What You Will Learn
- What GDPR requires for analytics — the legal basis for processing and consent requirements
- Which analytics activities require explicit consent vs which have a legitimate interest basis
- What a Consent Management Platform does and how to select one that is GA4-compatible
- How Google Consent Mode v2 works technically — and what it does with non-consenting users
- The measurement gaps created by low consent rates and how large they can be
- What server-side tagging is and how it helps with both privacy compliance and data quality
- First-party data strategies that reduce dependence on third-party cookies
- What Google's Privacy Sandbox is and which APIs replace specific tracking capabilities
- How CCPA and UK GDPR differ from EU GDPR in their analytics implications
- A practical privacy-aware measurement framework for maintaining data quality
GDPR and Analytics
The General Data Protection Regulation (GDPR), in force since 25 May 2018 and enforced by the national data protection authorities of the EU and EEA states, applies to any processing of personal data about individuals in the EU/EEA, including the personal data processed by analytics tools. The client ID stored in the GA4 _ga cookie, identifiers used for cross-device tracking, and the IP addresses GA4 receives for geographic reporting can all constitute personal data under GDPR's broad definition, because each can single out an individual even without naming them.
GDPR requires a legal basis for processing personal data. For analytics, the two most commonly invoked bases are Consent (Article 6(1)(a)) and Legitimate Interests (Article 6(1)(f)). Two separate questions have to be answered, and they are often conflated. First, storing or reading anything on the user's device (cookies, localStorage, fingerprinting) falls under Article 5(3) of the ePrivacy Directive (PECR regulation 6 in the UK), which requires consent unless the storage is strictly necessary to deliver a service the user asked for; analytics is not treated as strictly necessary. Second, the processing of the resulting personal data needs a GDPR Article 6 basis. Which basis is appropriate depends on the specific processing activity:
- Consent is required for: setting analytics cookies that persist across sessions; cross-site tracking; linking analytics data to identifiable user profiles; any processing that enables re-identification of users from analytics data.
- Legitimate interests may be arguable for: aggregated, anonymous analytics that cannot re-identify individual users; short-lived session analytics that do not persist across sessions; analytics strictly necessary for the security and performance of the service. Note that legitimate interests for analytics is contested: in 2022 the Austrian, French, Italian and Danish authorities each found Google Analytics deployments unlawful (primarily on international-transfer grounds), national cookie guidance generally requires consent for analytics cookies, and the ICO (UK) states that analytics cookies are not strictly necessary and therefore need consent.
This guide explains the analytics implications of privacy regulations as they are publicly documented by regulatory bodies. For specific legal advice on your analytics implementation's compliance with GDPR or other regulations, consult a qualified legal professional familiar with data protection law in your jurisdiction. The regulatory landscape is evolving — check the ICO (ico.org.uk), EDPB (edpb.europa.eu), and your national DPA for current guidance.
What Requires Consent
Based on published regulatory guidance from the ICO (Information Commissioner's Office, UK) and the EDPB (European Data Protection Board), the following analytics activities require consent, meaning an affirmative opt-in rather than a pre-ticked box or continued browsing, in most EU/UK contexts:
| Analytics Activity | Consent Required? | Basis |
|---|---|---|
| Setting persistent analytics cookies (GA4 _ga cookie) | Yes | ePrivacy Directive Art. 5(3) / PECR reg. 6; ICO cookie guidance |
| Sending IP addresses to Google for geolocation | Yes (in most EU contexts) | An IP address is personal data under GDPR; GA4 derives location from it at collection and states that it does not log or store the address, which reduces but does not remove the issue |
| Google Signals (cross-device reporting) | Yes | Links analytics data to signed-in Google accounts that have Ads Personalisation enabled |
| Conversion Linker (cross-domain, cross-session) | Yes | Stores ad click identifiers in first-party cookies and links sessions across domains (a persistent identifier) |
| Cookieless pings sent by Consent Mode | Generally no, but not settled | No cookie is read or written and no persistent identifier is sent; Google's position is that no personal data is stored. The request still carries the IP address and user agent in transit, so treat this as Google's assessment rather than a regulatory ruling and record your own |
| Server-side event streaming (no client cookies) | Context-dependent | Depends on whether the server-side payload includes personal data (IP, user ID, order details) and whether the server sets its own cookies |
Consent Management Platforms
A Consent Management Platform (CMP) is the software layer that presents the consent banner to users, records their consent choices, and communicates those choices to analytics and marketing tags so they can adjust their collection behaviour accordingly.
For GA4 specifically, the CMP must support Google Consent Mode v2 — firing the four consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) based on the user's consent choices. Google maintains a list of Certified CMPs that support Consent Mode v2 in the Consent Mode documentation. These include Cookiebot (by Usercentrics), OneTrust, Sirdata, and approximately 80 others as of 2024.
CMP selection considerations
- Google Consent Mode v2 support, ideally from a CMP on Google's certified partner list. Google has required the two v2 signals (ad_user_data, ad_personalization) since March 2024 for Google Ads audience and measurement features on EEA/UK traffic, and requires a certified CMP for its publisher ad products (AdSense, Ad Manager, AdMob). GA4 on its own works without Consent Mode, but then declined users produce no data at all.
- IAB TCF 2.2 compliance (for advertisers using the IAB Transparency and Consent Framework)
- Geo-targeted banner display (shows consent banner only in jurisdictions that require it)
- A/B testing capability (for consent rate optimisation — banner design affects consent rates significantly)
- Integration with the tag management platform (GTM or direct)
GA4 Consent Mode: Technical Deep Dive
Consent Mode has two implementations. In basic mode the Google tags are not loaded until consent is granted, so declined users produce no data. In advanced mode, which is what the modelling below depends on, the tags load before the consent choice and adjust their behaviour to the consent state. When a user declines analytics consent under advanced mode, GA4 does not set or read the _ga cookie and attaches no client ID or session data to its requests. Instead it sends a "cookieless ping": a small request that carries the event name, the consent state, a random number generated per page load and not persisted, and request-level information (timestamp, user agent, referrer), but no identifier that links one page load to the next. The ping records that a conversion or interaction occurred without identifying who performed it.
Google's modelling system uses these cookieless signals, together with the aggregate behaviour of consenting users, to estimate the behaviour of non-consenting users. This produces modelled conversions: estimated conversion counts for the non-consenting population, inferred statistically from the consenting population's patterns. GA4 reports combine observed conversions (measured directly from consenting users) and modelled conversions in the same key event and conversion columns, and mark the report with a data-quality indicator when modelled data is included.
The accuracy of modelled conversions depends on the proportion of users who consent (lower consent rates mean more reliance on modelling and more uncertainty), on how similar consenting and non-consenting users are (if they behave differently, the model's assumption that one population predicts the other breaks down), and on the volume of consenting users (more data gives a better model). Modelling is also not unconditional: Google documents minimum volume thresholds, on the order of a thousand daily events from users with analytics_storage denied and a thousand daily consenting users over a trailing window, below which no modelling is applied and the non-consenting population is simply missing from the reports.
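The following is an added example, not code from the page, from Google or from any CMP vendor. It wires the Consent Mode v2 commands in the documented order (default before the tag loads, update when the CMP reports a choice), shows the CMP-category-to-signal mapping the CMP section describes, and includes a small resolver that replays the queued commands so the effective state for a visitor can be checked offline. Assumptions not taken from the page: the CMP exposes boolean categories `{ analytics, marketing }`, and `CONSENT_REGIONS` is an illustrative subset rather than the full EEA/UK/CH list production code would carry.

```javascript
// Added example, not Google's or any CMP vendor's code. Wires the Consent Mode v2
// commands in order and includes a local resolver that replays the queued
// commands so the effective state can be checked offline.
// Assumptions: the CMP exposes boolean categories { analytics, marketing };
// CONSENT_REGIONS is an illustrative subset, not the full EEA/UK/CH list.

const dataLayer = [];
// Google's standard snippet: every gtag() call is queued as an Arguments object
// and consumed later by the Google tag, so this file runs without the tag loaded.
function gtag() { dataLayer.push(arguments); }

const V2_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];
const ALL_DENIED = Object.fromEntries(V2_SIGNALS.map((s) => [s, 'denied']));
const ALL_GRANTED = Object.fromEntries(V2_SIGNALS.map((s) => [s, 'granted']));
const CONSENT_REGIONS = ['AT', 'BE', 'DE', 'ES', 'FR', 'IE', 'IT', 'NL', 'GB', 'CH']; // illustrative subset

// Step 1: defaults. These must be queued before the Google tag script loads;
// otherwise the first hits leave with storage treated as granted. wait_for_update
// holds hits for up to 500 ms so the CMP can replay a stored choice first.
function installDefaults() {
  gtag('consent', 'default', { ...ALL_DENIED, wait_for_update: 500, region: CONSENT_REGIONS });
  gtag('consent', 'default', { ...ALL_GRANTED }); // everywhere else; opt-out regimes use 'update'
}

// Step 2: map the CMP's categories onto the four v2 signals. ad_user_data and
// ad_personalization follow the marketing category here; a CMP with finer
// categories should map them separately.
function consentFromCmp(categories) {
  const analytics = categories.analytics ? 'granted' : 'denied';
  const marketing = categories.marketing ? 'granted' : 'denied';
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}
function applyCmpChoice(categories) {
  gtag('consent', 'update', consentFromCmp(categories));
}

// Step 3: a resolver modelling the documented precedence: the most specific
// matching region default wins over the global default (ISO 3166-2 codes, so
// 'US' covers 'US-CA'), signals with no default count as granted, and every
// 'update' is applied afterwards in order.
function regionMatches(entry, region) {
  return entry === region || region.startsWith(entry + '-');
}
function effectiveConsent(region) {
  let chosen = null;
  let best = -1;
  for (const cmd of dataLayer) {
    if (cmd[0] !== 'consent' || cmd[1] !== 'default') continue;
    const regions = cmd[2].region;
    let specificity = regions ? -1 : 0;
    if (regions) {
      for (const r of regions) if (regionMatches(r, region)) specificity = Math.max(specificity, r.length);
    }
    if (specificity < 0) continue; // regional default that does not cover this visitor
    if (specificity >= best) { best = specificity; chosen = cmd[2]; }
  }
  const state = {};
  for (const s of V2_SIGNALS) state[s] = chosen && chosen[s] ? chosen[s] : 'granted';
  for (const cmd of dataLayer) {
    if (cmd[0] !== 'consent' || cmd[1] !== 'update') continue;
    for (const s of V2_SIGNALS) if (cmd[2][s]) state[s] = cmd[2][s];
  }
  return state;
}

// Step 4: what a given state means for the hits GA4 and Google Ads send.
function hitProfile(state) {
  return {
    setsGaCookie: state.analytics_storage === 'granted',
    cookielessPing: state.analytics_storage !== 'granted', // advanced mode; basic mode sends nothing
    forwardsAdClickIds: state.ad_storage === 'granted',
    sendsUserProvidedData: state.ad_user_data === 'granted',
    personalisedAds: state.ad_personalization === 'granted',
  };
}

// Page load order: defaults, then the tag, then the CMP's stored or fresh choice.
installDefaults();
applyCmpChoice({ analytics: true, marketing: false });
console.log(effectiveConsent('DE'), hitProfile(effectiveConsent('DE')));
```

The resolver is the useful part for debugging: when a report shows cookies being set for EEA visitors, replaying the page's `dataLayer` through `effectiveConsent` for the visitor's region tells you whether the defaults were queued too late, whether a regional default failed to match, or whether a later `update` granted storage.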
Measurement Gaps Without Cookies
Even with Consent Mode modelling, analytics data in high-GDPR-compliance environments is incomplete. The magnitude of the gap depends on the consent rate, the proportion of users who accept analytics cookies, which in turn depends heavily on banner design and on whether a reject option is offered as prominently as accept (which several DPAs require). Sites in heavily regulated categories (financial services, healthcare, public sector) or with particularly privacy-aware audiences may see consent rates as low as 30–50%. At 50% consent, roughly half of all sessions and conversions are never observed; they are either modelled, if the property meets Google's modelling thresholds, or absent from the reports altogether.
Independent validation of GA4 data quality in consent-constrained environments is important. Methods for validation:
- Compare GA4 session counts to server-side request logs. Server logs record every request regardless of consent, but they are not sessions: filter out bots, crawlers and static assets, group the remaining requests by a pseudonymised visitor key and apply a 30-minute inactivity timeout before comparing. If the reconstructed log sessions exceed GA4 sessions by 40%, that 40% is your measurement loss. Raw logs contain IP addresses, so the comparison is itself processing of personal data; run it on the server, keep only the aggregate and do not retain the keyed intermediate data.
- Compare GA4 conversion data to actual business transactions (order management system, CRM records). If GA4 reports 1,000 purchases but the OMS shows 1,400, the 400 missing orders are the measurement shortfall, and that figure also tells you how far to trust any modelled conversions.
- Use GA4's own indicators: the consent settings page in the property's Admin section shows whether Consent Mode signals are arriving on the tags, and the data-quality icon on a report flags when its figures include modelled data. Together they show the split between observed and modelled data you are working with.
Server-Side Tagging
Server-side tagging moves tag execution from the user's browser (client-side) to a server controlled by the website owner. Instead of the user's browser loading tags from multiple third-party servers, the browser sends data to a first-party server endpoint, which then forwards the data to the appropriate destinations (GA4, Google Ads, Meta Pixel, etc.).
Benefits of server-side tagging
- Improved data quality. Browser-based ad blockers and browser privacy features such as Safari ITP block third-party scripts and cookies and cap JavaScript-set first-party cookies at seven days. Server-side tagging sends hits to a first-party subdomain and can set cookies from that server via HTTP Set-Cookie headers, so requests and cookies that would be lost client-side often survive (Safari still caps cookies set by a subdomain whose CNAME points at a third-party host at seven days). This recovers data that the browser blocked, not data the user declined: the server must enforce the consent state exactly as the client would, otherwise the architecture becomes a consent bypass.
- Better page performance. Loading all tags from one first-party endpoint is faster than loading multiple third-party scripts — reducing page load time.
- Data control and governance. All data passes through a server you control before reaching third-party vendors — allowing PII scrubbing, data filtering, and consent enforcement before data leaves your environment.
Google Tag Manager supports server-side tagging through a separate server container type that runs on infrastructure you control: Google's provisioning flow targets App Engine or Cloud Run on Google Cloud, and the container image can also be run on another cloud or on-premises host. Serve it from a subdomain of your own site so the browser treats it as first-party, and treat it as production infrastructure: it handles personal data, so it needs TLS, access control, log retention rules and patching, and its PII and consent handling must be reviewed as carefully as the client-side tags. Implementation is more complex than client-side tagging and typically requires developer involvement.
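The governance step described above, as an added example that is not Google's server container code or any vendor's: pure functions over an incoming hit that read the consent flags the Google tag attaches as the `gcs` parameter ("G1" followed by the ad_storage and analytics_storage flags, as Google documents for verifying Consent Mode), scrub PII, coarsen the client IP, and decide per destination what may leave the environment. Parameter names follow the gtag collect request (`dl`, `en`, `cid`, `uid`, `gcs`, `gclid`); the sample hit, the destination names and the list of PII-bearing query keys are constructed for this example.

```javascript
// Added example, not Google's server container code or any vendor's: the
// governance step of a first-party tagging endpoint as pure functions over an
// incoming hit. The hit, destination names and PII key list are constructed.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const PII_QUERY_KEYS = new Set(['email', 'phone', 'name', 'token', 'session']); // constructed list

// gcs is 'G1' followed by the ad_storage and analytics_storage flags, e.g. G101 =
// ads denied, analytics granted. Anything missing or malformed is treated as denied.
function parseGcs(gcs) {
  const m = /^G1([01])([01])$/.exec(gcs || '');
  return { ad_storage: m ? m[1] === '1' : false, analytics_storage: m ? m[2] === '1' : false };
}

// Redact PII-bearing query parameters, any parameter whose value is an e-mail
// address, and any e-mail address elsewhere in the URL. Unparseable URLs are dropped.
function scrubUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_QUERY_KEYS.has(key.toLowerCase()) || EMAIL_RE.test(value)) url.searchParams.set(key, 'redacted');
  }
  return url.toString().replace(new RegExp(EMAIL_RE.source, 'gi'), 'redacted');
}

// Coarsen the IP before it is forwarded: zero the last IPv4 octet, keep 48 bits of IPv6.
function coarsenIp(ip) {
  if (ip.includes(':')) {
    const head = ip.split('::')[0];
    const groups = head ? head.split(':') : [];
    while (groups.length < 3) groups.push('0');
    return groups.slice(0, 3).join(':') + '::';
  }
  const o = ip.split('.');
  return o.length === 4 ? `${o[0]}.${o[1]}.${o[2]}.0` : '0.0.0.0';
}

// GA policy forbids PII as the User ID; reject anything that looks like an e-mail or phone number.
function safeUserId(uid) {
  if (!uid || EMAIL_RE.test(uid) || /^\+?\d{7,}$/.test(uid)) return null;
  return uid;
}

// Decide what each destination receives. GA4 always gets a hit (cookieless when
// analytics storage is denied, matching advanced Consent Mode); ad destinations
// get nothing at all without ad_storage.
function routeHit(hit) {
  const consent = parseGcs(hit.params.gcs);
  const common = {
    event: hit.params.en,
    page_location: scrubUrl(hit.params.dl),
    client_ip: coarsenIp(hit.clientIp),
  };
  const forwards = [];
  if (consent.analytics_storage) {
    forwards.push({ vendor: 'ga4', payload: { ...common, client_id: hit.params.cid, user_id: safeUserId(hit.params.uid) } });
  } else {
    forwards.push({ vendor: 'ga4', payload: { ...common, cookieless: true } }); // no cid, uid or session fields
  }
  if (consent.ad_storage) {
    forwards.push({ vendor: 'google_ads', payload: { ...common, gclid: hit.params.gclid || null } });
    forwards.push({ vendor: 'meta_capi', payload: { ...common } }); // hypothetical third destination
  }
  return forwards;
}

// Constructed hit as the endpoint would see it after parsing the query string.
const SAMPLE_HIT = {
  clientIp: '203.0.113.45',
  params: {
    en: 'purchase',
    dl: 'https://shop.example/thanks?order=1001&email=jane@example.com',
    cid: '1234.5678', uid: 'u-9f3', gcs: 'G101', gclid: 'abc123',
  },
};
console.log(JSON.stringify(routeHit(SAMPLE_HIT), null, 2));
```

The deliberate choices are that a missing consent parameter denies rather than grants, and that the sample purchase hit with `G101` reaches GA4 with the e-mail removed from the landing URL but never reaches the ad destinations, even though a `gclid` is present. A real endpoint would also strip the `uid` and `cid` from the cookieless ping it logs locally, so that the server's own access logs do not become the identifier store the browser was prevented from keeping.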
First-Party Data Strategy
First-party data, collected directly from users through your own properties with their knowledge and consent, is the foundation of privacy-resilient measurement. Unlike third-party data (collected by other parties and shared with you) or cookie-based tracking (constrained by consent rules and browser restrictions), first-party data collected with proper consent is not at the mercy of browser cookie policies or Privacy Sandbox changes. It remains personal data, though: purpose limitation, retention limits, access and deletion rights and the rules on sharing it with ad platforms all still apply.
Building first-party data assets
- User authentication (User ID). When users create accounts and log in, GA4 can receive a User ID that enables cross-device and cross-session measurement without relying on cookies (GA4's User ID feature, which requires user consent). The value must be an opaque internal identifier: Google's policies prohibit sending personally identifiable information such as an e-mail address or name as the User ID, so use a random account ID or a keyed hash, never the raw e-mail.
- Email collection. Building an email list with proper consent creates an owned audience that can be used for marketing without third-party data dependencies.
- CRM data. Customer records in a CRM contain first-party purchase, engagement, and preference data that can be used for audience building (Customer Match in Google Ads) and analytics enrichment.
- Progressive profiling. Gradually collecting preference and behavioural data through consented interactions (surveys, preference centres, form completions) builds a first-party profile that improves personalisation and measurement over time.
Google's Privacy Sandbox
Google's Privacy Sandbox (privacysandbox.com) is an initiative to replace third-party cookies in Chrome with privacy-preserving alternatives: APIs that enable advertising and measurement use cases without exposing individual browsing histories to third parties. Google delayed the deprecation of third-party cookies in Chrome several times, announced in July 2024 that it would not deprecate them but would instead offer users a choice in Chrome, and stated in April 2025 that it would not introduce a standalone prompt for that choice either. Third-party cookies therefore remain enabled by default in Chrome, while Safari blocks them and Firefox partitions them by default.
The Privacy Sandbox APIs remain relevant for advertisers and analytics practitioners because they represent the longer-term direction of privacy-preserving measurement:
- Attribution Reporting API. Enables conversion attribution without sharing user-level data across sites — using a privacy budget and differential privacy to prevent individual identification.
- Topics API. Replaces interest-based advertising audiences with browser-calculated topic interests that are shared with advertisers without exposing browsing history.
- CHIPS (Cookies Having Independent Partitioned State). Allows third-party cookies that are partitioned by the top-level site, set with the Partitioned attribute on Set-Cookie (the cookie must also be Secure), preventing cross-site tracking while allowing functional cookies (login state, shopping cart persistence) inside embedded iframes.
CCPA and UK GDPR
The California Consumer Privacy Act (CCPA), effective January 2020 and amended by the California Privacy Rights Act (CPRA) effective January 2023, applies to businesses collecting personal information about California residents above certain size thresholds. It is an opt-out regime rather than an opt-in one. For analytics and advertising it requires: a clear privacy notice explaining what data is collected and how it is used; a "Do Not Sell or Share My Personal Information" opt-out mechanism, which includes honouring the Global Privacy Control (GPC) browser signal as a valid opt-out; and the ability to honour consumer data access and deletion requests. Passing analytics data to an ad platform for cross-context behavioural advertising is "sharing" under the CPRA, so ad-related tags fall within the opt-out even where analytics-only collection does not.
UK GDPR (the UK's post-Brexit data protection framework, which closely mirrors EU GDPR) applies to data processing about individuals in the UK, and cookie consent is governed by PECR (the Privacy and Electronic Communications Regulations), the UK transposition of the ePrivacy Directive. The ICO is the UK's data protection regulator and has published specific guidance on analytics cookies and their consent requirements. The UK GDPR consent standard is substantively the same as EU GDPR (freely given, specific, informed and unambiguous), making UK analytics compliance requirements essentially equivalent to EU requirements for practical purposes.
Privacy-Aware Measurement Framework
A practical privacy-aware measurement framework for 2026:
- Layer 1: Consent-gated direct measurement. GA4 with Consent Mode v2 — measures consenting users directly, models non-consenting users through Consent Mode. Provides the most granular data about consenting users.
- Layer 2: Server-side validation. Server-side request logs or a privacy-preserving server-side analytics tool provides consent-independent session volume data — useful as a sanity check and gap estimation tool.
- Layer 3: First-party data enrichment. User ID implementation for authenticated users; CRM data for customer journey completion beyond the website visit; email engagement data for customer retention measurement.
- Layer 4: Aggregated market measurement. Marketing Mix Modelling (MMM) for long-term channel budget allocation decisions that do not rely on individual-user-level attribution — using aggregate market data, spend data, and outcome data to estimate channel effectiveness at the portfolio level without user-level tracking.
Authentic Sources
Every factual claim in this guide is drawn from official Google documentation, regulatory bodies, or platform-published technical specifications. No third-party blogs or marketing tools are used as primary sources. All content is written in our own words — we learn from official sources and explain them; we never copy.
- Google's official technical implementation guide for Consent Mode v2.
- The UK Information Commissioner's Office (ico.org.uk) guidance on cookie consent requirements under PECR and UK GDPR.
- Google's official Privacy Sandbox initiative (privacysandbox.com), originally proposed as the replacement for third-party cookies in Chrome.
- The European Data Protection Board's (edpb.europa.eu) guidelines on valid consent under GDPR, including the analytics context.