All Vendors
analytics

GoogleAnalytics4

Google Analytics 4 fires before consent on 45% of observed deployments — making it the highest-volume source of pre-consent data collection in most GTM stacks.

32 IOCs564 detections45% pre-consent360 sites
90
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what GoogleAnalytics4 discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

564 detections across 360 sites45% pre-consent activity
HIGH

Pre-Consent Activity

GoogleAnalytics4 was observed loading and executing before user consent was obtained on 45% of sites where it was detected.

GDPRePrivacy
HIGH

Pending Analysis

8 BTI behavioral codes detected. Full claims extraction required for gap analysis.

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps
1 HIGH

Pending Analysis

HIGH
They Claim

Claims analysis pending

Observed Behavior

8 BTI behavioral codes detected. Full claims extraction required for gap analysis.

Customer Impact

What This Means For You

If GA4 is on your site, there is a 45% chance it is collecting visitor data before consent — every one of those page views is an individually actionable ePrivacy violation. Your attribution models and business intelligence may be built on data that regulators could order deleted, creating a measurement crisis on top of a compliance crisis. GA4's integration with Google's advertising ecosystem means your visitor behavioral data flows into ad targeting systems regardless of your intent — your visitors' journeys subsidize Google's ad products. The 5 cookies GA4 deploys include identifiers with multi-year expirations, meaning the tracking persistence outlasts most visitors' awareness that it exists.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use GoogleAnalytics4

  • Verify GA4 consent mode implementation — confirm no data collection occurs before valid consent signal
  • Audit GA4 enhanced measurement settings and disable features that capture data beyond your stated analytics purpose
  • Review GA4 data retention settings and reduce from default to minimum required period
  • Disable Google Signals if you have not explicitly disclosed cross-device tracking to visitors
  • Implement server-side GA4 to control exactly what data reaches Google's servers

If You're Evaluating GoogleAnalytics4

  • Assess privacy-respecting alternatives (Plausible, Fathom, Matomo) that do not require consent under ePrivacy
  • Request Google's Data Processing Amendment and verify it covers all GA4 data flows including Signals
  • Evaluate whether GA4 data linked to Google Ads creates joint controller obligations under GDPR Article 26
  • Commission independent audit of GA4 consent mode to verify it actually blocks collection pre-consent

Negotiation Leverage

  • 45% pre-consent firing rate across 564 detections — this is not a configuration error, it is a systemic deployment pattern that creates per-visitor liability.
  • GA4 feeds data into Google's advertising ecosystem by default — your visitor intelligence subsidizes competitor ad targeting unless explicitly disabled.
  • 5 cookies including 2-year identifiers deployed on every visit — persistence mechanisms that create long-term tracking profiles your privacy policy must disclose.
  • CNIL fined Google EUR 150M for analytics consent violations in 2022 — GA4 pre-consent firing follows the exact pattern regulators have already penalized.
  • 8 BTI behavioral codes detected — GA4's data collection extends far beyond basic page analytics into behavioral biometrics, fingerprinting, and identity resolution territory.
Runtime Detections

Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

Impact: GA4 exhibits evasion patterns including consent-state-dependent behavior changes — auditors may observe different data collection than production visitors experience.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: GA4's enhanced measurement features capture scroll depth, outbound clicks, site search, video engagement, and file downloads — behavioral profiling that goes beyond basic analytics.

BTI-C07Session Recording

Full session replay

Impact: GA4's event model captures detailed session-level interaction sequences that reconstruct user journeys, creating session replay-equivalent behavioral records.

BTI-C08Cross-Domain Sync

Identity stitching

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: 45% pre-consent firing rate indicates systematic consent signal failure — GA4 begins data collection before CMP consent is obtained on nearly half of observed deployments.

BTI-C10Fingerprinting

Device identification

Impact: GA4 collects device, browser, and screen configuration data that contributes to fingerprinting profiles, enabling cross-session identification even when cookies are cleared.

BTI-C13Persistence Mechanisms

Long-lived identifiers

Impact: GA4 deploys 5 cookies including the _ga identifier with a 2-year expiration, creating persistent cross-session tracking that survives browser restarts.

BTI-C14Identity Resolution

PII deanonymization

Impact: GA4's User-ID feature and Google Signals integration link anonymous behavioral data to authenticated identities, creating PII-linked profiles from previously anonymous visits.

BTI-C15Tag Manager

Container/loader (neutral)

Impact: GA4 is frequently deployed through GTM, inheriting the container's governance gaps and creating layered consent enforcement challenges.

IOC Manifest

IOC Manifest

27 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
googletagmanager.com/gtag/js
Tracking script
TRACK
google-analytics.com/analytics.js
Tracking script
TRACK
google-analytics.com/ga.js
Tracking script
Ecosystem

Ecosystem & Supply Chain

Google Analytics 4 is the centerpiece of Google's measurement stack, deeply integrated with Google Ads, Google Marketing Platform (DV360, Campaign Manager), Google Tag Manager, and BigQuery. GA4 data feeds directly into Google's advertising auction through audience signals and conversion tracking. The platform's Signals feature connects analytics data with Google account-level identity graphs across devices. GA4 is commonly co-deployed with Meta Pixel, LinkedIn Insight Tag, and HubSpot on marketing-heavy sites, creating overlapping data collection that compounds consent and governance challenges.
Loads (1)
Slides Google
Loaded By (28)
SegmentClearbit6senseAirtableMutinyApifyPerimeterxBionic AdsBrazeCheqEnsightenConstantcontactCrunchbaseEmerseFingerprintjsFullstoryHotjarJourneyLoomMailchimpNotionPhoneburnerPubrioQuantummetricReplitContentsquareSnovZendeskchat
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

32 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details