Google Analytics GA4 Breaks Data Security Laws

In theory, Google Analytics has Google consent mode, which gives it its own control over the data collection set up on your site. But it does not protect the privacy of the end user and doesn’t strictly follow GDPR or CCPR regulations. Even if the end user explicitly selects “No” or “Never” for being tracked, Google Analytics continues to collect data.

Google Analytics GA4 Consent

Google applies Google consent mode, which is not a consent management platform (CMP) like OneTrust, Cookiebot, Didomi, etc. Those tools show a banner when a visitor first arrives at the site. They collect and save a visitor’s consent by explaining what kinds of technologies are used for data collection, providing an explicit opt-in/opt-out, saving these choices for the customer, and allowing the customer to change or edit their consent choices later if they wish.

After that, the organization is responsible, as the data manager/processor, for your information and for how the CMP is integrated with other tools like TikTok Pixel, Hotjar, FB, and Analytics.

Google Analytics consent mode is available in all GTM tags. You can access it under Advanced Settings -> Consent Settings. It says the tag you use must be ‘consent aware’ in order to do anything with these settings. As you know, Google has 4 products: Floodlight, Ads, Analytics & Conversion Linker.

Google consent mode in GTM for Analytics tracking:

In this consent section, only the Built-in Consent Checks are available. They just inform you which consent settings can be used in the tag setup, such as ad_storage & analytics_storage. These built-in consent checks can’t be modified, so the logic of what data to send, and when, is determined by Google.

Google Hits Break Privacy Laws

This is the biggest concern with this minimal setup in Google Tag Manager: Google continues to collect data when the visitor has explicitly asked not to be tracked. This is also explained in the official documentation. The idea is to collect “anonymized” data from non-consenting visitors so that Google can create a behavioral model in Google Analytics, as I have described in my Reporting Identity post.

Most importantly, the non-consented data that is collected does not reach your Google Analytics account; it is for Google’s use only, and Google just provides you with insights based on it. The hit that is sent is the same as a regular hit in Google Analytics, only passed through the anonymization process.

Google Analytics GA4 consent data

Modeling in GA4

“When users don’t grant consent to the use of Analytics cookies or equivalent app identifiers, events are not associated with a persistent user identifier. For example, if Analytics collects 10 pageview events, it can’t observe and report whether that’s 10 users or 1 user. Instead, Analytics applies machine learning to estimate the behavior of those users based on the behavior of similar users who do accept analytics cookies or equivalent app identifiers.”

Point to Note:

In the context of GDPR/CCPR/ePR, this is a citizen’s right to privacy, written into the EU Charter of Fundamental Rights (Article 7). Applied to web analytics collecting visitor data, it is generally accepted to mean that the website controller should ask its visitors for explicit consent before collecting any personal data. Personal data means any data that can directly or indirectly identify the individual. This also extends to anonymous data points.

How to Block Google Ghost Hits

To stop Google consent mode from collecting data when it should not, you have to apply the settings strictly and require additional consent for the tag to fire.

The “Requires additional consent” option allows you to force the built-in checks to be evaluated only if they are explicitly set to true. You have to add the same check names as the built-in checks. The built-in checks will then only be used if they have been explicitly set by the visitor, i.e. consented to. If required, this setting can also be used to add different consent requirements, e.g. personalization_storage, that must also evaluate to true for the tag to fire.

To override Google’s behavior and block it from using unconsented data, you must force the tag to require explicit consent before any data is sent. For this, you require an additional consent management platform.
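One way to verify that the setting took effect, as an added example that is not part of the original post: after declining consent on the banner, copy the request URLs from the browser's network log and check whether any GA4 hit was still sent. The `gcs` parameter encoding (`G1`, then one digit each for ad_storage and analytics_storage) and the endpoint hosts are assumptions to confirm against your own traffic; the sample URLs are constructed.

```javascript
// Added example: audit captured request URLs for GA4 hits sent without consent.
// Assumption: the `gcs` query parameter has the form G1<ad><analytics>,
// where 1 = granted and 0 = denied (e.g. G100 = both denied).
const GA_HOSTS = ['google-analytics.com', 'analytics.google.com'];

// Decode a gcs value into the two built-in consent states; null if malformed.
function parseGcs(value) {
  const m = /^G1([01])([01])$/.exec(value || '');
  if (!m) return null;
  return {
    ad_storage: m[1] === '1' ? 'granted' : 'denied',
    analytics_storage: m[2] === '1' ? 'granted' : 'denied',
  };
}

// True when the URL is a GA4 measurement hit (/g/collect on a GA host).
function isGa4Hit(url) {
  const onGaHost = GA_HOSTS.some(
    (h) => url.hostname === h || url.hostname.endsWith('.' + h));
  return onGaHost && url.pathname.endsWith('/g/collect');
}

// Return every GA4 hit that left the browser while analytics_storage was
// denied, or whose consent state is missing or unreadable.
function findUnconsentedHits(requestUrls) {
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip non-URLs
    if (!isGa4Hit(url)) continue;
    const consent = parseGcs(url.searchParams.get('gcs'));
    if (!consent) {
      findings.push({ url: raw, reason: 'no readable gcs parameter' });
    } else if (consent.analytics_storage === 'denied') {
      findings.push({ url: raw, reason: 'analytics_storage denied' });
    }
  }
  return findings;
}

// Constructed sample: URLs as copied from a browser network log after
// clicking "No" on the consent banner. IDs and values are made up.
const SAMPLE = [
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE000&gcs=G100&en=page_view',
  'https://region1.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE000&gcs=G111&en=page_view',
  'https://www.example.com/assets/app.js',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE000&en=scroll',
];
console.log(findUnconsentedHits(SAMPLE));
```

With the additional consent requirement in place, a session where the visitor declined should produce an empty result.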


If a visitor has explicitly stated that they don’t want to be tracked, or don’t want any of their data or activity on the app/site to be used in any way, and you as a data processor still continue to collect that information, then you deliberately break the GDPR law.

“The approach that Google has adopted with consent mode is that it is legitimate for them to collect data without consent, so long as no cookie is set – but it’s for Google eyes only. That is, the data collected via the Google tags is not shared with the Google Analytics user. However, consent is not about the technology used i.e. whether a cookie is set or not, it’s about the right to privacy. Google’s whole approach simply smells bad.”
