If you're running a company in the EU and still using Google Analytics 4, you're operating in a legal grey area that gets greyer every quarter. Multiple EU data protection authorities have ruled GA4 non-compliant. The rulings aren't ambiguous. They're not suggestions. And the Data Privacy Framework that's supposed to fix the problem is built on the same foundations that collapsed twice before.
Here's the current state of GA4 compliance in Europe, what the actual legal risks are, and which Google Analytics alternative EU companies are switching to.
Which EU Countries Have Ruled Against Google Analytics?
The rulings came fast and across multiple jurisdictions:
- Austria (January 2022): The Datenschutzbehörde (DSB) ruled that a website's use of Google Analytics violated GDPR because data was transferred to the US without adequate safeguards. This was the first domino.
- France (February 2022): The CNIL issued a formal notice to a website operator, stating that Google Analytics transfers personal data to the US in violation of GDPR Article 46.
- Italy (June 2022): The Garante ruled Google Analytics illegal, giving website operators 90 days to switch or face fines.
- Denmark (September 2022): Datatilsynet ruled Google Analytics non-compliant and issued guidance for municipalities and businesses to stop using it.
- Finland (2023): The Finnish DPA followed suit with similar findings about US data transfers.
- Norway (2023): Datatilsynet issued warnings about Google Analytics use, aligning with the broader Nordic position.
These are not theoretical risks. These are formal regulatory decisions with enforcement authority behind them.
Why Is GA4 Problematic for EU Companies?
The core issue is straightforward: Google Analytics transfers personal data to the United States. Under GDPR Article 46, this requires "appropriate safeguards" — and the safeguards Google relies on have been invalidated or challenged repeatedly.
The Transfer Problem
GA4 collects IP addresses (even in "anonymized" mode, the full IP is briefly processed on Google's servers), sets cookies that create persistent identifiers, and sends all of this to Google's US-based infrastructure. The combination of IP address + cookie identifier + browsing behavior constitutes personal data under GDPR.
The Legal Basis Problem
Google previously relied on the EU-US Privacy Shield for legal data transfers. The Court of Justice of the EU invalidated Privacy Shield in the 2020 Schrems II decision. Google then fell back on Standard Contractual Clauses (SCCs), but the Austrian, French, and Italian DPAs all found that SCCs alone are insufficient because US surveillance laws (FISA Section 702, Executive Order 12333) give US agencies access to data that EU law does not permit.
The Data Privacy Framework Problem
In July 2023, the EU-US Data Privacy Framework (DPF) was adopted as Privacy Shield's replacement. Google self-certified under the DPF, and this is currently the legal basis they claim for data transfers.
The problem: the DPF is already challenged. NOYB (the privacy organization that brought the Schrems cases) has announced plans to challenge it. The DPF relies on Executive Order 14086 — an executive order, not a law — which can be revoked by any future US president. Given that Privacy Shield was invalidated in 2020 after operating since 2016, the DPF's long-term viability is questionable.
If you're building compliance infrastructure around the DPF, you're betting on a legal framework that may not survive its next court challenge.
What Does GDPR Actually Require for Analytics?
GDPR requires a legal basis for processing personal data. For analytics, there are three approaches:
1. Full consent (what GA4 requires). You show a cookie consent banner, collect explicit opt-in, and only track users who accept. This is legally valid but operationally painful — you lose 30-50% of your data from users who reject or ignore the banner.
2. Legitimate interest (debatable). Some companies claim analytics as a "legitimate interest" under GDPR Article 6(1)(f). This is legally contested and most DPAs have rejected it for third-party analytics tools that transfer data internationally.
3. No personal data processing (the cleanest approach). If your analytics tool does not process personal data — no IP addresses stored, no cookies, no persistent identifiers, no international data transfers — then GDPR's data processing requirements do not apply. No consent needed. No banner needed. No legal basis required.
EngageTrack takes the third approach. No cookies. No PII stored. EU-hosted in Frankfurt. No data ever leaves the EU.
Google Analytics Alternatives for EU Companies
Here's how the main alternatives compare for EU-based companies:
| Feature | GA4 | Plausible | Fathom | EngageTrack |
|---|---|---|---|---|
| EU data storage | US (primary) | Yes (EU) | Yes (EU) | Yes (Frankfurt) |
| Cookies | Yes | No | No | No |
| PII stored | Yes | No | No | No |
| Consent banner needed | Yes | No | No | No |
| GDPR compliant by default | No | Yes | Yes | Yes |
| Revenue attribution | Requires setup | No | No | Yes (Stripe, Paddle, LemonSqueezy, Polar) |
| Price | Free | From €9/mo | From $15/mo | €5/mo |
| Data transfers outside EU | Yes (US) | No | No | No |
| DPA required | Yes | Optional | Optional | Optional |
| Script size | 50-100KB | ~1KB | ~2KB | 3KB |
| Real-time dashboard | Yes | Yes | Yes | Yes |
| Funnels | Yes | Paid | No | Yes |
| Goals/conversions | Yes (complex) | Yes | Yes | Yes |
Plausible
Plausible is the most established privacy-first alternative. EU-hosted, no cookies, no PII, genuinely GDPR compliant. The dashboard is clean and focused. The gap: no revenue attribution. You can see traffic sources but not which sources produce paying customers. Starts at €9/mo.
Fathom
Similar positioning to Plausible — privacy-first, cookie-free, EU hosting available. Slightly different dashboard design. Also lacks revenue attribution. Starts at $15/mo.
EngageTrack
EngageTrack provides the same privacy guarantees as Plausible and Fathom — no cookies, no PII, EU-hosted in Frankfurt — but adds direct revenue attribution via Stripe, LemonSqueezy, Paddle, and Polar. EngageTrack connects traffic sources to actual payments, so you can see which channels drive revenue, not just visits. Starts at €5/mo.
Matomo (self-hosted)
Matomo can be GDPR compliant when self-hosted in the EU with cookies disabled. However, the default configuration uses cookies and stores IP addresses, so compliance requires manual configuration. Self-hosting means infrastructure maintenance is on you.
Why EngageTrack Is Built for EU Companies
EngageTrack was designed from day one to make GDPR compliance the default, not a configuration option:
EU-only infrastructure. All data is processed and stored in Frankfurt, Germany. No data replication to US servers. No international transfers.
Zero PII architecture. EngageTrack uses a daily-rotating hash for session grouping — combining an anonymized IP prefix, user agent, and a salt that changes every 24 hours. The raw inputs are discarded immediately. The hash cannot be reversed into identifying information. No personal data is ever stored.
No cookies, no local storage, no fingerprinting. Nothing is written to the visitor's browser. The 3KB tracking script sends pageview and event data to EngageTrack's EU servers, and that's it.
Revenue attribution included. Unlike Plausible and Fathom, EngageTrack connects to Stripe, LemonSqueezy, Paddle, and Polar via webhook. Every payment is attributed to the traffic source that started the session. You see which channels generate revenue, not just which ones send traffic.
For detailed setup instructions, see the getting started guide. For revenue attribution configuration, see the revenue attribution documentation.
How to Migrate From GA4 to EngageTrack
The migration is straightforward and takes about 30 minutes:
Step 1: Install EngageTrack alongside GA4
Add the EngageTrack script to your site. It's a single <script> tag — no npm packages, no build steps, no SDK initialization.
```html
<script
  defer
  data-site-id="YOUR_SITE_ID"
  src="https://cdn.engagetrack.net/sdk.js"
></script>
```

Step 2: Run both tools in parallel for 2-4 weeks
Compare session counts between GA4 and EngageTrack. The difference represents your cookie-rejected traffic — visitors who declined GA4's consent banner but are fully tracked by EngageTrack. This is typically 20-40% of your total traffic.
Step 3: Connect your payment provider
If you use Stripe, LemonSqueezy, Paddle, or Polar, connect it in EngageTrack's dashboard under Settings > Integrations. This takes about 30 seconds per provider and gives you revenue attribution data immediately.
Step 4: Remove GA4
Once you're confident EngageTrack captures your data accurately, remove the GA4 script and the gtag configuration. If GA4 was the only tool requiring a cookie consent banner, you can remove or simplify the banner as well.
Step 5: Update your privacy policy
Even though EngageTrack processes no personal data, transparency is good practice. Update your privacy policy to mention the analytics tool you use and how it works. Remove references to Google Analytics, cross-site tracking, and analytics cookies.
FAQ
Is Google Analytics 4 legal in my EU country?
It depends on the country. Austria, France, Italy, and Denmark have issued formal rulings against Google Analytics. Finland and Norway have issued warnings. Other EU countries have not yet issued specific rulings, but the GDPR applies uniformly — the legal reasoning from existing rulings applies across the EU. The European Data Protection Board has broadly endorsed the position that US data transfers via Google Analytics are problematic.
Do I need a Data Processing Agreement (DPA) for EngageTrack?
EngageTrack does not process personal data, so a DPA is not strictly required under GDPR. However, EngageTrack provides a DPA for organizations that want one for their compliance documentation. You can request it from the dashboard settings.
Can I use both GA4 and EngageTrack at the same time?
Yes. Many companies run both during a transition period. Keep in mind that running GA4 means you still need a consent banner for GA4's cookies, and you'll still have the accuracy gap from users who decline consent. The parallel period is useful for validating data before fully switching.
What about Google Search Console — do I lose SEO data?
Google Search Console is separate from Google Analytics. It does not use cookies, does not track visitors on your site, and is not affected by any of the GDPR rulings. You can remove GA4 and keep Google Search Console without any issues.
Is the EU-US Data Privacy Framework enough to make GA4 compliant?
The DPF is currently the legal basis Google claims for EU-US data transfers. However, it faces legal challenges and its predecessor (Privacy Shield) was invalidated after 4 years. Building your compliance strategy around the DPF means accepting the risk that it could be invalidated. If it is, you'd need to migrate away from GA4 on short notice — the same situation companies faced after Schrems II.
Stop gambling on legal frameworks that keep getting invalidated. EngageTrack is GDPR compliant by architecture — no cookies, no PII, EU-hosted, with revenue attribution included. Start your free 14-day trial — no credit card required.