<aside>
ℹ️ This guide provides step-by-step instructions for configuring Google Analytics 4 in different privacy configurations and explains how each configuration must be reflected in the Consenter Manager when you configure your Consent Banner.
Step 1: Choose which configuration matches your demands and configure GA4 accordingly
Step 2: Configure the Consent Banner in the Consenter Manager accordingly
Step 3: Explain how you use Google Analytics 4 in your privacy policy
</aside>
Google Analytics 4 (GA4) is Google's analytics platform that deploys a JavaScript tracking tag on websites and apps to collect visitor behaviour, session data, and event-based interaction data. Depending on configuration, GA4 can range from a basic anonymous analytics tool to a fully integrated cross-device advertising measurement platform linked to Google's wider advertising ecosystem. The configurations below cover the most privacy-relevant settings and their corresponding mappings in the Customer Panel (CP).
Note on IP addresses in GA4: GA4 does not log or store individual IP addresses in any configuration. For EU-based traffic, IP addresses are used solely to derive coarse geolocation data (city, region, country) on EU-based servers, then immediately discarded before being forwarded to Analytics processing servers. This behaviour is automatic and cannot be disabled. Accordingly, IP address is not a configurable privacy dimension in GA4 and does not appear as a differentiating factor between the configurations below.
| # | Configuration Area | Where in GA4 | Configuration A — Low Risk | Configuration B — Medium Risk | Configuration C — Higher Risk |
|---|---|---|---|---|---|
| 1 | Consent Mode implementation | Google Tag Manager (GTM) or gtag.js — Consent Mode default commands; CMP integration | Basic Consent Mode — GA4 tag blocked entirely until consent is granted; no data sent before consent; no cookieless pings | Basic Consent Mode — GA4 tag blocked entirely until consent is granted; no data sent before consent; no cookieless pings | Advanced Consent Mode v2 — GA4 tag fires in limited mode without consent; cookieless pings sent to Google for conversion and behaviour modelling even when consent is denied; all four signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) transmitted to Google |
| 2 | Google Signals | Admin → Data Settings → Data Collection → Enable Google signals data collection | Disabled | Disabled | Enabled — cross-device data collected from signed-in Google users with Ads Personalisation turned on; demographics and interests reporting activated; third-party advertising identifiers used for cross-website and cross-device audience building |
| 3 | User identification | Implemented via gtag.js or GTM (user_id parameter); Admin → Data Display → Reporting Identity | Disabled — anonymous sessions only; visitors identified solely by the first-party GA4 client ID (_ga cookie) as a device-level identifier | User ID implemented — persistent first-party identifier sent to GA4 for authenticated (logged-in) users; enables cross-session and cross-device journey stitching for identified users; Reporting Identity set to "By User-ID, Google signals, then Device ID" | User ID implemented; user-provided data collection optionally enabled (hashed first-party data, e.g. email, matched with Google accounts for enhanced conversions and cross-device attribution) |
| 4 | Google Ads linkage and remarketing | Admin → Product Links → Google Ads Linking; Admin → Data Settings → Data Collection → Advertising Reporting Features | Not linked | Not linked | Google Ads account linked; remarketing audiences created in GA4 and shared with Google Ads; Advertising Reporting Features enabled; data sharing with Google products may be enabled (not recommended!) |
| 5 | Granular location and device data | Admin → Data Settings → Data Collection → Granular location and device data collection | Disabled — city-level location (latitude/longitude), device brand, device model, and device name not collected; only country- and region-level data retained | Disabled — city-level location (latitude/longitude), device brand, device model, and device name not collected; only country- and region-level data retained | Enabled (default) — city-level location (latitude/longitude of city), device brand, device model, and device name collected |
| 6 | Data retention (user-level data) | Admin → Data Settings → Data Retention | 2 months (default minimum) | 14 months (maximum for standard GA4) | 14 months (maximum for standard GA4) |
| 7 | Processing location | Google infrastructure / account settings | EU initial collection (EU-based servers for EU traffic; IP discarded before forwarding); further processing by Google LLC (US); potential US government access via CLOUD Act | EU initial collection (EU-based servers for EU traffic; IP discarded before forwarding); further processing by Google LLC (US); potential US government access via CLOUD Act | EU initial collection (EU-based servers for EU traffic; IP discarded before forwarding); further processing by Google LLC (US); SCCs available via Google Ads Data Processing Terms; potential US government access via CLOUD Act |
Use Configuration A (Low Risk) when GA4 is used solely for anonymous website analytics without any user identification, advertising features, or cross-device tracking. Basic Consent Mode is implemented — the GA4 tag is blocked entirely until the visitor grants consent, meaning no data whatsoever reaches Google before a positive consent decision. Google Signals is disabled, so no cross-device tracking via Google's advertising identifiers takes place. No User ID is implemented; visitors are tracked only by the first-party GA4 client ID stored in the _ga cookie, scoped to the website domain. No Google Ads account is linked. Granular location and device data collection is disabled, so only country- and region-level location data is derived. User-level data is retained for 2 months.
EU-based traffic is collected via EU-based servers before being forwarded to Google's processing infrastructure, and IP addresses are discarded before any logging occurs. However, as Google LLC is a US-based enterprise, all data processed by Google remains potentially subject to access by US government authorities under the CLOUD Act, regardless of where initial collection takes place. This should be disclosed as a potential US data transfer in the consent banner.
Google acts as a data processor under the Google Ads Data Processing Terms, which are accepted via Admin → Account Settings. Standard Contractual Clauses (SCCs) are incorporated into these terms for international data transfers.
Use Configuration B (Medium Risk) when GA4 is used for website analytics including cross-session and cross-device identification for authenticated users. Basic Consent Mode is still used — the GA4 tag is blocked until consent is granted. Google Signals is disabled. A User ID is implemented by the website operator and sent to GA4 when a visitor is logged into their account on the website, enabling cross-session and cross-device journey stitching for identified users. This allows GA4 to associate multiple sessions, browser instances, or devices with a single known user, provided that user is authenticated. No Google Ads account is linked, and no advertising features are active. Granular location and device data collection remains disabled. User-level data is retained for 14 months.
EU traffic routing and IP handling are the same as in Configuration A. As Google LLC is a US-based enterprise, the CLOUD Act applies in all cases. This should be disclosed as a potential US data transfer in the consent banner.
Google acts as a data processor under its standard Data Processing Terms.
Use Configuration C (Higher Risk) when GA4 is deployed as part of a full advertising measurement stack integrated with Google Ads. Advanced Consent Mode v2 is implemented — the GA4 tag fires in a limited mode even when a visitor has declined consent, sending cookieless pings (without accessing browser storage or setting cookies) to Google's servers for statistical conversion and behaviour modelling. This means that even non-consenting visitors contribute anonymised signal data to Google's modelling processes.
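
A check for the consent behaviour described for Configurations A to C, as an added example that is not part of the original guide: it classifies captured GA4 requests against the moment consent was granted, so you can confirm that the deployed tag matches the configuration you declare in the banner. The `gcs` decoding, the `google-analytics.com/g/collect` endpoint match, the `G-EXAMPLE` ID and the sample captures are assumptions constructed for illustration.

```javascript
// Added example (not from the guide). Sample captures are constructed;
// G-EXAMPLE is a placeholder measurement ID.
const GA_HOST = /(^|\.)google-analytics\.com$/; // assumed GA4 collection hosts

// Assumed encoding: gcs = "G1" + ad_storage bit + analytics_storage bit,
// where 1 = granted and 0 = denied (G100 = both denied, G111 = both granted).
function parseGcs(gcs) {
  const m = /^G1([01])([01])$/.exec(gcs || "");
  return m ? { ad_storage: m[1] === "1", analytics_storage: m[2] === "1" } : null;
}

// requests: [{ time, url }]; consentGrantedAt: ms timestamp, or null if declined.
function auditHits(requests, consentGrantedAt) {
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (!GA_HOST.test(url.hostname) || !url.pathname.endsWith("/collect")) continue;
    if (consentGrantedAt !== null && req.time >= consentGrantedAt) continue;
    const state = parseGcs(url.searchParams.get("gcs"));
    const denied = state !== null && !state.analytics_storage;
    findings.push({
      time: req.time,
      kind: denied ? "cookieless-ping" : "hit-before-consent",
    });
  }
  return findings;
}

// "basic": nothing reached Google before consent (Configurations A and B).
// "advanced": only denied-state pings were sent (Configuration C).
// "misconfigured": a hit left the browser before consent without a denied signal.
function inferMode(requests, consentGrantedAt) {
  const findings = auditHits(requests, consentGrantedAt);
  if (findings.length === 0) return "basic";
  return findings.every((f) => f.kind === "cookieless-ping") ? "advanced" : "misconfigured";
}

const COLLECT = "https://region1.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=page_view";
const basicCapture = [
  { time: 100, url: "https://shop.example/index.html" },
  { time: 5200, url: COLLECT + "&gcs=G101" }, // consent granted at 5000
];
const advancedCapture = [{ time: 300, url: COLLECT + "&gcs=G100" }]; // visitor declined
const leakyCapture = [{ time: 200, url: COLLECT + "&gcs=G111" }]; // fired too early

console.log(inferMode(basicCapture, 5000), inferMode(advancedCapture, null),
  inferMode(leakyCapture, 5000));
```

A "basic" result only shows that the capture held no pre-consent GA4 requests, so record it from a fresh browser profile starting before the banner is answered.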