collects and uses it for its own ad business. Google is not a passive tool. It's a third-party eavesdropper.
The numbers back this up. 2,341 lawsuits filed. $5,000 per violation, and you don't have to prove any harm was done. 70% of web privacy claims come from just four law firms. The reform bill (SB 690) stalled in the California Assembly in July 2025 and became a two-year bill. No legislative fix until 2026 at the earliest.
I wrote a full deep-dive on this: Is Your Analytics Script a Wiretap Under California Law? It covers which tools are at risk, how plaintiffs find targets, why cookie banners don't protect you, and what to do about it.
The short version. If your analytics vendor uses the data it collects for its own purposes, like ad targeting, model training, or cross-site profiling, that vendor is a third-party eavesdropper under CIPA. If the data never leaves your control, the party exception defense applies and the whole CIPA theory falls apart.
The breaches that proved the risk
Legal theories get real when the data leaks for real. In 2024 and 2025, Google Analytics was directly behind two of the largest healthcare data breaches ever recorded.
Blue Shield of California: 4.7 million patients. Between April 2021 and January 2024, Google Analytics sent protected health information to Google Ads. Insurance plan names, patient names, doctor names, medical service dates, the amount each person owed, and what they typed into the "Find a Doctor" search. All of it went out because of how Google Analytics was set up to share data with Google's advertising products. Class action lawsuits were filed the day after the breach was disclosed.
Kaiser Permanente: 13.4 million members. In April 2024, Kaiser notified 13.4 million members that web tracking tools on its sites and apps had sent personal data to Google, Microsoft, and X (formerly Twitter). Kaiser agreed to pay up to $47.5 million to settle the class action that followed.
These aren't edge cases. They are what happens when Google Analytics works as designed. GA4 sends data to Google's servers, where it feeds into Google's advertising products. When that data includes anything sensitive, like health information, financial data, or form submissions, nothing in the tool stops it from reaching Google's ad infrastructure.
The Swedish DPA reinforced this principle in August 2024, fining two pharmacies EUR 3.9 million combined for a Meta Pixel that leaked health data. The ruling made one thing clear. The website operator, not the tracking vendor, is responsible for whatever the third-party script sends.
Google Analytics is no longer an analytics tool
Most articles skip this part, and it changes the whole legal picture.
In December 2025, Google rolled out Analytics Advisor to all English-language GA4 accounts. It's a Gemini-powered AI agent that reads your property's behavioral data and answers questions about your visitors. In January 2026, Google added cross-channel budgeting and conversion attribution analysis betas. These forecast advertising returns across channels and work out where to spend your budget. That is media planning, not analytics.
But the deeper problem hides in a setting most GA4 users never really read.
When you turn on "Google products and services" in GA4 and accept Google's Measurement Controller-Controller Data Protection Terms, Google becomes an independent controller of your visitor data. Google's own documentation says this data can be used to "improve Google products and services," including the Google Ads system. Under those terms, your visitors' data becomes Google's data.
Analytics features:
- User flow reports
- Basic conversion tracking
- Custom dimensions
- BigQuery export (360 only)
Advertising and AI features:
- Predictive Audiences (ML on your data)
- Enhanced Conversions (hashed PII to Google)
- Cross-channel budget planning
- Attribution analysis with AI modeling
- Controller-controller data sharing
And in October 2025, Google officially killed Privacy Sandbox. Third-party cookies stay in Chrome for good. The promise of a more private web, from the world's largest advertising company, turned out to be a four-year PR exercise.
This matters for the legal side because of legitimate interest, the legal basis some website owners lean on for analytics. It requires a balancing test. When someone browses a website, they don't expect their behavior to feed an AI system that trains advertising bidding models and predicts what they'll buy next. That gap between what a visitor expects and what really happens collapses the legitimate interest argument. The Cologne Regional Court reached the same conclusion in March 2023 when it ruled Deutsche Telekom's use of Google Analytics violated GDPR, upheld on appeal in November 2023.
20 US states, 12 requiring Global Privacy Control
The EU debate gets the headlines, but the US is quietly building its own privacy rules. As of January 2026, 20 states have comprehensive privacy laws in effect. Three new ones came online on January 1, 2026: Indiana, Kentucky, and Rhode Island.
Twelve states now require businesses to honor Global Privacy Control (GPC) signals: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. California, Colorado, and Connecticut ran a joint enforcement sweep in 2025, going after businesses that ignored GPC.
This is where the distinction matters most. Under CCPA and every Virginia-model state law, "personal information" is data that is "linked or reasonably linkable to an identified or identifiable natural person." Google Analytics collects IP addresses, cookie identifiers, and browsing paths. All of that is personal information. It triggers opt-out requirements, GPC obligations, and data subject rights in every state with a privacy law.
Now picture analytics that collects no IP addresses, sets no cookies, builds no per-user profiles, and produces only aggregate page-level counts. That falls outside the definition of personal information in every current US state privacy framework. No compliance overhead, by design.
For a fuller look at the regulatory landscape, our privacy-friendly analytics guide covers both EU and US compliance requirements in detail.
What 40% of your traffic is doing that GA4 can't see
Even if Google Analytics were fully legal everywhere, it has a growing accuracy problem most website owners never hear about. Between ad blockers, browser privacy features, and consent rejection, GA4 misses a large and growing chunk of your real traffic.
Ad blockers are eating GA4 alive. 42.7% of global internet users run ad-blocking tools on at least one device. On tech-savvy audiences it gets far worse. Plausible's study found that 58% of Hacker News and Reddit readers block Google Analytics outright, and 88% of the Firefox users in their sample blocked it. Tools like uBlock Origin and Brave Shields stop google-analytics.com at the network request level, before it ever loads.
Browsers are tightening the screws. Safari 26 activates Advanced Fingerprinting Protection by default for all browsing, and its Advanced Tracking and Fingerprinting Protection (default in Private Browsing) blocks Google Tag Manager from loading at all. Safari 26 also strips Google click IDs (gclid) from URLs, which breaks paid search attribution. Firefox 145 added anti-fingerprinting protections that cut trackable users in half. And Firefox's Enhanced Tracking Protection has now blocked more than 1 trillion tracking attempts in total.
Consent rejection piles on top. In the EU, between 30% and 70% of visitors decline analytics cookies, depending on the country and how the banner is built. Every one of those visitors is invisible to GA4.
Google's answer to consent rejection is Consent Mode v2. It sends "cookieless pings" to Google even when people decline cookies, then builds "behavioral models" from that non-consented data to fill the gaps. Whether modeling from users who explicitly said no is itself a GDPR violation is still legally unresolved.
First-party analytics sidesteps all three layers of loss. The tracker is served from your own domain, so ad blockers can't tell it apart from your site's own code. No cookies means no consent banner and nothing to reject. And first-party requests aren't caught by Safari ITP or Firefox ETP. The result is that you see close to 100% of your actual traffic.
This is also why your bounce rate measurements might be off. When GA4 only sees a fraction of your visitors, every metric built on that data is distorted.
EUR 7.1 billion in fines and counting
Maybe you're thinking regulators don't really enforce any of this. The numbers say otherwise.
Total GDPR fines since May 2018 have reached EUR 7.1 billion, according to DLA Piper's January 2026 survey. EUR 1.2 billion was issued in 2025 alone, roughly matching 2024. Breach notifications hit an average of 443 per day, a 22% jump and the first time the daily count topped 400 since the GDPR took effect.
Cookie enforcement in particular keeps climbing.
September 2025: CNIL fined Google EUR 325 million for ads in Gmail without consent and dark patterns in cookie acceptance. This was Google's third CNIL cookie fine, after EUR 100 million (2020) and EUR 150 million (2021). CNIL counted the repeat offending against it.
September 2025: CNIL fined SHEIN EUR 150 million for setting cookies on devices before users had even touched the consent banner. 12 million French users per month were affected.
August 2024: Sweden's IMY fined two pharmacies EUR 3.9 million combined for a Meta Pixel that leaked health data.
April 2025: The Netherlands' DPA launched a proactive monitoring program, scanning about 10,000 websites a year and warning 500 organizations a year about cookie compliance.
The trend is clear. DPAs are getting tougher, not softer. Fines are growing. Enforcement is becoming proactive instead of waiting for someone to complain. And cookie and analytics violations sit near the top of the priority list.
The law that could change everything
On November 19, 2025, the European Commission published the Digital Omnibus, a sweeping proposal to simplify the EU's digital rulebook. Tucked inside it is a change that could reshape the whole analytics market.
The proposal moves cookie consent rules out of the ePrivacy Directive and into the GDPR as a new Article 88a. That article creates a whitelist of purposes that need no consent. One of them is audience measurement.
Article 88a(3)(c) exempts "creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use."
The conditions are specific.
- The analytics must produce aggregated information, not individual user profiles
- It must be carried out by the controller of the online service (the website owner)
- It must be used solely for that controller's own use
- The analytics provider must not reuse the data for its own commercial purposes
- Data must not be combined with other datasets from other services
Analytics that meets the exemption:
- Vendor doesn't reuse or pool data
- Aggregate statistics only
- No cross-site tracking
- No advertising integration
Google Analytics 4:
- Terms permit use for Google's own products
- Linked to Google Ads ecosystem
- Correlates users across properties
- Controller-controller data sharing
This is not law yet. The proposal is still in early legislative procedure at the European Parliament. Legal analysts expect the analytics exemption could take effect by mid-2027 at the earliest.
But the direction is clear. The EU is heading toward a world where privacy-first, first-party analytics runs without consent requirements, while tools that share data with third parties for advertising still need the full consent machinery. IntelligentCIO Europe quoted Mateusz Krempa: "this will give privacy-friendly European analytics providers an edge compared to US-based platforms."
The tools that win here aren't the ones scrambling to redesign. They're the ones that were built this way from the start.
What you should actually do
I'm not going to pretend there's one answer that fits everyone. It depends on where you operate, what industry you're in, and what you really need from analytics.
If you're in healthcare, finance, or education: remove Google Analytics now. The Blue Shield and Kaiser cases show that GA4's design clashes with HIPAA, and the data flow to Google's ad infrastructure is a built-in risk that no setting fully removes. Use a first-party analytics tool that processes data on EU infrastructure and shares nothing with third parties.
If you're in the EU and want to keep GA4: you need explicit, informed consent before any tracking fires. Not "by browsing you agree." A real consent banner that blocks every GA4 script until the user clicks Accept. You need a Data Processing Agreement with Google. And you need to accept that 50-70% of your visitors will decline consent, which leaves your analytics showing a minority of your real traffic.
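One way to build the gate described here, which also honors the Global Privacy Control signal the state-law section says twelve states require. This is an added example, not code from the article: the measurement ID is a placeholder and the storage key name is an assumption.

```javascript
// Added example, not code from the article. A hard gate for GA4: gtag.js is
// never injected until the visitor explicitly accepts, and a Global Privacy
// Control signal (navigator.globalPrivacyControl, sent to servers as Sec-GPC: 1)
// is honored as an opt-out even over a previously stored accept.
const GA_MEASUREMENT_ID = "G-XXXXXXXXXX";   // placeholder, not a real property
const CONSENT_KEY = "analytics_consent";     // assumed localStorage key name

// Pure decision logic, kept DOM-free so it can be tested.
// signals = { gpc: boolean, consent: "granted" | "denied" | null }
function decideAnalytics(signals) {
  if (signals.gpc) {
    // The opt-out signal wins: an accept recorded before the user turned on GPC does not override it.
    return { load: false, reason: "gpc_opt_out" };
  }
  if (signals.consent === "granted") return { load: true, reason: "explicit_consent" };
  // "Declined" and "never asked" both mean no: browsing alone is not consent.
  return { load: false, reason: signals.consent === "denied" ? "declined" : "not_asked" };
}

// Reads the two signals from the browser; guarded so it also runs outside one.
function readSignals(nav, storage) {
  const gpc = Boolean(nav && nav.globalPrivacyControl === true);
  let consent = null;
  try { consent = storage ? storage.getItem(CONSENT_KEY) : null; } catch (_) { consent = null; }
  return { gpc, consent };
}

// The standard two-part GA4 snippet, returned as strings so it can be inspected before use.
function buildGtagSnippets(measurementId) {
  const src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
  const inline = [
    "window.dataLayer = window.dataLayer || [];",
    "function gtag(){dataLayer.push(arguments);}",
    "gtag('js', new Date());",
    "gtag('config', '" + measurementId + "');",
  ].join("\n");
  return { src, inline };
}

// Injects the snippet exactly once; returns false if it is already on the page.
function loadGa4(doc, measurementId) {
  if (doc.getElementById("ga4-loader")) return false;
  const { src, inline } = buildGtagSnippets(measurementId);
  const loader = doc.createElement("script");
  loader.id = "ga4-loader"; loader.async = true; loader.src = src;
  const config = doc.createElement("script");
  config.textContent = inline;
  doc.head.appendChild(loader);
  doc.head.appendChild(config);
  return true;
}

// Wired to the banner's Accept / Decline buttons.
function recordChoice(storage, granted) {
  storage.setItem(CONSENT_KEY, granted ? "granted" : "denied");
}

// Page-load entry point: decide first, inject only on an explicit yes.
function initAnalyticsGate(win) {
  const decision = decideAnalytics(readSignals(win.navigator, win.localStorage));
  if (decision.load) loadGa4(win.document, GA_MEASUREMENT_ID);
  return decision;
}

if (typeof window !== "undefined") initAnalyticsGate(window);
```

After the visitor clicks Accept, call recordChoice(localStorage, true) and then initAnalyticsGate(window) again; the GPC check still runs on every load, so a later opt-out is respected without clearing storage.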
If you're in the US: audit your tracking stack for CIPA exposure. Every third-party script that captures visitor behavior and ships it to a vendor that uses it for its own purposes is a potential $5,000-per-violation liability. Our CIPA deep-dive covers the specific tools at risk and what to do about each one.
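A first pass at the audit described here: list every script a page loads from a host that is not your own. This is an added example, not code from the article; the vendor map covers only hosts named on this page and is an assumption to extend, and the sample HTML is constructed.

```javascript
// Added example, not from the article: inventories the third-party scripts a
// page loads, as a starting point for the tracking-stack audit. Vendor names are
// keyed on hosts this page mentions; the map is an assumption, extend it.
const KNOWN_TRACKERS = {
  "www.google-analytics.com": "Google Analytics",
  "www.googletagmanager.com": "Google Tag Manager / GA4 gtag.js",
  "connect.facebook.net": "Meta Pixel",
};

// Pulls src attributes out of <script> tags. A regex first pass over a static
// template, not a full HTML parser; confirm against the browser's network panel.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Returns one finding per script whose host is not the site's own.
function auditThirdPartyScripts(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const findings = [];
  for (const src of scriptSources(html)) {
    let u;
    try { u = new URL(src, siteOrigin); } catch (_) { continue; }  // skip malformed src
    if (u.host === site.host) continue;  // first-party: the data stays under your control
    findings.push({
      src,
      host: u.host,
      vendor: KNOWN_TRACKERS[u.host] || "unknown third party (check its data-use terms)",
    });
  }
  return findings;
}

// Constructed sample page, not a real site.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src='//connect.facebook.net/en_US/fbevents.js'></script>
<script src="https://cdn.example.net/widget.js"></script>
</head><body></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditThirdPartyScripts(SAMPLE_HTML, "https://www.example.com")) {
    console.log(`${f.host}\t${f.vendor}\t${f.src}`);
  }
}
```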
If you want to stop worrying about all of this: switch to analytics that never create the legal exposure in the first place. Our comparison of the leading Google Analytics alternatives walks through what each privacy-first tool does and which one fits which kind of site.
The honest answer to "is Google Analytics legal in 2026?" is that it depends on who you ask, where you are, and how much risk you're willing to carry. Seven EU countries have called it illegal. The legal bridge keeping it alive is under attack. US wiretapping lawsuits are surging. The tool has turned into an AI advertising platform. Browsers are blocking it. And a proposed EU law would hand privacy-first analytics a clear legal edge.
You can wait for the courts and regulators to sort it out. Or you can decide now.