Why Cookie Consent Matters More Than Ever for GA4

Google Analytics 4 was built for a privacy-first world, but that does not mean it works perfectly without a proper consent strategy. When visitors decline cookies, GA4 loses the ability to track individual user journeys, attribute conversions, and build audience segments. For many website owners, this translates into a silent data gap that quietly undermines marketing decisions.

The challenge is straightforward: privacy regulations like GDPR and ePrivacy require explicit consent before setting analytics cookies. Without that consent, GA4 either collects no data at all or operates in a heavily restricted mode. Understanding exactly how this interaction works is the first step toward building a measurement strategy that respects user privacy while preserving actionable insights.

What Data Does GA4 Lose Without Consent?

When a visitor does not grant cookie consent, GA4 cannot set its _ga and _gid cookies. Without these identifiers, the following capabilities are lost or degraded:

• User identification: GA4 cannot distinguish returning visitors from new ones, inflating new user counts significantly.
• Session stitching: A single user browsing multiple pages may appear as multiple separate sessions.
• Conversion attribution: Multi-touch attribution models break down because there is no persistent identifier linking touchpoints.
• Audience building: Remarketing audiences in Google Ads cannot be populated from unconsented sessions.
• Engagement metrics: Metrics like engaged sessions per user and average engagement time per user lose accuracy.

In markets with high consent rejection rates — often 30 to 50 percent in parts of Europe — this data loss is substantial enough to make GA4 reports unreliable for business decisions.

How Consent Mode V2 Changes the Equation

Google introduced Consent Mode V2 specifically to address this gap. It works by sending cookieless pings to Google's servers even when consent is denied, but these pings contain no personally identifiable information and no cookie identifiers. Instead, they carry contextual signals: the page URL, a timestamp, a user agent string, and the consent state itself.

Consent Mode V2 introduces two key consent parameters that your CMP must manage:

• analytics_storage: Controls whether GA4 can set analytics cookies. When denied, GA4 sends cookieless pings instead.
• ad_storage: Controls whether advertising cookies (Google Ads, Floodlight) can be set. When denied, conversion pings are sent without identifiers.

There are two implementation levels:

• Basic mode: No data is sent to Google at all until consent is granted. Simple but results in maximum data loss.
• Advanced mode: Cookieless pings are sent even when consent is denied. This is what enables Google's conversion modelling and is the recommended approach.

Cookieless Measurement and Data Thresholds

The cookieless pings sent in Advanced mode serve as the foundation for Google's machine learning models. These models use the behavioural patterns observed from consented users to estimate conversions and engagement from non-consented sessions. However, this modelling only activates when certain thresholds are met.

Google requires a minimum volume of data before modelling kicks in. For Google Ads conversion modelling, the general threshold is approximately 1,000 ad clicks per day for at least 7 consecutive days. For GA4 behavioural modelling, the thresholds are lower but still require a meaningful volume of consented users to train the model against.

If your site does not meet these thresholds, you will see gaps in your reports where modelled data would otherwise appear. This is particularly relevant for small and medium-sized websites that may not generate enough traffic to activate modelling consistently.

Configuring GA4 with a CMP: Step by Step

Proper configuration requires your CMP to communicate consent decisions to Google's tags before those tags fire. The sequence matters:

1. Load the CMP script first. It must execute before Google Tag Manager or gtag.js.
2. Set default consent states. Before any tags fire, the CMP should push a consent default command setting all consent types to denied.
3. Display the banner. The user sees the consent prompt and makes their choice.
4. Update consent states. When the user responds, the CMP pushes a consent update command with the new values.
5. Tags react accordingly. GA4 either sets cookies normally (consent granted) or sends cookieless pings (consent denied).

This sequence ensures that no cookies are set before consent is obtained, satisfying GDPR requirements while still enabling cookieless measurement for denied sessions.

Common GA4 and Consent Mistakes

Even experienced teams make configuration errors that undermine both compliance and data quality. Watch out for these frequent pitfalls:

• Loading GA4 before the CMP: If the analytics script fires before consent defaults are set, cookies may be placed before the user has a chance to decide. This is both a compliance violation and a data integrity issue.
• Using Basic mode when Advanced is appropriate: Basic mode is simpler but sacrifices all modelling capability. Unless you have a specific legal reason to avoid cookieless pings, Advanced mode is almost always the better choice.
• Not mapping cookie categories correctly: Your CMP's analytics category must map to analytics_storage and your marketing category to ad_storage. Mismatches cause consent signals to be ignored.
• Forgetting ad_user_data and ad_personalization: Consent Mode V2 added these two parameters. Both must be explicitly managed by your CMP for full compliance with Google's EU user consent policy.
• Ignoring consent for server-side tagging: If you use server-side GTM, consent signals must be forwarded to the server container. A server-side setup does not exempt you from consent requirements.

How FlexyConsent Auto-Handles GA4 Consent Signals

FlexyConsent is a Google-certified CMP with built-in support for Consent Mode V2 in Advanced mode. When installed, it automatically manages the entire consent lifecycle for GA4 without requiring manual tag configuration:

• Automatic default states: FlexyConsent pushes consent default commands for all five consent types (analytics_storage, ad_storage, ad_user_data, ad_personalization, and functionality_storage) before any Google tags load.
• Real-time consent updates: When a visitor interacts with the banner, FlexyConsent immediately pushes consent update commands, triggering GA4 to adjust its behaviour in the same page session.
• IAB TCF 2.3 integration: For publishers using programmatic advertising alongside GA4, FlexyConsent simultaneously manages TCF consent strings, ensuring ad partners receive proper signals.
• Geo-targeting: FlexyConsent detects visitor location and adjusts the consent experience accordingly. Visitors from regions without consent requirements can receive a streamlined experience, preserving maximum GA4 data collection where legally permitted.

With plans starting from EUR 0 per month, there is no cost barrier to implementing proper consent management. The free tier supports sites with moderate traffic, and paid plans scale with your needs. Integration is available via a simple JavaScript snippet, or through native plugins for WordPress, Shopify, and PrestaShop.

Key takeaway: GA4 and cookie consent are not opposing forces. With Consent Mode V2 properly implemented through a certified CMP like FlexyConsent, you maintain regulatory compliance while recovering a significant portion of the data that would otherwise be lost to consent rejections. The earlier you implement this correctly, the sooner Google's models can begin learning from your traffic patterns.