I live in Munich, run analytics projects across the EU, and have watched the same consent banner get approved in France, questioned in Italy, and rewritten in Germany — all in the same quarter. On paper, the GDPR and ePrivacy Directive apply equally everywhere. In practice, the national regulators enforcing them disagree on what valid consent looks like, which analytics setups are exempt, and which third-country transfers are still lawful after Schrems II.
This guide maps the three toughest regulators for product analytics — CNIL in France, Garante in Italy, BfDI plus the 16 state DPAs in Germany — and shows where they diverge, what each has fined companies for, and how to build a banner that survives all three.
Why the Same Law Produces Three Different Outcomes
The GDPR sets the baseline; each member state then layers national cookie and telecom law on top. France has the Loi Informatique et Libertés. Italy has the Codice della Privacy. Germany has the TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz), in force since 1 December 2021 and renamed TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) in May 2024; the cookie rule in §25 carried over unchanged, and the rest of this guide keeps the older TTDSG name that most guidance still cites.
These national layers define what "consent" means in practice, and the supervisory authorities (DPAs) enforcing them decide which banners meet that definition. The CNIL, the Garante and the German authorities (which coordinate through the DSK, the joint conference of the federal and state DPAs) have each published guidance that contradicts the others on at least three points, covered below.

CNIL (France) — Strict on UX, Flexible on Exemption
The CNIL is the most publicly active analytics regulator in Europe. In December 2020 it fined Google €100M and Amazon €35M for setting advertising cookies before any consent was given; in decisions dated 31 December 2021 it fined Google €150M and Facebook €60M because refusing cookies took several clicks while accepting took one.
Two rules matter most for analytics teams:
- Refusing must be as easy as accepting. Same button size, same color contrast, same number of clicks. Burying “Refuse” in a sub-menu is the violation pattern that gets fined.
- The "exempt analytics" conditions. The CNIL does not certify products; it publishes the conditions under which audience measurement may run without consent and names tools (Matomo self-hosted, Piwik PRO EU cloud, AT Internet behind a proxy, and a handful of others) that can be configured to meet them: measurement strictly for the publisher's own site, IP truncation, no cross-site tracking, no sharing of the data with third parties, cookie lifetime capped at 13 months, and raw data kept no longer than 25 months.
The exemption is a real option. I’ve used Matomo self-hosted with the CNIL profile on three French clients — no banner needed for basic traffic analytics, and it sidesteps the whole Schrems II conversation.
Garante (Italy) — Bans Over Fines
The Garante prefers orders over cash fines. Its defining move was the June 2022 decision against a publisher using Universal Analytics: the site was ordered to stop the transfers within 90 days, and the Garante publicly warned every other Italian operator to check its own setup, which in practice shut Google Analytics out of Italy without EU-only data residency.
Three Garante-specific rules:
- Scrolling is not consent. The Garante's June 2021 cookie guidelines (applicable from January 2022) explicitly reject "continuing to browse implies consent" banners. Only active opt-in counts.
- First-party aggregated analytics is the exemption bar. Not CNIL’s pre-approved list — Italy requires that data never reach a third-party processor in an identifiable form.
- Pay-or-consent and cookie walls are treated as not "freely given". The Garante's 2021 guidelines accept a wall only where the site also offers an equivalent way in that does not require consent. CNIL and the German DPAs allow pay-or-consent in narrow cases; Italy, in practice, does not.
If you ship the same banner across FR/IT/DE, Italy is where it most often breaks.
BfDI and LfDI (Germany) — Sixteen Opinions in One Country
Germany has no single analytics regulator. The BfDI supervises federal public bodies and telecommunications and postal companies; private companies, which is what a website operator usually is, answer to the data-protection authority of the state where they are established, and the 16 state authorities disagree with each other.
The Lower Saxony LfD fined the retailer notebooksbilliger.de €10.4M in January 2021 for video surveillance of employees (a court later reduced the amount substantially, but the reach of a single state authority is the point). The Bavarian BayLDA takes a lighter stance on Google Analytics. The Hamburg DPA is historically the most hostile to US data transfers.
The one thing all 16 agree on is §25 TTDSG (now §25 TDDDG): storing information on, or reading information from, a user's device (cookies, localStorage, the device characteristics read for fingerprinting) requires opt-in consent unless it is strictly necessary to provide the service the user explicitly requested. The DSK's guidance treats reach measurement and analytics as never strictly necessary, so in Germany there is no consent-free analytics cookie.
Practical takeaway: formally, the competent authority follows where your company is established (§40 BDSG), not where your users sit, but the other state DPAs' guidance still shapes what the DSK and the courts expect, so assume the strictest interpretation. For a Munich-based ecommerce client in 2024 we defaulted to the BayLDA guidance and layered a Hamburg-compatible fallback for users resolving there via GeoIP; overkill in most places, exactly right in two.
Side-by-Side: What Each Regulator Fines For
The same UX choice can be fine in one country and a violation in another. Here’s the breakdown across five common banner patterns:

Three patterns survive everywhere: equal-weight accept/reject buttons, explicit opt-in (no scroll-as-consent), and no banner at all, but only when the setup is exempt under each regulator's own test rather than just the CNIL's list. In Germany that means nothing is stored on or read from the device; in Italy it means first-party, aggregated data that never reaches a third party in identifiable form. Everything else has at least one regulator that will fine or block you.
Third-Country Transfers: Schrems II in Enforcement
After Schrems II and the EU-US Data Privacy Framework adequacy decision (July 2023), transfers to the US are lawful again, but only to DPF-certified recipients and only for as long as the adequacy decision stands (the first court challenge was dismissed by the EU General Court in September 2025; further challenges remain possible). Each regulator has signaled a different level of trust:
- CNIL — Accepts DPF-certified transfers if SCCs are in place as a fallback. Still recommends proxying IPs for GA4.
- Garante — Has not explicitly blessed the DPF. Italian enforcement actions from 2022-2023 remain the most aggressive, and teams still treat Italy as a “US data is risky” jurisdiction.
- BfDI and state LfDIs — Divided. The Berlin DPA accepts the DPF; the Hamburg DPA is publicly skeptical. If your users are in Hamburg, expect questions.
The safe move for pan-EU analytics in 2026 remains EU-hosted tooling (Matomo, Plausible, Piwik PRO EU region), where no third-country transfer takes place and the question never arises.
A Decision Tree That Works Across All Three

The first question — does it transfer data outside the EU — decides whether you have a hard problem (Italy) or an easy one. The second — equal-weight banner — is the only one that works uniformly across all three regulators. Answer both before picking a vendor, not after.
Practical Setup: What I Actually Ship
For a new pan-EU product launch today I default to one of two configurations:
- Exempt mode: Matomo or Piwik PRO self-hosted in the EU, CNIL-exempt profile, no banner, IP truncated. Works in FR, questionable but defensible in IT, restricted in DE: the exempt profile still sets a 13-month cookie, §25 TTDSG needs opt-in for that, so Germany only gets banner-free analytics if you run the tool cookieless.
- Consented mode: GA4 with Consent Mode v2, equal-weight banner, server-side tagging via EU-based GTM server, DPF-certified transfers. Works in all three countries but depends on banner UX quality.
For German-only products I skip GA4 entirely — the TTDSG friction isn’t worth the data gain over Matomo.
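The consented-mode configuration above and the §25 TTDSG rule from the German section reduce to one mechanical question in the browser: can anything be written to or read from the device before the user has chosen? What follows is an added example, not code from the article or from any consent-management vendor, of a gate that answers it: default-denied Consent Mode v2 signals pushed before any tag, a single symmetric call for accept and for reject, and a storage guard that refuses writes until the matching category is granted. The storage key `cmp_consent`, the six-month re-ask interval and the in-memory Storage stub are assumptions; in a browser you would pass window.localStorage and window.dataLayer.

```javascript
// Added example, not code from the article or from any consent vendor.
// Models three rules from the text: §25 TTDSG/TDDDG (nothing stored on or
// read from the device before opt-in, except what is strictly necessary),
// CNIL's "refusing must be as easy as accepting" (one call each, same
// depth), and GA4 Consent Mode v2 (default = all denied, then update).
// Storage and dataLayer are injected so it runs in Node; in a browser pass
// window.localStorage and window.dataLayer. Key name and TTL are assumed.

const CATEGORIES = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];
const CONSENT_KEY = 'cmp_consent';                 // assumed storage key
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;  // assumed: re-ask after six months

const denyAll = () => Object.fromEntries(CATEGORIES.map((c) => [c, 'denied']));
const grantAll = () => Object.fromEntries(CATEGORIES.map((c) => [c, 'granted']));

// Minimal Storage-API lookalike so the gate runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    get length() { return m.size; },
  };
}

function createConsentGate({ storage, dataLayer, now = () => Date.now() }) {
  const gtag = (...args) => dataLayer.push(args);  // same shape as the gtag() shim
  let choices = null;                               // null: user has not decided yet

  // Consent Mode v2: the default call precedes every tag, everything denied.
  gtag('consent', 'default', { ...denyAll(), wait_for_update: 500 });

  // Reading the stored consent record is the one strictly-necessary pre-choice
  // access. A stale or corrupt record counts as "never asked" and is removed.
  const raw = storage.getItem(CONSENT_KEY);
  if (raw !== null) {
    let rec = null;
    try { rec = JSON.parse(raw); } catch (e) { rec = null; }
    if (rec && typeof rec.ts === 'number' && now() - rec.ts < CONSENT_TTL_MS) {
      choices = { ...denyAll(), ...rec.choices };
      gtag('consent', 'update', { ...choices });
    } else {
      storage.removeItem(CONSENT_KEY);
    }
  }

  const granted = (category) => choices !== null && choices[category] === 'granted';

  // Every category not named is denied, so rejectAll() and acceptAll() are
  // the same single call: no extra layer or click for refusing.
  function decide(partial) {
    for (const [c, v] of Object.entries(partial)) {
      if (!CATEGORIES.includes(c) || (v !== 'granted' && v !== 'denied')) {
        throw new TypeError(`invalid consent signal ${c}=${v}`);
      }
    }
    choices = { ...denyAll(), ...partial };
    storage.setItem(CONSENT_KEY, JSON.stringify({ choices, ts: now() })); // strictly necessary write
    gtag('consent', 'update', { ...choices });
    return { ...choices };
  }

  return {
    decide,
    acceptAll: () => decide(grantAll()),
    rejectAll: () => decide({}),
    state: () => (choices === null ? 'unset' : 'decided'),
    granted,
    // Vendors write through here instead of touching storage; the write is
    // refused (returns false) until the matching category is granted.
    guardedSet(category, key, value) {
      if (!granted(category)) return false;
      storage.setItem(key, value);
      return true;
    },
  };
}

// Constructed walk-through of one visitor, not captured from a real site.
function walkthrough() {
  const storage = memoryStorage();
  const dataLayer = [];
  const gate = createConsentGate({ storage, dataLayer });
  const beforeChoice = gate.guardedSet('analytics_storage', '_ga', 'GA1.1.1');
  const writesBeforeChoice = storage.length;          // 0: nothing touched the device
  gate.rejectAll();
  const afterReject = gate.guardedSet('analytics_storage', '_ga', 'GA1.1.1');
  gate.decide({ analytics_storage: 'granted' });      // granular: analytics only
  const afterGranular = gate.guardedSet('analytics_storage', '_ga', 'GA1.1.1');
  const adsStillDenied = gate.guardedSet('ad_storage', '_gcl_au', '1');
  return { beforeChoice, writesBeforeChoice, afterReject, afterGranular, adsStillDenied, dataLayer };
}
```

A vendor SDK that sets its own cookies cannot be policed by guardedSet(); it has to stay unloaded, not merely told "denied", until granted('analytics_storage') is true, which is what Google calls basic Consent Mode. Advanced mode loads the tag first and sends cookieless pings before the choice, and whether that counts as reading the device under §25 is a question to put to your own DPA before relying on it.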
FAQ
Is GA4 still legal in the EU in 2026?
Yes, but conditionally. Google Analytics 4 is lawful in France, Germany, and most of the EU with proper consent and Data Privacy Framework certification. Italy still treats it with suspicion without EU-only data residency guarantees. The safest setup is Consent Mode v2 plus server-side tagging via an EU-hosted GTM server.
Which EU country is the strictest on analytics consent?
For enforcement volume, France (CNIL) issues the most fines and the largest. For banning specific tools, Italy (Garante) has been the most aggressive, shutting Universal Analytics out in 2022. Germany is the most fragmented, with 16 state regulators plus the federal BfDI and no unified stance, so compliance depends on which state your company is established in and where your users are.
Can I use the same consent banner across France, Italy, and Germany?
Yes, if it meets four requirements at once: equal-weight accept/reject buttons, no scroll-as-consent, explicit opt-in with granular category controls, and a reject option in the first layer. Most banners built for French compliance pass Italian and German checks too, but any site with German users also needs §25 TTDSG opt-in before anything non-essential is stored on or read from the device, local storage included.
What is the CNIL exempt analytics list?
The CNIL publishes conditions under which audience-measurement tools may run without user consent: IP truncation, no cross-site tracking, cookie lifetime capped at 13 months, raw data kept no longer than 25 months, and no sharing of the data with third parties. Matomo self-hosted, Piwik PRO EU cloud, and AT Internet behind a proxy are named as tools that can be configured to meet them. This is French guidance; the exemption does not carry over to Italy or Germany.
Do legitimate interest and analytics consent overlap?
Rarely. The ePrivacy Directive (Article 5(3)) requires consent for storing or reading cookies and similar identifiers, which covers almost all analytics. Legitimate interest under GDPR Article 6(1)(f) only applies to the processing that happens after the cookie is already lawfully set. In practice, legitimate interest does not replace the ePrivacy consent requirement for cookie-based analytics.
Where to Go Next
Start with your deployment map: list every country where you have users, then check which regulator applies. For pan-EU products the fastest path is a CNIL-compliant banner plus EU-hosted analytics — it’s the intersection that passes all three. For teams already on GA4, the question becomes banner UX and DPF certification status of your setup. Neither path is quick, but both are durable.