How to Check if Google Analytics 4 is GDPR Compliant
A comprehensive guide to auditing your GA4 setup, understanding Consent Mode v2, and ensuring you don't track users before they give explicit consent.

Introduction to GA4 and the GDPR
Google Analytics 4 (GA4) is the most widely used web analytics platform in the world. However, because it collects user data, IP addresses (even though anonymized by default in GA4), and sets identifiers to track user journeys across sessions, it falls under the strict regulations of the General Data Protection Regulation (GDPR) in the European Union, as well as the ePrivacy Directive (the "Cookie Law").
Under the GDPR, you cannot drop non-essential tracking cookies or run tracking scripts that process personal data until the user has given explicit, informed, and unambiguous consent. In the past, many websites loaded Google Analytics the moment a user landed on the page. Today, doing so can expose you to significant fines from European data protection authorities.
Furthermore, with the introduction of the Digital Markets Act (DMA), Google now strictly enforces **Google Consent Mode v2**. If you want to use advanced features like remarketing or conversion modeling in Google Ads, you must pass explicit consent signals (`ad_storage` and `analytics_storage`) back to Google.
What Cookies Does Google Analytics Set?
When GA4 initializes and is allowed to set cookies, it primarily drops first-party cookies to distinguish unique users and sessions. Here is a breakdown of the most common cookies associated with Google Analytics:
| Cookie Name | Duration | Purpose | GDPR Category |
|---|---|---|---|
| _ga | 2 years | Used to distinguish users. This is the primary GA4 identifier. | Analytics |
| _ga_<container-id> | 2 years | Used to persist session state. | Analytics |
| _gid | 24 hours | Used to distinguish users (older Universal Analytics legacy, sometimes seen). | Analytics |
Because these cookies are categorized as **Analytics**, they are strictly **non-essential**. You must block them until the user clicks "Accept" on your consent banner.
How to Manually Test Your GA4 Implementation
If you want to verify that your website complies with the GDPR regarding Google Analytics, you can perform a manual audit using your browser's developer tools. This process takes time but is an essential skill for web developers.
- Open an Incognito Window: This ensures you don't have any leftover cookies or previous consent states saved.
- Open Developer Tools: Right-click anywhere on the page and select "Inspect" or press `F12`.
- Navigate to the Application/Storage Tab: In Chrome, go to the "Application" tab. Expand the "Cookies" section on the left sidebar and select your website's domain.
- Check for Early Cookies: Before you interact with the cookie banner, the list of cookies should be mostly empty. If you see `_ga` or `_ga_<id>` here, your website is violating the GDPR. GA4 fired before consent was given.
- Check the Network Tab: Go to the "Network" tab, type `collect` or `google-analytics` into the filter box, and refresh the page. If a network request is sent to Google Analytics before you accept cookies (unless it's a heavily anonymized Consent Mode ping), you have an issue.
- Accept Cookies and Verify: Now, click "Accept" on your consent banner. You should immediately see the `_ga` cookies appear in the Application tab, and network requests should fire.
While manual testing is thorough, it is incredibly tedious, especially if you manage multiple websites or need to periodically monitor for regressions when new scripts are added to Google Tag Manager.
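The pre-consent checks from the manual audit can be scripted over a snapshot of cookie names and request URLs copied out of the developer tools. The following is an added example, not code from the original page or from ConsentScope; the function names and sample data are hypothetical, and reading the `gcs` query parameter as the Consent Mode state is an assumption that goes beyond what the steps above describe.

```javascript
// Added example: audit a snapshot taken BEFORE the banner is touched.
// Cookie names follow the table above; the "gcs" reading is an assumption.
const GA_COOKIE = /^(_ga(_[A-Za-z0-9]+)?|_gid)$/;

function isGaCollect(url) {
  try {
    const u = new URL(url);
    const gaHost = u.hostname === 'google-analytics.com' ||
                   u.hostname.endsWith('.google-analytics.com');
    return gaHost && u.pathname.endsWith('/collect');
  } catch {
    return false; // not an absolute URL, ignore
  }
}

// Assumption: gcs=G1xy, where y is analytics_storage (1 granted, 0 denied).
function analyticsConsent(url) {
  const m = /^G1[01]([01])$/.exec(new URL(url).searchParams.get('gcs') || '');
  if (!m) return 'unknown';
  return m[1] === '1' ? 'granted' : 'denied';
}

function auditPreConsent({ cookies, requests }) {
  const findings = [];
  for (const name of cookies) {
    if (GA_COOKIE.test(name)) {
      findings.push({ kind: 'cookie', item: name, verdict: 'violation' });
    }
  }
  for (const url of requests.filter(isGaCollect)) {
    const consent = analyticsConsent(url);
    // A hit that declares analytics_storage denied may be a Consent Mode ping:
    // flag it for review rather than as a confirmed violation.
    const verdict = consent === 'denied' ? 'review' : 'violation';
    findings.push({ kind: 'request', item: url, consent, verdict });
  }
  return findings;
}

// Constructed sample: names from the Application tab, URLs from the Network tab.
const sample = {
  cookies: ['session_id', '_ga', '_ga_EXAMPLE123'],
  requests: [
    'https://www.example.com/app.js',
    'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE123&gcs=G100',
    'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE123',
  ],
};
console.log(auditPreConsent(sample));
```

An empty result for a pre-consent snapshot is the passing state; any `violation` entry means a GA cookie or hit appeared before the banner was answered.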
The Fastest Way to Test: Using ConsentScope
Instead of manually digging through the Chrome Developer Tools, network tabs, and cookie panels every time you deploy an update, you can automate this entire process using **ConsentScope**.
ConsentScope is a dedicated Chrome Extension built specifically for GDPR and privacy auditing. It runs automatically in the background when you visit a website and acts as a watchdog for your compliance.
- Pre-Consent Detection: ConsentScope highlights exactly which scripts fired and which cookies were set *before* you interacted with the cookie banner. If GA4 fires too early, it gets flagged in bright red.
- Consent Mode Verification: See at a glance if Google Consent Mode is active and what default state (granted or denied) was passed for `analytics_storage`.
- Comprehensive Scanning: It doesn't just check cookies; it monitors localStorage, sessionStorage, and third-party script injections.
- Detailed Reports: Export your findings to PDF or CSV to send to your clients or compliance team.
With ConsentScope, what used to take 10 minutes of manual clicking now takes 5 seconds. You load the page, open the extension, and immediately see your compliance score.
Conclusion
Implementing Google Analytics 4 is no longer as simple as copy-pasting a snippet into your `<head>` tag. You are legally obligated to respect user privacy and adhere to the GDPR. By understanding the cookies GA4 sets, implementing a robust Consent Management Platform (CMP), and utilizing Google Consent Mode v2, you can gather valuable analytics data legally.
Regular auditing is key. Whether you choose to do it manually or speed up your workflow with an automated tool like ConsentScope, ensure that "pre-consent tracking" is entirely eliminated from your website.