Is Google Analytics 4 GDPR Compliant? Analyzing the Privacy Claims
TL;DR — Quick Answer
GA4 is not GDPR compliant for the same structural reasons as Universal Analytics: personal data transfers to the US cannot be adequately protected from government surveillance.
GA4 was marketed as a more privacy-friendly version of Google Analytics, but the fundamental GDPR compliance issues persist. Multiple European data protection authorities have confirmed that their rulings apply to all versions, including GA4.
What GA4 Changed
GA4 introduced IP anonymization by default, reduced reliance on cookies for some measurements, and shifted to an event-based data model. These changes represent incremental privacy improvements.
What GA4 Did Not Change
GA4 still collects personal data through cookies and unique identifiers. Data is still transferred to US-based servers. Google still qualifies as an electronic communications provider subject to US surveillance obligations. The standard contractual clauses and technical measures available do not adequately protect data from potential US government access.
Regulatory Position
CNIL and other EU authorities explicitly confirmed that their rulings against Google Analytics apply regardless of version or configuration. No technical setup can resolve the fundamental issue: personal data is transferred to a jurisdiction where it may be accessed by intelligence agencies without adequate safeguards.
The Verdict
GA4 is not GDPR compliant for the same reasons Universal Analytics was not: the data transfer problem is structural, not technical. Organizations seeking genuine compliance need solutions that either do not collect personal data or process it exclusively within the EU/EEA.