QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
analytics

GoogleAnalytics4

Google Analytics 4 fires before consent on 45% of observed deployments — making it the highest-volume source of pre-consent data collection in most GTM stacks.

27 IOCs observed772 detections52% pre-consent461 sites
90
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what GoogleAnalytics4 discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
772

across 461 sites

Pre-Consent Rate
52%

vendor fires before consent

Disclosure Gaps
1

1 HIGH

Summary

Briefing

Google Analytics 4 is Google's current analytics platform, detected on 360 sites across 564 observations in our scanning corpus. GA4 collects page views, user interactions, and conversion events while deploying 5 cookies and connecting to 5 external domains. The 45% pre-consent firing rate means nearly half of all observed GA4 deployments begin data collection before visitors provide consent — a systematic pattern that creates per-visitor regulatory exposure under GDPR and ePrivacy. With 8 BTI behavioral codes triggered including fingerprinting, session recording capabilities, and identity resolution, GA4's data collection extends well beyond basic page analytics.

Customer Impact

What This Means For You

If GA4 is on your site, there is a 45% chance it is collecting visitor data before consent — every one of those page views is an individually actionable ePrivacy violation. Your attribution models and business intelligence may be built on data that regulators could order deleted, creating a measurement crisis on top of a compliance crisis. GA4's integration with Google's advertising ecosystem means your visitor behavioral data flows into ad targeting systems regardless of your intent — your visitors' journeys subsidize Google's ad products. The 5 cookies GA4 deploys include identifiers with multi-year expirations, meaning the tracking persistence outlasts most visitors' awareness that it exists.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
40

GA4's measurement model relies on event-based tracking that captures granular user interactions — but 45% pre-consent firing means nearly half your analytics data was collected without valid legal basis. Under GDPR enforcement trends, regulators may order deletion of unlawfully collected data, potentially invalidating months of business intelligence and attribution models built on tainted datasets.

Broker
Control Collapse
100

GA4 feeds data into Google's advertising ecosystem including audience signals, conversion data, and behavioral patterns. When GA4 fires pre-consent, it transmits visitor behavioral data to Google before your visitor has agreed — subsidizing Google's ad targeting while creating liability for your organization. CAC subsidization score of 100 reflects complete integration with Google's advertising intelligence pipeline.

Reaper
Safety Collapse
0

Expands attack surface

Counselor
Legitimacy Collapse
100

A 45% pre-consent firing rate across 564 detections represents systematic consent infrastructure failure. Under CNIL and DPA enforcement precedent, pre-consent analytics firing has triggered fines in the tens of millions. Each pre-consent page view generates an individually actionable violation under ePrivacy Directive Article 5(3), creating cumulative liability that scales with traffic volume.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C08
Cross-Domain Sync

Identity stitching

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C13
Persistence Mechanisms

Long-lived identifiers

BTI-C14
Identity Resolution

PII deanonymization

BTI-C15
Tag Manager

Container/loader (neutral)

8
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

1
Gaps Observed
1 HIGH

BLACKOUT analyzed GoogleAnalytics4's public claims against observed runtime behavior and identified 1 contradiction.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
9

5 for current users · 4 for evaluators

Negotiation Leverage
5

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
1undisclosed

Claims 0, observed 1

Commonly Paired With
33

googletagmanager, linkedinads, doubleclick

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: googleanalytics4First Seen: 2025-12-12Last Updated: 2026-05-21