Consent & GDPR | January 14, 2025 | 7 min read

GDPR Tracking Compliance: What Every Marketer Needs to Know in 2025

GDPR fines for tracking violations are increasing. Here's what's actually required, what regulators are checking, and how to stay compliant without killing your analytics.

The enforcement landscape in 2025

GDPR enforcement has accelerated significantly since 2023. The Irish DPC issued €1.2B in fines to Meta. France's CNIL has issued dozens of fines to companies using Google Analytics without proper consent mechanisms. Austrian, German, and Italian authorities have ruled that using GA4 without consent mode violates GDPR.

The pattern is clear: regulators are specifically targeting third-party tracking tools (GA4, Google Ads, Meta Pixel) that transmit user data to US servers without explicit consent. If you're operating in or targeting EU users, this is not a theoretical risk.

What GDPR actually requires for analytics

Under GDPR, you need a lawful basis for processing personal data. For analytics and advertising tracking, the lawful basis is almost always 'consent' — meaning you need explicit, informed, freely given consent before setting non-essential cookies or transmitting user data to third parties.

This means: no GA4 hits before the consent banner appears and the user makes a choice. No Meta Pixel firing on page load. No Google Ads remarketing tags loading before consent is granted. The bar is higher than many businesses realize.

What you can track without consent

Not all tracking requires consent. Server-side analytics that don't use cookies or cross-site identifiers can often proceed without consent under the 'legitimate interests' basis. Aggregated, anonymized analytics (no IP addresses, no user IDs) may be permissible.

Google's Consent Mode with cookieless pings (analytics_storage denied, url_passthrough enabled) allows GA4 to send minimal, non-personalized data even when users decline consent. This gives you aggregate measurement without violating GDPR — but it requires correct configuration.

The consent banner requirements

Your consent banner must meet specific requirements to be valid under GDPR. It must be shown before any tracking fires. It must be equally easy to decline as to accept (no dark patterns like a large 'Accept' button and a hidden 'Decline' link). It must clearly describe what data is collected and for what purpose. And it must allow users to withdraw consent as easily as they gave it.

Regulators have specifically targeted pre-ticked checkboxes, dark color choices that make 'decline' hard to see, and banners that only appear after tracking has already fired. All of these can constitute GDPR violations even if a banner is technically present.

Practical compliance checklist

Use a GDPR-compliant CMP (Cookiebot, OneTrust, Usercentrics, or similar) that has been certified against the IAB TCF 2.2 framework. Implement Google Consent Mode v2 with all four consent signals. Block all third-party pixels (Meta, TikTok, LinkedIn) until ad_storage is granted. Regularly audit your consent banner to ensure it hasn't been reconfigured to be non-compliant after CMP updates.

Run regular technical audits to verify that your implementation is actually blocking pre-consent tracking — not just displaying a banner. A banner that looks compliant but doesn't actually block tracking is worse than no banner at all, because it creates a false sense of security.
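The gating and audit steps above, as an added JavaScript example that is not code from the original post: it sets Consent Mode v2 defaults for the four signals through the standard gtag shim, releases third-party pixels only once ad_storage is granted, and checks a constructed request capture for hits that fired before the consent decision. The pixel hostnames, tag names and sample requests are assumptions, and the tag loader is a hypothetical stand-in for injecting the vendor script.

```javascript
// Added example, not from the original post; tag names and request records are constructed.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); } // standard gtag.js shim
// The four Consent Mode v2 signals, all denied until the user decides.
const DEFAULT_CONSENT = { ad_storage: 'denied', ad_user_data: 'denied',
                          ad_personalization: 'denied', analytics_storage: 'denied' };
// Third-party pixels and the signal each one needs before it may load.
const GATED_TAGS = [
  { name: 'meta_pixel', requires: 'ad_storage' },
  { name: 'tiktok_pixel', requires: 'ad_storage' },
  { name: 'linkedin_insight', requires: 'ad_storage' },
];
const state = { consent: { ...DEFAULT_CONSENT }, fired: [] };
// Must run before any tag script loads, so GA4 falls back to cookieless pings.
function initConsentDefaults() {
  gtag('set', 'url_passthrough', true);
  gtag('consent', 'default', { ...DEFAULT_CONSENT, wait_for_update: 500 });
  return { ...state.consent };
}
// Called by the CMP with the user's choice. Unknown keys are ignored and anything
// not literally 'granted' stays denied, so declining is the safe default.
function applyConsentUpdate(update) {
  for (const key of Object.keys(DEFAULT_CONSENT)) {
    if (key in update) state.consent[key] = update[key] === 'granted' ? 'granted' : 'denied';
  }
  gtag('consent', 'update', { ...state.consent });
  for (const tag of GATED_TAGS) {
    if (state.consent[tag.requires] === 'granted' && !state.fired.includes(tag.name)) {
      state.fired.push(tag.name); // a real gate would inject the vendor script here
    }
  }
  return state.fired.slice();
}
// Audit check over a request capture (e.g. from a proxy) and the consent decision
// time: pixel hosts must not be hit at all, and earlier GA4 hits must be cookieless.
const PIXEL_HOSTS = ['facebook.com/tr', 'analytics.tiktok.com', 'px.ads.linkedin.com'];
function findPreConsentViolations(requests, consentDecidedAt) {
  return requests
    .filter((r) => r.time < consentDecidedAt)
    .filter((r) => PIXEL_HOSTS.some((h) => r.url.includes(h)) ||
                   (r.url.includes('google-analytics.com') && r.hasCookies))
    .map((r) => r.url);
}
// Constructed sample capture: times in ms since page load, consent decided at t=2000.
const SAMPLE_REQUESTS = [
  { time: 300, url: 'https://www.google-analytics.com/g/collect?v=2', hasCookies: false },
  { time: 800, url: 'https://www.facebook.com/tr?id=PIXEL_ID&ev=PageView', hasCookies: true },
  { time: 2500, url: 'https://analytics.tiktok.com/i18n/pixel/events.js', hasCookies: true },
];
```

Running `findPreConsentViolations(SAMPLE_REQUESTS, 2000)` flags only the Meta pixel hit at t=800; the cookieless GA4 ping is the behaviour Consent Mode is meant to allow, and the TikTok request came after the decision.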
