Managing Consent for Analytics Cookies

Managing Consent for Analytics Cookies

Overview

Analytics cookies present a unique compliance challenge: they are among the most widely deployed non-essential cookies, yet many organizations depend on them for business intelligence. The ePrivacy Directive Article 5(3) requires consent for analytics cookies (they are not strictly necessary for the service requested by the user), confirmed by the Planet49 ruling. However, some Data Protection Authorities — notably the CNIL — have explored whether analytics can qualify for a consent exemption if configured with sufficient privacy safeguards. This skill covers compliant analytics implementation, consent mode fallback behavior, and alternatives that reduce or eliminate the need for consent.

GA4 Privacy Configuration

Privacy-First GA4 Setup for Pinnacle E-Commerce Ltd

Configure GA4 with maximum privacy protections:

GA4 Property Settings:

Setting	Value	Purpose
Data retention	2 months	Minimum needed for trend analysis
Reset user data on new activity	Enabled	Do not extend retention on revisit
IP anonymization	Enabled (default in GA4)	Last octet removed before storage
Google Signals	Disabled	Prevents cross-device tracking via Google account
Granular location	Disabled	City-level only, no GPS/precise location
Device data collection	Disabled	Reduces device fingerprinting surface
Data sharing with Google	Disabled	Prevents data use for Google benchmarking/products
Ads personalization	Disabled	No remarketing audiences from analytics
User ID feature	Disabled unless explicit consent	Requires separate consent if linking sessions

GA4 Data Stream Settings:

Setting	Value
Enhanced measurement	Selective — enable page views, scrolls; disable site search, file downloads unless needed
Cross-domain tracking	Only between pinnacle-ecommerce.com subdomains
Referral exclusions	Add payment processors (stripe.com, paypal.com)
Internal traffic filtering	Exclude office IP ranges

Consent Mode Integration

GA4 behavior changes based on analytics_storage consent state:

When analytics_storage = granted:

• _ga cookie set (client ID persisted)
• _gid cookie set (session distinction)
• Full event data collected
• User-level and session-level reporting available
• Real-time reports populated

When analytics_storage = denied:

• No analytics cookies set
• Cookieless pings sent to Google (if Consent Mode enabled)
• Pings include: timestamp, page path, user agent, referrer, consent state
• Pings do NOT include: client ID, session ID, user ID
• GA4 uses behavioral modeling to estimate metrics from these pings
• Modeled data appears in reports with a "modeled" badge

Behavioral Modeling Thresholds

For GA4 to provide modeled data for non-consenting users:

Requirement	Minimum
Consented daily users	1,000+ per web data stream
Consecutive days of data	7+ days
Consent Mode implementation	On all GA4 tags
Data quality	< 10% bot traffic

If thresholds are not met, GA4 reports will show only consented users — creating an undercount.

Analytics Without Consent — CNIL Exemption Criteria

CNIL Cookie Exemption for Audience Measurement

The CNIL published guidance (September 2020, updated June 2021) identifying limited conditions under which audience measurement cookies may be exempt from consent under ePrivacy Article 5(3). This is an interpretation specific to French law (transposition of ePrivacy Directive) and is not universally accepted across all EU member states.

CNIL Exemption Conditions:

Condition	Requirement
Purpose limitation	Strictly limited to anonymous audience measurement on behalf of the publisher only
No cross-site tracking	Data must not be combined across different websites or apps
No data sharing	Data must not be shared with third parties
Cookie lifetime	Maximum 13 months
Data retention	Maximum 25 months from collection
IP address	Anonymized or not collected
User notification	Users must still be informed about the cookies (even without consent)
Opt-out mechanism	Users must be able to object to the measurement

CNIL-Exempt Analytics Tools:

The CNIL maintains a list of analytics solutions that can be configured to meet exemption criteria:

Tool	CNIL Exempt Configuration	Notes
Matomo (self-hosted)	Yes — with specific config	No data sharing, anonymized IP, 13-month cookie, self-hosted
AT Internet (Piano Analytics)	Yes — exempt mode	French analytics provider, certified by CNIL
Eulerian Analytics	Yes — exempt mode	First-party data processing, no cross-site
Abla Analytics	Yes — privacy-by-design	Designed for CNIL exemption
Google Analytics 4	No — does not meet exemption	Data transferred to Google; cross-site processing

GA4 Cannot Qualify for CNIL Exemption Because:

1. Data is processed by Google (a third party)
2. Data may be combined with other Google services
3. Data is transferred to the United States
4. Google retains control over processing purposes

Implementing Matomo as CNIL-Exempt Alternative

For Pinnacle E-Commerce Ltd, deploy Matomo alongside GA4:

Matomo CNIL-Exempt Configuration:

Setting	Value
Hosting	Self-hosted on EU servers (pinnacle-ecommerce.com infrastructure)
Cookie lifetime	13 months maximum
IP anonymization	Full anonymization (2 bytes masked for IPv4)
Do Not Track	Respected
Data retention	Visitor logs: 25 months; aggregated reports: indefinite
Cross-site tracking	Disabled
Third-party data sharing	None
User opt-out	JavaScript opt-out widget on cookie policy page
Session fingerprinting	Disabled — use cookie-based session only

Dual Analytics Architecture:

Page Load
    │
    ├── Always fire (no consent needed):
    │   └── Matomo (CNIL-exempt configuration)
    │       └── Basic pageview, session, referrer data
    │
    └── Fire only with analytics consent:
        └── GA4 (full measurement)
            └── Enhanced measurement, events, conversions

This gives Pinnacle E-Commerce Ltd baseline analytics for all users (via Matomo) and richer data for consenting users (via GA4).

Aggregate Reporting Alternatives

Privacy-Preserving Measurement Approaches

Approach	Consent Required	Data Granularity	Implementation
Server-side log analysis	No (essential for operations)	Aggregate	Parse access logs for page views, status codes
Matomo (CNIL-exempt config)	No (France only)	Per-session	Self-hosted, privacy-configured
GA4 with Consent Mode	Yes (consent improves data)	User-level (modeled for non-consenting)	Standard implementation
Plausible Analytics	Depends on jurisdiction	Aggregate	No cookies, no PII, EU-hosted
Fathom Analytics	Depends on jurisdiction	Aggregate	No cookies, no PII
Privacy Sandbox Attribution Reporting	Evolving	Aggregate	Chrome-only, limited availability

Server-Side Log Analytics

The most privacy-preserving approach uses existing server access logs:

Available Metrics from Access Logs:

Metric	Source	Processing
Page views	HTTP request count	Count 200-status HTML requests
Unique visitors (daily)	IP + User Agent hash	Hash and count distinct per day
Top pages	Request URI	Rank by request count
Referrers	Referer header	Parse and categorize
Device types	User-Agent header	Parse UA for device category
Geographic distribution	IP geolocation	Resolve to country, discard IP
Error rates	HTTP status codes	Count 4xx, 5xx responses
Page load performance	Server response time	Measure TTFB from logs

Limitations:

• No client-side event tracking (clicks, scrolls, form interactions)
• No session stitching across pages (without cookies)
• No conversion attribution
• Bot traffic must be filtered (estimated 30-50% of web traffic)

Consent Rate Impact Analysis

Typical analytics consent rates observed across industries:

Consent Banner Design	Analytics Consent Rate	Impact on GA4 Data
Accept All prominent, Reject buried	80-90%	Low data loss
Equal prominence (CNIL-compliant)	40-60%	Significant data loss
Reject All as default action	20-35%	Severe data loss
Cookie wall (non-compliant)	90%+	Artificially high — non-compliant

Pinnacle E-Commerce Ltd Expected Impact: With a CNIL-compliant equal-prominence banner, expect approximately 45-55% analytics consent rate. This means:

• GA4 direct measurement covers ~50% of users
• Consent Mode behavioral modeling recovers ~20-30% of lost data
• Combined coverage: ~70-80% of actual traffic
• Matomo (CNIL-exempt) provides 100% coverage for basic metrics

Key Legal and Technical References

• ePrivacy Directive 2002/58/EC, Article 5(3) — Consent required for analytics cookies (not strictly necessary)
• CJEU Case C-673/17 (Planet49) — Active consent for all non-essential cookies including analytics
• CNIL Deliberation No. 2020-091 (17 September 2020) — Cookie guidelines including audience measurement exemption
• CNIL Guidelines on Audience Measurement Exemption (June 2021) — Conditions for consent-exempt analytics
• EDPB Guidelines 05/2020 on Consent — Analytics cookies require consent under GDPR
• Google Analytics 4 Privacy Documentation — GA4 data controls, consent mode, data retention
• Matomo GDPR/CNIL Compliance Guide — Self-hosted configuration for consent exemption
• Austrian DPA Decision (December 2021, DSB D155.027) — Found Google Analytics non-compliant with GDPR due to US data transfers
• CNIL Decision on Google Analytics (February 2022) — Ordered website to comply or cease using GA; US transfer concern