Back to overview
Google AnalyticsFADPTracking

Setting Up Google Analytics 4 in Line with the Swiss FADP: Step by Step

Google Analytics 4 is the most widely used analytics tool on Swiss websites — and it can be run lawfully, provided the setup is right. Six steps, from consent and Consent Mode V2 to the privacy policy.

Aiara Team··9 min read
Setting Up Google Analytics 4 in Line with the Swiss FADP: Step by Step

«Are we actually still allowed to use Google Analytics?» I hear this question from Swiss SMEs and agencies almost every week — usually accompanied by half-remembered headlines about bans in Austria and France. The short answer: yes, Google Analytics 4 (GA4) can be operated lawfully in Switzerland. The longer answer: only if you get six things right. That is exactly what we cover here.

Why Google Analytics 4 is sensitive from a data protection perspective

GA4 transfers personal data to Google LLC in the United States — that is the core of the problem, not measurement as such. Cookie identifiers, device information and behavioural data qualify as personal data under both the Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR) as soon as they can be linked to a person. That raises two questions: is the tracking itself permissible — and may the data be sent to the US?

On the first question, the FADP and the GDPR broadly agree: audience measurement is allowed, but not unconditionally. It requires transparency, valid consent and a contract with the service provider — more on all of that in the six steps below.

On the second question, the situation has relaxed considerably, and this is often overlooked. Since 15 September 2024, the Swiss Federal Council has recognised the US as a country with an adequate level of data protection — but only for companies certified under the Swiss–U.S. Data Privacy Framework. Google LLC is certified. Transfers to Google are therefore permitted without you having to put additional safeguards such as standard contractual clauses in place. The well-known «Google Analytics is illegal» decisions from Austria and France date from 2022 — from the era before the framework, and they concerned the old Universal Analytics. Anyone citing them against GA4 today is arguing from an outdated legal position.

Still, that is only half an all-clear. The framework solves the transfer question and nothing else. Consent, a data processing agreement, data minimisation and transparency remain your responsibility — and that is precisely where most installations fail. The six steps below cover all of it. If you want to read up on the two laws first, see our guides on the FADP and the GDPR.

Step 1: Obtain consent before GA4 loads

The GA4 script may only load after the visitor has actively agreed in the cookie banner — this is the single most important rule. The Federal Data Protection and Information Commissioner (FDPIC) states in his cookie guidelines that analytics tracking which builds usage profiles requires consent. Under the GDPR the matter is even clearer: no consent, no analytics cookie.

In practice this means the banner must technically block the GA4 tag until the «Statistics» category has been accepted. A banner that merely informs while GA4 has long since fired in the background is worthless — and that is exactly the pattern I see most often in audits. You can check it yourself: open the browser developer tools, watch the network tab, reload the page. If requests to Google Analytics domains appear before you have clicked anything in the banner, the script loads too early.

The design of the banner itself matters too: «Decline» must be as easy as «Accept», and pre-ticked boxes invalidate the consent. Also document every decision — who consented to which category, and when? Without that log you cannot prove valid consent if it is ever challenged. Clean consent is the foundation — every further step builds on it.

Step 2: Wire up Google Consent Mode V2

Consent Mode V2 translates the banner decision into four signals that Google services understand — and it is mandatory as soon as you run Google Ads alongside GA4 with users from the European Economic Area (EEA). The signals analytics_storage, ad_storage, ad_user_data and ad_personalization must default to «denied» and may only switch to «granted» after consent.

How the implementation works in detail — Basic vs. Advanced mode, the default configuration, typical mistakes — is covered in our dedicated guide to Google Consent Mode V2. For the GA4 setup, this much suffices: your cookie banner must set the four signals correctly, otherwise GA4 either measures nothing at all or — worse — measures without valid consent.

Step 3: Limit data retention to 2 or 14 months

GA4 stores user-level event data for a limited period by default — in the property settings, under data retention, you choose between 2 and 14 months. This is one of the few places where GA4 accommodates the principle of data minimisation out of the box: more than 14 months is simply not available in the standard version.

Which option is right? From a pure data protection perspective: 2 months. If you want year-over-year comparisons in explorations, you need 14 months — that is also defensible, as long as your privacy policy states the period transparently. Worth knowing: the setting only affects the detailed event and user data used for your own analyses. The aggregated standard reports — page views per month, traffic sources — are retained regardless, because they no longer contain individual profiles.

While you are there, also check the setting that resets the retention period on new activity: if it is active, the clock restarts with every visit. For consistent data minimisation it should be switched off.

Step 4: Make a deliberate decision on Google signals and advertising features

Google signals are an active choice, not a default — and for most Swiss websites the right answer is: leave them off. If you activate the signals, Google links visits to your website with the Google accounts of signed-in users. That enables cross-device analysis, demographic reports and remarketing audiences — but it also means considerably more data flows to Google for advertising purposes.

If you switch the signals on, you need three things: your users' consent to personalised advertising (the ad_personalization signal in Consent Mode), a corresponding notice in your privacy policy, and a genuine use case. That last point is where things usually go wrong — many installations have the advertising features enabled without ever having run a remarketing campaign. Then you are collecting data without a purpose, which conflicts with the proportionality principle of the FADP. The rule of thumb: only activate what you demonstrably use.

Step 5: Accept the Data Processing Terms

Google processes your analytics data on your behalf — the law requires a contract for that, and you conclude it directly in the account settings. Google provides the so-called Data Processing Terms for this: the data processing agreement (DPA) for Google's advertising and analytics products. You will find the acceptance in the account settings of your GA4 property; that is also where you enter your organisation's contact details.

It sounds like a formality, but it is an obligation: Article 9 FADP and Article 28 GDPR require a contractual basis for any processing by a processor. Without accepted terms, Google processes your visitor data without a contract — a defect that stands out immediately in any data protection review. When a DPA is required in general and what to look out for is explained in our article on data processing agreements.

Step 6: Update your privacy policy

Your privacy policy must fully disclose your use of GA4 — if you measure, you have to say so. Specifically, the analytics paragraph should cover: the purpose (audience measurement and improving the site), the provider (Google LLC, or Google Ireland Limited as the European contracting party), consent as the legal basis, the cookies set and their lifetimes, the retention period you chose, the transfer to the US with a reference to the certification under the Data Privacy Framework — and a note that consent can be withdrawn at any time via the cookie settings.

If you have activated Google signals, add the paragraph on personalised advertising. How a complete privacy policy is structured and what else the FADP requires is shown in our guide to creating a privacy policy.

IP anonymisation: already the default in GA4

You do not need to configure IP anonymisation in GA4 — there simply is no switch for it any more. Anyone who worked with Universal Analytics will remember the anonymizeIp flag that had to be set manually and was easily forgotten. GA4 does not log IP addresses in the first place: Google uses them briefly on receipt for geolocation at city or region level and then discards them. A popular checklist item from old data protection audits — «IP anonymisation enabled?» — is therefore obsolete. If a consultant flags this point as a defect in your GA4 setup, they are working from an outdated checklist.

Is that enough for the GDPR?

Largely yes — the six steps also cover the GDPR requirements, because the European rules are stricter on analytics and served as the benchmark throughout this guide. Consent before loading, the ability to withdraw, a data processing agreement, transparency in the privacy policy: those are exactly the points European supervisory authorities examine when they look at analytics.

Two specifics remain for Swiss companies with EU customers. First, the GDPR requires consent without exception — the possibility discussed under the FADP of basing certain measurements on an overriding interest does not hold for EU visitors. Second, companies without an EU establishment that regularly track people in the EU may need an EU representative under Article 27 GDPR. What else applies when your website targets the EU market is summarised in our GDPR guide.

Embedding GA4 the compliant way with Aiara

With Aiara, the technical steps in this guide take care of themselves. The cookie banner automatically blocks GA4 until consent is given, sets the four Consent Mode V2 signals correctly and logs every decision in an audit-proof way. The legal text generator produces the matching analytics paragraph for your privacy policy in four languages — including the Data Privacy Framework reference. What remains are the account settings Google will not let anyone take off your hands: choose the data retention period, accept the Data Processing Terms, make a deliberate decision on Google signals. Three clicks, once — and your GA4 is set up cleanly.

Frequently Asked Questions

Is Google Analytics 4 allowed in Switzerland?

Yes — provided the setup is right. You need consent via the cookie banner before the script loads, correctly configured Consent Mode signals, accepted Data Processing Terms as your data processing agreement, and a paragraph in your privacy policy. The transfer to the US has been covered since 15 September 2024 by the Swiss–U.S. Data Privacy Framework, because Google LLC is certified under it.

Do I need consent for Google Analytics?

Yes. GA4 sets cookies and builds usage profiles — under the FDPIC's cookie guidelines, and even more clearly under the GDPR, that requires active consent. The script may only load after the visitor has agreed in the banner. A banner that fires GA4 the moment the page loads is the most common mistake in practice.

What does the Data Privacy Framework mean for Google Analytics?

Since 15 September 2024, the Swiss Federal Council has recognised the US as a country with an adequate level of data protection — but only for companies certified under the Swiss–U.S. Data Privacy Framework. Google LLC is certified. Data transfers to Google are therefore permitted without additional safeguards such as standard contractual clauses. The framework only solves the transfer question, though — consent, contract and transparency remain your responsibility.

Do I have to enable IP anonymisation in GA4?

No — it cannot be enabled at all, because it is the default. Unlike Universal Analytics with its anonymizeIp flag, GA4 does not log IP addresses. Google uses the IP address only briefly for geolocation at city or region level and then discards it. That configuration step simply no longer exists.

Which data retention period should I set in GA4?

For user-level event data, GA4 offers only two options: 2 or 14 months. From a data minimisation perspective, 2 months is the cleanest choice. If you need year-over-year comparisons in explorations, choose 14 months — that is also defensible, as long as your privacy policy states it transparently. The aggregated standard reports are unaffected by this setting.

Ready for clean cookie consent?

Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.

Discover Aiara