Google Analytics EU Alternative 2026: Five DPAs Ruled GA4 Illegal Under GDPR — What EU Developers Use Instead
Post #934 in the sota.io EU Cyber Compliance Series | EU-ANALYTICS-SERIE Post #1
Between January 2022 and June 2023, five European data protection authorities concluded that the way Google Analytics was deployed on European websites violated the GDPR. Austria, France, Italy and Sweden decided individual complaints; Denmark published guidance reaching the same result. All five arrived at the same point: sending analytics data to Google LLC is an international transfer of personal data that, absent an adequacy decision or supplementary measures that actually work, has no valid basis under Chapter V (Article 44 onward) of the GDPR. The decided cases concerned Universal Analytics deployments, because that is what the complained-about sites ran in 2020; nothing in the reasoning depends on the product version, which is why the same analysis is applied to GA4 below.
This was not a marginal finding. NOYB (the European Centre for Digital Rights) filed 101 coordinated complaints in August 2020, one month after Schrems II, against websites across the EU and EEA that used Google Analytics or Facebook Connect. The Austrian Datenschutzbehörde was the first to rule; the French CNIL, the Italian Garante, the Swedish IMY and the Danish Datatilsynet followed. The collective message was unambiguous: using Google Analytics without a valid basis for the transfer to the US violates the GDPR, and Standard Contractual Clauses on their own, without supplementary measures that actually prevent US authorities from accessing the data, do not provide one.
If your SaaS, web application, or product website currently sends analytics data to Google, you have a compliance exposure that cannot be resolved by ticking a GDPR consent box.
Why Google Analytics Violates GDPR Art.44-49
The GDPR permits international data transfers — sending personal data from the EU to third countries — only under specific conditions. Article 44 establishes the general principle: a transfer may only take place if it satisfies one of the conditions set out in Chapter V (Articles 44-49). Those conditions include:
- An adequacy decision under Article 45 (the EU has determined the destination country provides adequate protection)
- Appropriate safeguards under Article 46 (Standard Contractual Clauses, Binding Corporate Rules)
- Derogations for specific situations under Article 49 (explicit consent, contractual necessity, etc.)
The United States had no general adequacy decision for most of this period. The EU-US Privacy Shield was invalidated by the Court of Justice of the European Union in its Schrems II judgment of 16 July 2020 (Case C-311/18). A replacement, the EU-US Data Privacy Framework (DPF), was adopted on 10 July 2023. It is an Article 45 adequacy decision, but it covers only US companies that have self-certified, and Google LLC is one of them, so since mid-2023 a transfer to Google Analytics does have a mechanism on paper. Its durability is the open question: the first annulment action (Latombe v Commission, T-553/23) was dismissed by the General Court in September 2025, an appeal to the Court of Justice and further challenges remain possible, and noyb has said it intends to challenge the framework. If the DPF falls the way Safe Harbor and Privacy Shield did, every transfer that relies on it reverts to the position the five DPAs assessed.
The CLOUD Act Structural Problem
Google LLC is a Delaware corporation and a subsidiary of Alphabet Inc. As a provider of electronic communication and remote computing services subject to US jurisdiction, it falls under the CLOUD Act (18 U.S.C. § 2713), which requires such providers to preserve, back up and disclose the contents of communications and records in their "possession, custody, or control" when served with a valid US order, "regardless of whether such communication, record, or other information is located within or outside of the United States."
The critical word is "regardless." Google can store analytics data on servers in Frankfurt, Dublin, or Amsterdam. The CLOUD Act reaches it anyway because the legal obligation binds Google as a US person, not as a data storage operator. A US government demand compels the parent entity, not the EU subsidiary.
This was precisely the analysis the Austrian DSB applied in January 2022. The authority found that:
- Google Analytics placed cookies on the user's browser that identified the user across sessions.
- The cookie values — combined with device fingerprinting attributes, IP address, and behavioral data — constituted personal data under GDPR Article 4(1).
- The data was transmitted to Google LLC servers in the United States.
- Google LLC is subject to FISA § 702 and the CLOUD Act.
- The Standard Contractual Clauses that Google offered as an Article 46 transfer mechanism did not eliminate the risk of US government access.
- No supplementary technical measures effectively closed this gap.
- The transfer therefore lacked a valid legal basis under Article 44 GDPR.
The French CNIL reached the same conclusion in February 2022 and the Italian Garante in June 2022. The Swedish IMY decided in June 2023 that four Swedish companies had unlawfully transferred personal data to the US via Google Analytics, fining two of them (Tele2 and CDON) and ordering the others to stop using the tool. The Danish Datatilsynet published guidance in 2022 applying the same analysis and concluding that Google Analytics could not be used lawfully without effective supplementary measures.
What Data Google Analytics Sends to the US
Every standard Google Analytics 4 implementation sends the following to Google's servers:
IP address. Even with IP anonymization configured, the full IP address reaches Google's servers before any truncation happens, because the IP is not a field in the beacon that a setting could withhold: it is the source address of the TCP connection that carries the request. Google receives the full IP and applies anonymization server-side. The full IP, which can identify a specific household or business location, has therefore already reached US-controlled infrastructure.
Client ID and Session ID. The _ga cookie contains a client ID that uniquely identifies a browser/device combination across sessions. Combined with other parameters, this allows Google to build a cross-session user profile.
User properties and custom dimensions. Any user_properties or custom_dimensions you set — such as user tier, account ID, or subscription status — travel to Google's servers with every event.
Behavioral events. Page views, clicks, scroll depth, conversions, ecommerce transactions. All event data, including any parameters you attach, goes to Google.
Device and browser fingerprint attributes. Screen resolution, browser version, operating system, language, and viewport size — used for session attribution and de-duplication.
UTM and referral parameters. Campaign source, medium, content, and term — which may include PII if developers pass user-identifiable information through URL parameters (common in B2B SaaS flows).
All of this constitutes personal data under GDPR Article 4(1) — information that, alone or in combination, identifies or allows the identification of a natural person. The Austrian DSB explicitly found that the combination of _ga cookie value, IP address (even truncated), and behavioral session data constitutes personal data for Google's purposes.
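To see this concretely, here is an added example (not code from the original post, and not Google's) that takes a GA4 collect beacon URL and lists which fields carry identifiers, fingerprint attributes, user properties and PII leaked through URL parameters. The beacon is constructed for illustration: the parameter names (cid, sid, up.*, ep.*, dl, dr, sr, ul) are the ones gtag.js sends, but the values are invented. Note what the script cannot show: the IP address is not a query parameter but the source address of the connection, so no audit of the payload, and no client-side setting, keeps it from reaching Google's servers.

```python
"""Audit what a GA4 page_view beacon carries before it leaves the browser.

Added example for this post, not Google's code. The sample beacon below is
constructed; only the parameter names follow what gtag.js actually sends.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed GA4 beacon: a signed-in user on a billing page, reached via a
# newsletter link whose utm_term (badly) carries the recipient's address.
SAMPLE_BEACON = (
    "https://region1.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE1"
    "&cid=1234567890.1700000000&sid=1700000123&sct=3&seg=1&en=page_view"
    "&dl=https%3A%2F%2Fapp.example.eu%2Fbilling%3Futm_source%3Dnewsletter"
    "%26utm_term%3Dalice%2540example.eu"
    "&dr=https%3A%2F%2Fexample.eu%2F&ul=de-de&sr=1920x1080"
    "&up.user_tier=enterprise&up.account_id=acct_4711&ep.page_type=billing"
)

# Parameters that identify the browser, session or user across requests.
IDENTIFIER_PARAMS = {
    "cid": "client ID (value of the _ga cookie)",
    "sid": "session ID",
    "uid": "developer-assigned user ID",
}
# Parameters that are individually harmless but combine into a fingerprint.
FINGERPRINT_PARAMS = {"ul": "language", "sr": "screen resolution"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def audit_beacon(beacon_url: str) -> dict:
    """Group the beacon's query parameters by the kind of data they carry."""
    outer = parse_qs(urlsplit(beacon_url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in outer.items()}

    findings = {
        "identifiers": {},
        "fingerprint": {},
        "user_properties": {},   # up.* : whatever the developer attached
        "event_params": {},      # ep.* : per-event parameters
        "pii_in_urls": [],       # (field, param, value) found inside dl/dr
    }
    for key, value in params.items():
        if key in IDENTIFIER_PARAMS:
            findings["identifiers"][key] = value
        elif key in FINGERPRINT_PARAMS:
            findings["fingerprint"][key] = value
        elif key.startswith("up."):
            findings["user_properties"][key[3:]] = value
        elif key.startswith("ep."):
            findings["event_params"][key[3:]] = value

    # dl (page URL) and dr (referrer) are URLs in their own right; their query
    # strings travel to Google verbatim, UTM parameters and all.
    for field in ("dl", "dr"):
        if field not in params:
            continue
        inner = parse_qs(urlsplit(params[field]).query)
        for name, values in inner.items():
            for v in values:
                if EMAIL_RE.search(v):
                    findings["pii_in_urls"].append((field, name, v))
    return findings


def personal_data_fields(findings: dict) -> int:
    """Count fields the Austrian DSB's reasoning treats as personal data:
    identifiers, developer-set user properties and PII found inside URLs.
    The IP address is not counted here because it travels at the network
    layer, not in the query string, and is always present."""
    return (len(findings["identifiers"])
            + len(findings["user_properties"])
            + len(findings["pii_in_urls"]))


if __name__ == "__main__":
    result = audit_beacon(SAMPLE_BEACON)
    for group, items in result.items():
        print(f"{group}: {items}")
    print("personal-data-bearing fields:", personal_data_fields(result))
```

Run it against beacons captured from your own site (the browser's network panel filters on "collect") rather than the constructed one; the up.* and ep.* groups are where account IDs and plan tiers usually turn up, and the pii_in_urls group is where e-mail addresses from marketing links surface.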
Why Google Consent Mode v2 Does Not Fix This
Google announced Consent Mode v2 in late 2023 and made it mandatory for EEA traffic from March 2024, driven mainly by Digital Markets Act obligations around its advertising products. What v2 adds are two consent signals (ad_user_data and ad_personalization) on top of the existing ad_storage and analytics_storage flags. The "cookieless ping" behaviour that is pitched as the answer to the GDPR analytics problem predates v2: in the "advanced" consent mode, when a user has not consented, gtag.js still fires pings without cookies and Google uses them for behavioural modelling rather than storing full event data.
This does not fix the GDPR transfer problem for several reasons.
Modeled data is still data transferred to Google. Even cookieless pings include network-layer information (IP address, device attributes) that travels to Google's US-incorporated infrastructure. The CLOUD Act concern applies to the connection itself, not just to what Google ultimately stores.
The consent model assumes consent is valid. For the portion of users who do consent to analytics tracking, the full data transfer occurs — and that transfer still lacks a legal basis under Art.44 if SCCs don't hold (which five DPAs found they don't for Google Analytics specifically).
Consent to analytics tracking ≠ consent to US data transfer. GDPR Article 49(1)(a) permits transfers based on explicit consent only when the data subject has been "informed of the possible risks of such transfers" due to the absence of an adequacy decision and appropriate safeguards. A generic cookie banner that says "I accept analytics cookies" is not explicit, informed consent to a transfer to a US provider subject to the CLOUD Act and FISA § 702. The EDPB's Guidelines 2/2018 on derogations of Article 49 make this clear, and add that the derogations are meant for occasional, non-repetitive transfers, which routine analytics traffic is not.
The structural defect is jurisdiction, not cookie presence. The reason Google Analytics creates a GDPR transfer problem is not that it uses cookies. It is that any data Google receives — cookie or no cookie, modeled or raw — goes to a US person that can be compelled by US government access demands. Consent Mode v2 does not change Google's legal status as a US person.
Consent Mode v2 is designed for advertising, not GDPR compliance. Google's primary motivation for Consent Mode v2 is preserving advertising measurement attribution when users reject cookies. It allows conversion modeling for Google Ads campaigns. It was not designed as a GDPR-compliant analytics solution, and it does not function as one.
The IP Anonymization Misconception
Many developers believe that enabling IP anonymization in Google Analytics — historically the anonymizeIp parameter in Universal Analytics — eliminates the GDPR problem.
The Austrian DSB directly addressed this argument and rejected it. The authority found that:
- IP anonymization in Google Analytics occurs server-side, after the IP address has been transmitted to Google.
- Before anonymization, the full IP address is available to Google's infrastructure and subject to all applicable US laws.
- Even after anonymization, the combination of truncated IP, client ID, and behavioral data may still identify a natural person with sufficient precision to constitute personal data.
- The anonymization process itself takes place on US-subject infrastructure, so the transfer of the unanonymized data has already occurred.
This analysis applies to GA4 as well. In GA4, Google deprecated the anonymizeIp parameter and replaced it with built-in IP anonymization. The same analysis applies: the IP address reaches Google's servers before any anonymization occurs, and the transfer has therefore taken place before any protection is applied.
GDPR Enforcement Risk: What Five Rulings Mean for Your Website
The five DPA rulings are not technically binding across all EU member states — each DPA rules on cases in its own jurisdiction. However:
They create a consistent legal consensus. When Austria, France, Italy, Sweden, and Denmark have all ruled the same way, any other EU DPA investigating a Google Analytics complaint will apply the same reasoning. The analysis is not jurisdiction-specific — it derives from the Schrems II ruling and the CLOUD Act text, which apply uniformly.
NOYB's 101 complaints are still open in some jurisdictions. While the first wave of rulings is complete, investigations are ongoing in multiple member states. Being served an investigation notice is itself costly in terms of legal resources and management time.
Fines under GDPR Article 83(5) reach €20 million or 4% of global annual turnover, whichever is higher, and Chapter V transfer violations are listed explicitly in Article 83(5)(c). For a SaaS company that could be material even at a small scale. More practically, a warning or corrective order from a DPA requires documented remediation: switching analytics tools, notifying affected users, and potentially restricting processing.
Enterprise customers are increasingly auditing their vendors. If your SaaS product itself uses Google Analytics to track user behavior within the product, your enterprise customers may flag this in security and privacy questionnaires under GDPR Article 28. You may be required to demonstrate that your analytics infrastructure does not transfer EU user data to US-subject entities.
EU-Native Google Analytics Alternatives
The following tools are either EU-incorporated with no US parent, or open source and deployable on infrastructure you control. Where a vendor has a US parent or runs on a US hyperscaler, the section says so: EU-region hosting alone does not take a US provider out of the CLOUD Act's reach.
Matomo
Jurisdiction: Open-source core maintained by InnoCraft Ltd (New Zealand). Matomo Cloud offers EU hosting; the self-hosted version can be deployed on any EU infrastructure.
GDPR status: Self-hosted Matomo on EU infrastructure eliminates third-party data transfers entirely. You control all data. No data leaves your infrastructure. Matomo is the most commonly cited "GDPR-compliant Google Analytics replacement" in DPA guidance and developer communities.
Technical features: Full GA-equivalent feature set — pageviews, events, goals, ecommerce, funnels, cohort analysis, heatmaps (plugin), session recordings (plugin). JavaScript tag injection, server-side tracking via API, and a first-party cookie model. Compatible with Tag Manager.
Considerations: Self-hosting carries server administration overhead. Matomo Cloud on EU servers (Germany or Netherlands) removes that overhead but introduces a processor relationship: you need a data processing agreement with InnoCraft, which they provide. New Zealand is not the EU, but it has held a Commission adequacy decision since 2012/2013 (Decision 2013/65/EU), reaffirmed in the Commission's January 2024 review of the existing adequacy decisions. Note also that Matomo sets first-party cookies by default, which still requires ePrivacy consent in most member states; it can be run cookieless with the disableCookies tracker option, at the cost of less accurate unique-visitor counts.
Cost: Free (self-hosted, open source). Matomo Cloud from €23/month for up to 50k page views.
Plausible Analytics
Jurisdiction: OÜ Plausible Insights, incorporated in Estonia, EU. All servers in EU (Hetzner Germany). No US parent, no US investor control.
GDPR status: Plausible sets no cookies and stores no IP address or persistent identifier. It tracks aggregate metrics (pageviews, estimated unique visitors, referrers, device types, countries) by hashing IP address, user agent and site with a salt that rotates daily, so visits cannot be linked across days into a profile. One caveat for your records: the IP address is still processed transiently at ingestion to compute that hash, and that is processing of personal data under the GDPR even though nothing identifying is stored, so you need a legal basis for the step (legitimate interest under Article 6(1)(f) is the usual one) even where no ePrivacy consent is required.
Technical features: Lightweight script (less than 1KB), aggregated dashboards, goal tracking, custom events, revenue tracking (ecommerce), UTM campaign tracking, and a public dashboard option. API available. Does not support individual user journey analysis or session replays — deliberately designed to avoid personal data collection.
Considerations: If you need individual user analytics, session recordings, or A/B testing, Plausible is not the right tool. It is optimized for aggregate traffic analysis. For most SaaS marketing sites and product telemetry, aggregate metrics are sufficient.
Cost: From €9/month (up to 10k monthly pageviews), scaling by traffic volume.
PostHog EU Cloud
Jurisdiction: PostHog, Inc. is a Delaware corporation. It offers an EU Cloud deployment whose data is stored and processed in Frankfurt, on the EU region of a US hyperscaler; check PostHog's current subprocessor list for the provider when you do your transfer impact assessment.
GDPR status: PostHog EU Cloud comes with a Data Processing Agreement and keeps data in the EU region in normal operation, so, unlike Google Analytics, it does not route data through US infrastructure by design. However, PostHog, Inc. is itself a US provider subject to the CLOUD Act, and the hosting provider is a US hyperscaler; both fall under the same reasoning applied to Google above.
Technical features: Full product analytics — events, funnels, cohorts, feature flags, A/B testing, session recordings, heatmaps, surveys, and user path analysis. Open-source core (can be self-hosted). Broad SDK ecosystem (web, mobile, server-side).
Considerations: PostHog EU Cloud addresses data residency but does not break the CLOUD Act chain: PostHog, Inc. (US) plus a US hyperscaler (US) is two levels of potential US compulsion. For compliance-sensitive deployments, self-hosted PostHog on EU infrastructure (Hetzner, OVHcloud) removes both.
Cost: PostHog Cloud free tier (1 million events/month free), then usage-based pricing. Self-hosted is free.
Simple Analytics
Jurisdiction: Simple Analytics BV, incorporated in Amsterdam, Netherlands. EU-native. All data processed in EU (Netherlands). No US parent, no US investor control.
GDPR status: No cookies, no personal data collection, no fingerprinting. GDPR-compliant by design. Simple Analytics provides aggregate traffic metrics without personal identifiers.
Technical features: Dashboard with pageviews, referrers, UTM parameters, device types, countries, browser types. Goals tracking, custom events, CSV export. API. Public dashboard option. Does not provide session-level analysis or individual user tracking.
Cost: From €19/month (up to 100k pageviews).
Pirsch
Jurisdiction: Emvi Software GmbH, incorporated in Germany. All data processed on EU servers in Germany. EU-native.
GDPR status: GDPR-compliant by design. No cookies, no personal data stored. Session tracking based on anonymized daily fingerprint (salted hash, discarded after 24 hours). No cross-session user profiling.
Technical features: Pageviews, sessions, unique visitors, referrers, UTM tracking, custom events, goals, conversion funnels, hourly statistics, public dashboard, and white-label option. Smaller feature set than Matomo but more than Plausible.
Cost: From €5/month (30-day trial available). Scales by domain and page view volume.
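The "daily rolling hash" that Plausible and Pirsch describe above is worth seeing concretely, because it is what lets a tool count unique visitors with neither a cookie nor a stored IP. The following is an added illustration of that approach written for this post; it is not either vendor's code, and the exact hash inputs (site, IP, user agent), the 16-hex-character key length and the in-memory salt handling are assumptions for the example. It demonstrates three properties: the same visitor maps to one key within a day, to an unrelated key the next day once the salt rotates, and the store never holds an IP address.

```python
"""Cookieless unique-visitor counting with a daily rotating salt.

Added example for this post illustrating the approach Plausible and Pirsch
describe; not their code. Hash inputs, key length and salt handling are
assumptions made for the example.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date
from typing import Optional


class DailySaltedCounter:
    """Counts pageviews and unique visitors without cookies or stored IPs.

    visitor_key = HMAC-SHA256(salt_of_day, site | ip | user_agent)[:16]

    The salt is random, lives only in memory for one UTC day and is
    overwritten when the day changes. Without the salt a key cannot be
    reversed to its IP, and because every day has its own salt the same
    visitor gets unrelated keys on different days: no cross-day profile.
    """

    def __init__(self) -> None:
        self._salt_day: Optional[date] = None
        self._salt: Optional[bytes] = None
        # day -> path -> set of visitor keys. Only keys are kept, never IPs.
        self._views: dict = defaultdict(lambda: defaultdict(set))

    def _salt_for(self, day: date) -> bytes:
        """Return the salt for `day`, rotating (and discarding) on day change."""
        if self._salt_day != day:
            self._salt = secrets.token_bytes(32)  # fresh salt; old one is gone
            self._salt_day = day
        return self._salt

    def visitor_key(self, site: str, ip: str, user_agent: str, day: date) -> str:
        """Derive the per-day pseudonymous key. The IP is processed here and
        only here; it is not retained anywhere after this call returns."""
        message = f"{site}|{ip}|{user_agent}".encode()
        digest = hmac.new(self._salt_for(day), message, hashlib.sha256)
        return digest.hexdigest()[:16]

    def record_pageview(self, site: str, ip: str, user_agent: str,
                        path: str, day: date) -> str:
        key = self.visitor_key(site, ip, user_agent, day)
        self._views[day][path].add(key)
        return key

    def unique_visitors(self, day: date) -> int:
        keys = set()
        for path_keys in self._views[day].values():
            keys |= path_keys
        return len(keys)

    def pageviews(self, day: date, path: str) -> int:
        return len(self._views[day][path])

    def stored_values(self) -> list:
        """Everything the store holds, so a test can prove no IP is retained."""
        out = []
        for paths in self._views.values():
            for path, keys in paths.items():
                out.append(path)
                out.extend(sorted(keys))
        return out


if __name__ == "__main__":
    # Constructed traffic: one visitor on two pages, a second visitor, then the
    # first visitor again the next day.
    c = DailySaltedCounter()
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    d1, d2 = date(2026, 1, 10), date(2026, 1, 11)
    k_day1 = c.record_pageview("example.eu", "203.0.113.7", ua, "/pricing", d1)
    c.record_pageview("example.eu", "203.0.113.7", ua, "/docs", d1)
    c.record_pageview("example.eu", "203.0.113.8", ua, "/pricing", d1)
    k_day2 = c.record_pageview("example.eu", "203.0.113.7", ua, "/pricing", d2)
    print("unique visitors day 1:", c.unique_visitors(d1))
    print("same visitor, different days, keys differ:", k_day1 != k_day2)
    print("IP in store:", "203.0.113.7" in c.stored_values())
```

The caveat to keep in mind: the IP address is still processed at the moment the key is derived, so the GDPR applies at ingestion and you need a legal basis (typically Article 6(1)(f)) for that step; only the stored output is non-identifying. The salt must stay out of logs, backups and crash dumps, because anyone holding a day's salt can recover that day's IPs by brute force over the IPv4 space.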
Comparison Table: EU Analytics Tools
| Tool | Jurisdiction | Cookies | Personal Data | Self-Hosted | Price from |
|---|---|---|---|---|---|
| Google Analytics 4 | US (CLOUD Act) | Yes | Yes (ruled by 5 DPAs) | No | Free |
| Matomo (self-hosted) | N/A (your infra) | Optional | Optional (configurable) | Yes | Free |
| Matomo Cloud EU | NZ (adequacy) | Optional | Configurable | No | €23/mo |
| Plausible | Estonia (EU) | No | No | No | €9/mo |
| PostHog EU Cloud | US parent + US hyperscaler | Optional | Yes (user-level) | No | Free tier |
| PostHog self-hosted | Your infra | Optional | Configurable | Yes | Free |
| Simple Analytics | Netherlands (EU) | No | No | No | €19/mo |
| Pirsch | Germany (EU) | No | No | No | €5/mo |
Migration Considerations for SaaS Developers
Server-Side Event Tracking
For SaaS products where analytics data is generated server-side (user actions, API calls, feature usage), server-side tracking removes the browser-level exposure: the user's browser makes no third-party request at all, and only what your server chooses to forward reaches the analytics backend. The jurisdiction question does not disappear, it moves to the backend. Server-side events posted to a US-subject SaaS are still a transfer, so the backend has to be one of the EU-hosted or self-hosted tools above. Plausible, PostHog and Matomo all accept server-side events over an HTTP API.
Migrating to server-side analytics for your product's internal telemetry means:
- No JavaScript required on the client
- No ePrivacy consent requirement for aggregate, anonymized metrics, since nothing is stored on or read from the user's device; you still need a GDPR legal basis for processing the raw events before aggregation
- No third-party requests from the user's browser
- Full control over what data you collect, how long you keep it, and where you store it
For product analytics specifically (as opposed to marketing site analytics), self-hosted PostHog or Matomo on EU infrastructure is the most feature-complete replacement for GA4.
Cookie Consent Banner Impact
If you switch from Google Analytics to a cookieless EU alternative like Plausible, Simple Analytics, or Pirsch, the analytics tool itself no longer needs a cookie consent banner: nothing is stored on or read from the visitor's device, so ePrivacy Article 5(3) consent is not triggered for it (check your national transposition; the French CNIL, for instance, exempts audience measurement only under specific conditions). This typically increases effective measurement coverage: visitors who reject cookies, often 20-40% of EU traffic depending on your CMP implementation, are currently invisible to your GA4 implementation. Cookieless tools measure all visitors.
This is a direct data quality improvement, not just a compliance improvement.
Google Signals and Cross-Device Tracking
Google Analytics 4 includes a feature called Google Signals, which uses signed-in Google accounts to enable cross-device measurement and remarketing audiences. If you have Google Signals enabled, you are sending GA4 data, linked to signed-in Google identities, into Google's advertising infrastructure. This is a separate and more severe GDPR exposure than standard analytics collection. Disable Google Signals immediately if you have European users: in the GA4 admin it sits under Data collection, and the corresponding gtag.js config parameter is allow_google_signals, which should be set to false.
Reporting API Migration
If your application, dashboard, or business intelligence stack is connected to the Google Analytics Reporting API or GA4 Data API, you need to account for migration to an alternative API. Both Matomo and PostHog provide REST APIs. Plausible and Simple Analytics provide simpler query APIs for aggregate data. The migration effort depends on what you currently query and how complex your reporting logic is.
SaaS Architecture Implications
For EU SaaS companies building data-intensive products, the analytics tool choice has implications beyond the marketing site. Consider where analytics data flows:
Product telemetry (in-app events). If your SaaS product tracks user behavior inside the product — feature usage, workflow completion, error rates — and you use GA4 or Segment (which routes to US infrastructure by default), that telemetry includes EU user personal data. Every user action in your EU customer's account that you log to Google creates a GDPR transfer.
A/B testing infrastructure. Tools like Google Optimize (deprecated), Optimizely (US), and VWO (India) present similar transfer issues. PostHog's feature flags and A/B testing engine on self-hosted EU infrastructure provide an alternative. GrowthBook (open-source, self-hostable) is another option.
Session replay tools. FullStory (US) and LogRocket (US) present the same CLOUD Act exposure as GA4, as does Microsoft Clarity (US parent). Hotjar is owned by Contentsquare, a French company; having US investors does not by itself bring a provider under the CLOUD Act, so what to check there is where Hotjar processes data and which US subprocessors it relies on. PostHog and Matomo both offer session replay as a self-hosted module. Session replay deserves particular care regardless of vendor: it captures form input and on-screen content, so masking must be configured before recordings leave the page.
Customer data platforms (CDPs). Segment (owned by Twilio, US) routes all event data through US infrastructure by default. RudderStack offers an EU region and an open-source core you can self-host, and Hightouch offers an EU region, but both are US companies, so their hosted EU regions carry the same US-parent caveat as PostHog EU Cloud; self-hosting RudderStack on EU infrastructure avoids it. June.so advertises EU data residency; as with every vendor here, verify incorporation and the subprocessor list yourself.
The pattern is consistent: any analytics, telemetry, or user-tracking tool that routes data to a US-incorporated parent creates a GDPR Chapter V transfer problem, regardless of whether EU servers are used.
What the Five DPA Rulings Mean for DPA Risk Assessment
When evaluating analytics tools, EU SaaS developers should assess the following:
1. Parent company jurisdiction. Is the ultimate parent company incorporated in the US? If yes, it is a US person subject to CLOUD Act and potentially FISA § 702.
2. Data residency vs. data access. EU server location eliminates geographic data transfer but does not eliminate US government access authority over a US person. These are different questions.
3. SCC coverage. Standard Contractual Clauses are valid as a transfer mechanism under Article 46 for transfers to non-adequate countries. However, as Schrems II established, SCCs only provide adequate protection if the law of the destination country does not undermine them. US surveillance law — FISA § 702, CLOUD Act — undermines SCCs for US-subject entities. Five DPAs have confirmed this for Google Analytics specifically.
4. Transfer Impact Assessment requirements. Since Schrems II, organizations are expected to conduct Transfer Impact Assessments (TIAs) before relying on SCCs. A TIA for Google Analytics would need to assess the probability and severity of US government access to analytics data. Five DPAs have effectively pre-answered this TIA: the risk is non-negligible and SCCs do not mitigate it.
5. Processor chain. If your analytics tool uses subprocessors (cloud infrastructure, CDN, storage providers), each link in the chain introduces transfer exposure. An analytics tool hosted on AWS, even in eu-central-1 (Frankfurt) and even if the analytics company is EU-incorporated, sits on infrastructure operated by Amazon Web Services, Inc., a US provider; a US East region additionally moves the data physically to the US. Read the subprocessor list, not the marketing page.
Practical Transition Path
For most EU SaaS teams, the recommended migration path is:
Marketing site analytics: Plausible, Simple Analytics, or Pirsch. Cookie-free, EU-native, minimal setup. Eliminates GA4 compliance risk for marketing analytics with one hour of migration effort.
Product telemetry and user analytics: Self-hosted Matomo or self-hosted PostHog on EU infrastructure (Hetzner Germany, OVHcloud, or your EU PaaS deployment). More configuration required but provides the full analytics feature set including funnels, cohorts, and session analysis.
A/B testing and feature flags: Self-hosted PostHog EU or GrowthBook self-hosted. Avoids US-incorporated A/B testing platforms.
Data export and reporting: Matomo and PostHog both support full data export and provide query APIs compatible with BI tools like Metabase, Redash, or Apache Superset — all of which can be self-hosted on EU infrastructure.
The common architecture for EU-compliant product analytics in 2026:
User browser → your EU SaaS app → Matomo/PostHog (self-hosted, Hetzner Germany)
↓
Your BI dashboard (Metabase, self-hosted)
No US transfer. No CLOUD Act exposure. No consent requirement for aggregate metrics.
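Once the migration is done, two checks confirm nothing still leaks to Google: grep the served HTML for leftover gtag/GTM snippets and measurement IDs, and make sure the Content-Security-Policy does not admit connections to Google's analytics hosts. The script below is an added example for this post (not from sota.io or any of the vendors named): it scans constructed sample pages for GA remnants, including an allow_google_signals setting left on, and parses a CSP header to report directives that still allow googletagmanager.com or google-analytics.com, use wildcards, or are missing altogether. The hostnames plausible.example.eu and app.example.eu and the measurement ID G-ABC123XYZ are invented.

```python
"""Post-migration checks: residual Google Analytics tags in HTML, and a CSP
that would still let beacons out.

Added example for this post; the sample pages and headers are constructed.
"""
import re

# Markers of a GA / GTM deployment in page source. The ID patterns follow the
# public formats (G-XXXXXXX for GA4, UA-NNNN-N for Universal Analytics).
GA_MARKERS = {
    "gtag_loader": re.compile(r"googletagmanager\.com/gtag/js"),
    "gtm_container": re.compile(r"googletagmanager\.com/gtm\.js|\bGTM-[A-Z0-9]{4,}\b"),
    "ga4_measurement_id": re.compile(r"\bG-[A-Z0-9]{6,}\b"),
    "ua_property_id": re.compile(r"\bUA-\d{4,}-\d+\b"),
    "analytics_js": re.compile(r"google-analytics\.com/(?:analytics|ga)\.js"),
    "collect_endpoint": re.compile(r"google-analytics\.com/(?:g/)?collect"),
    "google_signals_on": re.compile(r"allow_google_signals['\"]?\s*:\s*true"),
}

GOOGLE_ANALYTICS_HOSTS = ("google-analytics.com", "googletagmanager.com",
                          "analytics.google.com")
# CSP source expressions that allow effectively any origin.
PERMISSIVE_SOURCES = {"*", "https:", "http:"}

# Constructed page: migrated to self-hosted Plausible, but the gtag snippet
# was never removed and Google Signals is still switched on.
LEFTOVER_HTML = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-ABC123XYZ', {'allow_google_signals': true});
</script>
<script defer data-domain="app.example.eu" src="https://plausible.example.eu/js/script.js"></script>
</head><body>Pricing</body></html>"""

# Constructed page after the cleanup.
MIGRATED_HTML = """<!doctype html><html><head>
<script defer data-domain="app.example.eu" src="https://plausible.example.eu/js/script.js"></script>
</head><body>Pricing</body></html>"""

WEAK_CSP = ("default-src 'self'; script-src 'self' https://www.googletagmanager.com; "
            "connect-src 'self' https://*.google-analytics.com; img-src *")
STRICT_CSP = ("default-src 'self'; script-src 'self' https://plausible.example.eu; "
              "connect-src 'self' https://plausible.example.eu; img-src 'self'")


def find_ga_remnants(html: str) -> dict:
    """Return {marker_name: sorted unique matches} for every marker present."""
    found = {}
    for name, pattern in GA_MARKERS.items():
        matches = sorted({m.group(0) for m in pattern.finditer(html)})
        if matches:
            found[name] = matches
    return found


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_gaps(header: str) -> list:
    """Directives through which a GA loader or beacon could still get out.

    Checks script-src (the gtag loader), connect-src (beacons via fetch, XHR
    or sendBeacon) and img-src (the legacy pixel fallback), falling back to
    default-src as browsers do. Returns (directive, offending source) pairs;
    a directive with no applicable policy is reported as "<unrestricted>".
    """
    csp = parse_csp(header)
    gaps = []
    for directive in ("script-src", "connect-src", "img-src"):
        sources = csp.get(directive, csp.get("default-src"))
        if sources is None:
            gaps.append((directive, "<unrestricted>"))
            continue
        for src in sources:
            host = src.lower().strip("'")
            if src in PERMISSIVE_SOURCES or any(h in host for h in GOOGLE_ANALYTICS_HOSTS):
                gaps.append((directive, src))
    return gaps


if __name__ == "__main__":
    print("leftover page:", find_ga_remnants(LEFTOVER_HTML))
    print("migrated page:", find_ga_remnants(MIGRATED_HTML))
    print("weak CSP gaps:", csp_gaps(WEAK_CSP))
    print("strict CSP gaps:", csp_gaps(STRICT_CSP))
```

Run find_ga_remnants over the HTML your CDN actually serves (templates in the repository miss tags injected by a tag manager or a CMS plugin), and feed csp_gaps the header as returned by a real response. A strict connect-src is the durable control: even if a GA snippet is reintroduced later, the browser refuses the beacon and reports it to your CSP violation endpoint.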
The sota.io Connection
If your EU SaaS application needs to run analytics, telemetry, or observability infrastructure on EU-native managed hosting — without managing VMs, without Docker complexity, without AWS dependency — sota.io provides EU-native managed deployment on Hetzner Germany.
Self-hosted Matomo, PostHog, or Umami can be deployed on sota.io in minutes: one configuration, auto-provisioned infrastructure in Frankfurt, no US parent, no CLOUD Act chain. Every analytics event your SaaS generates stays in the EU.
This is the architecture that EU-sovereign SaaS products need: EU-native deployment for EU-native analytics.
Summary
Five EU data protection authorities (Austria, France, Italy, Sweden and Denmark) have concluded that using Google Analytics as deployed violates the GDPR. The core legal issue is not consent banners or cookie settings: it is that Google LLC is a US provider subject to the CLOUD Act and FISA § 702, and data it receives can be compelled by US authorities without an EU court order. Standard Contractual Clauses do not close this gap, and the Data Privacy Framework covers it only for as long as it survives judicial review. Google Consent Mode v2 does not fix the structural transfer problem. IP anonymization does not prevent the full IP address from reaching Google before truncation.
EU-native alternatives exist for every analytics use case: Plausible and Simple Analytics for cookieless aggregate marketing analytics, Matomo self-hosted for full-featured product analytics, PostHog self-hosted on EU infrastructure for session replay and feature flags, and Pirsch for lightweight Germany-hosted analytics.
For EU SaaS developers, migrating away from Google Analytics is both a compliance necessity and a technical opportunity: cookieless tools measure more users, eliminate consent friction, and give you full control over your analytics data.
The five DPA rulings have been public for three to four years. The window for "we are reviewing our setup" is closing. EU analytics infrastructure should now be on EU-native, non-US-subject platforms.
This post is part of the sota.io EU-ANALYTICS-SERIE. Next: Mixpanel EU Alternative — US-Incorporated Product Analytics and GDPR Data Transfer Risk for SaaS Event Streams.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.