Privacy

GA4 privacy settings you need to configure (GDPR edition)

Learn how to configure Google Analytics 4 for GDPR compliance. Data retention, consent mode, IP anonymization, and user data controls explained.

Antoine
January 14, 2026 · 7 min read

Let's be clear upfront: GA4 is not automatically GDPR compliant. It has features that help you comply, but compliance depends on how you implement it.

Here's what you need to configure and understand.

GA4's privacy features

GA4 was built with privacy in mind, more so than Universal Analytics. Here's what's built in:

Feature | Status | Notes
IP anonymization | Always on | You can't disable it; GA4 does not log or store IP addresses
Data retention controls | Configurable | 2 or 14 months (longer options exist on Analytics 360)
Consent Mode | Optional but recommended | Integrates with CMPs
User data deletion | Available | Delete specific users or date ranges
Google Signals | Optional | Can be disabled

But having these features isn't the same as being compliant. You need to configure them correctly.

Step 1: Configure data retention

The retention setting controls how long GA4 keeps event-level and user-level data available to Explorations. The aggregated standard reports are not affected by it.

How to set it

  1. Go to Admin → Data Settings → Data Retention
  2. Choose between:
    • 2 months (more privacy-focused)
    • 14 months (more analytical flexibility)
  3. Toggle "Reset user data on new activity" based on your needs

What this affects

Report type | 2-month setting | 14-month setting
Standard reports | Aggregated data kept indefinitely | Same
Explorations | Only 2 months of event-level data | 14 months
User-level analysis | Limited | More history

GDPR note: Shorter retention aligns with the "storage limitation" principle: don't keep data longer than necessary. But 14 months is defensible for most legitimate business purposes.

Want longer retention?

Link to BigQuery. BigQuery export gives you raw data that you control and can store as long as legally permitted. See our BigQuery integration guide.

Step 2: Implement Consent Mode

Consent Mode is the mechanism by which Google tags learn what the user consented to and adjust their behavior accordingly (no cookies or identifiers until consent). It is the practical way to run GA4 under GDPR's consent requirement.

What Consent Mode does

When a user:

  • Grants consent → Full tracking enabled
  • Denies consent → Nothing is sent (Basic mode) or only cookieless pings with no user identification (Advanced mode)
  • Hasn't decided yet → Tags wait for the CMP (up to wait_for_update) and then fall back to your default state, which should be "denied"

The two modes

Mode | Behavior before consent
Basic | Google tags don't load until consent is granted; nothing is sent
Advanced | Tags load and send cookieless pings; modeling estimates the missing data

Advanced mode recovers part of the data lost to denied consent through behavioral modeling while still respecting user choices. Figures around 70% are often quoted, but the result depends on your traffic volume and consent rate, and modeled data is an estimate, not a measurement.

Implementation

  1. Get a Consent Management Platform (CMP)

    • Popular options: Cookiebot, OneTrust, Iubenda, Cookie Script
    • The CMP shows the consent banner and manages preferences
  2. Configure gtag for Consent Mode

    // This must run before the gtag.js (or GTM) script tag loads.
    window.dataLayer = window.dataLayer || [];
    function gtag() { dataLayer.push(arguments); }

    // Default consent state (before the user decides): everything denied.
    // wait_for_update (ms) delays tag firing so the CMP can restore a stored choice.
    gtag('consent', 'default', {
      'ad_storage': 'denied',
      'ad_user_data': 'denied',
      'ad_personalization': 'denied',
      'analytics_storage': 'denied',
      'wait_for_update': 500
    });

    // Called from your CMP's callback when the user makes a choice.
    // Grant only the categories the user actually accepted; here they accepted everything.
    gtag('consent', 'update', {
      'ad_storage': 'granted',
      'ad_user_data': 'granted',
      'ad_personalization': 'granted',
      'analytics_storage': 'granted'
    });
    
  3. Or use GTM with your CMP

    • Most CMPs have GTM templates
    • Follow your CMP's documentation

Consent signals explained

Signal | What it controls
analytics_storage | GA4 cookies and identifiers
ad_storage | Advertising cookies
ad_user_data | Sending user data to Google Ads
ad_personalization | Remarketing and personalization

For GDPR (and the ePrivacy rules on cookies), each of these must stay "denied" until the user grants it. The three ad_* signals only matter if you link Google Ads, but defaulting them to "denied" is still the right baseline.
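As an added example (not code from the original post, nor Google's or any CMP's code), here is a small bridge between a hypothetical CMP and Consent Mode that ties the implementation steps and the signal table above together: deny everything before the tag loads, map the CMP's categories onto the four signals, replay a stored choice for returning visitors, and handle a later withdrawal. The CMP category names (analytics, advertising), the storage key and the measurement ID G-ABC123DEF4 are assumptions. It takes the dataLayer and the storage as arguments so it runs outside a browser; on a real page you pass window.dataLayer and window.localStorage.

```javascript
// Added example, not code from the original post or from Google/any CMP.
// Assumptions: the CMP reports a choice as { analytics: boolean, advertising: boolean },
// choices are persisted under 'consent_choice', and the GA4 stream is G-ABC123DEF4.

const STORAGE_KEY = 'consent_choice';   // assumed key name
const WAIT_FOR_UPDATE_MS = 500;

// Map the CMP's two categories onto the four Google consent signals.
// Anything missing, null or false stays 'denied' (deny by default).
function signalsFromChoice(choice) {
  const analytics = choice && choice.analytics === true ? 'granted' : 'denied';
  const ads = choice && choice.advertising === true ? 'granted' : 'denied';
  return {
    analytics_storage: analytics,
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// GA4 cookies to clear on withdrawal: a consent update to 'denied' stops
// future writes but does not delete cookies that were already set.
// The stream cookie is '_ga_' followed by the measurement ID without 'G-'.
function ga4CookieNames(measurementId) {
  return ['_ga', '_ga_' + measurementId.replace(/^G-/, '')];
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = {};
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
    removeItem: (k) => { delete data[k]; },
  };
}

// dataLayer: window.dataLayer in a browser; any array here.
// storage: window.localStorage in a browser; memoryStorage() here.
function createConsentBridge(dataLayer, storage, measurementId) {
  // Same shape as the stock gtag() stub, but pushed as a plain array
  // so the queued commands are easy to inspect.
  function gtag() { dataLayer.push(Array.from(arguments)); }

  return {
    // Must run before gtag.js/GTM loads. Denies everything, then replays a
    // stored choice so a returning visitor's earlier consent is honoured.
    init() {
      gtag('consent', 'default',
        Object.assign(signalsFromChoice(null), { wait_for_update: WAIT_FOR_UPDATE_MS }));
      const stored = storage.getItem(STORAGE_KEY);
      if (stored !== null) {
        gtag('consent', 'update', signalsFromChoice(JSON.parse(stored)));
      }
    },
    // Called by the CMP when the user makes or changes a choice.
    onChoice(choice) {
      storage.setItem(STORAGE_KEY, JSON.stringify(choice));
      gtag('consent', 'update', signalsFromChoice(choice));
    },
    // Withdrawal: forget the choice, deny everything, and return the
    // cookie names the caller must expire itself.
    withdraw() {
      storage.removeItem(STORAGE_KEY);
      gtag('consent', 'update', signalsFromChoice(null));
      return ga4CookieNames(measurementId);
    },
  };
}

// Usage on a page (window globals assumed in a browser):
//   const bridge = createConsentBridge(window.dataLayer, window.localStorage, 'G-ABC123DEF4');
//   bridge.init();                 // before the gtag.js script tag
//   cmp.onAccept(c => bridge.onChoice(c));
//   cmp.onWithdraw(() => bridge.withdraw().forEach(expireCookie));
```

The design point is the order of operations: init() pushes the denied default synchronously before the tag script loads, and every later change goes through the same signalsFromChoice() mapping, so a partial choice (analytics yes, advertising no) can never leak into the ad_* signals. withdraw() returns the cookie names rather than deleting them because cookie deletion needs the page's own domain and path, which the example does not know.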

Step 3: Handle Google Signals

Google Signals enables cross-device tracking for logged-in Google users. It also provides demographic data.

The trade-off

  • Enabled: Better cross-device insights and demographics data; also triggers data thresholding in reports where individuals could be identified
  • Disabled: More privacy-focused, fewer user identification concerns, no thresholding from Signals

How to configure

  1. Go to Admin → Data Settings → Data Collection
  2. Toggle Google signals data collection as appropriate

GDPR considerations

Some privacy advocates argue Google Signals creates additional data sharing concerns. If you're being very conservative, disable it. If you need cross-device analytics, keep it on with proper consent.

Step 4: Configure internal traffic filters

Don't track your own team. It's unnecessary data collection and skews your analytics.

  1. Go to Admin → Data Streams → [Stream] → Configure tag settings
  2. Click Define internal traffic
  3. Add IP addresses or ranges
  4. Go to Admin → Data Settings → Data Filters
  5. Activate the internal traffic filter

New filters start in the Testing state, which only tags matching events with a filter name instead of dropping them. Check in reports that the right traffic is matched, then switch the filter to Active; events excluded by an active filter are gone for good. IP rules only catch traffic leaving through known office addresses, so staff on home networks or a VPN with dynamic egress need another method, such as setting the traffic_type parameter to "internal" on their own devices.

Step 5: Set up data deletion capabilities

GDPR gives users the "right to erasure." GA4 lets you delete specific users' data.

How to delete user data

  1. Go to Admin → Data Deletion
  2. Create a deletion request for a date range: all events, selected event parameters, or selected user properties
  3. Wait out the grace period: requests can be cancelled for 7 days before the deletion is carried out

Date-range requests are for bulk cleanup (for example a parameter that accidentally captured personal data). Deleting one person's data is done per user, as below.

Using User Explorer

  1. Go to Explore → User Explorer
  2. Find the user by their identifier (the pseudonymous client ID, or the user_id you set at login)
  3. Open the user and use the delete option

Important: You can only delete based on GA4's own identifiers. If you set a user_id for logged-in users, an erasure request can be matched to it; for anonymous visitors the only handle is the client ID in their _ga cookie, which the requester would have to supply. Deleting in GA4 does not touch the BigQuery export: if you export, the same rows must be deleted there separately.

Step 6: Review data sharing settings

Check what data GA4 shares with Google.

  1. Go to Admin → Account Settings → Account Data Sharing Settings
  2. Review each option:
    • Benchmarking
    • Technical support
    • Account specialists
    • Google products & services

Disable what you're not comfortable with. At minimum, review each setting and make a conscious choice.

The legal requirements

What GDPR requires for analytics

Requirement | How GA4 helps | What you must do
Lawful basis | Consent Mode | Get consent before tracking
Purpose limitation | You define purposes | Document your purposes
Data minimization | Retention controls | Configure retention appropriately
Storage limitation | Retention controls | Don't keep data forever
Right to erasure | Deletion tools | Have a process for requests
Transparency | N/A | Tell users you use GA4 in your privacy policy

Your privacy policy

You must disclose:

  • That you use Google Analytics
  • What data you collect
  • Why you collect it
  • How users can opt out
  • How long you retain data
  • Any data transfers outside EU

The EU-US data transfer question

GA4 data often goes to US servers. This has been legally contentious.

Current status

The EU-US Data Privacy Framework (DPF) provides a legal basis for transfers. Google participates in this framework. But the DPF alone doesn't make you compliant.

What you should do

  1. Enable EU data residency (if available in your plan)
  2. Document your legal basis for transfers
  3. Keep up with regulatory changes (this landscape shifts)
  4. Consider regional alternatives if needed for certain use cases

Compliance checklist

Run through this:

Configuration:

  • Data retention set appropriately (2 or 14 months)
  • Consent Mode implemented
  • CMP properly configured
  • Internal traffic filtered
  • Google Signals setting reviewed
  • Data sharing settings reviewed

Legal/Process:

  • Privacy policy updated
  • Cookie banner implemented
  • Process for data deletion requests
  • Staff trained on handling requests
  • Documentation of data processing purposes

Technical:

  • Default consent state is "denied" and is set before gtag.js or GTM loads
  • Consent updates trigger correctly when the banner choice is made or changed
  • Verified in DebugView and in the browser: no _ga cookies exist before consent, and collect requests carry a consent state (the gcs parameter) that matches the user's choice

Alternative approaches

If GDPR compliance with GA4 feels too complex:

  1. Privacy-focused alternatives: Plausible, Fathom, Simple Analytics (EU-hosted, cookieless)
  2. Server-side tagging: More control over data flow
  3. BigQuery + custom dashboards: Own your data completely

We've written about GA4 vs privacy-first alternatives if you want to compare.

Need simpler analytics?

If privacy configuration is overwhelming, check out Analayer. We connect to your GA4 data and present it cleanly, so you focus on insights while maintaining your privacy setup.
