
🚨 What Changed in March 2024?
Google announced major changes to how analytics and ads work in the EU:
Before March 2024:
Cookie consent was “recommended”
Most marketers ignored it
Google Ads worked fine either way
After March 2024:
Consent Mode v2 is mandatory for EU traffic
Without it, Google Ads loses:
Remarketing audiences
Customer Match
Conversion tracking (partially)
Personalized advertising
Smart Bidding becomes significantly less effective
The Bottom Line:
Implement Consent Mode v2, or your EU campaigns suffer.
🔐 Understanding Consent Mode v2
Consent Mode is Google’s framework for respecting user privacy choices.
The 4 Consent Types (v2):
1. ad_storage
Controls ads cookies (remarketing, audience building)
Required for: Building audiences, Google Ads remarketing
When denied: No remarketing, limited audience building
2. analytics_storage
Controls analytics cookies (GA4 tracking)
Required for: User-level tracking, engagement metrics
When denied: Aggregated data only
3. ad_user_data (NEW in v2)
Controls sending user data to Google for advertising
Required for: Conversion tracking, Smart Bidding signals
When denied: Limited conversion data shared with Google Ads
4. ad_personalization (NEW in v2)
Controls personalized advertising
Required for: Showing personalized ads to users
When denied: Generic ads only
🛠️ Implementing Consent Mode v2 (Step-by-Step)
Step 1: Set Default Consent State (BEFORE GA4 Loads)
This code MUST load BEFORE your GA4 tag:
<!-- Consent Mode: Default State (Deny All) -->
<script>
  // Define dataLayer and gtag function
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}

  // Set default consent to 'denied' (most privacy-friendly)
  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'analytics_storage': 'denied',
    'functionality_storage': 'denied',
    'personalization_storage': 'denied',
    'security_storage': 'granted', // Usually always granted
    'wait_for_update': 500 // Wait 500ms for consent choice
  });

  // Optional: Region-specific defaults (all EU countries)
  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'analytics_storage': 'denied',
    'region': ['AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE']
  });

  // For US (California - CCPA), you might use different defaults
  gtag('consent', 'default', {
    'ad_storage': 'granted', // Unless user opts out
    'analytics_storage': 'granted',
    'region': ['US-CA']
  });
</script>

<!-- THEN load GA4 -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
<script>
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXXXXX');
</script>
Critical: Consent defaults MUST be set BEFORE GA4 loads. Otherwise, GA4 will fire with ‘granted’ consent.
Your banner needs to offer users clear choices:
<div id="cookieConsent" class="cookie-banner">
  <div class="cookie-content">
    <h3>🍪 Cookie Preferences</h3>
    <p>We use cookies to improve your experience. Choose your preferences:</p>
    <div class="cookie-options">
      <!-- Both boxes start unchecked: consent must be an explicit opt-in -->
      <label>
        <input type="checkbox" id="analytics-cookies">
        <strong>Analytics Cookies</strong>
        <span>Help us understand how you use our site</span>
      </label>
      <label>
        <input type="checkbox" id="marketing-cookies">
        <strong>Marketing Cookies</strong>
        <span>Enable personalized ads and content</span>
      </label>
    </div>
    <div class="cookie-buttons">
      <button onclick="acceptAllCookies()">Accept All</button>
      <button onclick="acceptSelectedCookies()">Save Preferences</button>
      <button onclick="rejectAllCookies()">Reject All</button>
    </div>
    <a href="/privacy-policy" class="cookie-policy-link">Privacy Policy</a>
  </div>
</div>

<style>
  .cookie-banner {
    position: fixed;
    bottom: 0;
    left: 0;
    right: 0;
    background: #fff;
    padding: 20px;
    box-shadow: 0 -2px 10px rgba(0,0,0,0.1);
    z-index: 9999;
    display: none;
  }
  .cookie-banner.show {
    display: block;
  }
  .cookie-content {
    max-width: 1200px;
    margin: 0 auto;
  }
  .cookie-options {
    margin: 15px 0;
  }
  .cookie-options label {
    display: block;
    margin: 10px 0;
    cursor: pointer;
  }
  .cookie-buttons {
    margin-top: 15px;
  }
  .cookie-buttons button {
    padding: 10px 20px;
    margin-right: 10px;
    border: none;
    border-radius: 4px;
    cursor: pointer;
  }
  .cookie-buttons button:first-child {
    background: #4285f4;
    color: white;
  }
</style>
Step 3: Update Consent Based on User Choice
// Show banner if user hasn't made a choice
window.addEventListener('load', function() {
  var consentChoice = localStorage.getItem('cookie_consent');
  if (!consentChoice) {
    document.getElementById('cookieConsent').classList.add('show');
  } else {
    // Apply saved consent
    applySavedConsent(consentChoice);
  }
});

// Accept all cookies
function acceptAllCookies() {
  gtag('consent', 'update', {
    'ad_storage': 'granted',
    'ad_user_data': 'granted',
    'ad_personalization': 'granted',
    'analytics_storage': 'granted'
  });
  localStorage.setItem('cookie_consent', 'all');
  localStorage.setItem('cookie_consent_date', new Date().toISOString());
  hideBanner();
  // Optional: Track consent given
  gtag('event', 'consent_given', {
    'consent_type': 'all'
  });
}

// Accept only selected cookies
function acceptSelectedCookies() {
  var analyticsAccepted = document.getElementById('analytics-cookies').checked;
  var marketingAccepted = document.getElementById('marketing-cookies').checked;
  gtag('consent', 'update', {
    'analytics_storage': analyticsAccepted ? 'granted' : 'denied',
    'ad_storage': marketingAccepted ? 'granted' : 'denied',
    'ad_user_data': marketingAccepted ? 'granted' : 'denied',
    'ad_personalization': marketingAccepted ? 'granted' : 'denied'
  });
  var consentType = analyticsAccepted && marketingAccepted ? 'all' :
                    analyticsAccepted ? 'analytics_only' :
                    marketingAccepted ? 'marketing_only' : 'none';
  localStorage.setItem('cookie_consent', consentType);
  localStorage.setItem('cookie_consent_date', new Date().toISOString());
  hideBanner();
  gtag('event', 'consent_given', {
    'consent_type': consentType
  });
}

// Reject all cookies
function rejectAllCookies() {
  gtag('consent', 'update', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'analytics_storage': 'denied'
  });
  localStorage.setItem('cookie_consent', 'none');
  localStorage.setItem('cookie_consent_date', new Date().toISOString());
  hideBanner();
  gtag('event', 'consent_given', {
    'consent_type': 'none'
  });
}

// Apply saved consent on page load
function applySavedConsent(choice) {
  switch(choice) {
    case 'all':
      gtag('consent', 'update', {
        'ad_storage': 'granted',
        'ad_user_data': 'granted',
        'ad_personalization': 'granted',
        'analytics_storage': 'granted'
      });
      break;
    case 'analytics_only':
      gtag('consent', 'update', {
        'analytics_storage': 'granted',
        'ad_storage': 'denied',
        'ad_user_data': 'denied',
        'ad_personalization': 'denied'
      });
      break;
    // 'marketing_only' is a value acceptSelectedCookies() can store, so it needs a case too
    case 'marketing_only':
      gtag('consent', 'update', {
        'analytics_storage': 'denied',
        'ad_storage': 'granted',
        'ad_user_data': 'granted',
        'ad_personalization': 'granted'
      });
      break;
    case 'none':
      gtag('consent', 'update', {
        'ad_storage': 'denied',
        'ad_user_data': 'denied',
        'ad_personalization': 'denied',
        'analytics_storage': 'denied'
      });
      break;
  }
}

function hideBanner() {
  document.getElementById('cookieConsent').classList.remove('show');
}

// Allow users to change preferences later
function showCookiePreferences() {
  document.getElementById('cookieConsent').classList.add('show');
  // Pre-select current preferences (set both boxes explicitly so a stale tick is cleared)
  var currentConsent = localStorage.getItem('cookie_consent');
  document.getElementById('analytics-cookies').checked =
    (currentConsent === 'all' || currentConsent === 'analytics_only');
  document.getElementById('marketing-cookies').checked =
    (currentConsent === 'all' || currentConsent === 'marketing_only');
}
Step 4: Add “Manage Preferences” Link to Footer
<!-- In your website footer -->
<footer>
  <a href="#" onclick="showCookiePreferences(); return false;">Cookie Preferences</a>
  <a href="/privacy-policy">Privacy Policy</a>
</footer>
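The Step 3 code stores cookie_consent_date but never reads it, so a saved choice never expires. The following is an added example (not code from the original article) that checks the stored record before applying it and fails closed to "denied" plus a re-prompt; resolveStoredConsent, consentStateFor and the 395-day limit (about 13 months) are assumptions made for illustration.

```javascript
// Added example: CONSENT_MAX_AGE_DAYS, consentStateFor and resolveStoredConsent
// are hypothetical names, not part of gtag.js or of the article's code.
const CONSENT_MAX_AGE_DAYS = 395; // about 13 months (assumed limit)

// Map the choice strings stored in Step 3 to a full Consent Mode v2 state.
function consentStateFor(choice) {
  const analytics = choice === 'all' || choice === 'analytics_only';
  const marketing = choice === 'all' || choice === 'marketing_only';
  return {
    ad_storage: marketing ? 'granted' : 'denied',
    ad_user_data: marketing ? 'granted' : 'denied',
    ad_personalization: marketing ? 'granted' : 'denied',
    analytics_storage: analytics ? 'granted' : 'denied'
  };
}

// Decide whether a stored record may be applied or the banner must be shown again.
// Unknown choices, missing or unparseable dates, future dates and expired records
// all resolve to "everything denied, show the banner".
function resolveStoredConsent(choice, savedAtIso, now = new Date()) {
  const known = ['all', 'analytics_only', 'marketing_only', 'none'];
  const savedAt = Date.parse(savedAtIso);
  const ageDays = (now.getTime() - savedAt) / 86400000;
  const valid = known.includes(choice) && Number.isFinite(savedAt) &&
                ageDays >= 0 && ageDays <= CONSENT_MAX_AGE_DAYS;
  return valid
    ? { showBanner: false, state: consentStateFor(choice) }
    : { showBanner: true, state: consentStateFor('none') };
}

// Browser wiring: runs only on a page where the banner markup and gtag() exist.
if (typeof document !== 'undefined' && typeof gtag === 'function') {
  const result = resolveStoredConsent(localStorage.getItem('cookie_consent'),
                                      localStorage.getItem('cookie_consent_date'));
  gtag('consent', 'update', result.state);
  if (result.showBanner) {
    document.getElementById('cookieConsent').classList.add('show');
  }
}
```

Because localStorage is writable by any script running on the origin, treat the stored value as untrusted input, which is why unknown strings are rejected rather than passed through.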
🚫 What Data You CANNOT Send to GA4
This is where most marketers mess up. Sending PII (Personally Identifiable Information) to GA4 violates:
Google’s Terms of Service
GDPR (fines up to €20M)
CCPA
User trust
❌ NEVER Send to GA4:
Personal Information:
Email addresses
Phone numbers
Full names (first + last)
Home addresses
Social security numbers
Government ID numbers
Financial Information:
Credit card numbers
Bank account numbers
Payment details
Health Information:
Medical conditions
Prescriptions
Health records
Authentication:
Passwords
Security answers
API keys
✅ What You CAN Send:
Hashed/Anonymized Identifiers:
// ❌ BAD: Raw email
gtag('set', 'user_properties', {
  'email': '[email protected]' // NEVER DO THIS
});

// ✅ GOOD: Hashed user ID
gtag('set', 'user_properties', {
  'user_id': 'user_abc123', // Hashed or database ID
  'customer_segment': 'premium'
});
Aggregate/Categorical Data:
// ✅ These are OK
gtag('set', 'user_properties', {
  'user_type': 'customer', // Category
  'subscription_tier': 'pro', // Category
  'age_range': '25-34', // Range, not exact age
  'location_city': 'New York', // City OK, not street address
  'industry': 'technology', // Professional category
  'company_size': '50-200' // Range
});
🔍 Auditing Your GA4 for PII
Run this audit NOW:
Step 1: Check User Properties
- Admin → Custom Definitions → Custom Dimensions
- Review each dimension name
- Flag any that might contain PII
Step 2: Check Event Parameters
- Admin → Events → Modify event
- Review parameter names
- Common violations:
- "user_email"
- "phone_number"
- "customer_name"
- "billing_address"
Step 3: Check URL Parameters
- Reports → Engagement → Pages and screens
- Look at page_location values
- Check for:
- Emails in URLs ([email protected])
- Names in URLs (/profile/john-smith)
- Phone numbers in URLs
Step 4: Use DebugView
- Enable debug mode
- Trigger events
- Inspect all parameters
- Look for accidental PII inclusion
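The manual audit above can be backed by a check in the page itself. The following is an added example (not code from the original article) that flags the parameter names and URL patterns listed in Steps 2 and 3 and scrubs them before an event is handed to gtag(); findPii, scrubParams and the regular expressions are hypothetical, heuristic, and the sample events are constructed.

```javascript
// Added example: findPii, scrubParams and the patterns are hypothetical names and
// heuristics, not a complete PII detector and not part of gtag.js.
const RISKY_NAMES = /(email|phone|(first|last|full|customer)_?name|address|ssn|password)/i;
const EMAIL = /[A-Z0-9._%+-]+(?:@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/i; // also URL-encoded "@"
const PHONE = /(?:\+?\d[\s().-]{0,2}){9,14}\d/;                  // 10 to 15 digits

// Report why each parameter of one event would fail the audit.
function findPii(params) {
  const findings = [];
  for (const [name, value] of Object.entries(params)) {
    const text = String(value);
    if (RISKY_NAMES.test(name)) findings.push({ name, reason: 'parameter name' });
    if (EMAIL.test(text)) findings.push({ name, reason: 'email in value' });
    else if (PHONE.test(text)) findings.push({ name, reason: 'phone number in value' });
  }
  return findings;
}

// Return a copy that is safer to pass to gtag('event', ...): risky parameters are
// dropped, and emails or phone numbers inside string values are replaced.
function scrubParams(params) {
  const clean = {};
  for (const [name, value] of Object.entries(params)) {
    if (RISKY_NAMES.test(name)) continue;
    clean[name] = typeof value !== 'string' ? value : value
      .replace(new RegExp(EMAIL.source, 'gi'), '[redacted-email]')
      .replace(new RegExp(PHONE.source, 'g'), '[redacted-phone]');
  }
  return clean;
}

// Constructed sample events, shaped like the parameters DebugView displays.
const SAMPLE_EVENTS = [
  { name: 'purchase', params: { transaction_id: 'T-1001', value: 49.99,
                                user_email: 'jane.doe@example.com' } },
  { name: 'page_view', params: {
      page_location: 'https://shop.example/thanks?u=jane.doe%40example.com' } },
  { name: 'sign_up', params: { subscription_tier: 'pro', age_range: '25-34' } }
];

for (const ev of SAMPLE_EVENTS) {
  console.log(ev.name, findPii(ev.params), scrubParams(ev.params));
}
```

Long numeric values such as millisecond timestamps will also match the phone pattern, so review findings before dropping data automatically.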
📋 GDPR Compliance Checklist
Legal Requirements (EU Traffic):
[ ] Cookie consent banner displayed before tracking
[ ] Clear opt-in required (pre-checked boxes are illegal)
[ ] Granular consent options (separate analytics vs marketing)
[ ] Easy opt-out mechanism (cookie preferences link)
[ ] Privacy policy updated with:
What data is collected
How it’s used
How long it’s retained
Third parties it’s shared with (Google)
User rights (access, deletion, portability)
[ ] Data Processing Amendment signed with Google
[ ] Consent expires after 12-13 months (require re-consent)
[ ] Right to erasure process documented
[ ] Data deletion requests handled via GA4 API
Privacy Policy Must Include:
## Analytics and Cookies
We use Google Analytics 4 to understand how visitors use our website.
**What We Collect:**
- Pages you visit
- How long you stay
- What you click on
- Device type and browser
- General location (city/country level)
**What We DON'T Collect:**
- Your name or email address
- Your exact location
- Sensitive personal information
**Your Choices:**
You can:
- Opt out of analytics cookies (click Cookie Preferences)
- Request deletion of your data (email [email protected])
- Export your data (email [email protected])
**Data Retention:**
We retain your data for 14 months, then it's automatically deleted.
**Third Parties:**
Your data is processed by:
- Google LLC (analytics)
- [List other services]
**Your Rights:**
Under GDPR, you have the right to:
- Access your data
- Delete your data
- Export your data
- Object to processing
🇺🇸 CCPA/CPRA Compliance (California)
California has its own privacy law (CCPA/CPRA):
Requirements:
[ ] “Do Not Sell My Personal Information” link on homepage
[ ] Easy opt-out mechanism for data sales
[ ] Privacy policy includes CCPA disclosures
[ ] Respond to deletion requests within 45 days
[ ] Respond to access requests within 45 days
Implementation:
<!-- Footer link required by CCPA -->
<footer>
  <a href="/do-not-sell">Do Not Sell My Personal Information</a>
  <a href="/privacy-policy">Privacy Policy</a>
</footer>
Opt-Out Page:
<h1>Do Not Sell My Personal Information</h1>
<p>Under the California Consumer Privacy Act (CCPA), you have the right to opt out of the sale of your personal information.</p>
<button onclick="optOutOfDataSales()">Opt Out</button>
<script>
function optOutOfDataSales() {
  // Deny all ad-related consent
  gtag('consent', 'update', {
    'ad_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied'
  });
  localStorage.setItem('ccpa_opt_out', 'true');
  alert('You have opted out of data sales.');
}
</script>
🎯 Maintaining Performance with Privacy
Myth: Privacy compliance kills conversion tracking. Reality: You can be privacy-first AND performance-driven.
Conversion Modeling
When users deny consent, GA4 uses conversion modeling:
Machine learning fills in gaps
Estimates conversions from denied-consent users
Provides Google Ads with Smart Bidding signals
How to enable:
1. Admin → Data Display → Reporting Identity
2. Select: Blended (uses modeling)
3. ✅ Include all available data
Server-Side Tagging
For maximum privacy + performance:
Benefits:
First-party cookies (harder to block)
Better ad blocker resistance
More control over data
Improved page load speed
Setup:
Set up Google Tag Manager Server Container
Configure custom domain (e.g., analytics.yoursite.com)
Route GA4 data through your server
Maintain full control
✅ Privacy Compliance Checklist
Immediate Actions:
[ ] Implement Consent Mode v2
[ ] Add cookie consent banner
[ ] Update privacy policy
[ ] Audit for PII in events
[ ] Add “Cookie Preferences” link to footer
[ ] Add “Do Not Sell” link (if serving California)
Within 30 Days:
[ ] Sign Data Processing Amendment with Google
[ ] Document data deletion process
[ ] Train team on PII guidelines
[ ] Set up consent expiration (13 months)
[ ] Create process for data access requests
Ongoing:
[ ] Monthly audit for PII
[ ] Review privacy policy quarterly
[ ] Monitor consent rates
[ ] Respond to deletion requests <45 days
[ ] Stay updated on privacy law changes
🚀 Testing Your Implementation
Step 1: Test Consent Mode
1. Clear cookies and localStorage
2. Visit your site
3. Check: Cookie banner appears?
4. Click "Reject All"
5. Open DevTools → Network tab
6. Filter for "collect"
7. Check: No GA4 requests should fire (or only ping requests)
8. Now click "Accept All"
9. Check: GA4 requests now fire normally
Step 2: Verify in GA4 DebugView
1. Enable debug mode
2. Test with consent denied
3. Check events in DebugView
4. Should see: Limited data or no events
5. Accept consent
6. Check: Full events now appear
Step 3: Check Google Ads
1. Google Ads → Tools → Conversions
2. Check imported GA4 conversions
3. Should see: Conversions still tracking (via modeling)
4. Check audience building still works
📊 Monitor Consent Rates
Track how many users accept/reject cookies:
// Already included in the code above
gtag('event', 'consent_given', {
  'consent_type': 'all' // or 'analytics_only', 'none'
});

// View in GA4:
// Reports → Events → consent_given
// Add: event_parameter (consent_type)

// Typical benchmarks:
// - Accept All: 40-60%
// - Analytics Only: 10-20%
// - Reject All: 30-40%
If rejection rate is high:
Simplify your banner
Explain benefits clearly
Make “Accept” button more prominent (legally allowed)
Ensure banner isn’t annoying
🚀 Next Week Preview
Week 4: Advanced GA4 - Audiences, Predictive Analytics, and BigQuery
In the final week, we’re going advanced:
Building high-performing audiences
Using predictive metrics (likely purchasers)
BigQuery export and custom analysis
Custom attribution modeling
Looker Studio dashboards
About This Series:
This is Week 3 of our 4-week GA4 Audit Series:
✅ Week 3: Privacy-First Analytics (You are here)
Week 4: Advanced GA4 Features

