Stop Google Analytics from loading before consent (KVKK/GDPR)
Google Analytics (GA4) sets identifiers and sends the visitor’s IP and page data to Google the moment it loads. If that happens before the visitor accepts cookies, it is processing without a legal basis.
Why it matters
Analytics is non-essential, so under KVKK Art. 5 and the ePrivacy rule (GDPR Art. 6) it needs prior consent. GA4 also sends data to Google in the US, engaging cross-border transfer rules. A tag that fires on page load — before anyone clicks "Accept" — is the single most common finding in a privacy scan.
How to fix it
Load GA only after opt-in. The cleanest way is Google Consent Mode v2: set the defaults to "denied" before any Google tag initialises, then update to "granted" from your consent banner’s accept callback. Until consent, GA stays dormant (or sends only cookieless pings, if you enable that).
<!-- BEFORE any Google tag: default everything denied -->
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',        // Consent Mode v2 signal
    ad_personalization: 'denied',  // Consent Mode v2 signal
    analytics_storage: 'denied',
    wait_for_update: 500           // ms to wait for the banner's update call
  });
</script>
// In your consent banner's Accept handler (JavaScript, not run on page load)
gtag('consent', 'update', { analytics_storage: 'granted' });
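To verify the fix, this added example (not from the original page or from Google) audits a captured request list for GA4 hits sent before the Accept click and reports cookieless pings separately. The hostnames, the sample capture, the placeholder measurement ID and the reading of the `gcs` query parameter (`G1` followed by an ad_storage bit and an analytics_storage bit) are assumptions.

```javascript
// Added example: audit captured requests for GA hits sent before consent.
// Constructed sample data; the hostnames and the `gcs` convention are
// assumptions about GA4's collect endpoint, not taken from the page.
const GA_HOSTS = /(^|\.)(google-analytics\.com|analytics\.google\.com)$/;

// Classify one request relative to the moment the visitor clicked Accept.
function classify(req, consentAt) {
  const url = new URL(req.url);
  if (!GA_HOSTS.test(url.hostname) || !url.pathname.endsWith('/collect')) {
    return 'ignore';                        // not a GA measurement hit
  }
  if (consentAt !== null && req.t >= consentAt) return 'ok'; // after opt-in
  const gcs = url.searchParams.get('gcs');  // e.g. G100 = ads/analytics denied
  if (gcs === null) return 'violation';     // no Consent Mode signal at all
  const m = /^G1([01])([01])$/.exec(gcs);
  if (!m) return 'violation';               // unknown state: treat as failing
  return m[2] === '1' ? 'violation' : 'cookieless-ping';
}

// Group every GA hit in the capture by verdict; consentAt = null means never.
function auditCapture(requests, consentAt) {
  const report = { violation: [], 'cookieless-ping': [], ok: [] };
  for (const req of requests) {
    const verdict = classify(req, consentAt);
    if (verdict !== 'ignore') report[verdict].push(req.url);
  }
  return report;
}

// Constructed capture: t = ms since navigation start, G-XXXXXXX = placeholder.
const SAMPLE = [
  { t: 120, url: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX' },
  { t: 300, url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&gcs=G100&en=page_view' },
  { t: 310, url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&cid=111.222&en=page_view' },
  { t: 900, url: 'https://region1.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&gcs=G101&cid=111.222&en=scroll' },
  { t: 5200, url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&gcs=G111&cid=111.222&en=click' },
];

const result = auditCapture(SAMPLE, 5000);  // visitor accepted at t = 5000 ms
console.log(result);
```

Feed it the request list exported from a browser session or proxy; any entry under `violation` means analytics data left the page before opt-in.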
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.