
Privacy-First Analytics: Cookie Consent, GDPR, CCPA


Privacy regulations changed how we collect data. Here’s how to build analytics that comply — without losing the data you need.

The Regulatory Landscape

GDPR (Europe, 2018): requires consent for tracking EU users. CCPA/CPRA (California): right to opt out, transparency requirements. PIPEDA (Canada): meaningful consent. Quebec Law 25: explicit consent, in French and English. Each year adds jurisdictions. Canadian businesses touching EU customers need GDPR compliance; CPRA applies to anyone doing business in California. Build assuming you need to comply with all of them — it’s cheaper than retrofitting later.

Consent management platforms (CMPs) such as OneTrust, CookieYes, Osano and Cookiebot manage cookie banners, record consent, and control which tracking scripts fire. They are essential for GDPR/CPRA compliance, and free tiers exist for small sites. Integrate the CMP with GTM so that tags fire based on consent categories (essential, analytics, marketing, etc.). Don’t build cookie banners yourself: CMPs handle edge cases (updated regulations, consent revocation, regional differences) that custom code misses.

Google Consent Mode tells Google platforms (GA4, Ads) whether the user consented to tracking. If they didn’t, Google runs ‘modeling’ — algorithmic estimates of what conversion data would have looked like. Required for Google Ads use with EU users since March 2024. Without Consent Mode, Google won’t optimize or report on non-consented users; with it, Google fills the gap with modeled data. Enable it — it recovers significant reporting fidelity.
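
The wiring between a CMP's consent categories and Consent Mode, as an added example that is not code from this article or from any CMP vendor. The category-to-signal mapping and the shape of the CMP's category record are assumptions; the `gtag('consent', ...)` calls and signal names are Google's Consent Mode API.

```javascript
// Added example. Category names follow the article; the mapping to Consent
// Mode signals below is an assumption for illustration.
const CATEGORY_TO_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Translate a CMP category record into Consent Mode signals.
// Only boolean true grants; missing or malformed values stay denied.
function toConsentState(categories) {
  const state = {};
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    const granted = categories[category] === true;
    for (const signal of signals) state[signal] = granted ? 'granted' : 'denied';
  }
  return state;
}

// Standard gtag shim: queues its arguments object on the given dataLayer.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Call before any Google tag loads: everything denied, and tags wait up to
// 500 ms for the CMP to report a stored choice.
function setDefaults(gtag) {
  gtag('consent', 'default', { ...toConsentState({}), wait_for_update: 500 });
}

// Call from the CMP's consent-changed callback (the hook is CMP-specific and
// not shown), including on revocation, so signals mirror the recorded choice.
function applyCmpChoice(gtag, categories) {
  gtag('consent', 'update', toConsentState(categories));
}

// Constructed walk-through: defaults, opt-in to analytics only, then revocation.
function demo() {
  const dataLayer = [];
  const gtag = makeGtag(dataLayer);
  setDefaults(gtag);
  applyCmpChoice(gtag, { analytics: true, marketing: 'true' }); // string is not a grant
  applyCmpChoice(gtag, {});
  return dataLayer.map((args) => Array.from(args));
}
```

In a browser, pass `window.dataLayer` to `makeGtag` and run `setDefaults` ahead of the GTM or gtag.js snippet.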

First-Party Data as the Foundation

Third-party cookies are disappearing. First-party data — email lists, customer records, on-site behavior of logged-in users — remains usable under most privacy frameworks. Shift investment toward first-party: email capture lead magnets, loyalty programs, user accounts. This data is more accurate, more durable, and more compliant. Over-reliance on third-party data is a legal and operational risk.

Privacy-Friendly Analytics Alternatives

Plausible and Fathom are cookie-free analytics alternatives to GA4. They’re GDPR-compliant without consent banners, simple to use, and fast to load. Trade-off: less granular data, fewer audience features, and no compatibility with Google Ads. Good for content sites; weak for ecommerce or ad-driven businesses. Running GA4 + Plausible side-by-side is common: use Plausible for public dashboards, GA4 for ad attribution.

Transparency as a Competitive Advantage

Privacy is a growing selection criterion for customers. Transparent data practices — clear privacy policy, simple consent, honest disclosures — can be a brand asset, not a compliance burden. Apple positioned privacy as a differentiator; so did DuckDuckGo. Businesses that treat privacy as table stakes (rather than a cost to minimize) build long-term trust. Tomorrow’s regulations will be stricter; get ahead of them.
