Most businesses using GA4 and ad tracking in Europe are not fully GDPR compliant. This is not because they are careless — it is because the requirements are genuinely complex and the guidance from regulators is not always clear.
This checklist covers what you actually need to have in place. It is not legal advice. If you are making specific compliance decisions, work with a data protection advisor. But this will tell you where the gaps are.
Consent management
[ ] You have a Consent Management Platform (CMP) active on your site (Cookiebot, OneTrust, Usercentrics, or similar)
[ ] The CMP loads before any analytics or ad tracking scripts
[ ] Cookies and tracking scripts are blocked by default until the user makes a choice
[ ] The consent banner does not use dark patterns: no pre-ticked boxes, no "Accept all" button that is visually dominant over "Reject" or "Manage settings"
[ ] Users can withdraw consent as easily as they gave it
[ ] You are storing consent records with timestamps and version information
[ ] Your consent records are accessible if a regulator asks
Consent Mode v2
[ ] Google Consent Mode v2 is active on your site
[ ] You have set a default consent state (all denied) before any Google tags fire
[ ] Your CMP is configured to push consent updates to the data layer when users make a choice
[ ] GA4 is configured to fire in basic/ping mode for non-consented users (to enable modelling)
[ ] Google Ads tags respect ad_storage, ad_user_data, and ad_personalization consent signals
[ ] You have verified in GTM Preview that consent signals are updating correctly after user choices
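The default-then-update sequence this section describes, as an added example that is not the author's or Google's code: the four Consent Mode v2 signals start denied before any tag is configured, the CMP's choice is mapped onto them, and a small audit helper (an assumption, not a Google API) replays the data layer to confirm the ordering. The CMP category names statistics and marketing are assumed.

```javascript
// Added example: the default-before-tags, then update-from-CMP pattern.
// Assumption: the CMP exposes boolean categories "statistics" and "marketing".
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

const CONSENT_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Step 1: every Consent Mode v2 signal starts denied, before any tag is configured.
// wait_for_update gives the CMP a window (ms) to restore a stored choice.
function setConsentDefault() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500,
  });
}

// Step 2: when the user chooses, map CMP categories to the four v2 signals.
function pushConsentUpdate(cmpChoice) {
  const ads = cmpChoice.marketing ? 'granted' : 'denied';
  gtag('consent', 'update', {
    analytics_storage: cmpChoice.statistics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  });
}

// Verification helper (an assumption, not a Google API): replay the data layer
// to compute the effective consent state and flag ordering mistakes, such as a
// 'config' call (a tag firing) before the consent default has been set.
function auditDataLayer(layer) {
  const state = {};
  const issues = [];
  let sawDefault = false;
  for (const [cmd, action, params] of layer) {
    if (cmd === 'config' && !sawDefault) issues.push(`tag ${action} configured before consent default`);
    if (cmd !== 'consent') continue;
    if (action === 'default') sawDefault = true;
    if (action === 'update' && !sawDefault) issues.push('consent update without a default');
    for (const sig of CONSENT_SIGNALS) if (params && sig in params) state[sig] = params[sig];
  }
  for (const sig of CONSENT_SIGNALS) if (!(sig in state)) issues.push(`${sig} never set`);
  return { state, issues };
}
```

Calling auditDataLayer(dataLayer) from the browser console after the banner choice is a quick way to see the effective signals alongside what GTM Preview shows.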
Data collection and retention
[ ] GA4 data retention is set appropriately (14 months is the maximum for user-level data)
[ ] You are not collecting more data than you need (data minimization principle)
[ ] IP anonymization is active (GA4 does this by default now, but verify your setup)
[ ] You are not sending personally identifiable information (names, emails) into GA4 event parameters or user properties
[ ] Google Signals is only enabled if you understand what data it collects and have consent for it
Data processing agreements
[ ] You have a Data Processing Agreement (DPA) with Google (this is accepted through the Google Analytics Terms of Service)
[ ] You have DPAs in place with all other vendors receiving personal data (Meta, LinkedIn, your CMP provider, etc.)
[ ] If you are using a server-side setup, you have a DPA with your infrastructure provider
Advertising and remarketing
[ ] Remarketing audiences in Google Ads or Meta are only built from consented users
[ ] Your Meta Pixel is configured to respect consent — it should not fire (or should fire in limited mode) for non-consented users
[ ] LinkedIn Insight Tag respects consent in the same way
[ ] You are not using "broad" audience expansion settings that include non-consented users
Data subject rights
[ ] You have a process for handling data subject access requests (DSARs) — users asking what data you hold about them
[ ] You have a process for handling deletion requests
[ ] Your privacy policy accurately describes what data you collect, why, and with whom you share it
[ ] Your privacy policy is up to date and references GA4 (not Universal Analytics)
Cross-border data transfers
[ ] You understand that GA4 data is processed in the US and this requires an adequacy mechanism (typically Standard Contractual Clauses via Google's DPA)
[ ] If you use Meta CAPI or other US-based vendors, the same applies
[ ] You are not relying on Privacy Shield, which was invalidated in 2020
Things most businesses are still getting wrong
Cookiebot (or any CMP) is installed but Consent Mode is not configured. The banner appears to work, but tracking ignores consent choices entirely.
The consent banner uses dark patterns. A grey "Reject" button next to a bright "Accept all" is not compliant. Several EU regulators have issued fines specifically for this.
Personal data is leaking into GA4 parameters. Search queries, email addresses in URLs, or form field values captured in event parameters are PII and should not be in GA4.
Remarketing is running on non-consented users. If you are building audiences in Google Ads from GA4 data, and some of that data comes from users who declined consent, you have a problem.
Privacy policy has not been updated since GA moved from UA to GA4. Different data model, different retention settings, different third-party processors. The policy needs to reflect the current setup.
What to do next
Work through this checklist and note where you have gaps. The highest-risk items are the consent management ones — especially Consent Mode v2 configuration and dark pattern banners, since these are what regulators focus on.
If you want an independent review of your current setup, get in touch. I cover consent compliance as part of analytics audits for EU-based clients.
