Are Google Analytics and the Meta Pixel even legal?
Verdict: Pixel: consent, always · Analytics: consent or hard-privacy config
The two most-installed trackers in Europe sit on different legal footings — and both fail the way most sites run them: firing before you’ve clicked anything.
Both read and write on your device, so ePrivacy Art. 5(3) governs before the GDPR even starts. The Meta Pixel — third-party tracking feeding ad targeting — has no strictly-necessary argument: prior consent, full stop, and a fine record to match; sites embedding it on sensitive pages (health portals, banks) have produced the ugliest cases, because the pixel ships browsing context to Meta regardless of whether you have an account. Google Analytics is the nuanced one: after Schrems II, several DPAs (Austria, France, Italy leading) ruled GA transfers unlawful as then configured — the storm calmed with the Data Privacy Framework and GA4’s EU-tuned settings, but the consent question stayed: most regulators want consent for cross-site analytics, tolerating only genuinely privacy-hardened, first-party statistics (IP truncation, no ad linking, short retention) — the reason self-hosted tools like Matomo market themselves as the consent-free option. What this means for you as a visitor: a banner you rejected should mean zero GA/Pixel requests — check in a private window with the network tab or a tracker-blocking extension; sites firing before consent are violating, name-ably (banner rules). Wearing your site-owner hat: the webshop checklist ranks this the number-one small-business enforcement risk — configure consent mode properly or pick the boring self-hosted option and skip the banner theater entirely.
Verified against the sources above on 18 July 2026. Information, not legal advice.