Skip to main content
Google Analytics (GA4) logo
Analytics High complexity

Google Analytics (GA4)

by Google

Sets cookies
Yes
Sends PII
No
Cross-site tracking
No
Consent required
Analytics
Transfer mechanism
EU-US Data Privacy Framework
Cookies
_ga_ga_XXXXX

Overview

Google's event-based web and app analytics platform, replacing Universal Analytics since July 2023. Collects page views, scrolls, clicks, and custom events, sending measurement payloads to Google servers for reporting and audience building. Present on over 70% of the top million sites and deeply integrated with Google Ads and BigQuery.

Detection Capabilities

Signature count
4
Detection methods
network

Consent Mode v2

Consent Mode v2

Google Consent Mode v2 signal requirements for this tag.

analytics_storage required
ad_storage not used
ad_user_data not used
ad_personalization not used

Performance Impact

Performance Impact

Script size
45 KB
Requests per page
4

Common Mistakes

  • 1 Firing GA4 before obtaining valid consent on EU/UK domains - the most common violation found in governance audits
  • 2 Not enabling Consent Mode v2, preventing cookieless ping mode when consent is denied
  • 3 Leaving the default 14-month data retention unchanged when policy requires shorter retention
  • 4 Failing to disable Google Signals when cross-device tracking is not needed - Signals shares data with Google's ad network
  • 5 Configuring cross-domain measurement without understanding that it exposes the client ID via the _gl linker parameter

Compliance Considerations

Sets first-party cookies (_ga, _ga_XXXXX) and sends measurement data to Google servers in the United States.

Consent: Explicit consent typically required under GDPR/ePrivacy before firing on EU/UK sites. Multiple DPAs have issued enforcement decisions - Austrian DSB (Dec 2021) and French CNIL (Feb 2022) found standard implementations transferred personal data without adequate safeguards.

International transfers: EU-US Data Privacy Framework (July 2023) provides a legal basis - verify your Google entity's DPF self-certification.

Consent Mode v2: Allows cookieless pings when consent is denied, but these may still constitute personal data processing in some jurisdictions.

Configuration: Ensure your CMP blocks the tag until analytics consent is granted. Review data retention, IP anonymisation, and Google Signals settings against your DPIA.

Related Services

Amplitude

Analytics

Med Amplitude

Product analytics and customer data platform. Tracks user behaviour events, builds behavioural cohorts, and provides funnel, retention, and journey analysis. Used by product teams for feature adoption analysis, experimentation, and data governance.

1 detection signature

Azure Application Insights

Analytics

High Azure Application Insights

Azure Application Insights is a performance monitoring and diagnostics service within Microsoft Azure Monitor that provides real user monitoring (RUM), application performance management (APM), and error tracking for web applications. Its JavaScript SDK collects browser-side telemetry including page load times, dependency call performance, unhandled exceptions, and user session data. Application Insights is widely deployed by enterprise organisations that use the Microsoft Azure cloud platform, particularly in financial services, healthcare, and public sector contexts. While primarily a development and operations tool, its client-side SDK collects data from end-user browsers that may constitute personal data under GDPR, placing it in scope for governance review.

3 detection signatures

Cloudflare Analytics

Analytics

Med Cloudflare Analytics

Privacy-focused web analytics from Cloudflare that measures page views and visitors without using client-side cookies or collecting personal data. Built into the Cloudflare network infrastructure, providing basic traffic metrics.

2 detection signatures

Contentsquare

Analytics

High Contentsquare

Contentsquare is a digital experience analytics platform that captures detailed user interaction data including clicks, scrolls, hovers, and session replays to provide insights into how visitors navigate websites and mobile apps. The platform uses zone-based heatmaps, journey analysis, and frustration scoring to identify UX issues and conversion bottlenecks. Following its acquisition of Hotjar in 2021, Contentsquare operates across both enterprise and SMB segments. Contentsquare's deep interaction capture makes it one of the most data-intensive analytics tags commonly deployed on regulated websites, and its ability to record detailed session behaviour requires careful governance to prevent inadvertent capture of sensitive personal data.

1 detection signature

Need help governing Google Analytics (GA4)?

Our governance diagnostic identifies compliance gaps across your entire tag estate.

Start your Governance Diagnostic