12 KiB
12 KiB
name, description
| name | description |
|---|---|
| ga4-privacy-compliance | Expert guidance for GA4 privacy and compliance including GDPR, CCPA, Consent Mode v2, data deletion, and privacy settings. Use when implementing Consent Mode, ensuring GDPR compliance, handling data deletion requests, configuring consent banners, or implementing privacy-first tracking. Covers consent parameters (ad_user_data, ad_personalization), data retention, IP anonymization, and compliance workflows. |
GA4 Privacy and Compliance
Overview
GA4 provides privacy-focused features for GDPR, CCPA, and global privacy regulations including Consent Mode, data controls, and compliance workflows.
When to Use This Skill
Invoke this skill when:
- Implementing Consent Mode v2 for GDPR compliance
- Setting up consent banners and consent management platforms (CMPs)
- Configuring privacy settings for EU/EEA users
- Handling GDPR/CCPA data deletion requests
- Implementing privacy-first tracking strategies
- Setting consent parameters (ad_storage, analytics_storage)
- Configuring data retention policies
- Managing user opt-outs and privacy requests
- Working with consent management platforms (OneTrust, Cookiebot)
- Implementing server-side consent tracking
- Debugging consent mode implementation
- Ensuring regulatory compliance for analytics
Core Capabilities
Consent Mode v2
What is Consent Mode: Google's API for communicating user consent status to GA4, Google Ads, and other Google tags.
Consent Parameters (v2):
-
ad_storage
- Purpose: Advertising cookies (remarketing, conversion tracking)
- Values: "granted" | "denied"
-
analytics_storage
- Purpose: Analytics cookies (GA4 tracking)
- Values: "granted" | "denied"
-
ad_user_data (NEW in v2)
- Purpose: User data sharing for advertising
- Values: "granted" | "denied"
-
ad_personalization (NEW in v2)
- Purpose: Personalized advertising
- Values: "granted" | "denied"
Additional Parameters:
-
personalization_storage
- Purpose: Website personalization
- Values: "granted" | "denied"
-
functionality_storage
- Purpose: Essential site functionality
- Values: "granted" | "denied"
-
security_storage
- Purpose: Security features (fraud prevention)
- Values: "granted" | "denied"
Implementing Consent Mode
Basic Implementation (gtag.js):
Step 1: Set Default Consent State (BEFORE gtag.js)
<script>
// Set default consent to denied
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'analytics_storage': 'denied'
});
// Configure GA4
gtag('config', 'G-XXXXXXXXXX');
</script>
<!-- Load gtag.js -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
Step 2: Update Consent After User Choice
// When user accepts all cookies
gtag('consent', 'update', {
'ad_storage': 'granted',
'ad_user_data': 'granted',
'ad_personalization': 'granted',
'analytics_storage': 'granted'
});
// When user accepts only analytics
gtag('consent', 'update', {
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'analytics_storage': 'granted'
});
// When user denies all
gtag('consent', 'update', {
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'analytics_storage': 'denied'
});
GTM Implementation:
Method 1: Using Consent Mode Template
- Install CMP Template (OneTrust, Cookiebot, etc.)
- Configure default consent in template
- Template auto-updates consent on user choice
Method 2: Manual GTM Setup
Create Consent Initialization Tag:
- Tag Type: Custom HTML
- Code:
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
'ad_storage': 'denied',
'analytics_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied'
});
</script>
- Trigger: Consent Initialization - All Pages
- Tag firing priority: 999 (fires first)
Create Consent Update Tag (on user acceptance):
- Tag Type: Custom HTML
- Code:
gtag('consent', 'update', ...) - Trigger: Custom event from CMP (e.g.,
consent_granted)
Regional Settings
EU-Specific Consent:
gtag('consent', 'default', {
'ad_storage': 'denied',
'analytics_storage': 'denied'
}, {
'region': ['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'GB']
});
gtag('consent', 'default', {
'ad_storage': 'granted',
'analytics_storage': 'granted'
}, {
'region': ['US-CA'] // California - CCPA
});
Consent Mode Behavior
When analytics_storage = "denied":
- GA4 uses cookieless pings
- No client_id stored in cookies
- Modeling used to fill gaps
- Limited user tracking
- Session duration not tracked
When analytics_storage = "granted":
- Full GA4 tracking enabled
- Cookies stored
- client_id persists
- Complete user journey tracking
Conversion Modeling: When consent denied, GA4 uses:
- Machine learning to estimate conversions
- Aggregated, anonymized data
- Behavioral modeling
- "Modeled" label in reports
Data Retention Settings
Path: Admin → Data Settings → Data Retention
Options:
- 2 months (default)
- 14 months
Applies To:
- User-level data in Explorations
- Event-level data in Explorations
- Does NOT affect standard reports
Reset on New Activity:
- ON: Timer resets when user returns (rolling window)
- OFF: Data deleted based on original collection date
GDPR Compliance:
- Shorter retention = more privacy-focused
- Document retention policy in privacy policy
- Consider BigQuery export for longer storage
Data Deletion Requests
User Right to Deletion (GDPR Article 17):
Deleting User Data:
- Admin → Data Settings → Data Deletion Requests
- Create Deletion Request
- Choose deletion parameter:
- User ID: Delete by user_id
- Client ID: Delete by client_id (user_pseudo_id)
- App Instance ID: Delete by app instance
- Enter identifier value
- Choose date range or "All time"
- Submit request
Processing:
- Takes up to 72 hours
- Deletes ALL events for that identifier
- Cannot be undone
- Confirmation email sent when complete
Best Practice:
- Maintain deletion request log
- Respond to requests within 30 days (GDPR requirement)
- Document process in privacy policy
IP Anonymization
GA4 Default Behavior:
- GA4 does NOT log or store IP addresses
- IP used only for geo-location derivation
- No additional anonymization needed
Unlike Universal Analytics:
- No
anonymize_ipparameter needed - Privacy-first by design
- IP address never in reports or exports
Google Signals
What It Enables:
- Demographics reporting (age, gender)
- Interests reporting
- Cross-device tracking (without User ID)
- Remarketing audiences
Privacy Implications:
- Requires user consent for personalized ads
- Subject to data thresholds
- User opt-out via Ads Settings
Enabling: Admin → Data Settings → Data Collection → Google Signals
Recommendation:
- Enable only with proper consent
- Respect user opt-outs
- Document in privacy policy
Data Thresholds
What Are Thresholds: GA4 applies thresholds to reports when:
- Small user counts could reveal individual identity
- Google Signals enabled
- User demographics requested
When Applied:
- Small audience sizes
- Rare combinations of dimensions
- Reports show "(thresholded)" or data withheld
Managing Thresholds:
- Disable Google Signals (if not needed)
- Use broader date ranges
- Aggregate dimensions
- Export to BigQuery for unthresholded data
Consent Management Platforms (CMPs)
Popular CMPs:
- OneTrust
- Cookiebot
- Termly
- Osano
- TrustArc
GTM CMP Templates: Most CMPs provide GTM templates:
- Community Template Gallery → Search CMP name
- Install template
- Configure CMP settings
- Auto-updates consent to GA4
Example: Cookiebot Integration
- Install Cookiebot tag on site
- Install Cookiebot template in GTM
- Template auto-sets default consent
- Updates consent based on user choice
- No manual gtag('consent') needed
GDPR Compliance Checklist
- Privacy policy updated with GA4 usage
- Cookie consent banner implemented
- Consent Mode v2 configured (all 4 parameters)
- Default consent set to "denied" for EU users
- Consent updates on user acceptance
- Data retention configured (2 or 14 months)
- Data deletion process documented
- User opt-out mechanism available
- Google Signals consent obtained (if enabled)
- Cross-border data transfer disclosures
- DPA (Data Processing Agreement) with Google signed
- Regular privacy audit schedule
CCPA Compliance
Requirements:
- Allow users to opt out of "sale" of personal information
- Provide "Do Not Sell My Personal Information" link
- Honor Global Privacy Control (GPC)
Implementation:
// Detect GPC signal
if (navigator.globalPrivacyControl) {
gtag('consent', 'update', {
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'analytics_storage': 'granted' // Analytics OK, ads denied
});
}
GTM Variable for GPC:
- Variable Type: JavaScript Variable
- Global Variable Name:
navigator.globalPrivacyControl - Use in Consent Mode logic
Testing Consent Mode
Verification Steps:
-
DebugView Test:
- Enable DebugView
- Before consent: Check
analytics_storage = denied - After consent: Check
analytics_storage = granted
-
Check Event Parameters:
- Events should include consent status
- Look for
gcsparameter (Google Consent State)
-
Cookie Inspection:
- Before consent: No
_gacookie - After consent:
_gacookie set
- Before consent: No
-
GTM Preview:
- Verify Consent Initialization tag fires first
- Verify GA4 tag respects consent
- Verify consent update tags fire on user action
Chrome DevTools:
// Check current consent state
dataLayer.filter(item => item[0] === 'consent')
Server-Side Consent
Measurement Protocol with Consent:
{
"client_id": "client_123",
"consent": {
"ad_storage": "denied",
"analytics_storage": "granted",
"ad_user_data": "denied",
"ad_personalization": "denied"
},
"events": [...]
}
Best Practice:
- Pass consent status from frontend to backend
- Include in all Measurement Protocol requests
- Store user consent preferences in database
Integration with Other Skills
- ga4-setup - Privacy settings during property setup
- ga4-gtag-implementation - Implementing Consent Mode with gtag.js
- ga4-gtm-integration - GTM Consent Mode setup
- ga4-data-management - Data retention and deletion
- ga4-user-tracking - User ID and privacy considerations
- ga4-measurement-protocol - Server-side consent parameters
References
- references/consent-mode-complete.md - Complete Consent Mode v2 implementation guide
- references/gdpr-compliance.md - GDPR compliance requirements and workflows
- references/ccpa-compliance.md - CCPA compliance guide
- references/cmp-integrations.md - Integrating popular consent management platforms
Quick Reference
Consent Parameters (v2):
ad_storage: Advertising cookiesanalytics_storage: Analytics cookiesad_user_data: User data sharing (NEW)ad_personalization: Personalized ads (NEW)
Set Default (Before Consent):
gtag('consent', 'default', {
'ad_storage': 'denied',
'analytics_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied'
});
Update After User Accepts:
gtag('consent', 'update', {
'ad_storage': 'granted',
'analytics_storage': 'granted',
'ad_user_data': 'granted',
'ad_personalization': 'granted'
});
Data Deletion: Admin → Data Deletion Requests → Create