STOP THE FINES: Your MLG Digital SOP for GDPR & POPIA Compliant Google Analytics (via GTM)

Worried about those looming data privacy fines? In today's landscape, tracking website visitors without their explicit permission is unethical, and under regulations like GDPR (Europe) and POPIA (South Africa) it is illegal.

If you’re relying on basic Google Analytics (GA4) setup, you might be illegally collecting data.

This Standard Operating Procedure (SOP) is your essential guide. It helps you set up a fully compliant and future-proof tracking system. This system uses Google Tag Manager (GTM) and Google’s Consent Mode. This method allows you to collect valuable aggregated data while respecting user privacy and minimising your legal risk.

Phase 1: The Legal Foundation – Implementing Consent

The core of compliance is obtaining valid and explicit user permission. This must be done before tracking any personal data, including IP addresses and browser IDs.

Step 1: Deploy a Certified Consent Management Platform (CMP)

You must use a Google Certified CMP (like OneTrust, CookieBot, or Osano) to manage the user consent banner.

  1. Selection: Choose a CMP that specifically supports Google Consent Mode v2. This is non-negotiable for full compliance.
  2. Implementation: Install the CMP script directly into the <head> of your website, before the GTM script.
  3. Configuration: Configure the CMP to offer clear choices. Options should include Accept All, Reject All, and Preferences. Block all non-essential tracking cookies by default, including Google Analytics.

Step 2: Integrate Google Consent Mode

Consent Mode allows Google tags to adjust their behavior based on the user’s consent choice (e.g., if a user rejects analytics cookies, Google still sends pings for modeling, but without identifying data).

  1. CMP Activation: The CMP you choose must send the user’s consent status to the Google Data Layer before GTM fires any tags.
  • If Analytics is granted: gtag('consent', 'update', { 'analytics_storage': 'granted', 'ad_storage': 'granted' })
  • If Analytics is denied: gtag('consent', 'update', { 'analytics_storage': 'denied', 'ad_storage': 'denied' })
  2. GTM Settings: In GTM, ensure all relevant tags (GA4 Configuration Tag, Google Ads) have the "Require additional consent for tag firing" option enabled and configured to wait for the appropriate consent parameter (analytics_storage, etc.).
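The default/update sequence described in Step 2, as an added example (not code from the SOP or from any CMP vendor): consent is set to "denied" before the GTM container loads, the CMP's stored choice is translated into Consent Mode v2 parameters, and a small check confirms that the default command reached the data layer first. The `choice` shape and the `w` stub are assumptions made for this example.

```javascript
// Added example: the consent-default / consent-update sequence the CMP must push
// to the data layer before GTM fires any tag. Runs in a browser or in Node
// (window is stubbed when absent); the `choice` shape is constructed for this example.
const w = typeof window !== "undefined" ? window : {};
w.dataLayer = w.dataLayer || [];
function gtag() { w.dataLayer.push(arguments); }

// Step A: deny everything until the visitor has chosen. This call belongs in <head>
// BEFORE the GTM container snippet; wait_for_update gives the CMP time to answer.
function setConsentDefaults(waitMs = 500) {
  gtag("consent", "default", {
    analytics_storage: "denied",
    ad_storage: "denied",
    ad_user_data: "denied",        // Consent Mode v2 parameter
    ad_personalization: "denied",  // Consent Mode v2 parameter
    wait_for_update: waitMs,
  });
}

// Step B: translate the CMP's stored choice { analytics, marketing } into
// Consent Mode parameters and push the update.
function consentFromChoice(choice) {
  const state = (granted) => (granted ? "granted" : "denied");
  return {
    analytics_storage: state(choice.analytics),
    ad_storage: state(choice.marketing),
    ad_user_data: state(choice.marketing),
    ad_personalization: state(choice.marketing),
  };
}

function updateConsent(choice) {
  const params = consentFromChoice(choice);
  gtag("consent", "update", params);
  return params;
}

// Step C: verification helper for Preview Mode / unit tests. True only if a consent
// "default" command sits in the data layer before anything else (e.g. the gtm.js event);
// otherwise the container loaded first and tags could fire before consent was set.
function defaultBeforeContainer(dataLayer) {
  for (const entry of dataLayer) {
    const isConsent = entry && entry[0] === "consent";
    if (isConsent && entry[1] === "default") return true;
    if (!isConsent) return false;
  }
  return false;
}
```

In a real deployment the CMP calls `updateConsent` from its own choice callback; the order check is what you would assert in Preview Mode.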

Phase 2: Technical Setup & Data Minimisation in GA4

Even with consent, you must minimise the data you retain.

Step 3: Configure Data Retention in Google Analytics 4 (GA4)

GDPR and POPIA encourage data minimisation. You must limit the time GA4 stores user-level data.

  1. Navigation: In the GA4 Admin panel, go to Data Settings > Data Retention.
  2. Setting: Change the retention period from the default  months to  months (the maximum available). This keeps historical data for annual comparisons but deletes user-specific data faster than the default.

Step 4: Deactivate Granular Location and Device Signals

While GA4 automatically anonymises IP addresses, you can increase privacy by limiting the collection of fine-grained location data.

  1. Navigation: In the GA4 Admin panel, go to Data Settings > Data Collection.
  2. Toggle Off: Turn off the toggle for “Granular location and device data collection.” This tells Google to stop collecting the most specific location and device details.

Phase 3: Implementation via Google Tag Manager (GTM)

GTM is the central control point for your compliant setup.

Step 5: Configure the GA4 Tag in GTM

  1. Variables: Create a User-Defined Variable in GTM to store your GA4 Measurement ID (e.g., G-XXXXXXXXXX).
  2. GA4 Configuration Tag: Create a new tag:
  • Tag Type: Google Analytics: GA4 Configuration.
  • Measurement ID: Use the Variable created in the step above.
  • Fields to Set: Add a field named anonymize_ip and set its Value to true (GA4 already anonymises IP addresses by default; adding the field makes this privacy setting explicit in the container).
  • Triggering: Set the trigger to “Initialization – All Pages” (or use the custom Consent Initialization trigger provided by your CMP).

The GTM Advantage: Pros and Cons

Implementing this compliance setup through Google Tag Manager offers significant operational and technical benefits, but it’s not without complexity.

Control & Speed
  • Pro: Centralised control over all tracking scripts. Changes (e.g., updating a cookie-blocking mechanism) can be deployed instantly without touching the website code.
  • Con: Requires a deep understanding of the Data Layer. Incorrect GTM variable configuration can lead to tags firing before consent is registered, breaching compliance.

Accuracy
  • Pro: GTM's Consent Mode integration ensures tags only fire when the legal requirements are met, minimising the risk of accidental data collection.
  • Con: Debugging is complex. If the CMP, the Data Layer, and the GTM triggers aren't perfectly aligned, the setup fails silently, potentially resulting in data loss or illegal tracking.

Testing
  • Pro: GTM's Preview Mode allows for robust, real-time testing of consent states. You can see exactly which tags fire when a user clicks "Accept" versus "Reject."
  • Con: The initial setup is time-consuming and requires highly specialised knowledge (usually a GTM expert) to ensure compliance is technically sound from the ground up.

Final Compliance Check

Once deployed, use GTM’s Preview Mode and the Google Analytics DebugView to confirm:

  1. When a user accepts cookies, the GA4 tags fire normally.
  2. When a user rejects cookies, the GA4 tags fire but only send limited, modeled, and non-identifying data (signaled by Consent Mode).
  3. The CMP correctly blocks all other cookies (e.g., Facebook Pixel, LinkedIn Insight Tag) until consent is given.
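The three checks above can also be run over the request URLs you copy out of the browser's Network panel during a Preview Mode session. The following is an added example, not part of the SOP: it reads the gcs parameter that GA4 hits carry (encoding ad_storage and analytics_storage state) and flags any marketing-tag request that appears without marketing consent. The captured URLs, the pixel id placeholder and the host list are constructed for this example.

```javascript
// Added example: audit request URLs copied from the browser's Network panel
// against the consent state used for the test run. The URLs below are constructed.
// On GA4 /g/collect hits the gcs parameter encodes Consent Mode state as
// "G1" + ad_storage digit + analytics_storage digit (1 = granted, 0 = denied).
const NON_ESSENTIAL_HOSTS = [
  "facebook.com", "connect.facebook.net", // Facebook Pixel
  "snap.licdn.com", "px.ads.linkedin.com", // LinkedIn Insight Tag
];

function expectedGcs(consent) {
  return "G1" + (consent.marketing ? "1" : "0") + (consent.analytics ? "1" : "0");
}

function hostMatches(hostname, suffix) {
  return hostname === suffix || hostname.endsWith("." + suffix);
}

// Returns a list of findings; an empty list means the run matched the consent state.
function auditRequests(urls, consent) {
  const findings = [];
  const want = expectedGcs(consent);
  let ga4Hits = 0;
  for (const raw of urls) {
    const u = new URL(raw);
    if (u.pathname.endsWith("/g/collect")) {
      ga4Hits += 1;
      const gcs = u.searchParams.get("gcs");
      if (gcs !== want) findings.push(`GA4 hit has gcs=${gcs}, expected ${want}: ${raw}`);
    } else if (!consent.marketing &&
               NON_ESSENTIAL_HOSTS.some((h) => hostMatches(u.hostname, h))) {
      findings.push(`marketing tag fired without consent: ${raw}`);
    }
  }
  // Consent Mode should still send cookieless pings on Reject All; silence means a misfire.
  if (ga4Hits === 0) findings.push("no GA4 hits seen: check the tag's consent settings and trigger");
  return findings;
}

// Constructed capture of a "Reject All" test run (Measurement ID placeholder from the SOP).
const REJECT_ALL_CAPTURE = [
  "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXXXXX&gcs=G100&en=page_view",
  "https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView",
];
```

Run it once per consent state (Accept All, Reject All, analytics only) and treat any finding as a blocker before publishing the container.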

Need help setting up this high-level, compliant structure? Don’t risk the fines. Contact MLG Digital today for a full compliance audit and GTM implementation.
