ConsentMark
Free Scan
Google Analytics (GA4) logo
AnalyticsHigh complexity

Google Analytics (GA4)

by Google

All product names, logos, and trademarks are the property of their respective owners. Their inclusion here is for identification purposes only and does not imply endorsement by Obscurity Ltd.

Sets cookies
Yes
Sends PII
No
Cross-site tracking
No
Consent required
Analytics
Transfer mechanism
EU-US Data Privacy Framework
Cookies
_ga_ga_XXXXX

Overview

Google's event-based web and app analytics platform, replacing Universal Analytics since July 2023. Collects page views, scrolls, clicks, and custom events, sending measurement payloads to Google servers for reporting and audience building. Present on over 70% of the top million sites and deeply integrated with Google Ads and BigQuery.

Detection capabilities

Signature count
5
Detection methods
network
Property types
hostnameparampathname

Consent Mode v2

Consent Mode v2

Google Consent Mode v2 signal requirements for this tag.

analytics_storagerequired
ad_storagenot used
ad_user_datanot used
ad_personalizationnot used

Performance impact

Performance Impact

Script size
45 KB
Requests per page
4

Common mistakes

  • 1Firing GA4 before obtaining valid consent on EU/UK domains - the most common violation found in governance audits
  • 2Not enabling Consent Mode v2, preventing cookieless ping mode when consent is denied
  • 3Leaving the default 14-month data retention unchanged when policy requires shorter retention
  • 4Failing to disable Google Signals when cross-device tracking is not needed - Signals shares data with Google's ad network
  • 5Configuring cross-domain measurement without understanding that it exposes the client ID via the _gl linker parameter

Compliance considerations

Sets first-party cookies (_ga, _ga_XXXXX) and sends measurement data to Google servers in the United States.

Consent: Explicit consent typically required under GDPR/ePrivacy before firing on EU/UK sites. Multiple DPAs have issued enforcement decisions - Austrian DSB (Dec 2021) and French CNIL (Feb 2022) found standard implementations transferred personal data without adequate safeguards.

International transfers: EU-US Data Privacy Framework (July 2023) provides a legal basis - verify your Google entity's DPF self-certification.

Consent Mode v2: Allows cookieless pings when consent is denied, but these may still constitute personal data processing in some jurisdictions.

Configuration: Ensure your CMP blocks the tag until analytics consent is granted. Review data retention, IP anonymisation, and Google Signals settings against your DPIA.

Related services

Amplitude

amplitude

AnalyticsLow risk

1 detection signature

Azure Application Insights

azure-application-insights

AnalyticsMedium risk

3 detection signatures

Cloudflare Analytics

cloudflare-analytics

AnalyticsLow risk

2 detection signatures

Contentsquare

contentsquare

AnalyticsLow risk

1 detection signature

Scan your site for Google

Run a free Consentmark scan to see how Google is loading on your site, whether it respects consent, and where governance gaps exist across your wider tag estate.

Start a free scan