Skip to main content
All guides
Serious KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3) · Analytics

Stop Google Analytics from loading before consent (KVKK/GDPR)

Google Analytics (GA4) sets identifiers and sends the visitor’s IP and page data to Google the moment it loads. If that happens before the visitor accepts cookies, it is processing without a legal basis.

Why it matters

Analytics is non-essential, so under KVKK Art. 5 and the ePrivacy rule (GDPR Art. 6) it needs prior consent. GA4 also sends data to Google in the US, engaging cross-border transfer rules. A tag that fires on page load — before anyone clicks "Accept" — is the single most common finding in a privacy scan.

How to fix it

Load GA only after opt-in. The cleanest way is Google Consent Mode v2: set the defaults to "denied" before any Google tag initialises, then update to "granted" from your consent banner’s accept callback. Until consent, GA stays dormant (or sends only cookieless pings, if you enable that).

<!-- BEFORE any Google tag: default everything denied -->
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500
  });
</script>

<!-- In your consent banner's Accept handler -->
gtag('consent', 'update', { analytics_storage: 'granted' });

Does your site have this issue?

Run a free scan to find out in seconds.

Official sources

Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.

Related guides

These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.