A Practical Guide to data tracking
TL;DR — Quick Answer
Google Analytics collects events, device data, cookies or identifiers, and integration signals depending on configuration. Some fields are pseudonymous, but they can still be personal data; consent and lawful-basis duties depend on storage, purpose, features, and local law.
This guide explains data tracking in practical terms, with a focus on privacy-first analytics decisions.
Google Analytics collects user data through tags, cookies, identifiers, event parameters, device information, and integrations with other Google products. GA4 is different from Universal Analytics in several important ways, but it is still an analytics system built around measurement events and identifiers.
For privacy teams, the practical question is not whether GA4 is "good" or "bad." It is what your implementation collects, which features are enabled, where data flows, and whether the setup matches your legal basis and visitor expectations.
The Tag Starts The Collection
On websites, Google Analytics usually begins with a Google tag or Google Tag Manager container. When the page loads, the tag can send events such as page views, scrolls, outbound clicks, file downloads, form interactions, and video engagement depending on configuration.
Google says default GA4 collection includes number of users, session statistics, approximate geolocation, browser and device information, and enhanced measurement events when enabled (GA4 data collection). That default list is already broader than a simple page counter.
Cookies And Client IDs
GA4 stores a client ID in a first-party _ga cookie to distinguish unique users and sessions unless analytics storage is disabled through Consent Mode. Google says Analytics uses first-party cookies and app instance IDs to measure user interactions (Google Analytics safeguards).
The client ID is pseudonymous, but it can still be personal data when it singles out a browser over time or can be linked with other data. It links page views, events, conversions, and campaign visits into a behavioral record.
IP Address And Location
Google says GA4 does not log or store IP addresses. It uses IP addresses to derive location and for service security, then does not store the raw IP in GA4 reports (Google Analytics safeguards).
That is a real privacy improvement compared with older analytics patterns, but it does not make the whole dataset anonymous. Device data, client IDs, event sequences, User ID, Google Signals, and advertising integrations can still create personal data.
Device And Browser Information
GA4 can collect browser, device category, operating system, screen resolution, language, and similar information. These dimensions help teams understand mobile vs desktop behavior, browser issues, and localization needs. They can also contribute to identifiability when combined with other fields.
This is why privacy reviews should look at the full event payload and not only cookies.
Events And Parameters
GA4 is event-based. Everything is an event: page views, purchases, clicks, form steps, searches, logins, and custom actions. Each event can include parameters.
That flexibility is powerful and dangerous. Teams often accidentally send personal data through:
- Page URLs containing emails, tokens, or search terms
- Form field values captured as event parameters
- Custom dimensions with customer IDs or account names
- File names that reveal sensitive content
- Internal debug fields that identify users
Google Analytics policies prohibit sending personally identifiable information to Analytics, but prevention is your responsibility. Scrub URLs, avoid free-text event properties, and review custom dimensions before launch.
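One way to apply the "scrub URLs" advice before a page location or event parameter is handed to the tag. This is an added example, not code from Google or from this guide's author; `scrubUrl`, `scrubParams`, the `SENSITIVE_KEYS` list, and the `REDACTED` placeholder are hypothetical names, and the sample URL in the comment is constructed.

```javascript
// Added example: scrub a page URL and event parameters before they reach an analytics tag.
// SENSITIVE_KEYS and the REDACTED placeholder are hypothetical; adapt them to your site.
const SENSITIVE_KEYS = new Set(["email", "token", "password", "q"]);
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const REDACTED = "REDACTED";

function safeDecode(text) {
  // Malformed percent-encoding must not break the tag; fall back to the raw text.
  try { return decodeURIComponent(text); } catch { return text; }
}

function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Path: replace any segment that contains an email address,
  // e.g. /users/jane%40example.com/orders (constructed sample).
  url.pathname = url.pathname
    .split("/")
    .map((seg) => (EMAIL.test(safeDecode(seg)) ? REDACTED : seg))
    .join("/");
  // Query: redact sensitive keys and email-like values, keep campaign parameters.
  const query = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const hit = SENSITIVE_KEYS.has(key.toLowerCase()) || EMAIL.test(value);
    query.append(key, hit ? REDACTED : value);
  }
  url.search = query.toString();
  // Fragment: dropped entirely, since it can carry tokens.
  url.hash = "";
  return url.toString();
}

function scrubParams(params) {
  const clean = {};
  for (const [key, value] of Object.entries(params)) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) continue; // drop the field
    clean[key] = typeof value === "string" && EMAIL.test(value) ? REDACTED : value;
  }
  return clean;
}
```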
Google Signals And Advertising Features
When Google Signals is enabled, Google says Analytics can use data from signed-in Google users who have Ads Personalization enabled to support remarketing, advertising reporting features, and demographics and interests (Google Signals documentation).
This changes the privacy profile. A measurement tool becomes connected to advertising identity and cross-device reporting. If your business does not need remarketing or demographic reports, disabling Google Signals is a meaningful reduction in risk.
Consent Mode Changes Behavior, Not The Need For Governance
Consent Mode can adjust Google tag behavior based on consent. In basic mode, tags are blocked until consent. In advanced mode, tags can send cookieless pings while consent is denied, which Google can use for modeling (Consent Mode setup).
This is not a replacement for privacy analysis. Your team still needs to decide whether advanced mode is appropriate, how the banner explains it, whether local ePrivacy rules allow the related storage or access, and how modeled data should be reported internally.
International Transfer And Vendor Questions
GA4 data may involve Google entities, processing locations, subprocessors, and transfer mechanisms. The EU-US Data Privacy Framework currently provides an adequacy route for certified US companies, but organizations should still review vendor terms, data processing agreements, and transfer context (European Commission EU-US transfers).
The legal status of a transfer mechanism does not remove the need for data minimization, valid consent where required, and transparent notices.
Safer GA4 Configuration
If you keep GA4, reduce the blast radius:
- Put tags behind a correctly configured CMP where required
- Disable Google Signals unless there is a specific need
- Avoid ads personalization by default
- Do not send User ID without legal review
- Strip personal data from URLs
- Keep event parameters categorical and minimal
- Review enhanced measurement settings
- Limit data retention
- Control BigQuery exports and access permissions
- Document what each custom event collects
Privacy-First Alternative
Many websites use GA4 because it is familiar, not because they need its full identity and advertising ecosystem. If your actual requirements are traffic, referrers, campaigns, goals, file downloads, and funnels, a cookieless analytics setup may answer the same business questions with less personal data.
Google Analytics can be configured more carefully than many default installs, but it is still a complex system. The more features you enable, the more governance you need. Privacy-first analytics starts from the opposite assumption: collect the least data needed to make decisions, then add only what you can justify.
Document Your Actual Configuration
GA4 risk depends heavily on settings. Keep a short record of enabled streams, enhanced measurement choices, Consent Mode mode, Google Signals status, linked Google Ads accounts, custom dimensions, retention settings, and export destinations. This document helps legal, marketing, and engineering discuss the same implementation instead of debating an abstract version of Google Analytics.
Collection Review Checklist
Review GA4 as an implementation, not an abstract product. Record default events, enhanced measurement events, custom parameters, cookie behavior, Consent Mode mode, Google Signals, ads personalization, User-ID, BigQuery export, cross-domain measurement, regional settings, and retention. Then inspect actual network payloads and browser storage before consent, after rejection, and after acceptance.
Use the inventory to separate ePrivacy storage/access consent from the GDPR lawful basis for later processing. A setup can be cookie-free but still process personal data, and a pseudonymous identifier can still require controls even when it is not direct PII.
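The three-state inspection described in the checklist can be scripted over exported request URLs and cookie names. This is an added example, not part of the original guide: the parameter names `cid`, `uid`, and the `ep.` prefix are assumptions to confirm against your own captures, and the host `collect.example` and all sample captures are constructed.

```javascript
// Added example: audit captured analytics requests and cookie names per consent state.
// Parameter names "cid", "uid" and the "ep." prefix are assumptions; confirm them
// against your own network captures. All sample data below is constructed.
const ID_PARAMS = new Set(["cid", "uid"]);
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

function auditCapture({ state, requests, cookies }) {
  const findings = [];
  const consented = state === "accepted";
  for (const name of cookies) {
    // The _ga cookie holds the client ID; flag it when consent was not given.
    if (!consented && name.startsWith("_ga")) {
      findings.push({ state, issue: "analytics cookie set without consent", key: name });
    }
  }
  for (const raw of requests) {
    for (const [key, value] of new URL(raw).searchParams) {
      if (!consented && ID_PARAMS.has(key)) {
        findings.push({ state, issue: "identifier sent without consent", key });
      }
      // Personal data in a payload is a finding in every consent state.
      if (EMAIL.test(value)) {
        findings.push({ state, issue: "email-like value in payload", key });
      }
    }
  }
  return findings;
}

function auditAll(captures) {
  return captures.flatMap((capture) => auditCapture(capture));
}

// Constructed captures for the three states named in the checklist.
const SAMPLE_CAPTURES = [
  { state: "before_consent", cookies: [], requests: [] },
  { state: "rejected", cookies: ["_ga"],
    requests: ["https://collect.example/g/collect?en=page_view&cid=111.222"] },
  { state: "accepted", cookies: ["_ga"],
    requests: ["https://collect.example/g/collect?en=form_submit&cid=111.222" +
               "&ep.contact=jane%40example.com&dl=https%3A%2F%2Fshop.example%2F"] },
];

console.log(auditAll(SAMPLE_CAPTURES));
```

Findings in the `rejected` state are items for the Consent Mode review rather than automatic violations, since advanced mode is designed to send pings while consent is denied.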