A small ecommerce store in Germany got a 15,000 euro fine last year. Not for a data breach. Not for spam. They were running Google Analytics without proper cookie consent. The tracking loaded before visitors agreed to anything, and a privacy complaint made it official.
This is not rare anymore. Privacy enforcement is real, and the rules are not optional.
Why This Matters
Fines are not theoretical. GDPR penalties can reach 4% of annual revenue or 20 million euros, whichever is higher. Even small businesses face four and five figure fines when complaints are filed. Austrian, French, and Italian regulators have all ruled against standard GA implementations.
Your visitors expect it. Over 40% of European users reject non-essential cookies when given the choice. Respecting that choice is not just legal, it builds trust. People notice when sites ignore their preferences.
GA4 changed the landscape. When Google sunset Universal Analytics, GA4 introduced new privacy features like consent mode, data retention controls, and cookieless measurement. But these features only work if you actually configure them.
It affects your data quality too. If you are collecting data without consent, that data might need to be deleted later. Building reports on shaky legal ground means you could lose your historical data in a compliance cleanup.
How to Do It
Step 1: Enable IP anonymization. In GA4, IP addresses are anonymized by default, which is good. Verify this in your property settings. If you migrated from Universal Analytics, double check that the old property is not still running alongside GA4.
Step 2: Set up consent mode. Google’s Consent Mode lets GA4 adapt its behavior based on user choices. When someone declines cookies, GA4 collects anonymized, cookieless pings instead of full tracking. Set this up through Google Tag Manager:
- Enable consent mode in your GTM container
- Set default consent state to “denied” for EU visitors
- Connect your consent banner to update the consent state on user action
Step 3: Configure data retention. In GA4 Admin, go to Data Settings and set your retention period. The minimum is 2 months, and the maximum is 14 months. Choose the shortest period that meets your reporting needs.
Step 4: Sign the Data Processing Agreement. In GA4 Admin under Account Settings, accept Google’s data processing terms. This is legally required under GDPR and takes about 30 seconds.
Step 5: Update your privacy policy. List Google Analytics by name. Explain what data you collect, why, and how users can opt out. Link to Google’s privacy policy and mention the Google Analytics opt-out browser extension.
The Easier Way
Privacy compliance makes analytics harder to navigate because consent gaps create holes in your data. ClawAnalytics helps you make sense of what you do have by letting you ask targeted questions:
- “How much traffic are we losing to cookie consent rejection?”
- “What is our conversion rate for users who accepted tracking?”
- “Show me trends for the last 90 days excluding low-confidence data”
Instead of manually building segments to work around consent gaps, you describe what you need and get answers that account for your actual data situation.
Quick Wins
- Audit your current setup today. Open your site in an incognito window. Does GA load before you interact with any consent banner? If yes, you have a compliance problem right now.
- Use Google Tag Manager. It makes consent mode integration much simpler than hardcoded tracking scripts. Migration takes an afternoon.
- Turn off Google Signals if you do not need it. This feature links GA data with Google ad profiles and creates additional privacy obligations. Disable it in GA4 under Data Settings unless you actively use it.
- Document everything. Keep a record of when you enabled consent mode, what your retention settings are, and when you signed the DPA. If a regulator asks, you want receipts.
- Test from an EU IP. Use a VPN to check that your consent banner appears correctly for European visitors. Some setups only show banners to certain regions and misconfigure the geo-targeting.
