Does GA4 require cookie consent?

In most EU and UK contexts, yes. GA4 sets first-party cookies that count as analytics cookies under ePrivacy rules, so a consent decision is required before GA4 fires.

What is consent mode?

Consent mode is a Google feature that lets a site signal the user's consent state to Google products. With consent mode v2, GA4 sends pings without identifiers when consent is denied, supporting basic measurement without setting cookies.

Cookie policy for Google Analytics 4

What to include in a cookie policy when the website uses Google Analytics 4, including consent mode, data retention, and disclosure.

Disclose Google Analytics 4 by name

A vague reference to "third-party analytics" is not enough for a site that wants to be transparent. Name Google Analytics 4 in the cookie policy, link to Google's GA4 documentation, and describe the cookies it sets (typically _ga, _ga_<container> and friends).

Describe the data collected

Explain that GA4 collects events, page views, device data, and approximate location. If the site uses GA4 features like demographics, advertising integrations, or signals, disclose those features explicitly. Generic copy ("we collect aggregate usage data") understates what the tool does.

Describe data retention

GA4 retention is configurable in the property. State the retention window the site uses (for example, two months, fourteen months) and explain what happens after that window. If the site changes the setting, update the policy.

Cover consent mode

If the site uses consent mode v2, describe its behavior. With consent denied, GA4 sends limited pings without setting identifiers; with consent granted, GA4 collects normal analytics data. The cookie policy should make clear that no measurement happens until the visitor sees the banner.

Explain how to decline

The cookie banner should expose a clear "decline" or "manage" option, and the cookie policy should reference it. Some sites also link to Google's opt-out browser extension as an additional path; mention it only if it actually works for the audience.

Cross-link with the privacy policy

The privacy policy describes the legal basis for analytics data, the international transfer mechanism (for example, the EU-US Data Privacy Framework if the operator is in scope), and the retention. The cookie policy describes the technical detail. Both should be consistent.

Server-side and Measurement Protocol

If the site sends GA4 events through the Measurement Protocol or a server-side tag, the cookie policy should mention that flow. Server-side tagging does not bypass the consent requirement; it changes who sets the cookies, not the underlying analytics decision.

Consent revocation

The site should provide a way for the visitor to revoke consent later. A persistent link in the footer ("Cookie settings") that reopens the banner is the common pattern. The cookie policy should reference the link.

Updates

Any change to the analytics stack — switching to a different tool, adding advertising features, changing retention — needs a corresponding update to the cookie policy. Keep an effective date and an internal change log.

Practical baseline

A short, honest cookie policy that names GA4, describes the cookies, explains the consent path, and links to a working revocation mechanism does most of the work for a typical small business site. Generic policies invite questions; specific policies survive audits.