Do You Need a Cookie Banner If You Only Use Google Analytics?
If your website loads Google Analytics, you almost certainly need a consent banner, and you need it to appear before Analytics runs, not after. Google Analytics sets cookies on your visitor's browser, and under EU law that action requires prior consent unless the cookie is strictly necessary. Analytics is not strictly necessary. That is the whole case, and it did not change with GA4.
The confusion usually comes from treating this as a GDPR question. It is really a cookie-law question, and the two work differently.
The requirement comes from the cookie law, not GDPR alone
The rule that forces the banner is Article 5(3) of the ePrivacy Directive (2002/58/EC), often called the "cookie law." In plain terms: you may not store information on a user's device, or read information already stored there, unless the user has consented after being clearly informed. There is one carve-out, for cookies that are strictly necessary to deliver a service the user actually asked for, such as keeping items in a shopping cart or remembering a login.
GDPR enters at a second stage. It defines what valid consent means. Under Article 4(11), consent has to be freely given, specific, informed, and unambiguous: a clear affirmative action, not a pre-ticked box or silence. Article 7 adds that withdrawing consent must be as easy as giving it. So the ePrivacy Directive decides when you need consent; GDPR decides what counts as consent.
Google Analytics trips the first rule. It reads and writes cookies. That alone requires consent, regardless of what you later do with the data.
Google Analytics cookies are not "strictly necessary"
GA4 sets cookies such as _ga and _ga_<container-id> to tell visitors and sessions apart. Their purpose is measurement: understanding how people use your site. Useful, but not necessary to deliver the page the visitor requested. Every major EU regulator treats analytics as non-exempt by default.
A few authorities have carved out narrow exemptions for privacy-preserving, first-party audience measurement. France's CNIL, Italy's Garante, and Spain's AEPD allow certain analytics cookies without consent, but only where the tool is strictly limited: first-party only, aggregate figures, no cross-site tracking, and data kept under the site operator's control. Google Analytics does not qualify for any of them. The CNIL has said plainly that neither Universal Analytics nor GA4 meets its exemption criteria, because the data leaves your control and enters Google's ecosystem. The tool the CNIL actually points to for exempt analytics is a self-hosted, EU-hosted Matomo setup.
So if you are running standard Google Analytics and hoping the analytics exemption covers you, it does not.
"But we use Consent Mode" isn't a defence
This is the mistake we see constantly. Google Consent Mode v2, which Google has required since March 2024 for anyone using its tags to measure or advertise to EEA users, is not a consent banner and does not collect consent. It is a signal-passing mechanism. Your banner or consent management platform collects the user's choice; Consent Mode relays that choice to Google's tags so they behave accordingly, firing normally when consent is granted and sending cookieless pings when it is not.
Consent Mode assumes a banner exists upstream to tell it what the user decided. Installing Consent Mode without a working banner means you have wired up the plumbing with nothing feeding it. You still have no lawful basis to set the cookie in the first place.
The "anonymised IP" and "we don't run ads" arguments
Two objections come up often, and neither survives contact with Article 5(3). Anonymising IP addresses reduces the personal data GA collects, but the consent trigger is the act of storing and reading the cookie, not the sensitivity of what sits inside it. Anonymisation does not remove the cookie. And "we only use Analytics, no advertising" misses that the cookie law draws no line between analytics cookies and advertising cookies. Both are non-essential. Both need consent.
There is a separate, older dispute about Google Analytics and EU–US data transfers, which produced enforcement decisions from the Austrian, French, and Italian authorities in 2022. The EU–US Data Privacy Framework adequacy decision from July 2023 addresses the transfer question when Google is certified under it. But transfers and cookie consent are two different problems. Even with the transfer issue settled, the requirement to obtain consent before setting the cookie is untouched.
What a compliant setup looks like
A lawful Google Analytics deployment needs a banner that holds GA back until the user acts, offers a real choice where refusing is as easy as accepting, and records the decision. Behind it, your cookie policy should name the Google Analytics cookies, state their purpose and lifespan, and your Consent Mode configuration should read from the banner. Pre-ticked boxes, "by continuing to browse you accept" notices, and cookie walls that load GA before any click are the exact setups regulators have been fining.
The ePrivacy Regulation meant to replace all this was formally withdrawn by the European Commission in February 2025 — this isn't consolidating into one clean EU rule any time soon. The Directive stays in force, each member state keeps transposing it slightly differently, and the banner requirement isn't going anywhere.
Not sure whether your site fires Google Analytics before your visitors consent?