Cookie consent + Google Analytics

Do you need cookie consent for Google Analytics?

Short answer: yes. Long answer below — and an honest look at the alternative if you don't want to deal with a banner.

The short version

Google Analytics 4 sets cookies. Those cookies are non-essential. Non-essential cookies require informed opt-in consent under the EU ePrivacy Directive and the UK's PECR before they can be set on a visitor's device. That obligation applies to anyone whose site is accessible to EU or UK residents — your physical location doesn't matter, theirs does.

In practice, this means three things you have to do:

  • Show a cookie banner with a working "Reject" button.
  • Block GA4 from firing until the visitor clicks Accept.
  • Accept that 30–60% of EU visitors will decline (industry benchmark) and stop appearing in your analytics.
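A sketch of the second requirement, added here as an example rather than taken from Google's or any CMP's code: the GA4 script is not loaded at all until an explicit Accept, and a stored Reject keeps it off on later page loads. `createConsentGate`, the `store` interface and the `G-XXXXXXXXXX` measurement ID are placeholders assumed for illustration.

```javascript
// Added example: GA4 stays completely unloaded until the visitor accepts.
const GA_ID = 'G-XXXXXXXXXX'; // placeholder measurement ID, not a real property

// win/doc are window/document in a browser. store is any object with
// getItem/setItem that remembers the visitor's choice (hypothetical interface).
function createConsentGate(win, doc, store) {
  let loaded = false;

  function loadGa4() {
    if (loaded) return;            // never inject the tag twice
    loaded = true;
    win.dataLayer = win.dataLayer || [];
    win.gtag = function gtag() { win.dataLayer.push(arguments); };
    win.gtag('js', new Date());
    win.gtag('config', GA_ID);
    const s = doc.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_ID;
    doc.head.appendChild(s);       // first network request to Google happens here
  }

  const gate = {
    // Run on every page load. No stored choice, or "rejected", loads nothing.
    init() {
      if (store.getItem('consent') === 'accepted') loadGa4();
      return gate.state();
    },
    accept() { store.setItem('consent', 'accepted'); loadGa4(); },
    reject() { store.setItem('consent', 'rejected'); },
    state() { return { choice: store.getItem('consent'), gaLoaded: loaded }; },
  };
  return gate;
}
```

Wire `gate.accept` and `gate.reject` to the banner's two buttons and call `gate.init()` once per page load in place of the stock GA4 snippet.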

Why "just turn on Consent Mode" doesn't fix it

Google Consent Mode v2 doesn't eliminate the obligation. When a visitor declines consent, Consent Mode sends "cookieless pings" that let GA4 statistically model what the missing visitor probably did. You still need the banner. You still need the visitor to opt in for real data. Several EU data protection authorities have flagged the modeled-data approach as legally precarious — France's CNIL and Italy's Garante have both issued enforcement actions against sites that fire GA before consent.

The cost of needing a banner

Two real costs. Operational: you pay for a consent management platform (usually $10–$100/month for compliant ones — Cookiebot, OneTrust, Iubenda, Termly), plus engineering time to integrate it with your tag manager. Data: every visitor who declines disappears from your analytics. With EU decline rates running 30–60%, you're routinely missing half your traffic in the markets where the law applies.

Both costs disappear if the analytics tool you're using doesn't set cookies in the first place. That's the cookieless analytics path.

How cookieless analytics works

The ePrivacy Directive applies to storing or accessing information on the user's device — i.e., setting cookies, writing localStorage, fingerprinting. If your analytics tool does none of those things, the law doesn't apply.

Cookieless tools (Gizmo, Plausible, Fathom, Umami) generate visitor IDs server-side from a daily-rotating salted hash of IP + User-Agent. The hash isn't stored on the device, isn't a cookie, and rotates every 24 hours so it can't be used to track an individual across sessions. The CNIL and the European Data Protection Board have both published guidance confirming this pattern can be used without consent.

No storage on the device → no ePrivacy trigger → no banner required → no data loss from declined consent.
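The server-side derivation described above, as an added Node.js example that is not any vendor's actual code. `DailySalt`, `visitorId`, the HMAC-SHA256 construction, the in-memory salt and the 16-hex-character truncation are assumptions chosen for illustration; the sample IP and User-Agent values in the comments are constructed.

```javascript
// Added example: daily-rotating salted hash of IP + User-Agent (server side).
const nodeCrypto = require('node:crypto');

// Assumption: one random salt per UTC day, held only in memory. When the day
// changes the old salt is overwritten, so yesterday's IDs cannot be recomputed
// or linked to today's.
class DailySalt {
  constructor() { this.day = null; this.salt = null; }
  current(now) {
    const day = now.toISOString().slice(0, 10); // UTC date, e.g. "2024-05-01"
    if (day !== this.day) {
      this.day = day;
      this.salt = nodeCrypto.randomBytes(32);   // previous salt is discarded here
    }
    return this.salt;
  }
}

// Derive the visitor ID for one request. Nothing is sent to or stored on the
// visitor's device; only the returned ID is kept alongside the event.
function visitorId(salts, ip, userAgent, now = new Date()) {
  const mac = nodeCrypto.createHmac('sha256', salts.current(now));
  // Length-prefix each field so ("1.2.3.4", "5Mozilla") and
  // ("1.2.3.45", "Mozilla") do not hash to the same input.
  for (const field of [ip, userAgent]) {
    const buf = Buffer.from(String(field), 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(buf.length);
    mac.update(len).update(buf);
  }
  return mac.digest('hex').slice(0, 16); // truncated ID (assumed length)
}
```

IPv4 addresses are few enough to enumerate, so the ID is only unlinkable while the salt stays on the server and is destroyed at rotation; a leaked or retained salt lets anyone recompute which IP and User-Agent produced a given ID.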

Try Gizmo Analytics — no banner, no card

Cookieless web analytics with a one-line script. Drop in, deploy, and you're tracking — no cookie banner, no CMP, no Consent Mode setup. Free forever for 10k events / month, unlimited sites. Your AI coding agent can install it on a new site in one prompt via our MCP server.

FAQ

Do I need cookie consent for Google Analytics?

Yes. GA4 sets _ga and _gid cookies on every visitor, and under the EU ePrivacy Directive (the 'cookie law') any non-essential cookie requires informed opt-in consent before it can be set. That means a cookie banner with a working 'Reject' button, and GA4 must not fire until the visitor clicks Accept. GDPR adds a second layer: GA4 collects personal data (IP addresses, device IDs), so you also need a lawful basis under GDPR — for almost everyone that's the same opt-in consent.

What if I use Google Consent Mode?

Consent Mode v2 doesn't eliminate the consent requirement — it just lets GA4 send 'pinged' signals when consent is denied so Google can model the missing data. The underlying legal obligation is unchanged: you still need a banner, visitors still need to opt in, and visitors who decline still go uncounted (or get statistically modeled by Google, which several DPAs have flagged as legally precarious).

Does this only apply in the EU?

The ePrivacy Directive applies to anyone whose site is accessible to EU residents — your geography doesn't matter, theirs does. The UK has its own near-identical PECR rules. California's CCPA / CPRA has 'Do Not Sell or Share' obligations that GA4 triggers in most configurations. Brazil's LGPD, Canada's CPPA, and others follow similar patterns. If your traffic includes any of these jurisdictions, you need the banner.

What's the cost of needing a consent banner?

Two costs. Operational: you pay for a CMP (consent management platform) — usually $10–$100/month for compliant ones — plus engineering time to integrate it. Data: every visitor who declines consent disappears from your analytics. Industry benchmarks put decline rates at 30–60% in the EU depending on the vertical, so roughly half your traffic stops being measurable. Both costs go away if your analytics tool doesn't set cookies in the first place.

Is there a way to use GA4 without a banner?

No, not legitimately. Some sites fire GA4 before consent and hope nobody notices — that's a regulatory fine waiting to happen, and several EU data protection authorities have issued enforcement actions against exactly this pattern (CNIL in France, Garante in Italy, the Austrian DSB, etc.). The compliant paths are: (1) ask for consent and accept the data loss, (2) switch to cookieless analytics that doesn't trigger the obligation in the first place.

How does cookieless analytics avoid the consent requirement?

ePrivacy applies to storing or accessing information on the user's device — i.e., setting cookies, writing localStorage, fingerprinting. Cookieless analytics (Gizmo, Plausible, Fathom, Umami) doesn't do any of those. Visitor IDs are derived server-side from a daily-rotating salted hash of IP + User-Agent, which the CNIL and EDPB have confirmed in published guidance can be processed without consent because it's anonymized and doesn't allow individual identification across sessions. No storage on the device = no ePrivacy trigger = no banner required.

Will switching to cookieless analytics affect my data?

You gain back the visitors who would have declined consent — typically 30–60% in the EU. You lose Google's cross-device user stitching, paid-ad attribution, and audience modeling features. For most operator-style sites (content, indie SaaS, agencies running fleets) the trade is overwhelmingly favorable: simpler stack, no banner, more visible data. For sites whose revenue depends on Google Ads attribution, GA4 remains the better choice.

What does Gizmo Analytics do differently?

Gizmo is cookieless web analytics built MCP-first — no cookies, no localStorage, no fingerprinting, no PII storage. A one-line script replaces GA4's snippet. No banner needed. Free forever for 10k events / month, unlimited sites, and your AI coding agent (Cursor, Claude, etc.) can install it on a new site in one prompt via our MCP server.