Overview
This check validates that your Google Analytics tags comply with the user's privacy preferences as captured by your Consent Management Platform (CMP). With the introduction of Google Consent Mode (v2), Google Analytics tags can adjust their data-collection behavior dynamically based on whether a user has granted or denied consent for analytics_storage and ad_storage.
Beyond standard banner interactions, a comprehensive Audit must also account for Opted-out Audits (verifying the withdrawal of consent) and GPC Signal Audits (honoring browser-level privacy signals automatically).
Why it is Important
Ensuring tags honor consent is a critical requirement for legal compliance and data ethics:
Legal Compliance: Under regulations like GDPR (Europe), CCPA/CPRA (California), and DMA (Digital Markets Act), firing tracking tags without explicit user consent can lead to significant legal fines.
GPC Mandates: In many US states, ignoring the Global Privacy Control (GPC) signal is considered a violation of the "Right to Opt-Out," making GPC Signal Audits a legal necessity.
Consent Mode Accuracy: If Google Analytics is configured for Consent Mode, it should send "pings" instead of full cookies when consent is denied. If tags ignore this and set cookies anyway, you are in violation of privacy protocols.
Brand Trust: Users expect their privacy choices—whether made on a banner or via browser settings—to be respected. Detecting tags that fire prematurely or ignore "denied" statuses is essential for maintaining user trust.
Implementation
We have made implementing these checks for consent compliance simple by using ObservePoint Journeys to automate the testing of three critical scenarios:
1. The Consent Mode (v2) Audit
The Journey interacts with the CMP banner and verifies that analytics_storage, ad_user_data, and ad_personalization states are correctly updated in the Data Layer, and that GA4 tags react accordingly.
2. The Opted-out Audit
This check simulates a user who initially visits the site and chooses to "Reject All" or "Opt-out." The audit confirms:
Zero-Persistence: No tracking cookies (like
_gaor_gid) are dropped.State Transition: If a user opts out mid-session via a "Privacy Settings" link, the audit ensures the tags immediately switch to a denied state.
3. The GPC Signal Audit
This validates that your site respects Global Privacy Control. The Journey is configured to broadcast a GPC signal (where navigator.globalPrivacyControl = true). The audit verifies:
Automatic Recognition: The CMP recognizes the signal without the user needing to click the banner.
Pre-emptive Suppression: Google Analytics tags are automatically restricted or suppressed based on the browser's global preference.
Remediation
If Google Analytics tags are not honoring consent settings, investigate these common configuration gaps:
Check GTM Consent Settings: Ensure "Consent Overview" is enabled in Google Tag Manager. Verify that GA tags have the correct "Built-in Consent" checks (e.g.,
analytics_storage).Fix GPC Mapping: Ensure your CMP is configured to "Respect Global Privacy Control" and that it correctly maps this signal to a
deniedstatus for your analytics tags.Fix Tag Firing Triggers: Ensure tags are not firing on the "Initialization" trigger if your CMP requires a manual click. Use a custom event trigger provided by your CMP (e.g.,
cookie_consent_update).Update to Consent Mode v2: Ensure your GTM template or
gtag.jsscript is updated to support thead_user_dataandad_personalizationparameters.Audit "Default" States: Check that your default consent state is set to
deniedin your header script. If the default isgranted, tags will fire immediately upon page load before the user (or GPC signal) can make a choice.
Conclusion
Privacy is no longer optional in digital analytics. A truly compliant implementation must move beyond the basic cookie banner to include Opted-out Audits and GPC Signal Audits.
By using ObservePoint Journeys to automate these complex scenarios, you ensure your Google Analytics implementation respects every user's choice—whether they make it on your banner or through their browser settings.