CNIL Google Analytics decisions: what they mean for an EU storefront in 2026

On 10 February 2022, France's CNIL issued the first of a series of formal notices against website operators using Google Analytics. The published reasoning relied on the Schrems II judgment of the Court of Justice (Case C-311/18, 16 July 2020), which invalidated the EU-US Privacy Shield framework. The CNIL held that the standard contractual clauses Google used at the time were not, on their own, an adequate safeguard for the kinds of identifiers GA4 transmits to the United States.

The Italian Garante and Austrian DSB issued substantively identical decisions in the same year. The pattern was uniform.

What changed with the EU-US Data Privacy Framework in 2023?

The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework on 10 July 2023 (Commission Implementing Decision (EU) 2023/1795). Operators using a US-based recipient that self-certifies under the DPF can rely on the adequacy decision in place of SCCs for the transfer mechanism. Google self-certified under DPF in early 2024.

That solved the transfer mechanism question but did not solve every issue. The GA4 deployment still has to satisfy the rest of GDPR. Two issues remain live.

1. Lawful basis for the processing

GA4 is analytics. Most operators rely on consent under Article 6(1)(a). That means the script must not fire before the user has accepted. Pre-consent firing is the single most-fined pattern in the EU and the DPF adequacy decision does nothing to defend a pre-consent install.

2. The information disclosed at collection

Article 13 requires disclosure of recipients, retention, transfer destination, and the lawful basis. "We use Google Analytics" is not enough. The policy needs to specify GA4 as the processor, the category of data sent (event parameters, client ID, IP fragments), the country of recipient (United States, under DPF), and the retention configured on the GA4 property.

What does a defensible GA4 install look like in 2026?

• GA4 script is gated by an explicit consent banner. The default is that the script does not load.
• The CMP and the GA4 install are wired together such that revoking consent stops further data flow within the same session.
• Privacy policy lists GA4 as a processor, lists Google LLC as the US recipient, and references the DPF adequacy decision (Commission Implementing Decision 2023/1795) as the transfer mechanism.
• Retention on the GA4 property is set to the shortest period that still supports the analytics use case (14 months is the GA4 default; 2 or 12 months are also options).

Bottom line

GA4 is usable on an EU storefront in 2026 if it is gated by consent, disclosed accurately, and configured with a sensible retention. The CNIL decisions did not ban Google Analytics. They banned a specific way of deploying it. Operators that fixed the deployment in 2022 are still using GA4 today. Operators that did not are the ones receiving formal notices in 2025.