Google Analytics GDPR: Configure GA4 the Compliant Way
Published on April 2, 2026

If your website uses Google Analytics, you are almost certainly processing personal data under the GDPR. Even when you never ask for a name or email address, analytics identifiers, cookie IDs, device fingerprints (where used), and IP-derived location can still be personal data when they can single out a user.

GA4 (Google Analytics 4) can be configured in a more privacy-protective way, but it is not “GDPR compliant by default”. Compliance depends on how you implement it, what you collect, and how you document your choices.

This guide explains a practical, defensible way to configure GA4 for GDPR, with an approach that also aligns well with modern privacy expectations and many non-EU regimes (including Jamaica’s evolving data protection landscape).

GDPR basics you need to get right before touching GA4

GA4 data is usually personal data

Under the GDPR (Regulation (EU) 2016/679), personal data includes any information relating to an identifiable person. In analytics, that can include:

  • Online identifiers (cookie IDs, app instance IDs, advertising IDs)

  • Device and browser attributes combined into a unique profile

  • IP address and IP-derived location (even if IP is not stored long term)

  • Event data that can reveal behaviour patterns about an individual

GDPR lawful basis: consent is often the safest route for analytics cookies

In practice, analytics on websites is commonly implemented via cookies or similar tracking technologies. That usually triggers EU “cookie rules” (ePrivacy) layered on top of GDPR. Many organisations rely on consent for non-essential analytics.

If you plan to rely on “legitimate interests” instead, you need a careful balancing test, strong minimisation, and typically a cookieless or strictly limited setup. For many businesses, consent plus data minimisation is the more robust, regulator-aligned path.

For consent standards, the European Data Protection Board (EDPB) emphasises that consent must be freely given, specific, informed, and unambiguous (see EDPB consent guidance).

Roles and contracts: you are the controller, Google is a processor

For GA4 on your website, you typically act as data controller (you decide purposes and means). Google generally acts as a processor for analytics processing.

A compliant setup usually includes:

  • A Data Processing Agreement / Addendum with Google

  • Proper vendor disclosures in your privacy notice

  • An international transfer assessment if EU/UK personal data is involved

Decide what you actually need GA4 to do (data minimisation starts here)

Before configuring settings, define the “minimum viable measurement”:

  • What questions must analytics answer (conversion rate, top pages, funnel drop-off)?

  • Do you truly need remarketing, demographic reporting, or cross-device user stitching?

  • Can you measure performance with fewer events and shorter retention?

A service-based site, for example a booking-focused spa website like Lumina Skin Sanctuary, may only need core conversion tracking (booking button clicks, contact form submissions, and page performance). It may not need advertising features at all.

Configure GA4 the compliant way (implementation + settings)

1) Put consent management first (banner + logging)

A GDPR-friendly GA4 deployment starts with a Consent Management Platform (CMP) that:

  • Presents clear choices (accept, reject, granular categories)

  • Blocks non-essential tags until consent

  • Stores an auditable consent record (what user chose, when, and in what context)

If you have EU/UK visitors, implement Google Consent Mode v2 so Google tags respect consent choices and Google products can apply consent signals appropriately. Google’s documentation is here: Consent Mode overview.

Key principle: configure your site so the default state is restrictive (no analytics storage) until the user opts in.
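As an added illustration (not code from the article or from Google), this is the browser-side wiring of that principle with Consent Mode v2: every signal starts denied, and GA4 is only configured once the CMP reports an analytics opt-in. It assumes the standard gtag bootstrap (a `dataLayer` array and a `gtag()` function that pushes its arguments); `G-XXXXXXX` is a placeholder measurement ID.

```javascript
// Added example, not code from the article: Consent Mode v2 wiring for GA4 in
// "basic" form, where GA4 is not configured at all until analytics consent is granted.
// Assumes the standard gtag bootstrap (dataLayer array + gtag() pushing its arguments).
// "G-XXXXXXX" is a placeholder measurement ID.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

const GA4_MEASUREMENT_ID = 'G-XXXXXXX';
const CONSENT_TYPES = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];
let ga4Initialised = false;

// Step 1 (runs first on every page): every Consent Mode v2 signal starts denied.
// wait_for_update gives the CMP 500 ms to replay a previously stored choice.
function setRestrictiveDefaults() {
  const defaults = Object.fromEntries(CONSENT_TYPES.map((type) => [type, 'denied']));
  gtag('consent', 'default', { ...defaults, wait_for_update: 500 });
  return defaults;
}

// Step 2 (called by the CMP when the visitor chooses): analytics and marketing are
// separate categories, so accepting analytics alone leaves all ad signals denied.
function applyConsentChoice({ analytics = false, marketing = false } = {}) {
  const update = {
    analytics_storage: analytics ? 'granted' : 'denied',
    ad_storage: marketing ? 'granted' : 'denied',
    ad_user_data: marketing ? 'granted' : 'denied',
    ad_personalization: marketing ? 'granted' : 'denied',
  };
  gtag('consent', 'update', update);
  // Only now is GA4 configured; before this point no analytics storage or hits exist.
  if (analytics && !ga4Initialised) {
    gtag('js', new Date());
    gtag('config', GA4_MEASUREMENT_ID);
    ga4Initialised = true;
  }
  return update;
}

// Replays the consent commands in the dataLayer to give the effective state (useful in QA).
function effectiveConsent(layer = dataLayer) {
  const state = {};
  for (const args of layer) {
    if (args[0] !== 'consent' || !['default', 'update'].includes(args[1])) continue;
    for (const type of CONSENT_TYPES) if (type in args[2]) state[type] = args[2][type];
  }
  return state;
}

setRestrictiveDefaults();
```

A withdrawal after GA4 has been configured is handled by calling `applyConsentChoice({ analytics: false })`, which pushes a denied update that GA4 honours for subsequent hits.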

2) Deploy GA4 via Google Tag Manager (recommended for governance)

Using Google Tag Manager (GTM) makes it easier to enforce consent-based firing rules and to maintain a clean audit trail of what tags fire under what conditions.

Good practice:

  • Use one GTM container per site (or per clearly defined domain group)

  • Maintain a tag inventory (what each tag does, lawful basis, retention, vendor)

  • Require change control (who can publish, and how changes are reviewed)

3) Configure GA4 to avoid advertising and profiling features unless you truly need them

In GA4 Admin, review and disable features that are not necessary for your stated purpose.

Typically privacy-forward settings include:

  • Turn off Google signals unless you have a strong reason and appropriate consent language (signals can enable cross-device reporting and advertising-related capabilities).

  • Avoid enabling or linking advertising features (for example, Google Ads integrations) unless you have explicit consent and have updated notices accordingly.

  • Avoid building remarketing audiences from analytics unless you have an explicit advertising consent category and a clear user choice.

If you do need marketing features, treat them as a separate consent category and ensure tags only fire after that specific consent is granted.

4) Minimise what you collect at the tag level (events, parameters, and URLs)

A common GDPR failure point is not the GA4 interface settings, but what your implementation sends into GA4.

Avoid sending:

  • Names, email addresses, phone numbers

  • Client IDs that you can directly map back to a person in your CRM

  • Full URLs that contain personal data in query strings (for example, ?email=)

Practical controls:

  • Review form flows so personal data never appears in the URL.

  • If your site appends identifiers to URLs, strip or rewrite page_location before sending it to GA4.

  • Keep custom events focused on site actions, not user attributes.

Remember: Google’s terms generally prohibit sending personally identifiable information to Google Analytics. From a GDPR perspective, preventing this is also core to data minimisation.
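One way to implement the page_location control above, as an added example that is not the article's or Google's code: query values under known PII keys, or values that look like an email or phone number, are replaced before the URL reaches GA4. The parameter list is an assumption to extend per site, and it uses only the standard URL API so it runs in a browser or under Node.

```javascript
// Added example, not from the article: scrub personal data from the URL that GA4 would
// record as page_location. The key list is an assumed starting point, not a standard.
const PII_QUERY_PARAMS = new Set(['email', 'e', 'phone', 'tel', 'name', 'firstname', 'lastname', 'customer_id']);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Seven or more digits/phone punctuation: may over-redact an order ID, which is the safer failure.
const PHONE_RE = /^\+?[\d\s().-]{7,}$/;

function looksLikePii(key, value) {
  if (PII_QUERY_PARAMS.has(key.toLowerCase())) return true;
  return EMAIL_RE.test(value) || value.includes('@') || PHONE_RE.test(value);
}

// Returns a copy of the URL with PII-bearing query values replaced by "[redacted]" and the
// fragment dropped (fragments sometimes echo form input or carry tokens).
function redactPageLocation(href) {
  const url = new URL(href);
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (looksLikePii(key, value)) url.searchParams.set(key, '[redacted]');
  }
  url.hash = '';
  return url.toString();
}

// The object to pass as the third argument of gtag('config', '<measurement id>', ...)
// so GA4 records the scrubbed URL instead of location.href.
function ga4ConfigFor(href) {
  return { page_location: redactPageLocation(href), send_page_view: true };
}
```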

5) Set a short data retention period

In GA4, set event data retention to the shortest period that still supports your reporting needs.

Many organisations choose 2 months for user-level event retention. If you need a longer period (for example, for seasonal trend analysis), document why that period is necessary.

6) Reduce data sharing and internal access

In GA4 Admin, review options related to data sharing and ensure access is restricted:

  • Limit GA4 property access to staff who need it (least privilege)

  • Use role-based permissions, and remove ex-staff and agencies promptly

  • Avoid optional sharing settings that are not needed for your purpose

Also align your internal policies:

  • Who can create new events and conversions

  • Who can link products (Google Ads, Search Console)

  • How often permissions are reviewed

7) Implement deletion workflows for data subject rights

GDPR requires you to respect rights requests (access, deletion, objection where applicable).

Operationally, you should be able to:

  • Delete user data associated with identifiers you can lawfully link (where feasible)

  • Stop analytics processing for users who withdraw consent

  • Demonstrate what happens after withdrawal (tags stop firing, and future collection ceases)

Even if you cannot always identify a specific user in GA4, you should still have a documented process for handling requests and explaining technical limits.

8) Address international transfers (a frequent GA risk area)

If EU/UK personal data is involved, GA4 often raises cross-border transfer questions.

Your compliance posture typically includes:

  • Executing Google’s data processing terms (including Standard Contractual Clauses where applicable)

  • Performing and documenting a transfer risk assessment (and any supplementary measures)

  • Ensuring consent and transparency statements accurately describe the transfer and vendor role

This area is fact-specific and changes with regulator guidance, so it is a common point where legal review is worthwhile.

[Figure: A simple flow diagram showing GDPR-friendly analytics: user visits website, consent banner appears, consent decision routes to either “GA4 blocked” or “GA4 allowed with minimal events,” then data retention and deletion controls feed into a privacy go...]

GA4 GDPR compliance checklist (practical and auditable)

Use the table below as a working checklist for your implementation and documentation pack.

| Compliance area | What “good” looks like | Where you implement it |
| --- | --- | --- |
| Consent | GA4 does not load cookies or collect analytics until opt-in (where required) | CMP + GTM firing conditions + Consent Mode v2 |
| Data minimisation | Only necessary events, no profiling features by default | GTM event design + GA4 feature toggles |
| No PII | No emails, names, phone numbers, or IDs in events or URLs | Site design + GTM/gtag configuration |
| Retention | Short retention period with documented rationale | GA4 Admin retention settings |
| Vendor management | DPA in place, vendor disclosed, transfer assessment completed | Contracts + privacy notice + compliance file |
| Access control | Least privilege, periodic review, secure accounts | GA4 property access management |
| Rights handling | Process exists for withdrawal and deletion requests | Internal SOP + GA4 deletion tools (where applicable) |
| Transparency | Clear privacy notice and cookie notice, easy preference management | Website legal pages + CMP |

Common pitfalls that make GA4 non-compliant in practice

“We have a banner” but tags still fire before consent

This is one of the most common issues. If GA4 requests fire on page load and only later adjust settings, you may already have processed data.
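A way to catch this pitfall during QA, as an added example rather than the article's own material: replay a captured dataLayer and flag any GA4 config or event command that ran before analytics consent was granted. The two sample dataLayers are constructed for the example, and `G-XXXXXXX` is a placeholder ID.

```javascript
// Added example, not from the article: audit a captured dataLayer for GA4 commands that
// ran before a valid analytics consent signal. Input is a list of gtag-style argument
// arrays, as a QA script might capture from a real page; the samples below are constructed.
function commandsBeforeConsent(layer) {
  const findings = [];
  let state = {};
  let defaultSeen = false;
  layer.forEach((args, index) => {
    const [command, target, params] = args;
    if (command === 'consent') {
      if (target === 'default') defaultSeen = true;
      state = { ...state, ...params };
      return;
    }
    // A config or event while analytics_storage is not yet granted is a finding.
    if ((command === 'config' || command === 'event') && state.analytics_storage !== 'granted') {
      findings.push({
        index, command, target,
        reason: defaultSeen ? 'fired while analytics_storage was denied'
                            : 'fired before any consent default was set',
      });
    }
  });
  return findings;
}

// Constructed sample: the "we have a banner" pitfall, GA4 configured on page load.
const PITFALL_LAYER = [
  ['js', new Date()],
  ['config', 'G-XXXXXXX'],                                   // placeholder ID
  ['consent', 'default', { analytics_storage: 'denied' }],
  ['consent', 'update', { analytics_storage: 'granted' }],
  ['event', 'page_view'],
];

// Constructed sample: correct ordering, GA4 configured only after the opt-in update.
const COMPLIANT_LAYER = [
  ['consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied' }],
  ['consent', 'update', { analytics_storage: 'granted' }],
  ['js', new Date()],
  ['config', 'G-XXXXXXX'],
  ['event', 'book_now_click'],
];
```

On a live page the same function can be run against `window.dataLayer` after the banner has been interacted with; any finding means data left the browser before consent.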

Collecting personal data via forms and leaking it into analytics

Examples include:

  • Thank-you pages that include the user’s email in the URL

  • Search boxes that allow users to type personal data, which is then captured as a query parameter

Turning on advertising features without a separate consent choice

Linking GA4 with ad platforms, enabling Google signals, or building remarketing audiences can shift your processing into a higher-risk category that usually requires explicit opt-in and stronger disclosures.

Using “legitimate interests” without a minimised, defensible configuration

If you rely on legitimate interests, expect to justify necessity, minimisation, and user rights impact. Many standard GA4 configurations are hard to defend under that basis.

What Jamaica-based businesses should consider

Even if your organisation is headquartered in Jamaica, GDPR may apply if you:

  • Offer goods or services to individuals in the EU/EEA/UK

  • Monitor behaviour of individuals in those regions (which analytics can do)

In addition, Jamaica’s local privacy requirements and contractual obligations (for example, with overseas clients) can drive similar standards: transparency, minimisation, security, and accountable governance.

If your business operates internationally, aim for one coherent analytics standard that can withstand scrutiny across jurisdictions, rather than maintaining fragmented setups.

Frequently Asked Questions

Is Google Analytics (GA4) GDPR compliant? GA4 can be used in a GDPR-compliant way, but it is not compliant by default. Your lawful basis, consent implementation, minimisation choices, transfers approach, and documentation determine compliance.

Do we need cookie consent for GA4? Often yes, especially where GA4 uses cookies or similar identifiers for non-essential analytics. Requirements vary by jurisdiction and implementation, but consent is commonly the safest route for EU/UK traffic.

What is the most important GA4 setting for GDPR? There is no single setting. The most important control is usually preventing GA4 from collecting data before a valid consent signal (implemented via CMP, GTM firing rules, and Consent Mode v2).

Should we enable Google signals in GA4? Only if you have a clear need, your notices cover it, and you have obtained appropriate consent. It can increase privacy risk because it enables additional cross-device and advertising-related capabilities.

How do we prevent personal data from entering GA4? Design your site so personal data never appears in URLs, and ensure events and parameters exclude identifiers like email or phone number. Audit GTM tags and test real user flows.

Need help aligning GA4 with GDPR and modern privacy expectations?

GA4 compliance is a blend of technical configuration and legal governance. If you want a defensible setup, it helps to review consent design, data flows, vendor contracts, and cross-border transfer documentation together.

Henlin Gibson Henlin advises organisations on data privacy, compliance, and risk, including how analytics and marketing technologies should be implemented in a legally sound way. If you are rolling out GA4 (or auditing an existing implementation), consider getting a tailored review that matches your website, audience, and regulatory exposure.