Is Google Analytics legal in Sweden in 2026?
Short answer: yes, if you get a number of things right. The more honest answer: for most Swedish sites it is easier to sidestep the question entirely. Here are both paths, grounded in what IMY actually said in 2023 and what they have followed up with in 2025.
The short answer
Google Analytics 4 can be used legally in Sweden under specific technical and legal conditions. It requires Consent Mode v2 that actually works, a cookie banner that follows IMY's 2025 practice, a short retention period, IP anonymization, a signed DPA with Google and a legal basis resting on the EU-US Data Privacy Framework adequacy decision.
That is a lot of conditions. On top of that, the DPF is under legal challenge. For the majority of Swedish sites it is simpler to pick a tool that makes no third-country transfers at all. This guide explains both paths. You choose the one that fits you.
IMY's four decisions in 2023 and what they actually said
In July 2023 the Swedish data protection authority (IMY) published decisions against four Swedish companies that used Google Analytics. The conclusion was the same in all four: the transfer of personal data to the US via GA4 violated GDPR.
- Tele2: an administrative fine of 12 million kronor.
- CDON: an administrative fine of 300,000 kronor.
- Coop: no fine, an injunction to stop using the tool. Judged to have cooperated actively.
- Dagens Industri: an injunction to stop using the tool.
What matters is not the amounts but the reasoning. IMY held that the technical safeguards Google offered (IP anonymization, truncated data sets, signed SCCs) were not in themselves enough to neutralize the risk that US intelligence services could gain access to EU citizens' data. That reasoning is grounded directly in the Schrems II ruling from 2020, where the Court of Justice of the EU invalidated Privacy Shield.
- Jul 2020Schrems II
The Court of Justice of the EU invalidates Privacy Shield. The US becomes a third country without an adequate level of protection.
- 2022Italy, France, Austria
Three EU data protection authorities ban GA4. Sets the precedent for IMY.
- Jul 2023IMY decisions in Sweden
Four Swedish companies are found liable. Administrative fines between 0 and 12 million kronor.
- Jul 2023EU-US Data Privacy Framework
The European Commission adopts a new adequacy decision. GA4 becomes technically legal again, under conditions.
- Apr 2025IMY takes on cookie banners
IMY criticizes Warner Music, ATG and Aller Media for asymmetric consent banners.
- OngoingSchrems III
A new legal challenge has been filed against the DPF. A ruling is expected within 2 to 4 years.
What it takes for GA4 to be legal today
The DPF adequacy decision provides the legal basis for the transfer. But adequacy alone is not enough to keep a Swedish GA4 installation in the clear when IMY comes reviewing. Seven requirements you need to be able to tick off:
- Consent Mode v2 implemented and verified. Not just installed. You must be able to show that tracking pixels do not fire until the user actively clicks consent. Many CMP installations fail here because the default state sends "denied" while still loading gtag.js.
- A cookie banner that follows IMY's 2025 practice. "Reject" must be as clear as "Accept". The reject button may not be hidden behind a link or require two clicks. Withdrawing consent must be at least as easy as giving it.
- A short retention period. The GA4 default is 14 months. Set it down to two months. Weekly and monthly reporting gets by fine on that.
- IP anonymization enabled and verified. GA4 anonymizes IPs by default since 2023, but verify that no custom configurations send the full address.
- A DPA signed under GDPR Art. 28. Found in the Google Analytics admin under Account Settings → Data Processing Terms. It must be actively accepted.
- A privacy policy that lists Google as a sub-processor with a reference to the DPF certification.
- A cookie policy that describes which cookies GA4 sets (_ga, _ga_*, _gid) and how long they live.
If any of these steps is missing, you are legally in the same place CDON and Tele2 were in 2022.
Where the risk sits
The DPF adequacy decision is not carved in stone. Max Schrems, the lawyer behind Schrems I and Schrems II, has already filed a new legal challenge known as Schrems III. It argues that US surveillance law has not materially changed since 2020, and that the DPF therefore carries the same legal defect Privacy Shield did.
The latest rulings from the Court of Justice of the EU indicate that the court takes the arguments seriously. A realistic time horizon for a Schrems III ruling is 2 to 4 years. If the DPF is invalidated, Swedish GA4 users land overnight in the same legal situation as in 2022. The assessment could also become retroactive: data transferred during the DPF period may come to be regarded as unlawfully processed.
It is not an acute risk. But it is not a risk you want to inherit either.
The cookie-banner data loss nobody talks about
Most GA4 guides focus on "how do we configure this so it is legal". They rarely talk about what you lose in the analytics itself as a consequence.
Cookie banners lose measurable amounts of data. Studies from France, Germany and Sweden point to 30 to 60 percent of mobile visitors rejecting cookie banners or closing the tab. In GA4 you never see it. Rejected visitors simply are not counted at all. You think your mobile conversion is low when half of your visitors never got the chance to be counted.
Sites that switch to cookie-free analytics consistently report more visitors than GA4 showed the same week. That is not new traffic. It is data GA4 never got to see because of the banner loss. We have written more about that effect in the cookie-banner visitor loss.
If you take the "reconfigure GA4" route you solve the legal problem but not the measurement problem. You keep measuring a subset of your audience. That is central to the decision below.
When GA4 is enough, and when it is not
GA4 is still the right tool if:
- Google Ads attribution is central to your revenue. Cookie-free analytics does not read gclid and does not connect to Google Ads accounts. That part cannot be replaced.
- You need cross-device user ID for logged-in flows. A persistent identifier is not compatible with cookie-free tracking.
- Custom events and deep e-commerce integration are everything to you. GA4 has deep integration with enhanced ecommerce. It is possible with cookie-free analytics but not as seamless.
GA4 is the wrong tool if:
- You run a site for the public sector, healthcare, education, or B2B with compliance-reviewing customers.
- Your mobile traffic is at least half of your total traffic and you make decisions based on the numbers.
- You would rather not stand in the middle of a potential Schrems III scramble.
- You want a privacy policy that does not require a cookie banner.
Decision matrix: keep, reconfigure or switch
Three situations, three answers. Choose based on where you actually stand today.
Keep it as it is
For teams that already have Consent Mode v2 implemented and verified, a CMP that follows IMY's 2025 practice, two-month retention and no compliance pressure from larger customers or the public sector. A legal grey zone, but a zone that may be good enough.
Reconfigure GA4
The technical debt of building out Consent Mode v2 properly is high but manageable. Budget 2 to 4 weeks of work for a mid-sized site. The result is a legitimate GA4 setup that still carries the banner loss. Legal risk shrinks, the data blind spot remains.
Switch to cookie-free analytics
For the majority of Swedish sites, the simplest path. A tool that uses no cookies has no banner to get past, no third-country transfer to defend, no Schrems III risk to inherit. Migration typically takes under an hour.
How Spårlös fits into the picture
We built Spårlös for the third option. Cookie-free, EU-hosted architecture, a Swedish DPA, F-skatt and VAT-inclusive SEK pricing. A 1.4 KB tracker, 90-second setup, 14-day Pro trial with no card required.
It is honest to say that Plausible, Fathom, Matomo and Umami are also legitimate privacy-first alternatives. The difference lies in the Swedish-specific touch points: a DPA in Swedish, support in Swedish, invoicing to Swedish standards, and a product roadmap we steer ourselves from Sweden. For municipalities, regions, healthcare and B2B customers working with Swedish procurement templates, that carries weight.
If you want to see what an actual migration looks like, we have written a step-by-step guide in Switch from Google Analytics in 2026. You lose gclid tracking. You get back the visitors the banner loss took from you.
Take something concrete with you
Our DPA is pre-filled, references Swedish law and lists all sub-processors openly. Download it, email it to your DPO or IT manager, start the conversation with a document in hand.
Summary: your checklist
- Decide: keep, reconfigure or switch (the matrix above)
- If you keep it: document why, including your Consent Mode v2 status
- If you reconfigure: budget 2 to 4 weeks of work plus follow-up
- If you switch: run in parallel with GA4 for 2 to 3 days to verify the numbers
- Verify that Consent Mode v2 actually blocks pixels without consent
- Set GA4 retention to 2 months, not the default 14
- Check that your cookie banner follows IMY's 2025 practice (symmetrical buttons)
- Accept the DPA in the Google Analytics admin if you have not already
- Update your privacy policy and cookie policy if anything has changed
Frequently asked questions
Is GA4 legal if I have Consent Mode v2?
It counts toward the assessment, but it is not the whole answer. Consent Mode v2 solves the problem of pixels firing without consent. It does not solve the fact that Google remains your data processor, that the data is handled by a company subject to US law, and that the transfer rests on the DPF adequacy decision, which is under legal challenge. Consent Mode v2 is a requirement, not an answer.
What happens if the Court of Justice of the EU invalidates the DPF?
Then Swedish GA4 users land overnight in the same legal situation as in 2022. The Schrems II ruling was the previous version of that situation, and the IMY decisions of 2023 were the consequence. The risk is not acute today, but a realistic time horizon for a Schrems III ruling is 2 to 4 years. Companies that migrate before then avoid redoing the whole exercise under pressure.
Is a CMP enough to be safe with IMY?
No. A CMP is the tool that manages consent. IMY’s 2025 criticism of Warner Music, ATG and Aller Media was about HOW it was used, not whether they had one. The design must be symmetrical (a "Reject" option as clear as "Accept"), consent must be easy to withdraw, and dark patterns are not allowed. A CMP plus a bad configuration is still a bad configuration.
Can IMY fine me even with a correctly configured GA4 setup?
In practice it is unlikely as long as the DPF stands, you have a valid DPA with Google, short retention, a working Consent Mode v2 implementation and a banner that follows the 2025 practice. IMY typically issues an injunction first. An administrative fine only comes if you fail to act on that injunction. The road from a correct GA4 setup to a fine always runs through IMY’s formal process, never directly.
Which retention period is safe?
Two months is the shortest GA4 allows and the one we recommend for minimal risk. The default is 14 months. Two months goes a long way for weekly and monthly reporting. If you need historical comparisons further back, export monthly aggregated data to a local CSV or BigQuery. Personal data gets deleted, aggregates are kept.
We are not lawyers. We have, however, built a product that addresses exactly this problem and helped companies through the migration. If you need to go deeper into the legal side, consult a GDPR lawyer. If you need a practical shortcut, email [email protected].
Further reading: Did you get a warning from IMY? · Schrems II in practice · Spårlös vs Google Analytics · You own your data.