Primer: eCommerce Consent Compliance with Google Analytics 4

There’s WAY more data that you can collect with GA4, while remaining compliant with cookie consent banners.

Capture useful engagement data while respecting opt-outs.

(I’m not a privacy attorney. Don’t consider this blog post legal advice.)

It’s obvious that respecting shoppers’ privacy preferences is critical to building trust and growing customer lifetime value for your eCommerce brand. Full stop.

At the same time, eCommerce brands are feeling more and more pressure to collect customer data that can be fed into machine-learning-powered paid advertising campaigns.

These tensions are acute.

As a result, it’s important that brands understand how to collect attribution data with Google Analytics 4 in the context of privacy consent and compliance.

This is not a blog post on privacy law…

Again, not an attorney… In sharing the mechanics of consent modes and compliance with GA4, I am not offering advice on how to set up cookie banners, or what you need to do organizationally to be compliant with GDPR or California’s Privacy Rights Act.

To understand cookie consent requirements for your organization, chat with someone at one of the major providers: OneTrust, Osano, and so forth.

Whether you’re on Shopify or BigCommerce or Magento or WooCommerce, these companies will be able to help you collect shopper consent on your website — and make that consent available to the attribution tracking scripts you might be loading on your site.

Accessing Opt-in/out preferences in the browser

Most privacy banners from companies like OneTrust or Osano provide integrations (or at least JavaScript recipes) for setting a variable in your storefront theme that represents a specific shopper’s choice to opt in or out of attribution tracking and attribution cookies.

For Shopify, this is its Customer Privacy API. For BigCommerce, the tools are a bit more of a blunt instrument, leveraging configuration options in its Scripts Manager.

Configuring GA4 with tracking/cookie consent

Depending upon how you capture tracking and cookie consent, there are ultimately two ways to respect these preferences when tracking shoppers with GA4:

1. The extreme approach — Don’t load any GA4 tracking scripts without consent

This is essentially how you would set up your own GA4 tracking with BigCommerce’s Scripts Manager. With Scripts Manager, you can choose to load scripts depending upon a shopper’s opt in/out to attribution/analytics tracking:

Configuration options for attribution tracking in BigCommerce

Similarly, you can configure GA4 attribution tracking scripts to load based upon consent in Shopify with a little custom theme code or with Google Tag Manager.

The problem with this approach of only loading GA4 tracking scripts upon consent is that you miss out on a ton of data that Google can collect anonymously — while staying compliant with privacy laws.

Below, I’ll describe a better approach.

2. A smarter approach: Leveraging GA4’s Consent Mode

This is where things get really exciting with GA4!

While Google Analytics 4 has many pain points, one of the most useful features that it includes is its Reporting Identity.

With GA4’s Reporting Identity, Google leverages modeling (powered by machine learning) to fill in the gaps to report on user engagement for website visitors who have opted out of being personally identified and tracked.

GA4’s Reporting Identity leverages ML to track engagement for opted-out visitors.

When GA4’s Reporting Identity is set to “Blended”, you can still use GA4 attribution scripts to track user engagement on your website without identifying opted-out users. Geolocation, device, and browser data aren’t captured, but GA4 can still stitch together traffic and engagement for reporting.

Setting up Consent Mode in GA4

The key to leveraging the Reporting Identity and modeling for opted-out traffic is setting up your Google Analytics tracking scripts to leverage Consent Mode.

With Consent Mode, you would load your initial GTag.js on a website with the following settings, to prevent your script from sending Google Analytics user-identifiable data:

// Default state: deny ad and analytics storage until the shopper chooses.
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied'
});

Then, once your privacy consent banner and scripts fire, you can change this consent setting to allow your GTag.js scripts to send identifiable data, set Google Analytics cookies, and so forth:

// After the shopper opts in through the consent banner:
gtag('consent', 'update', {
  'ad_storage': 'granted',
  'analytics_storage': 'granted'
});
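
A check you can run against your own dataLayer, as an added example that is not from the original post or from Fueled's code: it replays the queued gtag() commands and flags a config or event sent before any consent default, consent keys that are not real consent types (a misspelled key never changes the type you meant), and values other than 'granted' or 'denied'. The names auditConsent and toCommand, the sample dataLayer, and the G-XXXXXXXXXX measurement ID are constructed for illustration.

```javascript
const CONSENT_TYPES = new Set([
  'ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization',
  'functionality_storage', 'personalization_storage', 'security_storage',
]);
const CONSENT_OPTIONS = new Set(['wait_for_update', 'region']); // valid non-type keys

// gtag() pushes its `arguments` object; normalise each entry to a plain array.
function toCommand(entry) {
  return entry && typeof entry.length === 'number' ? Array.from(entry) : [];
}

// Replays the dataLayer and reports consent mistakes plus the resulting state.
function auditConsent(dataLayer) {
  const findings = [];
  const state = {};
  let sawDefault = false;
  dataLayer.map(toCommand).forEach(([cmd, action, params], i) => {
    if (cmd === 'config' || cmd === 'event') {
      if (!sawDefault) findings.push(`#${i}: '${cmd}' sent before any consent default`);
      return;
    }
    if (cmd !== 'consent') return;
    if (action === 'default') sawDefault = true;
    for (const [key, value] of Object.entries(params || {})) {
      if (CONSENT_OPTIONS.has(key)) continue;
      if (!CONSENT_TYPES.has(key)) {
        findings.push(`#${i}: unknown consent type '${key}'`);
      } else if (value !== 'granted' && value !== 'denied') {
        findings.push(`#${i}: '${key}' has invalid value '${value}'`);
      } else {
        state[key] = value; // later commands override earlier ones
      }
    }
  });
  return { findings, state };
}

// Constructed sample: defaults denied, then a banner callback with a misspelled key.
const sampleLayer = [];
function gtag() { sampleLayer.push(arguments); }
gtag('consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' });
gtag('js', new Date(0));
gtag('config', 'G-XXXXXXXXXX'); // placeholder measurement ID
gtag('consent', 'update', { ad_storage: 'granted', analyitcs_storage: 'granted' });

const report = auditConsent(sampleLayer);
console.log(report.findings, report.state);
```

In a browser console, call auditConsent(window.dataLayer) after interacting with the banner; an empty findings array together with the state you expect for that shopper's choice is the result to look for.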

What you will see when Consent Mode is set to “denied”

When GA4 Consent Mode is set to deny ad_storage and analytics_storage, you will still see events sent to Google Analytics’ Collection API in the network tab of your browser console.

However, if you look at the events in Google Tag Assistant, you’ll see that these events are sent to GA4 with consent denied:

Consent Mode variables set to “denied.”

Moreover, if you look at the real-time reports in GA4, you won’t see these “denied” events in the event stream.

But these anonymized events still exist in GA4, and will be blended into your reports within 24–48 hours!

Still confused with how to set all this Consent Mode stuff up?

Yeah…admittedly, all this consent mode and opt in/out settings and privacy banner stuff can be a little overwhelming.

Fortunately, Fueled’s out-of-the-box Shopify and BigCommerce Attribution Tracking Apps can solve all of this for you, ensuring that you capture as much engagement data as possible while remaining privacy compliant.

If you want to learn more, give us a shout!

https://fueled.io/sign-up
