Consent Mode – Why you should not use it

![rw-book-cover](https://brianclifton.com/wp-content/uploads/2022/03/gaining-consent.jpeg) ## Metadata - Author: [[Brian Clifton's Blog]] - Full Title:: Consent Mode – Why you should not use it - Category:: #🗞️Articles - Document Tags:: [[google analytics]], [[Google Analytics]], - URL:: https://brianclifton.com/blog/2022/03/14/google-consent-mode-breaks-privacy-laws/ - Read date:: [[2023-11-01]] ## Highlights > However by examining the URL it is trivial to see that Google’s ghost hits STILL contain the visitor’s > user_id > `user_id` and > transaction_id > `transaction_id` (if collected), and the **visitors IP address** is transmitted to Google servers. Collecting, storing and processing such data when the visitor has explicitly stated no to this, would surely be considered illegal in any jurisdiction. ([View Highlight](https://read.readwise.io/read/01he5few8gw5qxhhvwsg6716dh)) > Note, this does **not** mean all data collection is forbidden without an annoying pop-up banner requesting consent. Any data point or cookie that you can reasonably justify as “strictly necessary” for the functioning of your site/app, does not require consent. That is, there is such as thing as **benign analytics** that does not require consent, but sending data to a “mass aggregator” such as Google, does not count as benign. See my [Planet49 article on LinkedIn](http://linkedin.com/pulse/why-i-think-sky-falling-web-analytics-brian-clifton-phd-/) for further thought on this. ([View Highlight](https://read.readwise.io/read/01he5raepnzyg3t77fhpsxwh2t)) > Therefore to be privacy compliant for laws such as GDPR/ePR, you need to **actively block** the Google ghost hits ([View Highlight](https://read.readwise.io/read/01he5rb1j45c666dk1gct6bsf8)) > With only the default settings of consent mode in place, Google will continue to collect data when a visitor has explicitly stated **no to tracking**. Remarkably, this is quite transparent from Google – see the [official documentation](https://support.google.com/analytics/answer/9976101?hl=en). Their rational is to collect “anonymised” data from your non-consenting visitors so that they can model the impact of non-consent. ([View Highlight](https://read.readwise.io/read/01hed39wnak5vyfx2mpwzb34j1)) But is it? > However by examining the URL it is trivial to see that Google’s ghost hits STILL contain the visitor’s and (if collected), and the **visitors IP address** is transmitted to Google servers. Collecting, storing and processing such data when the visitor has explicitly stated no to this, would surely be considered illegal in any jurisdiction. ([View Highlight](https://read.readwise.io/read/01hed3cjdmk8jsrk2a2097m4z6))