Google Analytics and cookie consent

Image of Iron Brands

Published on Feb 12, 2024 and edited on Aug 23, 2024 by Iron Brands

Handling consent in Google Analytics is complicated. The rules for cookie consent vary from country to country. And even when you figure out what rules apply, it can be tricky to set up Google Analytics in a compliant way.

  1. Do I need consent for cookies?
  2. Do I need consent for Google Analytics 4 as well?
  3. How do I collect consent?
  4. How do I collect consent in Google Analytics?
  5. How do I set up a “do not sell” button in Google Analytics?
  6. How do I honor do-not-track requests in Google Analytics?
  7. This all sounds needlessly complicated
  8. How do I set up a CMP correctly?
  9. How can I design a cookie banner with a good opt-in rate?
  10. What if visitors reject cookies?
  11. Final Thoughts
Logo of MichelinMichelin chose Simple AnalyticsJoin them

Here is how to get started with Google Analytics and cookie consent!

Cookie consent is a minefield, but in the EU the situation is fairly clear: the ePrivacy Directive and the GDPR require opt-in consent for cookies.

The same goes for the European Economic Area where the GDPR applies (read: all EU countries plus Iceland, Liechtenstein, and Norway) and countries with privacy laws similar to the GDPR, such as the UK and Brazil.

Other countries have more lax rules. For instance, federal US law does not require consent for cookies- but some States laws such as the CCPA have stricter rules.

It gets more confusing than that. The law sometimes requires consent in some situations, but not others. For instance, the US COPPA limits what you can do with cookies when monitoring children.

Bottom line, this is a complicated question and the answer depends on both the legislation and the scenario at hand. But for the EU, the answer is clear: Google Analytics requires consent in the EU. We also created an interactive map that provides information per country.

Yes, you do- at least in the EU. Google Analytics 4 is not a cookieless solution. It does not support third-party cookies but still uses first-party cookies that require consent under EU law.

Note that privacy-friendly website analytics tools, like Simple Analytics, do not require consent and therefore need no cookie banners.

The most practical way to collect consent is through a cookie banner. This banner must provide clear information on what the cookies are for and provide a clear and easy option to reject them.

Websites typically rely on third party software called Consent Management Platforms (CMP) to handle consent. Most CMPs are well integrated with Google Analytics, so getting them to work together is not too much of a pain.

Please note that EU consent is always, with no exception, opt-in consent. In practical terms, your visitor needs to click some sort of “yes, give me cookies” button. Giving them the option to opt-out is not enough!

  • Use a Consent Management Platform (CMP): Implement a CMP on your website. This platform will display a consent banner to users and allow them to choose their preferences regarding cookie usage and data collection.
  • Configure Your CMP: It is up to you to ensure that your CMP is set up in a GDPR-compliant way! Don't assume that the work is done just because you have a CMP. Among other things, you need to make sure that your cookie banner provides a clear option to reject cookies,and provides transparent information on cookie use
  • Configure GA4 for Consent Mode: In GA4, you can enable Consent Mode, from the GA4 property setting. Consent mode allows you to adjust how Google Analytics behaves based on the consent given by the user.
  • Modify Your GA4 Configuration: Adjust your GA4 configuration to respect the consent choices made by users. This typically involves modifying the analytics tag on your website to check for consent status before firing. For example you can set up triggers based on consent status in Google Tag Manager.
  • Test Your Implementation: Finally, make sure to test your implementation thoroughly to ensure that analytics behaves correctly based on the consent given.
  • Regularly Review and Update: Laws and regulations may change, so regularly review and update your consent management process as necessary.

Some of these steps depend on the CMP and Google Analytics integrations you use. Unfortunately, there is no script you can copy and paste. Refer to documentation from Google Analytics and your CMP to know what code you need in your specific case. However, a general rule is that your website must call the consent code before placing cookies. Otherwise, cookies will be placed regardless of user preference, which is illegal in countries that require consent.

How do I set up a “do not sell” button in Google Analytics?

Some privacy laws such as the CCPA require an opt-out option for the sale of personal information. This can be done by implementing a cookie opt-out mechanism:

  • Develop a mechanism on your website (like a button or a link in your privacy policy page) that allows users to express their wish to opt out of Google Analytics tracking.
  • Utilize Google Analytics' JavaScript API to respect this opt-out choice. When a user opts out, you can set a flag in your website's cookie or local storage to remember this preference, Modify your Google Analytics tracking code to check for this opt-out flag before sending any data.
  • Alternatively, you can use a cookie-based solution where setting a specific cookie will instruct the Google Analytics JavaScript not to send any information to Google Analytics for that user. Please notice that this solution still uses cookies: it may be non-compliant with some privacy laws and it is very, very likely to not be compliant with EU law.

Please note that opt-out mechanisms will not comply with EU law. The ePrivacy Directive requires opt-in consent!.

Finally, keep in mind that sometimes you may want to still use cookies and collect data for web analytics. In such cases, you should look to implement a mechanism that prevents data sharing rather than cookie use. This will likely need to be implemented in the software that you integrate with GA rather than in the GA script itself.

How do I honor do-not-track requests in Google Analytics?

Google Analytics does not automatically recognize do-not-track requests, which is rather infuriating. You need to roll up your sleeves and do the work yourself:

  • Detect DNT Settings: First, use JavaScript to detect if the user has enabled DNT in their browser. You can check the DNT status using navigator.doNotTrack in JavaScript, which returns 1 if DNT is enabled.
  • Conditionally Load GA4: Before initializing your GA4 tracking code, call a function to determine if DNT is enabled. If it is, skip the initialization of GA4.
  • Server-Side Handling: Alternatively, handle the DNT status on the server side. If a DNT request is detected, your server can modify the page to either not include the GA4 tracking code or to include a modified version that disables data sending.

There is no requirement to honor DNT requests for EU users, but if you want to do it anyway, we strongly suggest that you handle the DNT status-server side. Detecting DNT through JavaScript is a little iffy under the ePrivacy Directive and it is better to err on the side of caution.

This all sounds needlessly complicated

Google decided not to deal with consent management in Google Analytics, leaving it up to the customer to find a compliant CMP and figure out how to integrate it with Google Analytics.

This has some advantages: it affords the customer a lot of flexibility and gives them the option to handle consent management in-house, should they have the required know-how. On the flip side, it makes Google Analytics harder to use because no single, copy-paste code will make GA work with their CMPs and integrations of choice.

How do I set up a CMP correctly?

Using a CMP does not ensure that you are collecting valid consent. A CMP gives you the tools you need to handle consent but it is up to you to configure it correctly.

For instance, in order to comply with the GDPR, you need to:

  • explain clearly what your cookies are for
  • provide a link to your privacy policy
  • offer a clearly visible “reject” button on the first layer

Requirements may differ for other legislations. For instance, California has no opt-in consent rules, but some websites (not all! See our blog on the CCPA) are required to honor do-not-track signals and offer an opt-out option for data sales (and yes, that includes web analytics!).

Most CMPs swear that they are ready out-of-the-box and already configured to comply with certain legislations, but it is still better to be careful- some CMPs have been known to play a little fast and loose with the rules in the past.

Bottom line:

  • understand what requirements you need to comply with
  • ensure that the CMP accommodates those requirements

By breaking the law.

And no, that is not a good idea- but that's the only way to do it in the EU.

CMP vendors would have you believe that there is some secret magic formula for a GDPR compliant cookie banner with sky high opt-in rates. That’s not how it works! There are several tricks you can use to boost your opt-in rates, but they are shady at best and flat out illegal at worst.

European regulators recently took a stance on the thorny issues of cookie banner design. They stated loud and clear that many widely abused design tricks are GDPR violations.

If you want to comply with the law, don’t hide the “reject all” button in a second or third layer of your cookie notice. Don’t force the users to “customize” twenty different confusing settings, hoping that they will just get tired and just click “accept all”. Don’t hide your “reject” button with small or low-contrast fonts. Don’t offer dumb options like “save”- this is a cookie banner, not a video game.

A GDPR compliant cookie banner offers the user a visible, immediately available, clearly worded option to reject unneeded trackers. It's as simple as giving the users a big, visible "no, I do not want your cookies" button.

Of course, this kind of banner will also give you low opt-in rates. This is a feature, not a bug: if the user doesn't want to be tracked, you cannot track them. Manipulating them with obscure, deceptive UIs won't fly with EU regulators.

You can learn more about website analytics without cookies here.

What if visitors reject cookies?

You web analytics performance suffers- no way around it.

The data gap from cookie rejection is quite significant and impactful for analytics accuracy. Google Analytics can also collect data in other ways but cookies are how it pieces all the data together to figure out the user journey and collect vital metrics like unique visitors.

Final Thoughts

TL;DR: there is a trade-off between GDPR compliance and opt-in rates. There is no clever way around it.

Setting up Google Analytics is more complicated than it needs to be and can be quite burdensome for smaller organizations. GA also suffers from a significant data gap due to cookie rejection.

Simple Analytics is a more intuitive and privacy-friendly solution! You can install it and configure it with a few lines of code. With its intuitive UI and built-in AI assistant, you can get started in no time.

We are also proud that our product is privacy friendly and GDPR compliant! We give you all the insights we need without collecting personal data. This policy respects the user's privacy and prevents any compliance headache!

If this sounds good to you, feel free to give us a try!

GA4 is complex. Try Simple Analytics

GA4 is like sitting in an airplane cockpit without a pilot license

Start 14-day trial