How This Briefing Works
This dossier opens with key findings, then maps the gap between what GoogleAnalytics4 discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 461 sites
vendor fires before consent
1 HIGH
Briefing
Google Analytics 4 is Google's current analytics platform, detected on 360 sites across 564 observations in our scanning corpus. GA4 collects page views, user interactions, and conversion events while deploying 5 cookies and connecting to 5 external domains. The 45% pre-consent firing rate means nearly half of all observed GA4 deployments begin data collection before visitors provide consent — a systematic pattern that creates per-visitor regulatory exposure under GDPR and ePrivacy. With 8 BTI behavioral codes triggered including fingerprinting, session recording capabilities, and identity resolution, GA4's data collection extends well beyond basic page analytics.
What This Means For You
If GA4 is on your site, there is a 45% chance it is collecting visitor data before consent — every one of those page views is an individually actionable ePrivacy violation. Your attribution models and business intelligence may be built on data that regulators could order deleted, creating a measurement crisis on top of a compliance crisis. GA4's integration with Google's advertising ecosystem means your visitor behavioral data flows into ad targeting systems regardless of your intent — your visitors' journeys subsidize Google's ad products. The 5 cookies GA4 deploys include identifiers with multi-year expirations, meaning the tracking persistence outlasts most visitors' awareness that it exists.
Risk Channel Breakdown
GA4's measurement model relies on event-based tracking that captures granular user interactions — but 45% pre-consent firing means nearly half your analytics data was collected without valid legal basis. Under GDPR enforcement trends, regulators may order deletion of unlawfully collected data, potentially invalidating months of business intelligence and attribution models built on tainted datasets.
GA4 feeds data into Google's advertising ecosystem including audience signals, conversion data, and behavioral patterns. When GA4 fires pre-consent, it transmits visitor behavioral data to Google before your visitor has agreed — subsidizing Google's ad targeting while creating liability for your organization. CAC subsidization score of 100 reflects complete integration with Google's advertising intelligence pipeline.
Expands attack surface
A 45% pre-consent firing rate across 564 detections represents systematic consent infrastructure failure. Under CNIL and DPA enforcement precedent, pre-consent analytics firing has triggered fines in the tens of millions. Each pre-consent page view generates an individually actionable violation under ePrivacy Directive Article 5(3), creating cumulative liability that scales with traffic volume.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
Container/loader (neutral)
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed GoogleAnalytics4's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 0, observed 1
googletagmanager, linkedinads, doubleclick…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →