---

name: ga4-privacy-compliance description: Expert guidance for GA4 privacy and compliance including GDPR, CCPA, Consent Mode v2, data deletion, and privacy settings. Use when implementing Consent Mode, ensuring GDPR compliance, handling data deletion requests, configuring consent banners, or implementing privacy-first tracking. Covers consent parameters (ad_user_data, ad_personalization), data retention, IP anonymization, and compliance workflows.

GA4 Privacy and Compliance

Overview

GA4 provides privacy-focused features for GDPR, CCPA, and global privacy regulations including Consent Mode, data controls, and compliance workflows.

When to Use This Skill

Invoke this skill when:

• Implementing Consent Mode v2 for GDPR compliance
• Setting up consent banners and consent management platforms (CMPs)
• Configuring privacy settings for EU/EEA users
• Handling GDPR/CCPA data deletion requests
• Implementing privacy-first tracking strategies
• Setting consent parameters (ad_storage, analytics_storage)
• Configuring data retention policies
• Managing user opt-outs and privacy requests
• Working with consent management platforms (OneTrust, Cookiebot)
• Implementing server-side consent tracking
• Debugging consent mode implementation
• Ensuring regulatory compliance for analytics

Core Capabilities

Consent Mode v2

What is Consent Mode: Google's API for communicating user consent status to GA4, Google Ads, and other Google tags.

Consent Parameters (v2):

1. ad_storage

   • Purpose: Advertising cookies (remarketing, conversion tracking)
   • Values: "granted" | "denied"

2. analytics_storage

   • Purpose: Analytics cookies (GA4 tracking)
   • Values: "granted" | "denied"

3. ad_user_data (NEW in v2)

   • Purpose: User data sharing for advertising
   • Values: "granted" | "denied"

4. ad_personalization (NEW in v2)

   • Purpose: Personalized advertising
   • Values: "granted" | "denied"

Additional Parameters:

1. personalization_storage

   • Purpose: Website personalization
   • Values: "granted" | "denied"

2. functionality_storage

   • Purpose: Essential site functionality
   • Values: "granted" | "denied"

3. security_storage

   • Purpose: Security features (fraud prevention)
   • Values: "granted" | "denied"

Implementing Consent Mode

Basic Implementation (gtag.js):

Step 1: Set Default Consent State (BEFORE gtag.js)

Copy<script>
  // Set default consent to denied
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}

  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'analytics_storage': 'denied'
  });

  // Configure GA4
  gtag('config', 'G-XXXXXXXXXX');
</script>

<!-- Load gtag.js -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>

Step 2: Update Consent After User Choice

Copy// When user accepts all cookies
gtag('consent', 'update', {
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted',
  'analytics_storage': 'granted'
});

// When user accepts only analytics
gtag('consent', 'update', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'granted'
});

// When user denies all
gtag('consent', 'update', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied'
});

GTM Implementation:

Method 1: Using Consent Mode Template

1. Install CMP Template (OneTrust, Cookiebot, etc.)
2. Configure default consent in template
3. Template auto-updates consent on user choice

Method 2: Manual GTM Setup

Create Consent Initialization Tag:

1. Tag Type: Custom HTML
2. Code:

Copy<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'analytics_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied'
  });
</script>

1. Trigger: Consent Initialization - All Pages
2. Tag firing priority: 999 (fires first)

Create Consent Update Tag (on user acceptance):

1. Tag Type: Custom HTML
2. Code: gtag('consent', 'update', ...)
3. Trigger: Custom event from CMP (e.g., consent_granted)

Regional Settings

EU-Specific Consent:

Copygtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied'
}, {
  'region': ['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'GB']
});

gtag('consent', 'default', {
  'ad_storage': 'granted',
  'analytics_storage': 'granted'
}, {
  'region': ['US-CA']  // California - CCPA
});

Consent Mode Behavior

When analytics_storage = "denied":

• GA4 uses cookieless pings
• No client_id stored in cookies
• Modeling used to fill gaps
• Limited user tracking
• Session duration not tracked

When analytics_storage = "granted":

• Full GA4 tracking enabled
• Cookies stored
• client_id persists
• Complete user journey tracking

Conversion Modeling: When consent denied, GA4 uses:

• Machine learning to estimate conversions
• Aggregated, anonymized data
• Behavioral modeling
• "Modeled" label in reports

Data Retention Settings

Path: Admin → Data Settings → Data Retention

Options:

• 2 months (default)
• 14 months

Applies To:

• User-level data in Explorations
• Event-level data in Explorations
• Does NOT affect standard reports

Reset on New Activity:

• ON: Timer resets when user returns (rolling window)
• OFF: Data deleted based on original collection date

GDPR Compliance:

• Shorter retention = more privacy-focused
• Document retention policy in privacy policy
• Consider BigQuery export for longer storage

Data Deletion Requests

User Right to Deletion (GDPR Article 17):

Deleting User Data:

1. Admin → Data Settings → Data Deletion Requests
2. Create Deletion Request
3. Choose deletion parameter:
   • User ID: Delete by user_id
   • Client ID: Delete by client_id (user_pseudo_id)
   • App Instance ID: Delete by app instance
4. Enter identifier value
5. Choose date range or "All time"
6. Submit request

Processing:

• Takes up to 72 hours
• Deletes ALL events for that identifier
• Cannot be undone
• Confirmation email sent when complete

Best Practice:

• Maintain deletion request log
• Respond to requests within 30 days (GDPR requirement)
• Document process in privacy policy

IP Anonymization

GA4 Default Behavior:

• GA4 does NOT log or store IP addresses
• IP used only for geo-location derivation
• No additional anonymization needed

Unlike Universal Analytics:

• No anonymize_ip parameter needed
• Privacy-first by design
• IP address never in reports or exports

Google Signals

What It Enables:

• Demographics reporting (age, gender)
• Interests reporting
• Cross-device tracking (without User ID)
• Remarketing audiences

Privacy Implications:

• Requires user consent for personalized ads
• Subject to data thresholds
• User opt-out via Ads Settings

Enabling: Admin → Data Settings → Data Collection → Google Signals

Recommendation:

• Enable only with proper consent
• Respect user opt-outs
• Document in privacy policy

Data Thresholds

What Are Thresholds: GA4 applies thresholds to reports when:

• Small user counts could reveal individual identity
• Google Signals enabled
• User demographics requested

When Applied:

• Small audience sizes
• Rare combinations of dimensions
• Reports show "(thresholded)" or data withheld

Managing Thresholds:

• Disable Google Signals (if not needed)
• Use broader date ranges
• Aggregate dimensions
• Export to BigQuery for unthresholded data

Consent Management Platforms (CMPs)

Popular CMPs:

• OneTrust
• Cookiebot
• Termly
• Osano
• TrustArc

GTM CMP Templates: Most CMPs provide GTM templates:

1. Community Template Gallery → Search CMP name
2. Install template
3. Configure CMP settings
4. Auto-updates consent to GA4

Example: Cookiebot Integration

1. Install Cookiebot tag on site
2. Install Cookiebot template in GTM
3. Template auto-sets default consent
4. Updates consent based on user choice
5. No manual gtag('consent') needed

GDPR Compliance Checklist

• Privacy policy updated with GA4 usage
• Cookie consent banner implemented
• Consent Mode v2 configured (all 4 parameters)
• Default consent set to "denied" for EU users
• Consent updates on user acceptance
• Data retention configured (2 or 14 months)
• Data deletion process documented
• User opt-out mechanism available
• Google Signals consent obtained (if enabled)
• Cross-border data transfer disclosures
• DPA (Data Processing Agreement) with Google signed
• Regular privacy audit schedule

CCPA Compliance

Requirements:

• Allow users to opt out of "sale" of personal information
• Provide "Do Not Sell My Personal Information" link
• Honor Global Privacy Control (GPC)

Implementation:

Copy// Detect GPC signal
if (navigator.globalPrivacyControl) {
  gtag('consent', 'update', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'analytics_storage': 'granted'  // Analytics OK, ads denied
  });
}

GTM Variable for GPC:

1. Variable Type: JavaScript Variable
2. Global Variable Name: navigator.globalPrivacyControl
3. Use in Consent Mode logic

Testing Consent Mode

Verification Steps:

1. DebugView Test:

   • Enable DebugView
   • Before consent: Check analytics_storage = denied
   • After consent: Check analytics_storage = granted

2. Check Event Parameters:

   • Events should include consent status
   • Look for gcs parameter (Google Consent State)

3. Cookie Inspection:

   • Before consent: No _ga cookie
   • After consent: _ga cookie set

4. GTM Preview:

   • Verify Consent Initialization tag fires first
   • Verify GA4 tag respects consent
   • Verify consent update tags fire on user action

Chrome DevTools:

Copy// Check current consent state
dataLayer.filter(item => item[0] === 'consent')

Server-Side Consent

Measurement Protocol with Consent:

Copy{
  "client_id": "client_123",
  "consent": {
    "ad_storage": "denied",
    "analytics_storage": "granted",
    "ad_user_data": "denied",
    "ad_personalization": "denied"
  },
  "events": [...]
}

Best Practice:

• Pass consent status from frontend to backend
• Include in all Measurement Protocol requests
• Store user consent preferences in database

Integration with Other Skills

• ga4-setup - Privacy settings during property setup
• ga4-gtag-implementation - Implementing Consent Mode with gtag.js
• ga4-gtm-integration - GTM Consent Mode setup
• ga4-data-management - Data retention and deletion
• ga4-user-tracking - User ID and privacy considerations
• ga4-measurement-protocol - Server-side consent parameters

References

• references/consent-mode-complete.md - Complete Consent Mode v2 implementation guide
• references/gdpr-compliance.md - GDPR compliance requirements and workflows
• references/ccpa-compliance.md - CCPA compliance guide
• references/cmp-integrations.md - Integrating popular consent management platforms

Quick Reference

Consent Parameters (v2):

• ad_storage: Advertising cookies
• analytics_storage: Analytics cookies
• ad_user_data: User data sharing (NEW)
• ad_personalization: Personalized ads (NEW)

Set Default (Before Consent):

Copygtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied'
});

Update After User Accepts:

Copygtag('consent', 'update', {
  'ad_storage': 'granted',
  'analytics_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted'
});

Data Deletion: Admin → Data Deletion Requests → Create