Google Analytics and cookie consent


Published on Feb 12, 2024 and edited on Apr 16, 2024 by Iron Brands

Handling consent in Google Analytics is complicated. The rules for cookie consent vary from country to country. And even when you figure out what rules apply, it can be tricky to set up Google Analytics in a compliant way.

  1. Do I need consent for cookies?
  2. Do I need consent for Google Analytics 4 as well?
  3. How do I collect consent?
  4. How do I collect consent in Google Analytics?
  5. How do I set up a “do not sell” button in Google Analytics?
  6. How do I honor do-not-track requests in Google Analytics?
  7. This all sounds needlessly complicated
  8. How do I set up a CMP correctly?
  9. How can I design a cookie banner with a good opt-in rate?
  10. Final Thoughts

Here is how to get started with Google Analytics and cookie consent!

Do I need consent for cookies?

Cookie consent is a minefield, but in the EU the situation is fairly clear: the ePrivacy Directive and the GDPR require *opt-in consent for non-essential cookies*, and analytics cookies are not essential.

The same goes for the European Economic Area, because the GDPR also applies to EEA members (read: all EU countries plus Iceland, Liechtenstein, and Norway). This is also the case for countries such as the UK and Brazil, because their privacy laws closely align with the GDPR.

Other countries have more lax rules: for instance, there is no general opt-in or opt-out consent requirement in US federal law, although state laws sometimes impose one. For instance, the CCPA mandates an opt-out option, but only for businesses that meet its thresholds.

It gets more confusing than that, because the law sometimes requires consent in some situations, but not others. For instance, the US COPPA limits what you can do with cookies when tracking children under 13.

Bottom line, this is a complicated question and the answer depends on both the legislation and the scenario at hand. But for the EU, the answer is clear: Google Analytics requires consent in the EU. We also created an interactive map that provides information per country.

Do I need consent for Google Analytics 4 as well?

Yes, you do, at least in the EU. Google Analytics 4 is not a cookieless solution. It no longer relies on third-party cookies, but it still sets first-party cookies (such as `_ga`) that require consent under EU law.

Note that privacy-friendly website analytics tools, like Simple Analytics, do not require consent and therefore no cookie banner is needed.

How do I collect consent?

The most practical way to collect consent is through a cookie banner. This banner must explain clearly what the cookies are for and offer a clear and easy option to reject them.

Websites typically rely on third-party software called a Consent Management Platform (CMP) to handle consent. Luckily, most CMPs integrate with Google Analytics, so getting them to work together is not too much of a pain.

Please note that EU consent is always, with no exception, opt-in consent. In practical terms, your visitor needs to click some sort of “yes, give me cookies” button. Giving them the option to opt out is not enough!

How do I collect consent in Google Analytics?

  1. Use a Consent Management Platform (CMP): implement a CMP on your website. It displays the consent banner and records the visitor's choice for each category of cookies and data collection.
  2. Configure your CMP: it is up to you to ensure that the CMP is set up in a GDPR-compliant way! Don't assume that the work is done just because you have a CMP. Among other things, the banner must offer a clear option to reject cookies and explain transparently what they are used for.
  3. Configure GA4 for Consent Mode: Consent Mode lets Google tags adjust their behaviour to the consent the visitor has given. It is configured in your tag code (gtag.js or Google Tag Manager), not in the GA4 property settings: the tag is given a default consent state (normally “denied”) before anything else runs, and an update once the visitor makes a choice. Note that in “advanced” Consent Mode the Google tag still loads and sends cookieless pings while consent is denied; if nothing at all should be sent before the visitor opts in, use the “basic” setup, where the tags are not loaded until consent is given.
  4. Modify your GA4 configuration: make your tags respect the choices made. In practice the analytics tag checks the consent status before it fires; in Google Tag Manager, for example, the CMP tag runs on the Consent Initialization trigger and the GA4 tag carries consent settings that block it until the relevant category is granted.
  5. Test your implementation: verify in the browser's developer tools that no `_ga` cookies are set and no normal collection requests go to Google before the visitor opts in (with advanced Consent Mode you will still see cookieless pings), and that collection starts after opting in.
  6. Regularly review and update: laws, regulations and Google's own requirements change, so review your consent setup periodically.

Step 4 depends on the CMP and Google Analytics integration you use, so there is no single script you can copy and paste. Refer to documentation from Google Analytics and your CMP to know what code you need in your specific case. However, a general rule is that the default consent state must be set before any Google tag loads and before any cookie is placed. Otherwise, cookies will be placed regardless of user preference, which is illegal in some countries.
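The boot sequence the steps above describe, as an added example that is not code from the original post, from Google or from any CMP: the consent default is queued first, the tag is configured, and the CMP's choice is translated into a consent update. The measurement ID `G-XXXXXXXXXX`, the CMP output shape `{ analytics, marketing }` and the `updateConsentFromCmp` callback name are assumptions; real CMPs expose their own category names and callbacks. The `dataLayer` is a plain array here so the code runs under Node as well as in a page.

```javascript
// Added example (not from the original post): Consent Mode v2 wiring for GA4.
// G-XXXXXXXXXX is a placeholder measurement ID.

// Standard Google tag shim. gtag.js expects the Arguments object itself on the
// dataLayer, so push `arguments` rather than a copied array.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); }

const MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder

// Consent Mode v2 signals, all denied until the visitor opts in.
// wait_for_update gives the CMP 500 ms to replay a stored choice before tags fire.
const DEFAULT_CONSENT = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  wait_for_update: 500,
};

// Must run before gtag('config', ...) and before the gtag.js <script> loads.
function setDefaultConsent(overrides = {}) {
  gtag('consent', 'default', { ...DEFAULT_CONSENT, ...overrides });
}

// Called by the CMP when the visitor makes a choice. `categories` is the
// assumed CMP output, e.g. { analytics: true, marketing: false }; the mapping
// to Google's signals differs per CMP and is an assumption here.
function updateConsentFromCmp(categories) {
  const update = {
    analytics_storage: categories.analytics ? 'granted' : 'denied',
    ad_storage: categories.marketing ? 'granted' : 'denied',
    ad_user_data: categories.marketing ? 'granted' : 'denied',
    ad_personalization: categories.marketing ? 'granted' : 'denied',
  };
  gtag('consent', 'update', update);
  return update;
}

// The check a reviewer wants: the consent default must precede any config
// command, otherwise the tag initialises (and sets cookies) before the choice.
function verifyConsentOrdering(layer) {
  const firstDefault = layer.findIndex(c => c[0] === 'consent' && c[1] === 'default');
  const firstConfig = layer.findIndex(c => c[0] === 'config');
  if (firstDefault === -1) return { ok: false, reason: 'no consent default queued' };
  if (firstConfig !== -1 && firstConfig < firstDefault) {
    return { ok: false, reason: 'config queued before consent default' };
  }
  return { ok: true, reason: '' };
}

// Page boot in the intended order. In a real page the CMP invokes
// updateConsentFromCmp asynchronously; here the choice is passed in directly.
function bootAnalytics(cmpChoice) {
  setDefaultConsent();
  gtag('js', new Date());
  gtag('config', MEASUREMENT_ID);
  if (cmpChoice) updateConsentFromCmp(cmpChoice);
  return verifyConsentOrdering(globalThis.dataLayer);
}
```

In a page, `setDefaultConsent()` belongs in an inline `<script>` placed above the `gtag.js` (or GTM container) snippet in the `<head>`; if it runs after the tag has loaded, the default is ignored and `_ga` cookies appear before the visitor has answered the banner.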

How do I set up a “do not sell” button in Google Analytics?

Some privacy laws such as the CCPA require an opt-out option for the sale or sharing of personal information. Here is how you can implement an opt-out option:

  • Develop a mechanism on your website (like a “Do Not Sell or Share My Personal Information” link in the footer or on your privacy policy page) that allows users to express their wish to opt out of Google Analytics tracking.
  • Use the opt-out hook in Google's tag to honor this choice. The Google tag checks a window property named `ga-disable-<MEASUREMENT_ID>` when it initialises; if it is `true`, no data is sent for that visitor. When a user opts out, store a flag in a first-party cookie or in local storage to remember the preference, and set that property on every page load before the tag loads.
  • Alternatively, keep it purely cookie-based: a small script that runs before the tag reads the opt-out cookie and, if it is present, sets the `ga-disable` property so the Google Analytics JavaScript sends nothing for that user.

Needless to say, you need to make sure that this solution works with any CMP or GA integration you might be using.

Again, this will not comply with EU law. The GDPR and the ePrivacy Directive require opt-in consent!
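The opt-out mechanism described in the list above, as an added example that is not code from the original post or from Google: the choice is remembered in a first-party cookie and, on every page load, turned into the documented `ga-disable-<MEASUREMENT_ID>` flag before the tag runs. The measurement ID `G-XXXXXXXXXX`, the cookie name `ga_opt_out` and the one-year lifetime are assumptions. The functions take the cookie string and a target object as parameters so they run under Node as well as against `document.cookie` and `window`.

```javascript
// Added example (not from the original post): "Do Not Sell" opt-out for GA4.
// Measurement ID, cookie name and lifetime are placeholders/assumptions.

const MEASUREMENT_ID = 'G-XXXXXXXXXX';   // placeholder
const OPT_OUT_COOKIE = 'ga_opt_out';     // assumed cookie name
const ONE_YEAR_SECONDS = 60 * 60 * 24 * 365;

// Parse a Cookie header / document.cookie string into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

function isOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// Set-Cookie value for the opt-out choice. Secure and SameSite=Lax keep the
// flag off plain-http and cross-site requests; it holds no personal data.
function optOutCookieValue() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${ONE_YEAR_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

// Must run before gtag.js loads: the tag reads ga-disable-<ID> at initialisation.
// Returns true when the visitor is opted out and the flag was set.
function applyOptOut(cookieString, target) {
  const key = `ga-disable-${MEASUREMENT_ID}`;
  if (isOptedOut(cookieString)) {
    target[key] = true;
    return true;
  }
  delete target[key];
  return false;
}

// Click handler for the "Do Not Sell or Share My Personal Information" link.
// In a browser call it as handleDoNotSellClick(document, window).
function handleDoNotSellClick(doc, win) {
  doc.cookie = optOutCookieValue();
  return applyOptOut(doc.cookie, win);
}
```

Because the `ga-disable` property is only consulted when the tag initialises, the script that calls `applyOptOut(document.cookie, window)` must be placed above the `gtag.js` snippet; setting the flag after the tag has loaded has no effect on the current page view. The same check has to run inside whatever CMP or GTM setup you use, or the two mechanisms will disagree.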

How do I honor do-not-track requests in Google Analytics?

Google Analytics does not automatically recognize do-not-track requests, which is rather infuriating. So, you need to roll up your sleeves and do the work yourself:

  • Detect DNT settings: first, use JavaScript to detect whether the user has enabled DNT in their browser. The status is exposed as navigator.doNotTrack, which is the string "1" when DNT is enabled (older browsers used "yes", or exposed it as window.doNotTrack or navigator.msDoNotTrack instead).
  • Conditionally load GA4: before initializing your GA4 tracking code, call a function that determines whether DNT is enabled. If it is, skip the initialization of GA4 entirely.
  • Server-side handling: alternatively, handle the DNT status on the server side. The browser sends the preference as a "DNT: 1" request header, so your server can render the page without the GA4 tracking code, or with a version that disables data sending.

There is no requirement to honor DNT requests for EU users, but if you want to do it anyway, we strongly suggest that you handle the DNT status server-side. Detecting DNT through JavaScript is a little iffy under the ePrivacy Directive and it is better to err on the side of caution.
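Both detection paths from the list above, as an added example that is not code from the original post or from Google. It goes slightly beyond the text by treating the Global Privacy Control signal (a boolean `navigator.globalPrivacyControl` in the browser, a `Sec-GPC: 1` request header on the server) the same way as DNT, since GPC is the successor signal and the one California's regulations recognise. The functions take the navigator/window object or the request headers as parameters so they run under Node; the measurement ID `G-XXXXXXXXXX` is a placeholder.

```javascript
// Added example (not from the original post): honoring DNT and GPC signals,
// client-side and server-side. G-XXXXXXXXXX is a placeholder measurement ID.

// Browser side. navigator.doNotTrack is "1" when enabled ("unspecified" or null
// otherwise); older Firefox used "yes" and old IE/Edge exposed the value as
// window.doNotTrack or navigator.msDoNotTrack.
function dntEnabled(nav, win) {
  const raw = (nav && (nav.doNotTrack ?? nav.msDoNotTrack)) ?? (win && win.doNotTrack);
  return raw === '1' || raw === 'yes' || raw === 1;
}

// Global Privacy Control: a boolean on navigator in supporting browsers.
function gpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether the GA4 tag may be initialised for this visitor.
// In a page: if (shouldLoadGa4(navigator, window)) { /* inject gtag.js */ }
function shouldLoadGa4(nav, win) {
  return !dntEnabled(nav, win) && !gpcEnabled(nav);
}

// Server side: the same preferences arrive as "DNT: 1" and "Sec-GPC: 1".
// Header names are case-insensitive, so normalise before comparing.
function requestOptsOut(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = String(v).trim();
  return h['dnt'] === '1' || h['sec-gpc'] === '1';
}

// Render the analytics snippet only when the request carries no opt-out signal,
// so an opted-out visitor never receives the tag at all.
function renderAnalyticsSnippet(headers, measurementId = 'G-XXXXXXXXXX') {
  if (requestOptsOut(headers)) return '';
  return `<script async src="https://www.googletagmanager.com/gtag/js?id=${measurementId}"></script>`;
}
```

If the page is cached by a CDN, the server-side variant needs `Vary: DNT, Sec-GPC` (or the decision moved to the edge), otherwise one visitor's rendered page is served to everyone. Browser vendors have been retiring the DNT setting in favour of GPC, which is another reason to check both signals.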

This all sounds needlessly complicated

Google does not ship a consent banner with Google Analytics. Consent Mode only tells the tag what to do with a choice collected elsewhere, so it is up to the customer to find a compliant CMP and figure out how to integrate it with Google Analytics.

This has some advantages: it affords the customer a lot of flexibility and gives them the option to handle consent management in-house, should they have the required know-how. On the flip side, it makes Google Analytics harder to use, because no single copy-and-paste snippet will make GA work with the CMP and integrations of their choice.

How do I set up a CMP correctly?

Please keep in mind that using a CMP does not ensure that you are collecting valid consent. A CMP gives you the tools you need to handle consent, but it is up to you to configure it correctly.

For instance, in order to comply with the GDPR, you need to:

  • explain clearly what your cookies are for
  • provide a link to your privacy policy
  • offer a clearly visible “reject” button on the first layer

Requirements may differ for other legislations. For instance, California has no opt-in consent rules, but some websites (not all! See our blog) are required to honor browser opt-out signals such as Global Privacy Control and to offer an opt-out option for data sales and sharing (and yes, that includes web analytics!).

Most CMPs swear that they are ready out of the box and already configured to comply with certain legislations, but it is still better to be careful: some CMPs have been known to play a little fast and loose with the rules in the past.

Bottom line:

  • understand what requirements you need to comply with
  • ensure that the CMP accommodates those requirements

How can I design a cookie banner with a good opt-in rate?

By breaking the law, simple as that.

CMP vendors would have you believe that there is some secret magic formula for a GDPR compliant cookie banner with sky high opt-in rates, but that’s not how it works. There are several tricks you can use to boost your opt-in rates, but they are shady at best and flat out illegal at worst.

European regulators took a stance on the thorny issues of cookie banner design and clarified that many widely abused design tricks are GDPR violations. If you want to comply with the law, don’t hide the “reject all” button in a second or third layer of your cookie notice. Don’t force the users to “customize” their preferences so that you can throw twenty different settings at them, hoping that they will get tired and just click “accept all”. Don’t hide your “reject” button with small or low-contrast fonts and don’t offer dumb options like “save”.

A GDPR compliant cookie banner offers the user a visible, immediately available, clearly worded option to reject unneeded trackers. This kind of banner will also give you low opt-in rates because people do not like being tracked. Learn more about website analytics without cookies here.

Final Thoughts

TL;DR: there is a trade-off between GDPR compliance and opt-in rates. There is no clever way around it.

Setting up Google Analytics is more complicated than it needs to be and can be quite burdensome for smaller organizations. Simple Analytics is a more intuitive and privacy-friendly solution! You can install it and configure it with a few lines of code. With its intuitive UI and built-in AI assistant, you can get started in no time.

We are also proud that our product is privacy friendly and GDPR compliant! We give you all the insights you need without collecting personal data. This approach respects the user's privacy and prevents any compliance headache.

If this sounds good to you, feel free to give us a try!
