Skip to content
← Back to blog
Compliance July 11, 2026· 7 min read

Is Google Analytics legal in Europe? What the CNIL says

CNIL formal notices, the Schrems II ruling, the Data Privacy Framework: the real state of Google Analytics' legality in Europe, explained simply.

Contents

It’s a question more and more teams are asking, and one that’s often answered too quickly, in either direction. “Is Google Analytics banned in Europe?” No, not outright. “Is it GDPR-compliant?” Not that either, at least not without heavy precautions and a legal context that is anything but stable. The truth sits in that uncomfortable in-between, and it’s precisely this haze that pushes so many site owners to look for an alternative. Here is the real state of things, without drama or downplaying.

The starting point: the Schrems II ruling

It all goes back to July 2020. The Court of Justice of the European Union issues the ruling known as Schrems II, which invalidates the Privacy Shield — the agreement that until then governed transfers of personal data between the European Union and the United States. The Court finds that US surveillance programmes do not guarantee Europeans a level of protection equivalent to the GDPR. Overnight, a large share of tools that send data to servers subject to US law find themselves on fragile legal ground.

Google Analytics is directly concerned, because in its operation, part of the data collected on European visitors is liable to be transferred to and processed in the United States. The problem isn’t the quality of the tool, but the path the data takes.

The CNIL’s 2022 formal notices

In France, the question stopped being theoretical in February 2022. Following complaints, the CNIL issued formal notices to several French website operators. Its analysis was clear: under the conditions of the time, using Google Analytics was not GDPR-compliant, precisely because of those transfers to the United States. The CNIL considered that the contractual and technical measures put forward by Google were not enough to rule out any risk of access to the data by US authorities.

France wasn’t alone. The Austrian and Italian authorities issued converging decisions over the same period. The message these authorities carried was consistent: this isn’t a marginal configuration flaw you fix by ticking a box, but a problem tied to the very architecture of the collection and the destination of the data.

The Data Privacy Framework: a lull, not a guarantee

In July 2023, the European Commission adopted a new adequacy decision, the Data Privacy Framework (DPF), replacing the invalidated Privacy Shield. For US companies that certify under it, transfers become possible again, in principle, on a recognised legal basis. That’s a genuine lull, and it would be dishonest to gloss over it: the 2024-2025 situation is not the 2022 one.

But two major reservations remain. First, the DPF rests on the same foundations as the Privacy Shield — the assessment of US surveillance — and is already being challenged before European courts; a “Schrems III” that would strike it down is far from improbable, and no one can guarantee it stable in the long run. Second, the DPF doesn’t waive the GDPR’s other obligations: informing individuals, having a legal basis, and above all consent for trackers that are not strictly necessary. In other words, even under the DPF, Google Analytics remains a tracker subject to consent in France.

What this means concretely for your site

If you use Google Analytics in Europe today, you are not unlawful as a matter of principle, but you carry a real compliance burden and lasting uncertainty. Concretely, that means a mandatory consent banner to drop the measurement cookies, clear information for visitors about transfers, documentation to maintain, and a dependence on a legal framework — the DPF — whose durability is beyond your control. You inherit the risk without controlling its source.

That’s not nothing, and it’s this calculation that pushes many teams to change approach: rather than endlessly trying to make a profiling tool acceptable, they adopt a form of measurement that doesn’t raise the problem at all.

The clean way out: don’t collect the problem

There is a radical way to close the legal debate: don’t collect the data that triggers it. An audience-measurement tool designed without a tracking cookie, without an advertising profile and hosted in the European Union does not transfer personal data to the United States — the Schrems II question simply doesn’t arise. And by dropping no consent-bound tracker, it falls outside the scope that requires a banner.

That’s Takt’s stance: measuring a site’s audience without ever tracking the person who visits it, with data hosted in Europe. Compliance is no longer a layer bolted on afterwards to rescue a problematic tool — it follows from the design. You measure your visits, your pages, your traffic sources, with no banner, no transatlantic transfer, and without depending on the legal sturdiness of the next adequacy agreement.

In short

Google Analytics is not “banned” in Europe, but its use rests on a fragile balance: compliance invalidated in 2022 by the CNIL, partly restored by the 2023 Data Privacy Framework, and hanging on how well that framework holds up in court. Even in the best case, it remains a tracker subject to consent, with the banner and documentation load that come with it. For many sites, the calmer answer isn’t to secure Google Analytics, but to choose a form of measurement that never collects the data at the root of the problem.

Share