Disclosure Guide

How to disclose Google Analytics 4 in your privacy policy

Google Analytics 4 is one of the most widely deployed analytics tools on the web. Getting the disclosure right means accurately describing what data GA4 collects, why it is used, and how visitors can control it. It also means verifying the full stack from the outside: whether GA4 loads only through your CMP and tag manager, whether those tools listen to the consent signal, and whether anything still reaches Google when the visitor opts out. A correct-looking GA4 or Consent Mode setting inside a vendor dashboard is not the same as proof on the live site.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data Google Analytics 4 typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • IP address (typically anonymized or truncated)

  • Unique client identifier stored in the _ga cookie

  • Page URLs and navigation paths

  • Event data including scroll depth, clicks, form interactions, and purchases

  • Device type, browser, operating system, and screen resolution

  • Approximate geographic location derived from IP

  • Session duration, bounce rate, and engagement metrics

  • Google Signals data when enabled (cross-device linking for signed-in Google users)

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with Google Analytics 4.

  • Website analytics and performance measurement

  • Understanding visitor behavior and content engagement

  • Improving site usability and content strategy

  • Conversion tracking and campaign attribution

  • Aggregate audience reporting

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

Under the CCPA and CPRA, GA4 data sharing with Google for cross-context behavioral advertising may constitute a "sale" or "sharing" of personal information. If Google Signals or advertising features are enabled, your policy should describe the opt-out right and your obligation to honor GPC signals. California residents must be able to opt out of sale and sharing.

EU and UK (GDPR)

Under the GDPR and ePrivacy Directive, GA4 requires a valid legal basis. Most sites use consent, which means GA4 must not fire before an explicit opt-in from visitors in the EU and UK. Your policy must identify Google Ireland Limited as a data processor or controller (depending on configuration), state the legal basis, and reference the data transfer mechanism (Standard Contractual Clauses) for data routed to Google US infrastructure.

Sector-specific (Healthcare)

Healthcare organizations subject to HIPAA should review whether GA4 is deployed on patient-facing pages. The HHS OCR guidance issued in 2022 and updated in 2024 clarified that tracking pixels on healthcare websites may constitute impermissible disclosures of PHI. A HIPAA-compliant proxy such as Freshpaint may be needed before GA4 can be used on patient-facing properties.

Example language

Illustrative policy language for Google Analytics 4

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Cookie or analytics table row

Google Analytics 4 (Google LLC): Measures website traffic, page engagement, and conversion events. Stores a unique visitor identifier in the _ga cookie. Data is processed by Google Ireland Limited and may be transferred to Google LLC in the United States under Standard Contractual Clauses. Retention: 13 months by default.

Full third-party disclosure paragraph

We use Google Analytics 4, provided by Google LLC ("Google"), to analyze how visitors interact with this website. Google Analytics 4 uses cookies and other tracking technologies to collect information about your visits, including pages viewed, time spent, scroll depth, and click events. This information is used to compile reports about website activity and to help us improve the website. The data collected is processed by Google on our behalf and may be transferred to and stored on Google servers in the United States. We have configured Google Analytics 4 to anonymize IP addresses before transmission where technically supported. If you are located in a jurisdiction where consent is required before analytics processing, Google Analytics 4 will only run after you have provided explicit consent through our consent management platform. You may opt out of Google Analytics tracking at any time by using the Google Analytics Opt-out Browser Add-on or by adjusting your preferences in our consent center.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for Google Analytics 4.

  1. Assign GA4 to the "Analytics" or "Performance" consent category in your CMP, not "Strictly Necessary" or "Functional."

  2. Configure Google Consent Mode v2 if you use Google properties, and confirm your CMP sends ad_storage, analytics_storage, ad_user_data, and ad_personalization correctly in every state. Do not treat Consent Mode alone as opt-out enforcement: in reject and GPC states, your tag manager should prevent GA4 and related Google tags from loading, not only send denied signals while scripts still run.

  3. In opt-in markets (EU, UK), verify that no requests reach Google endpoints in the no-interaction or reject state by running Lokker Consent Validator across those consent flows.

  4. If Google Signals is enabled, the advertising and targeting consent category must also be required before GA4 activates, not just analytics consent.

  5. In California, if advertising features are enabled, your tag manager rule should block GA4 advertising features when GPC is detected or when the visitor has opted out of sale and sharing.

  6. Do not rely on GA4 admin or Google's Consent Mode documentation alone. Test whether GA4 is deployed only via your intended CMP and tag manager path, and whether that path stops on reject and GPC in a real browser session.
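The gating rules from the checklist above, written out as an added JavaScript example (this is not Lokker's or Google's code). The four Consent Mode v2 parameters and the gtag('consent', 'default' | 'update', ...) commands are Google's documented ones; the CMP decision shape { analytics, advertising }, the advertisingFeatures site flag, and the planConsentFlow/shouldLoadGa4 helper names are assumptions made for this example. In a real browser the gpc argument would come from navigator.globalPrivacyControl.

```javascript
// Added example, not Lokker's or Google's code. Models the consent gating the
// checklist describes: Consent Mode v2 signals plus a tag-manager firing rule.
// Assumed shapes: CMP decision = { analytics: bool, advertising: bool } (null
// before any interaction); config.advertisingFeatures = true when Google Signals
// or other GA4 advertising features are enabled on the property.

const CONSENT_MODE_V2_KEYS = [
  'ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization',
];

// Default state sent before the CMP has recorded anything: everything denied.
function defaultConsentSignals() {
  return Object.fromEntries(CONSENT_MODE_V2_KEYS.map((key) => [key, 'denied']));
}

// Translate the CMP categories into the Consent Mode v2 update payload.
// gpc is navigator.globalPrivacyControl in a real browser; it overrides any
// stored advertising consent (the visitor has opted out of sale and sharing).
function consentSignalsFor(decision, gpc) {
  if (!decision) return defaultConsentSignals();
  const adsAllowed = Boolean(decision.advertising) && !gpc;
  return {
    analytics_storage: decision.analytics ? 'granted' : 'denied',
    ad_storage: adsAllowed ? 'granted' : 'denied',
    ad_user_data: adsAllowed ? 'granted' : 'denied',
    ad_personalization: adsAllowed ? 'granted' : 'denied',
  };
}

// Firing rule for the GA4 tag itself. Denied signals are not enforcement: on
// no-interaction, reject, or (with advertising features on) GPC, the tag does
// not load at all, so no request can leave the browser.
function shouldLoadGa4(decision, gpc, config) {
  if (!decision) return false;                 // no decision recorded yet (item 3)
  if (!decision.analytics) return false;       // analytics declined (item 2)
  const adsAllowed = Boolean(decision.advertising) && !gpc;
  if (config.advertisingFeatures && !adsAllowed) return false; // items 4 and 5
  return true;
}

// Produce the ordered gtag consent commands and the load decision. Commands are
// returned rather than executed so the logic can be tested outside a browser;
// in a page each entry would be issued as gtag(...args).
function planConsentFlow(decision, gpc, config) {
  const commands = [['consent', 'default', defaultConsentSignals()]];
  if (decision) commands.push(['consent', 'update', consentSignalsFor(decision, gpc)]);
  return { commands, loadGa4: shouldLoadGa4(decision, gpc, config) };
}

// Walk the states the page says to test: accept, reject, no-interaction, GPC.
// Returns whether the GA4 tag would load in each, for a property with Signals on.
function demo() {
  const config = { advertisingFeatures: true };
  const states = {
    accept: [{ analytics: true, advertising: true }, false],
    reject: [{ analytics: false, advertising: false }, false],
    noInteraction: [null, false],
    acceptWithGpc: [{ analytics: true, advertising: true }, true],
  };
  return Object.fromEntries(
    Object.entries(states).map(([name, [decision, gpc]]) => [
      name,
      planConsentFlow(decision, gpc, config).loadGa4,
    ]),
  );
}
```

The point of keeping shouldLoadGa4 separate from consentSignalsFor is the one the checklist makes: the update payload is what Google is told, while the firing rule is what stops the script from loading. A tag manager that only does the former still runs GA4 in the reject state.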

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between Google Analytics 4 privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Many policies state that Consent Mode v2 ensures GA4 does not collect data when visitors decline analytics consent.

  • Policies typically describe GA4 as collecting usage and technical data, without disclosing Google Signals or cross-device linking.

  • Policies state that visitors can opt out of analytics via the site's consent center.

  • Policies describe GA4 as consent-gated, implying it loads only after the visitor accepts analytics cookies.

  • Teams review compliance inside Google Analytics or the Consent Mode dashboard and conclude everything is correctly configured.

What Lokker validates

  • In Advanced Consent Mode, GA4 may still send cookieless pings to Google on reject. Lokker checks whether any GA4 or Google measurement endpoint is contacted after the visitor declines, not just whether the Consent Mode flags are set.

  • When Google Signals is enabled, behavioral data is associated with signed-in Google users across devices. Lokker detects Signals-related endpoint calls and flags whether the policy omits this material processing activity.

  • Lokker runs an automated reject flow and checks whether any GA4 network request still occurs. A preference recorded in the CMP is not the same as technical enforcement at the network layer.

  • If GA4 initializes before the CMP has recorded a decision, data is collected before consent is possible. Lokker tests the first-visit timing window to detect pre-consent tag firing.

  • Each vendor console shows its own settings, not end-to-end behavior. Lokker validates the full chain: CMP decision, tag manager firing rule, and GA4 network call, observed from the browser outward as one system.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether Google Analytics 4 loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
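The network-layer check described in this section, as an added JavaScript example; it is not Lokker's tooling. It takes the request URLs captured from a reject-state browser session and flags any that reach Google measurement endpoints. The hostnames are the ones commonly seen for GA4 hit collection (including the region1 EU host), the gtag loader and Google Signals traffic, and the gcs query parameter is Google's documented consent-state encoding on GA4 hits; the request list in sampleRejectFlow() is constructed with placeholder ids, not a real capture.

```javascript
// Added example, not Lokker's tooling. Audits the URLs captured from a
// reject-state browser session and flags any that reach Google measurement
// endpoints. Hostnames are the ones commonly observed for GA4, the gtag loader
// and Google Signals; the request list in sampleRejectFlow() is constructed.

const GOOGLE_ENDPOINT_RULES = [
  // GA4 hit collection, including the EU regional host (region1.google-analytics.com)
  { host: /(^|\.)google-analytics\.com$/, kind: 'ga4_collect' },
  { host: /^analytics\.google\.com$/, kind: 'ga4_collect' },
  // GA4/gtag loader script; the GTM container itself (gtm.js) is handled separately
  { host: /^www\.googletagmanager\.com$/, kind: 'gtag_loader' },
  // Google Signals / advertising feature traffic
  { host: /(^|\.)doubleclick\.net$/, kind: 'ads_or_signals' },
];

// Decode the gcs parameter GA4 appends to hits: "G1" + ad_storage digit +
// analytics_storage digit, 1 = granted, 0 = denied. G100 marks a hit sent with
// both denied, i.e. the cookieless ping of advanced Consent Mode.
function decodeGcs(value) {
  const match = /^G1([01])([01])$/.exec(value || '');
  if (!match) return null;
  const flag = (digit) => (digit === '1' ? 'granted' : 'denied');
  return { ad_storage: flag(match[1]), analytics_storage: flag(match[2]) };
}

// Classify one captured request. Returns null for non-Google hosts.
function classifyRequest(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not a well-formed URL; nothing to audit
  }
  // The tag manager container may load pre-consent; the tags inside it must not.
  if (url.hostname === 'www.googletagmanager.com' && url.pathname === '/gtm.js') {
    return { url: rawUrl, kind: 'gtm_container', consent: null, cookielessPing: false, violation: false };
  }
  const rule = GOOGLE_ENDPOINT_RULES.find((r) => r.host.test(url.hostname));
  if (!rule) return null;
  const consent = decodeGcs(url.searchParams.get('gcs'));
  const cookielessPing =
    rule.kind === 'ga4_collect' && consent !== null && consent.analytics_storage === 'denied';
  return { url: rawUrl, kind: rule.kind, consent, cookielessPing, violation: true };
}

// Any Google measurement request in a reject flow contradicts a policy that says
// GA4 does not collect data after the visitor declines, whatever the gcs flags say.
function auditRejectFlow(requestUrls) {
  const findings = requestUrls.map(classifyRequest).filter((f) => f && f.violation);
  return { passed: findings.length === 0, findings };
}

// Constructed capture, not a real site: the GTM container loads, the CMP script
// loads, then on reject the GA4 loader still fires, a G100 cookieless ping leaves,
// and a Signals endpoint is contacted. Ids are placeholders.
function sampleRejectFlow() {
  return [
    'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER',
    'https://cdn.cmp.example/consent.js',
    'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER',
    'https://region1.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&gcs=G100&en=page_view',
    'https://stats.g.doubleclick.net/g/collect?v=2&tid=G-PLACEHOLDER',
  ];
}
```

Run auditRejectFlow over the URLs captured from a real reject-state session (browser devtools HAR export or a headless browser's request log); the sample above fails with three findings, and the decoded gcs on the collect hit shows why a "denied" signal is not the same as no request. The same function applied to the no-interaction and GPC captures gives the other two states the section names.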

Questions

Google Analytics 4 privacy policy FAQ

Does Google Analytics 4 use cookies?

Yes. GA4 primarily uses the _ga cookie to store a unique visitor identifier, along with _gid and _ga_{property-id} cookies depending on configuration. These are first-party cookies set on your domain, but the data is sent to Google servers. When Google Signals is enabled, GA4 may also link data to a visitor's Google account using third-party signals.

Do I need consent before loading GA4 in the EU?

Yes. Under the GDPR and national implementations of the ePrivacy Directive, GA4 requires prior informed consent from EU and UK visitors before it may run. The technical implementation of that consent must be validated: policies stating that GA4 is consent-gated are not sufficient if the tag fires before the CMP has recorded an opt-in decision.

What is Google Consent Mode v2 and do I need to disclose it?

Google Consent Mode v2 is a framework that tells GA4 and Google Ads how to behave based on consent signals your CMP sends (analytics_storage, ad_storage, ad_user_data, ad_personalization). Configuring it is worthwhile, but it is not a substitute for blocking Google tags when the visitor opts out. In advanced Consent Mode, GA4 may still send cookieless pings to Google on reject, and Google may use behavioral modeling to fill conversion gaps. If you use that mode, your privacy policy should describe it accurately and your data processing agreement with Google should cover modeled conversions. In practice, regulators, auditors, and plaintiffs often look at network traffic first: if they still see requests to Google after opt-out, they may not pause to verify that Consent Mode was configured correctly. The stronger operational position is to configure Consent Mode where it helps, and also gate GA4 in your CMP and tag manager so those scripts do not load in reject and GPC states. Validate both the signals Google receives and whether any Google endpoint is contacted when the visitor has refused analytics.

Can GA4 fire without cookies using cookieless measurement?

Yes. Google has added cookieless measurement features to GA4. In server-side tagging and certain configurations, GA4 can collect behavioral data without setting cookies by using device fingerprinting or server-side identification. Your policy should reflect actual measurement behavior, not just cookie-based tracking, if cookieless or server-side GA4 is in use.

Does GA4 count as a sale or sharing of personal information under the CCPA?

If GA4 advertising features or Google Signals are enabled, and data is used for cross-context behavioral advertising, California regulators may treat this as a "sale" or "sharing" under the CPRA. Your policy must provide opt-out rights, and your CMP and tag manager must technically honor those rights, including when a GPC signal is detected.

Is it enough to verify GA4 inside Google Analytics or Consent Mode settings?

No. Those consoles show how Google expects to behave when signals are received, not whether your site sends the right signals or blocks the tag on opt-out. You still need to confirm that GA4 is introduced through your CMP and tag manager, that firing rules listen to consent, and that no Google endpoint is contacted after reject or GPC. That requires holistic testing from the visitor's browser, which is what Lokker Consent Validator is built for.

Validate technical compliance

Confirm that Google Analytics 4 fires only when it should

Confirm that GA4 and Google Consent Mode behave the way your policy describes, not just the way the Google dashboard claims.