GA4 Privacy and Compliance

Overview

GA4 provides privacy-focused features for GDPR, CCPA, and global privacy regulations including Consent Mode, data controls, and compliance workflows.

When to Use This Skill

Invoke this skill when:

Implementing Consent Mode v2 for GDPR compliance
Setting up consent banners and consent management platforms (CMPs)
Configuring privacy settings for EU/EEA users
Handling GDPR/CCPA data deletion requests
Implementing privacy-first tracking strategies
Setting consent parameters (ad_storage, analytics_storage)
Configuring data retention policies
Managing user opt-outs and privacy requests
Working with consent management platforms (OneTrust, Cookiebot)
Implementing server-side consent tracking
Debugging consent mode implementation
Ensuring regulatory compliance for analytics

Core Capabilities

Consent Mode v2

What is Consent Mode: Google's API for communicating user consent status to GA4, Google Ads, and other Google tags.

Consent Parameters (v2):

ad_storage
- Purpose: Advertising cookies (remarketing, conversion tracking)
- Values: "granted" | "denied"
analytics_storage
- Purpose: Analytics cookies (GA4 tracking)
- Values: "granted" | "denied"
ad_user_data (NEW in v2)
- Purpose: User data sharing for advertising
- Values: "granted" | "denied"
ad_personalization (NEW in v2)
- Purpose: Personalized advertising
- Values: "granted" | "denied"

Additional Parameters:

personalization_storage
- Purpose: Website personalization
- Values: "granted" | "denied"
functionality_storage
- Purpose: Essential site functionality
- Values: "granted" | "denied"
security_storage
- Purpose: Security features (fraud prevention)
- Values: "granted" | "denied"

Implementing Consent Mode

Basic Implementation (gtag.js):

Step 1: Set Default Consent State (BEFORE gtag.js)

<script>
  // Set default consent to denied
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}

  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'analytics_storage': 'denied'
  });

  // Configure GA4
  gtag('config', 'G-XXXXXXXXXX');
</script>

<!-- Load gtag.js -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>

Step 2: Update Consent After User Choice

// When user accepts all cookies
gtag('consent', 'update', {
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted',
  'analytics_storage': 'granted'
});

// When user accepts only analytics
gtag('consent', 'update', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'granted'
});

// When user denies all
gtag('consent', 'update', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied'
});

GTM Implementation:

Method 1: Using Consent Mode Template

Install CMP Template (OneTrust, Cookiebot, etc.)
Configure default consent in template
Template auto-updates consent on user choice

Method 2: Manual GTM Setup

Create Consent Initialization Tag:

Tag Type: Custom HTML
Code:

<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'analytics_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied'
  });
</script>

Trigger: Consent Initialization - All Pages
Tag firing priority: 999 (fires first)

Create Consent Update Tag (on user acceptance):

Tag Type: Custom HTML
Code: gtag('consent', 'update', ...)
Trigger: Custom event from CMP (e.g., consent_granted)

Regional Settings

EU-Specific Consent:

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied'
}, {
  'region': ['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'GB']
});

gtag('consent', 'default', {
  'ad_storage': 'granted',
  'analytics_storage': 'granted'
}, {
  'region': ['US-CA']  // California - CCPA
});

Consent Mode Behavior

When analytics_storage = "denied":

GA4 uses cookieless pings
No client_id stored in cookies
Modeling used to fill gaps
Limited user tracking
Session duration not tracked

When analytics_storage = "granted":

Full GA4 tracking enabled
Cookies stored
client_id persists
Complete user journey tracking

Conversion Modeling: When consent denied, GA4 uses:

Machine learning to estimate conversions
Aggregated, anonymized data
Behavioral modeling
"Modeled" label in reports

Data Retention Settings

Path: Admin → Data Settings → Data Retention

Options:

2 months (default)
14 months

Applies To:

User-level data in Explorations
Event-level data in Explorations
Does NOT affect standard reports

Reset on New Activity:

ON: Timer resets when user returns (rolling window)
OFF: Data deleted based on original collection date

GDPR Compliance:

Shorter retention = more privacy-focused
Document retention policy in privacy policy
Consider BigQuery export for longer storage

Data Deletion Requests

User Right to Deletion (GDPR Article 17):

Deleting User Data:

Admin → Data Settings → Data Deletion Requests
Create Deletion Request
Choose deletion parameter:
- User ID: Delete by user_id
- Client ID: Delete by client_id (user_pseudo_id)
- App Instance ID: Delete by app instance
Enter identifier value
Choose date range or "All time"
Submit request

Processing:

Takes up to 72 hours
Deletes ALL events for that identifier
Cannot be undone
Confirmation email sent when complete

Best Practice:

Maintain deletion request log
Respond to requests within 30 days (GDPR requirement)
Document process in privacy policy

IP Anonymization

GA4 Default Behavior:

GA4 does NOT log or store IP addresses
IP used only for geo-location derivation
No additional anonymization needed

Unlike Universal Analytics:

No anonymize_ip parameter needed
Privacy-first by design
IP address never in reports or exports

Google Signals

What It Enables:

Demographics reporting (age, gender)
Interests reporting
Cross-device tracking (without User ID)
Remarketing audiences

Privacy Implications:

Requires user consent for personalized ads
Subject to data thresholds
User opt-out via Ads Settings

Enabling: Admin → Data Settings → Data Collection → Google Signals

Recommendation:

Enable only with proper consent
Respect user opt-outs
Document in privacy policy

Data Thresholds

What Are Thresholds: GA4 applies thresholds to reports when:

Small user counts could reveal individual identity
Google Signals enabled
User demographics requested

When Applied:

Small audience sizes
Rare combinations of dimensions
Reports show "(thresholded)" or data withheld

Managing Thresholds:

Disable Google Signals (if not needed)
Use broader date ranges
Aggregate dimensions
Export to BigQuery for unthresholded data

Consent Management Platforms (CMPs)

Popular CMPs:

OneTrust
Cookiebot
Termly
Osano
TrustArc

GTM CMP Templates: Most CMPs provide GTM templates:

Community Template Gallery → Search CMP name
Install template
Configure CMP settings
Auto-updates consent to GA4

Example: Cookiebot Integration

Install Cookiebot tag on site
Install Cookiebot template in GTM
Template auto-sets default consent
Updates consent based on user choice

ga4-privacy-compliance

Como adicionar

Cole no README do seu repo

Skills relacionadas

xlsx

mem-search

weekly-digests

how-it-works

Receba novas skills de Dados e Análise toda segunda