Collecting GA4 consent means showing a cookie banner and recording each visitor's choice. That choice then passes to Google Analytics through Consent Mode v2, so tags fire only when allowed. Google says the same thing directly: use a consent banner or a Consent Management Platform (CMP) to collect and send consent.
This guide covers six steps. Choose a collection method, configure the banner, and wire Consent Mode v2. Then pick a mode, verify the signals arrive, and keep a record.
Do you need consent to run Google Analytics?
Yes, for EEA and UK visitors you need prior consent before GA4 sets cookies or collects data. In the US, most state privacy laws run on an opt-out model instead. Some regions, including Australia, have lighter requirements. Google states this directly.
You are responsible to obtain users' consent on your website or app or any data you upload to Google.
The legal detail behind that requirement is its own question. For the GDPR analysis, read whether Google Analytics is legal under GDPR. For the compliance checklist, read whether GA4 is GDPR compliant.
A consent tool with automatic geotargeting shows the EEA/UK opt-in banner only where the law requires it and skips it for visitors elsewhere. That single setting removes most of the "do all my visitors need this" confusion.
GA4 consent is one piece of a bigger job. For the full picture across every regulation your site touches, see cookie-law compliance across your whole site.
What you need before you start
Most teams miss one thing: a live GA4 property connected before you touch consent settings, since Consent Mode has nothing to signal against otherwise.
Four things get you started.
- Roles: the site owner or whoever manages the GA4 property. One person can do this end to end.
- Time: 30 to 60 minutes for a straightforward setup. Add time if you are wiring Google Tag Manager manually instead of using a CMP.
- Inputs: a live GA4 property, access to your site's
<head>section or your tag manager, and a way to collect and record consent (a cookie banner or a CMP). - Tools: a website builder or CMS that allows script installation, plus a consent banner or CMP. Any major platform works.
Step 1: Choose how you will collect consent
You need something that asks visitors for consent and records their choice, because Consent Mode by itself does not collect anything. It only relays whatever choice already exists. One practitioner put it plainly: Consent Mode "doesn't actually collect consent. It just reacts to it."
Two paths get you there.
- A Consent Management Platform. A CMP shows the banner, records the choice in a consent log, and signals Consent Mode v2 automatically. Google's own guidance recommends this route: use a CMP to collect consent and send it to Google.
- A do-it-yourself banner. You build or install a banner, then wire the record-keeping and the Consent Mode signal yourself in code.
Consently runs the first path. Its banner collects consent and its preference center lets visitors choose by category. Its consent logs record every choice with an export option. It signals Consent Mode v2 automatically, with no hand-written gtag('consent') code. One tool covers collection, the record, and the signal.
Done: you have picked a collection method. You know whether a CMP or a manual build handles the record-keeping and signaling.
Step 2: Configure your consent banner for GA4
Your banner needs to match the visitor's region, put analytics in its own togglable category, and make declining as easy as accepting.
Three things to configure.
- Pick the model by region. EEA and UK visitors need an opt-in banner (no tracking until they accept). US visitors typically see an opt-out model tied to state privacy laws.
- Categorize analytics separately. Put Google Analytics cookies in their own category so a visitor can decline analytics while keeping essential cookies running.
- Add a preference center. Give visitors a way to change their choice later without clearing cookies or hunting for a hidden setting.
- Keep Reject as easy as Accept. A banner that buries the decline option or requires more clicks to reject than to accept produces consent that will not hold up if challenged.
Automatic geotargeting solves the first item for you. Consently ships GDPR opt-in and CCPA/US opt-out templates and shows the right one per region, with no manual rules to write. Its category-based preference center handles the second and third.
If you do not have a banner yet, start with add a cookie banner to your site.
Done: your banner shows the correct model per region. Analytics sits in its own category, and declining takes the same clicks as accepting.
Step 3: Connect consent to GA4 with Google Consent Mode v2
Consent Mode v2 relays the visitor's choice to GA4 as four signals so Google tags know whether they are allowed to run.
The four signals are these.
ad_storage: governs Google Ads cookie storage.analytics_storage: governs Google Analytics cookie storage.ad_user_data: governs sending user data to Google for advertising.ad_personalization: governs personalized advertising.
Every signal defaults to denied until the visitor consents. Once they accept, the relevant signals flip to granted and GA4 tags read the update. The wiring itself runs through gtag() calls or Google Tag Manager. This guide keeps that wiring out of scope. For the full manual and GTM walkthrough, read the full Consent Mode v2 setup walkthrough. For what each signal actually controls, see what each consent signal controls. For the concept in full, see what Google Consent Mode does.
Consently sets all four signals to denied by default and updates them automatically once a visitor consents, with no manual gtag('consent') code required. It works through gtag or through Google Tag Manager.
Done: GA4 receives all four signals. Each starts denied and updates to granted only after explicit consent.
Step 4: Decide between basic and advanced Consent Mode
Basic mode blocks every Google tag until the visitor consents. Advanced mode lets tags load immediately in a denied state and sends cookieless signals Google uses to model the gap.
| Mode | Tag behavior before consent | Data before consent |
|---|---|---|
| Basic | Tags do not fire at all | Zero data, not even a consent status ping |
| Advanced | Tags load immediately, denied by default | Cookieless pings (consent state, key events) for modeling |
The safest compliance position is basic mode. No Google tag fires until the visitor decides, but that is also the position with the most data loss. Advanced mode recovers some of that loss through behavioral modeling. Modeling only activates once GA4 sees enough denied-consent traffic. Google documents two thresholds. The first is at least 1,000 events per day with analytics_storage='denied' for 7 days. The second is at least 1,000 daily users with analytics_storage='granted' for 7 of the previous 28 days.
Weigh the tradeoff in basic versus advanced Consent Mode. A certified CMP supports both modes. The choice stays yours, not a limitation of the tool.
Done: you have picked basic or advanced mode. The choice reflects your risk tolerance and traffic volume.
Step 5: Verify GA4 is receiving your consent signals
Confirm signals in GA4 Admin under Data collection and modification, then Consent settings. That panel shows the percentage of EEA traffic and the status of each signal.
Four checks confirm it.
- Open Admin > Data collection and modification > Consent settings in GA4.
- Read the EEA traffic and conversions panel at the top of the page.
- Check the status of your advertising and behavior analytics consent signals. A signal reading Not detected instead of Granted or Denied means GA4 is not receiving it correctly.
- Allow 48 to 72 hours after a fix before checking again. Google's documentation states notifications take that long to refresh.
Watch your consent analytics alongside the Admin check. A CMP with consent tracking shows acceptance patterns over time. That is a faster day-to-day signal than waiting on the Admin panel alone.
Done: every consent signal reads Granted or Denied, not Not detected. You have confirmed the EEA traffic percentage matches expectations.
Step 6: Keep a record of the consent you collect
GDPR expects you to prove valid consent existed, so you need a timestamped record of each visitor's choice, its scope, and their region.
An exportable consent log is that record. It should capture the timestamp, the choice made, the categories consented to, and the visitor's approximate location. Consently's consent logs record all of this automatically. They export on demand, giving you the audit trail a hand-rolled banner usually cannot produce.
Done: you can export a dated record of any visitor's consent choice.
Common mistakes when collecting GA4 consent
The most damaging mistake is firing GA4 tags before consent in a region that requires it. That alone breaks the legal basis for every event collected that way.
Five mistakes worth avoiding.
- Firing tags before consent where prior consent is required. Consequence: every event collected before the visitor decided is unlawfully processed. Remedy: use basic mode, or verify your CMP genuinely blocks tags pre-consent rather than just hiding the banner visually.
- Assuming Consent Mode collects consent. Consequence: teams wire Consent Mode and skip the banner entirely, so nothing ever asks the visitor. Remedy: pair Consent Mode with a CMP or a banner that actually records a choice.
- Making Reject harder to find than Accept. Consequence: dark-pattern banners invalidate the consent they collect. Remedy: give both buttons equal visual weight and equal click depth.
- Never checking GA4 Admin for signal status. Consequence: a broken signal wiring goes unnoticed for weeks. Remedy: check Consent settings after any tag or CMP change, and again 48 to 72 hours later.
- Skipping the exportable record. Consequence: no way to prove consent was collected if challenged. Remedy: use a CMP with consent logs and export the log on a regular schedule, not just on request.
A certified CMP removes most of these failure modes by default. Collection, signaling, and the record all live in one system, not three hand-wired pieces.
FAQs
Do you need consent for Google Analytics 4 specifically?
Yes, in the EEA and UK you need prior opt-in consent before GA4 tracks a visitor. In the US, most state laws use an opt-out model instead, so GA4 can run by default until a visitor opts out.
How long until GA4 shows my consent signals?
Google's own documentation states notifications take 48 to 72 hours to refresh after you fix a signal issue. Check the Consent settings panel again after that window before assuming a fix failed.
Can I use Google Analytics without a cookie banner?
Only where no prior-consent law applies to your visitors, such as most US states under an opt-out model. Anywhere prior consent is required, GA4 needs a banner or CMP in front of it.
Does Consent Mode collect consent for me?
No. Consent Mode only relays a choice that already exists; it does not ask the visitor anything. A CMP or a custom banner is what actually collects and records consent.
Will collecting consent tank my GA4 data?
Declined consent removes real tracking data for those visitors. Advanced Consent Mode partly recovers it through behavioral modeling once you hit Google's documented thresholds. Those thresholds are 1,000 daily events denied for 7 days, plus 1,000 daily users granted for 7 of the previous 28 days.
Do US visitors need the same consent as EU visitors?
No. EU and UK visitors need opt-in consent before tracking starts. Most US visitors fall under an opt-out model tied to state privacy laws, so the banner and default state differ by region.
Consently collects, records, and signals GA4 consent from one tool, with Google Consent Mode v2 on by default and no manual code to maintain. See the full setup on the Google Consent Mode v2 integration page, or start your free trial to get your banner live today.

