Most marketers installed GA4 because Google suggested it. They added the tag, saw data flowing in, and assumed everything was fine. Ignorance is not a defense for non-compliance, and your site could be collecting and analyzing data without complying with state and Federal laws.

In plain terms, GA4 collects behavioral data and does not store any personal information. It uses anonymous identifiers and automatic IP anonymization. You also need consent-based tracking to comply with user privacy requirements under the GDPR and state laws.

Here’s a guide to walk you through what GA4 collects or doesn’t, where most privacy mistakes happen, and how Consent Mode changes everything. I’ll even cover the privacy settings you should review in your account.

Why GA4 Privacy Confuses So Many Website Owners

Before we talk about what GA4 collects, let’s review why so many setups are accidentally misconfigured from a privacy standpoint.

If you’re totally green, start with ‘What is Google Analytics?’ Another great read would be ‘User tracking and how to know who visited my website?’

When Google replaced Universal Analytics with Google Analytics 4, most people focused on reports and events. Very few stopped to ask how the privacy model changed.

In Universal Analytics, privacy often depended on what you turned on. In GA4, privacy depends on what you avoid sending and what you properly configure.

That mindset shift is where many website owners get tripped up.

GA4 was built in response to laws like the GDPR and the CCPA.

  • IP anonymization is automatic.
  • Personal identifiers are prohibited.
  • Consent-based tracking is expected.

However, here’s what most people miss: GA4 is privacy-friendly but not privacy-compliant. It’s on you to be fully compliant.

The Mindset Shift from Universal Analytics to GA4

With Universal Analytics, you could enable or disable features that affect privacy. With GA4, privacy depends on the data you send: events, URLs, and parameters can all carry data that causes compliance issues.

With GA4, you need a proactive mindset. Remember, your users are busy asking Google, “What information can websites see about me?”

Why “Just Installing GA4” Isn’t Enough

You can’t just add the tag, see the traffic, and assume you’re compliant. You have to work through the configurations, handle consent, and have data discipline.

Where Most Websites Get GA4 Privacy Wrong

Common mistakes include:

  1. Sending form data as events.
  2. Exposing personal data in URLs.
  3. Skipping consent mode.
  4. Leaving default data settings untouched.

Why would you want to identify anonymous website visitors unless it’s for legally sanctioned reasons?

What Data Does GA4 Collect by Default? (Explained Simply)

Before I talk about GA4 privacy compliance, let’s agree that most people are either overestimating or underestimating what GA4 actually collects. Let me break it down plainly.

Google Analytics 4 collects behavioral and technical data. It doesn’t collect personal identity unless you mistakenly send it.

Here’s what that looks like in practice.

Device and Browser Information

GA4 automatically collects technical details, such as:

  • Device category (mobile, desktop, tablet).
  • Operating system.
  • Browser type and version.
  • Screen resolution.

This helps you understand how users access a site, but it doesn’t tell you who they are.

Location Data (And How Precise It Is)

GA4 uses IP-derived location data, but it automatically anonymizes IP addresses. I can see:

  • Country.
  • Region or state.
  • City.

I cannot see exact addresses, nor can I access full IP logs. GA4 doesn’t allow it.

User Behavior and Events

GA4 is event-based, meaning that every interaction or action on a website is tracked as an event. It allows for more granular tracking and analysis of user behavior, reducing the need to set up specific goals or conversions.

Some common trackable events are when a user:

  • Views a page on the website.
  • Clicks on an element, e.g., a button or link.
  • Fills out and submits a form.
  • Starts playing a video on the website.
  • Scrolls down or up on the page.
  • Downloads a file from the website.

Basically, user behavior and events are the bread and butter of GA4.

Anonymous Identifiers (Not Personal Identity)

To avoid storing personal details, GA4 assigns identifiers such as:

  • Client IDs.
  • Device-based identifiers.
  • Modeled behavioral data when consent is restricted.

These identifiers connect sessions without attaching them to a real-world identity.

What GA4 Does NOT Collect

GA4 doesn’t collect:

  • Names.
  • Email addresses.
  • Phone numbers.
  • Mailing addresses.

If that information ends up in your GA4 property, it didn’t get there by default. It was sent there, and you should delete it.

What You Are NOT Allowed to Send to GA4

Google Analytics 4 has strict rules regarding prohibited data, and violating them can result in your property being suspended.

Here’s what you absolutely cannot send.

1. Personally Identifiable Information (PII)

Google explicitly prohibits sending personally identifiable information to GA4. That includes:

  • Names.
  • Email addresses.
  • Phone numbers.
  • Physical addresses.
  • Government ID numbers.

Even hashing this information doesn’t automatically make it acceptable. If it can reasonably identify a person, it doesn’t belong in GA4.

It’s a core principle of GA4 privacy compliance.

2. Form Fields, Emails, and Phone Numbers in URLs

One of the most common mistakes I see is appending user data to the URL in form submissions.

For example:

If GA4 tracks that page view, you’ve just sent PII into your analytics property.

Most people don’t realize this is happening, especially with older form plugins or poorly configured tracking setups.

3. Internal Site Search That Exposes Personal Data

You can accidentally collect restricted data via your internal search function. That’s possible if the function lets users search for order numbers, email addresses, or names.

The searches collect identifiable data, and GA4 doesn’t automatically filter it out.

You’re responsible for configuring filters for such data in event parameters. That said, you can exclude certain search terms from being sent to Google Analytics.
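The two leaks above (PII in form-submission URLs and in internal search terms) can be caught client-side before the event is built. This is an added example, not code from the original post; the parameter names, regexes and order-number format are assumptions you would adapt to your own site.

```javascript
// Added example, not code from the original post: scrub PII from URLs and from
// internal search terms before they reach GA4. The parameter names and patterns
// are assumptions; extend them to match your own forms and search feature.
const PII_PARAMS = new Set(["email", "phone", "tel", "name", "first_name", "last_name", "address"]);
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const PHONE_RE = /(?:\+?\d[\s().-]*){9,}/;  // nine or more digits with optional separators
const ORDER_RE = /^#?\d{5,}$/;              // assumed order-number format

// Replace any query value that names or looks like personal data with [redacted].
function scrubPageLocation(urlString) {
  const url = new URL(urlString);
  for (const key of Array.from(url.searchParams.keys())) {
    const value = url.searchParams.get(key);
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value) || PHONE_RE.test(value)) {
      url.searchParams.set(key, "[redacted]");
    }
  }
  return url.toString();
}

// Return null when a search term must be excluded from analytics entirely.
function sanitizeSearchTerm(term) {
  const t = term.trim();
  if (EMAIL_RE.test(t) || PHONE_RE.test(t) || ORDER_RE.test(t)) return null;
  return t;
}

// Send a page_view whose page_location has been scrubbed (gtag is the page's gtag()).
function sendPageView(gtag, currentUrl) {
  const cleaned = scrubPageLocation(currentUrl);
  gtag("event", "page_view", { page_location: cleaned });
  return cleaned;
}

// Send view_search_results only when the term is safe; returns false if suppressed.
function sendSearch(gtag, term) {
  const clean = sanitizeSearchTerm(term);
  if (clean === null) return false;
  gtag("event", "view_search_results", { search_term: clean });
  return true;
}
```

Run `sendPageView` in place of the automatic page_view (with enhanced measurement's page view disabled) so the unscrubbed URL never leaves the browser.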

4. User IDs Done the Wrong Way

GA4 allows User ID tracking, but it must be a non-identifiable, internal ID. You cannot use:

  • Email addresses.
  • CRM IDs that can be reverse-engineered.
  • Any identifier tied directly to a real person.

If the ID can identify someone outside your system, it’s not compliant.

5. Why This Matters More Than Ever

Privacy regulations charge the website owner with the responsibility, not Google. GA4 provides guardrails, but you’re responsible for staying inside them.

How GA4 Handles IP Addresses and Anonymization

IP addresses were once among the biggest privacy concerns in analytics, but GA4 changed that. Now, IP handling works very differently from how it did in Universal Analytics.

IP Anonymization Is Automatic in GA4

In Universal Analytics, you had to manually enable IP anonymization. In GA4, it’s automatic and cannot be turned off.

GA4 uses IP addresses briefly to determine approximate geographic information, then discards them. They are not stored in reports and are not accessible inside your property.

That design change directly supports modern privacy expectations.

What This Means for GDPR and Other Privacy Laws

Regulations, such as the General Data Protection Regulation, treat IP addresses as personal data.

By automatically anonymizing IP addresses, GA4 reduces risk compared to older models. However, that doesn’t automatically make your site GDPR compliant.

GDPR compliance involves more than IP handling. It includes:

  • Legal basis for processing.
  • User consent (when required).
  • Clear privacy disclosures.
  • Proper data retention policies.

GA4 supports compliance but doesn’t guarantee it.

How Location Reporting Still Works Without Storing IPs

With the information I’ve shared so far, you might think there’s zero location tracking, but GA4 still displays:

  • Country.
  • Region.
  • City.

However, the users behind those locations aren’t personally identifiable, because the IP address itself is anonymized before it reaches your reports.

Understanding GA4 Consent Mode (The Right Way)

The first thing I always check when auditing a site’s GA4 setup for compliance is Consent Mode.

As mentioned before, Google Analytics can track personal data through your site’s cookies. Consent Mode lets you capture consent from your site visitors so Google won’t track any data until they explicitly agree.

What Consent Mode Actually Controls

Consent Mode lets your users decide whether GA4 can:

  • Store analytics cookies.
  • Access advertising identifiers.
  • Collect full behavioral data.
  • Use identifiers to connect sessions.

If users grant consent, GA4 functions normally. If they refuse, GA4 restricts identifiers and limits what gets stored.

Measurement shifts toward aggregated signals instead of user-level tracking.

Modeled Data And Why It Exists

When users don’t consent, GA4 may use modeled data to estimate conversions and trends. You get reporting continuity without collecting identifiable data from users who opted out.

Modeled data is important for targeting.

Where Most Implementations Go Wrong

Here’s what I see all the time:

  1. A cookie banner collects consent.
  2. GA4 fires before consent is granted.
  3. Consent signals never reach the tags.
  4. Data is collected regardless of user choice.

These are configuration issues. You need to properly wire Consent Mode through your tag manager or implementation layer.

Otherwise, it’s meaningless.
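The failure sequence above comes down to ordering: the consent default must be pushed before the config command, and the banner’s answer must be forwarded as an update. This added example (not code from the original post) wires that sequence with gtag and includes an audit of the dataLayer that flags the “fires before consent” mistake; the measurement ID is a placeholder.

```javascript
// Added example, not code from the original post: minimal Consent Mode wiring plus
// an audit that catches "GA4 fires before consent". MEASUREMENT_ID is a placeholder.
const MEASUREMENT_ID = "G-XXXXXXXXXX";

// Mirrors the standard snippet: every gtag() call is a push onto the dataLayer.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Step 1 (must run before any config command): default every type to denied.
function setDefaultConsent(gtag) {
  gtag("consent", "default", {
    ad_storage: "denied", ad_user_data: "denied", ad_personalization: "denied",
    analytics_storage: "denied",
    wait_for_update: 500   // ms to wait for a stored choice before sending hits
  });
}

// Step 2: the config command is what fires the first page_view.
function configureGa4(gtag) {
  gtag("js", new Date());
  gtag("config", MEASUREMENT_ID);
}

// Step 3: when the banner is answered, forward the choice as a consent update.
function applyBannerChoice(gtag, choice) {
  const analytics = choice.analytics ? "granted" : "denied";
  const ads = choice.ads ? "granted" : "denied";
  gtag("consent", "update", {
    analytics_storage: analytics,
    ad_storage: ads, ad_user_data: ads, ad_personalization: ads
  });
}

// Audit a recorded dataLayer and return the misconfigurations found (empty = OK).
function auditDataLayer(dataLayer) {
  const findings = [];
  let defaultIdx = -1, configIdx = -1;
  dataLayer.forEach((cmd, i) => {
    if (cmd[0] === "consent" && cmd[1] === "default" && defaultIdx < 0) defaultIdx = i;
    if (cmd[0] === "config" && configIdx < 0) configIdx = i;
  });
  if (defaultIdx < 0) findings.push("no consent default: tags run as if consent were granted");
  else if (configIdx >= 0 && configIdx < defaultIdx)
    findings.push("config precedes consent default: first page_view ignores the banner");
  if (defaultIdx >= 0 && dataLayer[defaultIdx][2].analytics_storage !== "denied")
    findings.push("analytics_storage defaults to granted: cookies set before the user chooses");
  return findings;
}
```

In a real page, `window.dataLayer` is the array passed to `makeGtag`, and `auditDataLayer(window.dataLayer)` can be run from the console during a compliance check.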

Why This Matters for GDPR and Beyond

Under GDPR and similar laws, certain tracking requires prior consent. Consent Mode helps align GA4’s behavior with those legal requirements, but it only gives you the means.

You’re responsible for ensuring that the consent mode is properly configured and implemented to meet legal requirements.

The Most Important GA4 Privacy Settings You Must Configure

Out of the box, Google Analytics 4 gives you tools. If you never review your settings, you’re trusting the defaults rather than making intentional privacy choices.

Here are the areas I always review.

Data Retention Settings

GA4 allows you to control how long user-level data is retained. Ask yourself, “Do I truly need extended user-level data, or just aggregated reporting?”

You can choose shorter retention periods for event-level data used in exploration reports. If privacy minimization is your goal, make it as short as possible.

Google Signals (Advertising Features)

Google Signals enables cross-device reporting and advertising features. When activated, it can incorporate additional data from users signed into Google accounts with ad personalization enabled.

That’s powerful, but it also expands the privacy scope of your property. Figure out if Google Signals aligns with your consent framework and disclosures.

Internal Traffic Filters

If you’re not filtering internal traffic, you’re collecting employee behavior data inside your analytics property. It can affect your data accuracy, and you may be breaching employee privacy.

Always configure internal traffic rules and testing filters to prevent avoidable tracking.

Event and Parameter Discipline

GA4’s flexibility is a strength and a risk. Because you can send almost any event or parameter, you need to:

  1. Review custom events.
  2. Audit URL parameters.
  3. Ensure no PII is passed.
  4. Limit unnecessary data collection.

Data Collection Controls

GA4 has settings that you can use to regulate data collection, such as:

  1. Advertising features.
  2. Granular location data.
  3. Device-based signals.

These should align with your privacy policy, consent model, and regional obligations.

How Compliant Are You?

I can’t stress this enough: using Google Analytics 4 isn’t automatic compliance. GA4 gives you privacy-forward tools, but you must take pains to configure it for full compliance. If you pay for monthly website maintenance, negotiate for events review, consent setup, and policy review.

Author: Jarod Thornton

I love working on WordPress development!