GDPR and GA4: What Your Analytics Setup Needs to Do Right
Adding a cookie banner to your site is not the same as being GDPR compliant. The actual compliance work happens at the level of your GA4 configuration, your consent management platform integration, and how your tags behave before and after consent is given or withheld.
The Core Requirement: No Tracking Before Consent
Under GDPR, analytics tracking that involves personal data, including the storage of cookies containing user identifiers, requires explicit, informed, freely given consent before it occurs.
GA4's standard implementation sets a first-party cookie (_ga) containing a unique client ID on the first page load.
Without Consent Mode implemented correctly, this happens regardless of what the user has or has not clicked on the cookie banner.
The compliance requirement is that GA4 should not set persistent cookies, and should not send events containing user identifiers, until consent for analytics is confirmed.
Consent Mode v2 provides the mechanism for this: when analytics_storage is set to denied, GA4 withholds cookie setting and replaces full event tracking with consent-aware, cookieless pings.
Verifying that this behaviour is actually happening in your implementation, not just that your CMP is installed, is the key audit step.
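The audit step above can be reduced to two checks: the dataLayer must contain a consent default with analytics_storage denied before the GA4 config call, and no _ga or _ga_* cookie may exist while that state is still denied. The following is an added example, not code from the original post or from Google: it models the Consent Mode v2 call ordering with a stand-in dataLayer and gtag() helper (the real snippet pushes to window.dataLayer), then replays the dataLayer against a cookie string the way an auditor would in the browser devtools. The cookie values and the _ga_XXXXXXXXXX measurement-ID cookie name are constructed placeholders.

```javascript
// Added example (not from the original post): a minimal model of the Consent Mode v2
// call ordering plus an audit helper that flags GA4 cookies present while
// analytics_storage is still denied. Runs under Node; no browser needed.

// Stand-in for window.dataLayer and the gtag() helper from the standard GA4 snippet.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Step 1: the consent default MUST be pushed before the GA4 config call so the tag
// starts in the denied state. wait_for_update gives the CMP time to restore a
// previously stored choice before any event is dispatched.
function setConsentDefaults() {
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    wait_for_update: 500,
  });
}

// Step 2: the CMP calls this once the user has accepted or rejected analytics.
function applyConsentChoice(analyticsAllowed) {
  gtag('consent', 'update', {
    analytics_storage: analyticsAllowed ? 'granted' : 'denied',
  });
}

// Replays a dataLayer (array of arrays or arguments objects) to compute the
// effective analytics_storage state. If no default was ever set, the tag
// behaves as if consent were granted, which is exactly the misconfiguration
// the audit is looking for.
function effectiveAnalyticsStorage(layer) {
  let state = 'granted';
  for (const entry of layer) {
    if (entry[0] === 'consent' && (entry[1] === 'default' || entry[1] === 'update')) {
      const params = entry[2] || {};
      if (params.analytics_storage) state = params.analytics_storage;
    }
  }
  return state;
}

// Parses a document.cookie / Cookie header string and returns the GA4 cookie
// names: _ga (client ID) and _ga_<MEASUREMENT_ID> (session state).
function ga4Cookies(cookieString) {
  return cookieString
    .split(';')
    .map(c => c.trim().split('=')[0])
    .filter(name => name === '_ga' || name.startsWith('_ga_'));
}

// Audit rule: any GA4 cookie present while analytics_storage is denied is a
// "tracking before consent" finding.
function auditConsentBeforeTracking(cookieString, layer) {
  const state = effectiveAnalyticsStorage(layer);
  const cookies = ga4Cookies(cookieString);
  const findings = state === 'denied' ? cookies : [];
  return { analytics_storage: state, ga4Cookies: cookies, findings };
}

// Walk-through with constructed cookie values (placeholder measurement ID).
setConsentDefaults();
const beforeChoice = '_ga=GA1.1.123456789.1700000000; _ga_XXXXXXXXXX=GS1.1.1700000000.1.0; session=abc';
console.log('before consent:', auditConsentBeforeTracking(beforeChoice, dataLayer));
// -> findings: ['_ga', '_ga_XXXXXXXXXX']  (tracking before consent)
applyConsentChoice(true);
console.log('after consent:', auditConsentBeforeTracking(beforeChoice, dataLayer));
// -> findings: []  (cookies are now permitted)
```

In a live audit, replace the stand-in dataLayer with window.dataLayer and the constructed string with document.cookie on a fresh profile that has not yet interacted with the banner; a non-empty findings list means the CMP is installed but not actually gating the tag.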
Data Minimisation and Retention Settings
GDPR's data minimisation principle applies to what you collect, not just how you collect it.
GA4 properties should be reviewed for unnecessary data collection: are you capturing IP addresses that could be used for geolocation at a level of precision that is not needed?
Is Google Signals enabled? It allows Google to associate GA4 data with signed-in Google accounts for cross-device tracking, so you should have assessed whether this aligns with the consent users actually gave.
GA4's data retention setting defaults to two months, which can be extended to fourteen months in the property settings.
For GDPR compliance, you should consciously choose the retention period rather than accepting defaults, and document the legal basis for retaining data for that period.
Longer retention periods require a clearer legitimate interest or consent basis.
Data Processing Agreements and Transfer Compliance
GA4 processes data on Google's servers, which means you need a valid Data Processing Agreement with Google in place. That is handled through Google's current terms and data processing terms, but the details still matter.
If you are operating in the EU or serving EU users, you need to ensure your GA4 data is processed under appropriate legal mechanisms for international data transfers.
Google updated its Data Processing Terms following the Schrems II ruling and the subsequent EU-US Data Privacy Framework.
You should confirm your Google Analytics account has the current Google data processing terms accepted and that any account level settings required by your policy are configured.
Running a periodic audit of these configuration settings alongside your technical tracking audit ensures both the legal and technical layers of compliance stay in sync.