Consent Mode signals not reaching GA4
GA4 receives Consent Mode signals through the dataLayer. If the CMP sends the signal too late or in the wrong format, GA4 may operate in an unconstrained mode regardless of visitor choice.
Marketing and Analytics
GA4 Consent Mode v2 requires correct configuration. Lokker confirms whether you have it.
Google Analytics 4 is the most widely deployed web analytics tool. Its Consent Mode v2 framework provides a mechanism for handling consent signals from a CMP, but implementing it correctly is not automatic. Configuration errors are common and often invisible in GA4 reporting. Lokker tests what GA4 actually sends to Google in each consent state, independent of what the measurement configuration reports.
Marketing and Analytics
Google Analytics 4
Google Analytics 4 is a web and app analytics platform that collects user behavioral data and integrates with Google's advertising ecosystem through Consent Mode v2 for consent-aware data collection.
Trademark
Google Analytics 4 is a trademark of Google LLC. Lokker is not affiliated with or endorsed by Google LLC.
Quick answer
Google Analytics 4 (GA4) can be used in a GDPR-compliant way, but compliance requires specific configuration steps including Consent Mode v2, data residency settings, and IP anonymization. GA4 is not GDPR-compliant by default. Organizations in the EU or targeting EU users must enable Consent Mode so GA4 adjusts its data collection based on user consent signals, store data in EU data centers where available, configure data retention to the shortest period appropriate, and ensure that no personal data is passed in event parameters or URL paths. Even with Consent Mode enabled, behavioral modeling (where GA4 estimates conversions from non-consenting users) may raise questions under strict interpretations of GDPR. Independent validation of what GA4 actually sends before and after consent is the only way to confirm the configuration works as expected.
Risk and failure modes
Consent Mode v2 requires correct implementation, not just enablement
Enabling Consent Mode v2 in your CMP does not automatically mean it is working correctly. Each Google tag needs to be individually validated against the consent state, and the modeling behavior in denied states needs to be understood.
Modeling mode data still transmitted in denied state
When consent is denied, GA4 in Consent Mode v2 sends cookieless pings for modeling. Regulators in some jurisdictions have questioned whether this modeling data transmission itself requires consent.
Google Ads tags sharing the same consent signals
GA4 and Google Ads tags often share consent signals from the same GTM configuration. A misconfiguration that allows GA4 to fire may simultaneously allow Google Ads remarketing to fire.
Consent and configuration
GA4 consent configuration needs to be verified at the network layer
GA4 reporting shows what data was collected, not what was blocked. Network-layer testing shows what requests GA4 actually sent to Google in each consent state, including in the modeling mode that operates when consent is denied.
The `gtag('consent', 'update')` call sequence needs to fire before any GA4 measurement events when consent changes.
The default consent state in the `gtag('consent', 'default')` call needs to match the legal requirements for the jurisdictions your site serves.
GA4's integration with Google Ads through Linked Accounts means consent changes affecting GA4 may also affect Google Ads remarketing behavior.
Regional compliance
GDPR requires opt-in before GA4 full measurement mode
European DPAs have issued guidance on Google Analytics specifically, with some authorities previously ruling that standard GA use violated GDPR data transfer rules. GA4 with Consent Mode v2 addresses some of these concerns, but only when correctly implemented and tested. Under California law as amended by the CPRA, GPC must be honored as an opt-out signal for data sale and sharing, including sharing with Google for advertising purposes, and the California Privacy Protection Agency (CPPA) enforces these obligations.
How Lokker helps
How Lokker validates GA4 consent behavior
Lokker runs each consent flow and inspects the GA4 requests sent to Google, confirming whether Consent Mode v2 is operating correctly, what data is transmitted in modeling mode, and whether GPC signals stop full measurement.
GA4 consent state validation
Consent Validator tests GA4 across every consent state, including GPC, and reports what measurement requests fire in each state so you can confirm Consent Mode v2 is working as intended.
Explore Consent ValidatorPortfolio-wide GA4 detection and drift
Privacy Edge scans every property for GA4 and flags sites where the measurement ID appears without corresponding Consent Mode configuration, scoring each site against analytics tracker risk.
Explore Privacy EdgeExplore Lokker
Products that address Google Analytics 4 privacy risk
Each product links to its full details so you can explore features, view a demo, and understand how it applies to your Google Analytics 4 deployment.
Validation
Consent Validator
Validates GA4 Consent Mode v2 behavior across accept, reject, and GPC states.
Explore Consent ValidatorIntelligence
Privacy Edge
Detects GA4 across all properties and flags deployments without Consent Mode configuration.
Explore Privacy EdgeMarketing and Analytics
Other marketing and analytics tools
Side-by-side comparisons
Compare Google Analytics 4 against alternatives
Evaluating Google Analytics 4 alongside other options? Our comparison guides score each tool on privacy defaults, HIPAA BAA availability, GDPR data residency, GPC support, and consent compliance posture.
Privacy policy guidance
How to disclose Google Analytics 4 in your privacy policy
Our privacy policy disclosure guide explains what data Google Analytics 4 collects, how to describe it in a cookie notice or privacy policy, jurisdiction notes, and example language for discussion with counsel.
Frequently Asked Questions
Common questions about Google Analytics 4
Is Google Analytics 4 GDPR compliant?
GA4 is not GDPR-compliant by default. To use GA4 in a GDPR-compliant way, you need to implement Consent Mode v2 to adjust data collection based on user consent, configure EU data residency where available, set appropriate data retention periods, and ensure no personal data passes through event parameters or URL paths. Independent verification of what GA4 sends before and after consent is required because configuration in the GA4 interface does not guarantee network-layer compliance.
What is GA4 Consent Mode and is it enough for GDPR?
GA4 Consent Mode v2 tells GA4 whether the user has consented to analytics and advertising. When consent is denied, GA4 uses behavioral modeling to estimate conversions rather than tracking individuals. Whether this satisfies GDPR depends on your jurisdiction and interpretation: some data protection authorities have issued guidance that even modeled data creates compliance risk. Consent Mode is a necessary component but not a complete substitute for a privacy review of your full GA4 configuration.
Does Google Analytics violate GDPR?
Several European data protection authorities, including those in Austria, France, Italy, and Denmark, have found that using Google Analytics without adequate safeguards violates GDPR, primarily because GA4 sends personal data (IP addresses, cookie values) to US-based Google servers, which does not meet GDPR data transfer requirements without additional safeguards. Google's updated Consent Mode v2 and EU data residency options address some but not all of these concerns.
Next step
Validate Google Analytics 4 consent behavior across your portfolio
Lokker runs automated browser-level consent flows and scans the network layer to confirm whether Google Analytics 4 fires in states where it should not.