GDPR, CNIL & Analytics: Consent Mode and AI | 2026
Foreword
This report provides our analysis of using audience measurement and advertising tools within the framework of GDPR, the French Data Protection Act, and the various CNIL positions.
Originally published in June 2022 following the CNIL formal notices concerning Google Analytics, it was thoroughly updated in April 2026 to incorporate the Data Privacy Framework, Consent Mode v2, the AI Act, and EU-US geopolitical tensions.
EdgeAngel is not a law firm. We invite readers to exercise their own judgement regarding our interpretations and to engage in discussion with us if analyses and conclusions differ: [email protected]
GDPR & Google Analytics
The Regulatory Framework in 2026
GDPR: the Fundamentals
The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, builds on the French Data Protection Act of 1978. It harmonises personal data protection rules across the European Union [1].
Who is affected?
Any organisation whose activities are within the European Union and that processes personal data (Art. 3 GDPR).
What is personal data?
"Any information relating to an identified or identifiable natural person" (Art. 4 GDPR). Any data that allows direct or indirect identification of a user. Penalties range from formal notices to potentially substantial fines, not to mention reputational damage.
In 2025, the CNIL imposed €487 million in fines across all types of violations [2]. The level of vigilance is at an all-time high.
Art. 82 French Data Protection Act
Article 82 is the French transposition of the European ePrivacy Directive (2002/58/EC). This text goes further than GDPR on one specific point: it governs all trackers and read/write operations on the user's device (cookies, localStorage, device fingerprinting), not just personal data [3].
User consent is required, unless the data collection:
- has "the sole purpose of enabling or facilitating communication by electronic means"
- or is "strictly necessary for providing an online communication service at the express request of the user"
It is on this text that the CNIL bases its intervention on trackers, beyond the strict scope of GDPR. The interpretation of "sole purpose" is the crux of the issue for audience measurement tools.
Technical note: the ePrivacy Directive was supposed to be replaced by an ePrivacy Regulation. This text has been under negotiation at the EU Council since 2017. It is still not adopted in 2026. Article 82 (and its equivalents in other EU countries) continues to apply.
The CNIL's Role and Its Limits
The CNIL is France's data protection authority. It enforces GDPR and the French Data Protection Act. It has the authority to issue formal notices, impose sanctions, and publish recommendations and guidelines.
However, it does not write the law. It interprets and enforces it. Its interpretation can be challenged before the competent authorities: the French Council of State (Conseil d'État) or the Court of Justice of the European Union (CJEU). This is an important point.
In 2025-2026, the CNIL has intensified its audits, particularly in e-commerce, media, healthcare, finance, and public services [4]. Its 2025-2028 strategic plan makes artificial intelligence one of its four pillars of action.
AI Act: the New Regulation to Know
The AI Act (Regulation (EU) 2024/1689) is the world's first legal framework dedicated to artificial intelligence. It does not replace GDPR: it complements it. When an AI system processes personal data, both texts apply simultaneously [5].
Implementation Timeline
- February 2025: prohibitions (social scoring, untargeted biometric recognition)
- August 2025: obligations for general-purpose AI models (GPAI)
- August 2026: obligations for high-risk AI systems
Why does this concern advertisers?
AI systems integrated into advertising tools (GA4 predictive audiences, Performance Max, Demand Gen) process data. The CNIL has published practical guides on training AI models with personal data [6]. Legitimate interest is accepted as a possible legal basis, but under strict conditions: mandatory data protection impact assessment (DPIA), data minimisation, and exhaustive documentation.
The AI Act provides for sanctions of up to €35 million or 7% of global turnover for prohibited practices. The topic is being structured. We will revisit it in the GDPR and AI section.
Google Analytics and CNIL: From Crisis to Resolution
Key Takeaway
In 2026, Google Analytics is legally usable in Europe. The issue raised by the CNIL in 2022 (the lack of a legal framework for data transfers to the United States) was resolved by the adoption of the Data Privacy Framework (DPF) in July 2023. Google is DPF-certified. The condition: use a compliant CMP (Consent Management Platform) and follow collection rules. If you meet these criteria, your use of GA4 is GDPR-compliant.
The rest of this section details the full timeline, important nuances, and complementary strategies (Server-Side Tagging, consent exemption) for those who want to go further.
The Crisis: The 2022 Formal Notices
On 10 February 2022, the CNIL issued a formal notice to a French website operator using Google Analytics (in its Universal Analytics version). The findings [7]:
- the tool collected personal data (IP address, GA Client Id stored in the "_ga" cookie) and was therefore subject to GDPR;
- Google did not provide sufficient safeguards for transferring this data to the United States. The Privacy Shield had been invalidated in 2020 by the CJEU (Schrems II ruling);
- no transfer derogation clause (Art. 49 GDPR) was applicable.
On 7 June 2022, the CNIL clarified that regardless of the configuration, using Google Analytics with personal data could be considered illegal, as long as there was no legal framework for transatlantic transfers [8].
Important clarification: GA was never "banned". The risk was legal, tied to the absence of a legal framework for personal data transfers to the United States. This absence has since been corrected.
What personal data?
At minimum: the visitor identifier (GA Client Id) and IP address. Potentially also user IDs, order IDs, and URL parameters related to traffic source (GCLID, UTM). The link between Google Analytics and other Google products (Google Ads, Google Signals) can turn non-personal data into personal data through cross-referencing.
Broader Implications
The formal notices went beyond the Google Analytics question. They questioned all solutions published by companies with ties to entities outside the European Union. Other solutions (Google Ads, Meta) were also in NOYB's crosshairs [9].
The Resolution: The Data Privacy Framework
On 10 July 2023, the European Commission adopted the Data Privacy Framework (DPF), a new legal framework governing personal data transfers to the United States [10].
In Plain Terms
Google LLC is on the list of DPF-certified organisations [11]. The fundamental issue of the 2022 formal notices, the absence of a legal framework for transfers, is resolved. Data transfers to Google have been legally framed since that date.
First Annual Review (October 2024)
The Commission concluded that the necessary structures and procedures have been put in place by the United States. The Data Protection Review Court (DPRC) functions as an independent redress mechanism for European citizens [12].
The DPF Remains Under Scrutiny
In September 2025, the EU General Court dismissed an appeal by a French MEP who challenged the adequacy decision, confirming that the DPF offers a level of protection "essentially equivalent" [13]. This judgment was appealed to the CJEU on 31 October 2025. The proceedings are ongoing. We return to this in the EU-US Tensions section.
Proxyfication and Server-Side Tagging
What the CNIL had required
In June 2022, the CNIL stated that Google Analytics could remain usable provided data was routed through an intermediary server (proxy) that removes personal data before any transfer to Google [8]. This is the proxyfication principle: by stripping the IP address, client_id, and advertising identifiers server-side, the processing falls outside the scope of GDPR. Without this proxy, GA could not be configured in a compliant manner in the post-Schrems II context.
The most common technical solution for implementing this proxyfication: Google Tag Manager Server-Side (sGTM). See also our GTM / sGTM offering.
Since the DPF: no longer a compliance prerequisite
With the adoption of the Data Privacy Framework in July 2023, the transfer issue is legally resolved. Proxyfication is no longer a prerequisite for using GA in a compliant manner. However, it remains a relevant option for advertisers whose DPO or internal policies require limiting data sent to Google and other third-party tools. The proxy provides total control over outgoing data: the advertiser chooses precisely which information to transmit, remove, or transform.
sGTM: a high-value infrastructure well beyond GDPR
Regardless of any regulatory considerations, Server-Side Tagging is a technical infrastructure that delivers concrete benefits: better collection quality (less ad-blocker interference, more reliable events), better web performance (fewer client-side scripts, positive impact on Core Web Vitals), and easier first-party data activation (server-side enrichment, direct CRM integrations). For a deeper dive, see our dedicated expert note on Server-Side Tagging.
If the DPF were to be invalidated (see EU-US Tensions), organisations with sGTM in place also have structural insurance: since the data sent to Google is already anonymised, the legal framework for transfer becomes secondary.
GA4 and Consent: What You Need to Know
By default: consent is required
GA4 processes personal data (client identifier, IP address, browsing data). User consent is therefore legally required before firing the tag, in accordance with GDPR and Article 82 of the French Data Protection Act.
To manage this constraint, Google introduced Consent Mode: a framework that transmits the user's consent state to Google tags (granted or denied) across different purposes. Depending on the chosen implementation mode, GA4's behaviour changes significantly. It is a structural choice between a conservative approach (less data, less legal risk) and a complete approach (legal grey area, but modelled data in GA4). For a full technical breakdown, see our dedicated Consent Mode v2 note.
Basic Mode: conservative approach
Google tags do not fire until the user has given consent. If the user declines, no data is sent to Google.
- Legally the safest option
- 30 to 70% data loss
- Limited conversion modelling
Advanced Mode: legal grey area
Tags fire even without consent, with the parameter set to denied. They send degraded pings (no cookie, no identifier) that Google uses to statistically model non-consented traffic. Result: in GA4, you see all traffic, including the portion reconstructed statistically.
- Complete data in GA4 (modelled)
- Better conversion modelling
- Not validated by the CNIL to date
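As an added illustration (not code from EdgeAngel or Google), the block below replays the Consent Mode v2 command stream a CMP pushes through gtag() and applies the Basic/Advanced rule just described; the region list, the 500 ms wait and the purpose-to-signal mapping are assumptions made for the example.

```javascript
// Added example, not code from EdgeAngel or Google: a replay of the Consent
// Mode v2 command stream a CMP pushes through gtag(), plus the Basic/Advanced
// gating rule described above. dataLayer/gtag are stubs standing in for the
// browser so the block runs under Node.
const CONSENT_TYPES = [
  'ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage',
];

const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Emitted before any Google tag loads: deny every signal, optionally only for
// the listed regions, and give the CMP up to 500 ms to deliver the decision.
function pushDefaultDenied(regions) {
  const cmd = { wait_for_update: 500 };
  for (const t of CONSENT_TYPES) cmd[t] = 'denied';
  if (regions) cmd.region = regions;
  gtag('consent', 'default', cmd);
}

// Emitted after the banner: the CMP maps its purposes onto the four v2
// signals (assumed mapping: "analytics" -> analytics_storage, "ads" -> the
// three ad_* signals).
function pushCmpDecision(decision) {
  const ads = decision.ads ? 'granted' : 'denied';
  gtag('consent', 'update', {
    analytics_storage: decision.analytics ? 'granted' : 'denied',
    ad_storage: ads, ad_user_data: ads, ad_personalization: ads,
  });
}

// Resolve the state a Google tag would see for a visitor in visitorRegion:
// with no 'default' command at all every signal counts as granted (legacy
// behaviour), a regional default overrides a global one, and 'update'
// overrides both. Later commands win within each stage.
function resolveConsent(layer, visitorRegion) {
  const state = Object.fromEntries(CONSENT_TYPES.map((t) => [t, 'granted']));
  const cmds = layer.filter((c) => c[0] === 'consent');
  const isDefault = (c) => c[1] === 'default';
  const regional = (c) => Array.isArray(c[2].region);
  const stages = [
    cmds.filter((c) => isDefault(c) && !regional(c)),
    cmds.filter((c) => isDefault(c) && regional(c) && c[2].region.includes(visitorRegion)),
    cmds.filter((c) => c[1] === 'update'),
  ];
  for (const stage of stages) {
    for (const c of stage) {
      for (const t of CONSENT_TYPES) if (c[2][t]) state[t] = c[2][t];
    }
  }
  return state;
}

// The structural choice from the text: Basic never fires GA4 without
// analytics consent; Advanced fires it anyway and falls back to a cookieless,
// identifier-free ping when analytics_storage is denied.
function ga4Behaviour(mode, state) {
  const granted = state.analytics_storage === 'granted';
  if (mode === 'basic') return granted ? 'full-hit' : 'no-hit';
  if (mode === 'advanced') return granted ? 'full-hit' : 'cookieless-ping';
  throw new Error('unknown Consent Mode implementation: ' + mode);
}
```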
sGTM and consent exemption
A specific configuration via Server-Side Tagging (sGTM) aimed at eliminating personal data server-side (IP address, client_id, advertising identifiers) could provide the framework for a consent exemption on Google Analytics. The rationale: if processing no longer involves personal data within the meaning of GDPR, the prior consent obligation no longer applies.
The criteria remain those of GDPR and Article 82: (1) not processing personal data, (2) falling within the "strictly necessary" derogation. The burden of proof lies with the publisher.
Consent remains the default principle. sGTM is not a circumvention mechanism: exemption depends on the actual configuration, not the infrastructure. And the level of anonymisation required has a real functional cost (no profiling, no advertising activation). This is a trade-off to be made knowingly.
The CNIL's position
The CNIL had established an evaluation programme to identify analytics solutions exempt from consent. This programme has ended: the CNIL no longer "validates" tools. GA4 was never included and will not be [14]. Since July 2025, the CNIL has shifted to a self-assessment model [15].
Note on the right of opposition: the CNIL recommends in its guidelines offering an opt-out mechanism even for exempt trackers. This is a good practice included in the CNIL's requirements, but it is not a strict obligation under Article 82 or the ePrivacy Directive. Legally, if the tool does not process personal data (the very condition for exemption), the GDPR right of opposition (Art. 21) does not apply by definition. In practice, offering an opt-out remains prudent and strengthens the compliance posture.
New Challenges
Consent Mode v2: the Decision Framework
Consent Mode has been detailed in the previous section (GA4 and Consent). The key takeaway is: the choice between Basic and Advanced mode determines the advertiser's legal posture.
Basic mode is legally safe, but deprives the advertiser of a significant portion of their data. Advanced mode offers a complete (modelled) view in GA4, but relies on a mechanism that the CNIL has not validated.
The grey area
The legal question centres on a specific point: does sending a degraded HTTP ping (without cookie, without identifier) constitute access to the user's device within the meaning of Art. 82? Google considers these pings as non-identifying [17]. Several experts consider that firing tags before consent presents a risk of non-compliance [18]. To date, no data protection authority has issued a formal decision.
For advertisers who choose Advanced mode, Server-Side Tagging offers a way to mitigate this risk: the proxy intercepts pings and removes residual data before they reach Google.
EU-US Tensions: Is the DPF Sustainable?
The Data Privacy Framework (DPF) is the third transatlantic agreement governing the transfer of personal data to the United States. The two previous ones were invalidated by the Court of Justice of the European Union:
| Agreement | Period | Outcome |
|---|---|---|
| Safe Harbor | 2000–2015 | Invalidated by the CJEU (Schrems I) |
| Privacy Shield | 2016–2020 | Invalidated by the CJEU (Schrems II) |
| Data Privacy Framework | 2023–? | In force, CJEU appeal filed Oct. 2025 |
The DPF holds, but its foundations are weakened
The DPF, adopted in 2023, remains in force. Over 3,500 US companies are certified under it, and data transfers to Google tools (GA4, Google Ads) are covered by this framework.
The PCLOB: the weakened link
The adequacy decision explicitly relied on the PCLOB (Privacy and Civil Liberties Oversight Board), an independent oversight body for intelligence programmes. In January 2025, the Trump administration removed three of its five members, depriving it of the required quorum [19]. Despite a court ruling that the removals were illegal, the D.C. Circuit Court of Appeals blocked the reinstatement [20]. The PCLOB remains non-operational to date.
Towards a Schrems III?
An appeal was filed at the CJEU in October 2025 against the adequacy decision. The argument: the dismantling of the PCLOB weakens the independent oversight safeguards on which the DPF was validated. If the Court follows this reasoning, the DPF could be invalidated, like its two predecessors [21].
The current political climate between the US and the EU (trade tensions, tariffs, questioning of certain transatlantic cooperations) adds a layer of uncertainty. This is not a theoretical risk: it is a documented scenario that has already occurred twice. Advertisers who rely exclusively on US-based tools for measurement and activation should plan for alternatives, or at the very least structure a modular architecture.
GDPR and AI: What Framework for Modelling?
Artificial intelligence is now integrated into measurement and advertising tools. GA4 uses models to fill data gaps caused by consent (conversion modelling, predictive audiences). Performance Max and Demand Gen rely on AI for bid optimisation and targeting [22].
On the regulatory side, two texts overlap:
- The GDPR applies whenever an AI system processes personal data (training, inference, profiling). Art. 22 gives individuals the right not to be subject to a fully automated decision with significant effects.
- The AI Act adds transparency and documentation obligations, classified by risk level. High-risk AI systems (including certain credit scoring or recruitment tools) are subject to specific obligations from August 2026.
Open Questions for Advertisers
The CNIL has published practical guides on the topic [6]. Three points deserve attention:
- Legal basis for training: legitimate interest is accepted as a possible legal basis for training an AI model on personal data, but with strict conditions (impact assessment, minimisation, documentation).
- GA4 modelling: GA4's behavioural and conversion models process data from Consent Mode. The legal basis for this processing by Google has not been formally clarified by European authorities.
- Shared responsibility: when an advertiser uses AI-generated audiences (Performance Max, Demand Gen), the processing of personal data is shared between the advertiser and Google. The advertiser cannot disclaim responsibility by invoking the provider's technology.
This topic is still developing. The first decisions by data protection authorities on the GDPR/AI Act interplay are expected in the coming months. We are monitoring this matter and will update this section as decisions are made.
The EdgeAngel View
Analytics compliance is a technical, evolving and foundational topic. Between the uncertainties around the DPF, the rollout of the AI Act and the shift to CNIL self-assessment, this is not a one-time exercise. Every regulatory change impacts advertisers' ability to measure, optimise and activate their data.
Our conviction: invest in a modular architecture. The best-prepared advertisers are those who have built a data stack where components are interchangeable. If a measurement tool is banned or degraded tomorrow, you can pivot without starting from scratch. This is the modern data stack principle applied to compliance: CMP, collection, processing, activation, each layer can evolve independently.
Document everything. Your CMP choices, your Consent Mode configuration (Basic or Advanced), your Server-Side purge rules, your legal bases per processing activity. The CNIL self-assessment era requires being able to justify every decision. This documentation is not a bureaucratic exercise: it is your agility lever. When the framework evolves, you know exactly what needs to be adapted.
Privacy by design, without losing the business thread. The balance between data protection and marketing performance is not a compromise: it is engineering. Advertisers who over-protect without thinking lose visibility. Those who ignore the topic expose themselves to sanctions and technical debt. The right balance depends on your industry, your risk exposure, and your activation levers.
This is our daily work at EdgeAngel: providing each advertiser with the analytical framework to define their own approach, with full knowledge of the implications.
So, EdgeAngel, What Should We Do?
Concretely, here are the four workstreams we recommend to every advertiser.
1. A CMP That Actually Works (Web and App)
- The choice of platform (Didomi, Axeptio, OneTrust, Cookiebot, or our own solution Cooki Consent...) and its configuration are not binary topics. The opt-in rate directly depends on the quality of implementation: wording, design, display timing, refusal management.
- Objective: maximise informed consent while respecting your users. Every opt-in percentage point gained means more data to drive your marketing.
- This is a subject of expertise in its own right, not a checkbox.
2. Document Your Choices and Consent Strategy
- Which tools do you use? On what legal basis? What Consent Mode configuration (Basic / Advanced) and why? What data do you collect, to which recipients?
- This documentation is your safety net in case of a CNIL audit and your agility lever when the regulatory framework evolves.
3. Define Your Framework: Exemption, Consent Mode, Server-Side
- Consent Mode Basic: the strictest configuration. Tags only fire with explicit consent. Compliant, but you lose visibility over non-consented traffic.
- Consent Mode Advanced: degraded pings feed Google's modelling. More data, but an unresolved legal risk. It is a choice to assume and document.
- Server-Side Tagging: its primary benefits are improved collection quality, web performance (fewer client-side scripts), and first-party data activation (server-side enrichment, direct connection to advertising APIs). It is also a lever for establishing a more controlled GDPR framework: control over transmitted data, removal of personal data before transfer, and potential for consent exemption. A foundational investment, relevant for organisations that want to take back control of their entire data stack.
4. Audit and Monitor Regularly
- The framework is moving. DPF, PCLOB, AI Act, CNIL guidelines: a minimum annual audit is essential to verify that your configuration remains aligned.
- Audit your tag plan: do you know precisely what personal data leaves your website and to which recipients? That is the first question in case of an audit.
- Implement structured regulatory monitoring. This is not a nice-to-have. It is a prerequisite for managing with confidence.
Sources and References
- [1] CNIL – GDPR, What Are We Talking About?
- [2] CNIL – 2025 Activity Report (€487M in fines)
- [3] Legifrance – Art. 82, French Data Protection Act
- [4] CNIL – 2025-2028 Strategic Plan
- [5] EUR-Lex – AI Act (Regulation 2024/1689)
- [6] CNIL – AI Practical Guides for Professionals
- [7] CNIL – Google Analytics Formal Notice (10 February 2022)
- [8] CNIL – Google Analytics, Proxyfication Solution (7 June 2022)
- [9] NOYB – 101 Complaints on EU-US Transfers
- [10] CNIL – Data Privacy Framework Adoption (July 2023)
- [11] Data Privacy Framework – List of Certified Organisations
- [12] European Commission – First DPF Annual Review (Oct. 2024)
- [13] CJEU – Latombe Appeal Dismissed (Sept. 2025) and Ongoing Appeal
- [14] CNIL – Consent-Exempt Audience Measurement Solutions
- [15] CNIL – Cookies and Trackers FAQ (Self-Assessment)
- [16] Google – Consent Mode Documentation
- [17] Google – Consent Mode Implementation Guide
- [18] DataGuard – Consent Mode Advanced Risk Analysis
- [19] Lawfare – PCLOB Analysis and Impact on the DPF
- [20] Brennan Center – PCLOB Revocations and Legal Proceedings
- [21] NOYB – Max Schrems' Position on the DPF
- [22] Google – GA4 Conversion Modelling
Why Trust Us on These Topics?
- Didomi Gold Partner: EdgeAngel is one of the few agencies certified by Didomi, Europe's leading CMP. We support our clients with implementation, optimisation, and consent rate management.
- Cooki Consent: our own consent management solution, designed for advertisers seeking a lightweight and compliant alternative.
- 60+ advertisers supported on Server-Side, Consent Mode, and analytics compliance issues since 2020.
- Learn more about EdgeAngel