Blog / Analytics

Cookie Consent Banners, GDPR, and GPC: What Actually Requires a Banner

Most businesses treat "cookie consent" and "GDPR compliance" as the same thing because both are usually handled by the same banner. They are two separate laws with different triggers. One is triggered by cookies. The other is triggered by personal data. If you collect neither, you do not need a banner at all. Here is the clear breakdown, including Global Privacy Control and the exact Google Tag Manager setup to respect it.

Brendan Andrew Chase

Brendan Andrew Chase

July 8, 2026  ·  13 min read  ·  Analytics

Two Laws, Not One: Why the Confusion Exists

When you see a cookie consent banner on a website, it exists because of two overlapping but separate pieces of legislation that are almost always described as one thing: "GDPR compliance." They are not the same thing, they have different triggers, and understanding the difference changes what you actually need to do.

The two laws are:

  • The ePrivacy Directive (commonly called the Cookie Law) -- an EU law that governs the placing of cookies and similar technologies on a user's device
  • GDPR (General Data Protection Regulation) -- an EU law that governs the collection and processing of personal data

They are conflated because most popular analytics tools trigger both at the same time. Google Analytics 4 uses cookies (triggering the Cookie Law) and collects personal data (triggering GDPR). One banner handles the consent requirement for both, so they get treated as a single thing.

But they are not a single thing. The trigger for each is different, the compliance mechanism is different, and -- critically -- it is entirely possible to do analytics tracking that triggers neither, meaning no banner is required at all.

GDPR: What It Actually Says

GDPR (2018) applies to the processing of personal data of EU residents. Personal data is any information that can identify a specific person, directly or indirectly -- names, email addresses, IP addresses in many contexts, device fingerprints, and detailed behavioural profiles all qualify.

GDPR requires a lawful basis for processing personal data. There are six possible lawful bases: consent, legitimate interest, contract, legal obligation, vital interests, and public task. For analytics, the lawful basis most businesses use is consent, because legitimate interest for tracking individual users has not generally held up under EU regulatory scrutiny.

The critical distinction from the Cookie Law is what GDPR does not apply to: anonymous data. GDPR Recital 26 says explicitly that "the principles of data protection should not apply to anonymous information" -- information from which no individual can be identified by any reasonable means. If you are collecting truly anonymous, aggregate data with no way to link it to a specific person, GDPR does not apply to it at all.

This is the legal basis for privacy-first analytics tools that claim no consent banner is needed. They are not bending the rules -- they are operating in a space that GDPR genuinely does not cover, because no personal data is in scope.

Cookie Law (ePrivacy) GDPR
What triggers it Placing non-essential cookies on a user's device Collecting or processing personal data
Data type Irrelevant -- any cookie, anonymous or not Personal data only (anonymous data is exempt)
Requirement Opt-in consent before cookie is set Lawful basis before processing begins (consent or legitimate interest)
How to avoid triggering it Do not use cookies Do not collect personal data
GA4 Triggers it (uses cookies) Triggers it (collects personal data)
PostHog anonymous mode Does not trigger it (no cookies) Does not trigger it (no personal data)

When You Need a Banner and When You Do Not

With the two laws separated, the banner question becomes straightforward. There are four scenarios:

Scenario 1: Cookies + personal data (GA4, most tag management setups)

You trigger both laws. You need opt-in consent before firing any tags for EU users. Banner required. This is the situation most businesses running GA4 are in, which is why the consent banner has become ubiquitous.

Scenario 2: No cookies, but personal data is collected (PostHog with session recordings or user identification)

Cookie Law does not apply (no cookies), but GDPR does (personal data collected). You do not need a cookie consent banner specifically, but you do need some form of consent or lawful basis before collecting personal data from EU users. Session recordings capture individual user behaviour in detail -- that is personal data. A consent prompt of some kind is required, even if it is not a cookie banner.

Scenario 3: No cookies, no personal data (PostHog anonymous mode, Plausible, Fathom)

Neither law is triggered. Truly anonymous, aggregate analytics -- no cookies, IP addresses anonymised, no persistent user identifiers, no way to link data to a specific individual -- falls entirely outside both the Cookie Law and GDPR. No banner required. You can track by default, and your tracking cannot be blocked by cookie consent tools because there are no cookies to consent to.

Scenario 4: US-only traffic, no EU users at all

The Cookie Law and GDPR apply to EU residents. If you genuinely have no EU traffic, neither law applies. There is no US federal equivalent requiring a consent banner before analytics tracking. Some US states have their own privacy laws (California's CCPA, Colorado's CPA, etc.) but none require opt-in consent before web analytics. You still need to honour the Global Privacy Control signal (covered below), but a banner is not mandated.

The practical takeaway: if you are a US business that wants to track visitors by default, skip the banner, and only stop tracking when someone actively opts out, the way to do it is to use an analytics tool that collects no personal data and sets no cookies. You give up session recordings and individual user profiles, but you gain clean analytics on 100% of your traffic rather than the 40 to 70% who click Accept on a banner.

Global Privacy Control: What It Is and Where It Has Legal Force

Global Privacy Control is a browser-level signal that lets users communicate their privacy preferences to every website they visit, without having to interact with a banner on each one. When a user enables GPC in their browser, two things happen: the browser sets navigator.globalPrivacyControl = true in JavaScript, and it sends a Sec-GPC: 1 HTTP header with every request.

Brave browser enables GPC by default. Firefox users can enable it via the privacy settings or extensions. Various Chrome and Firefox privacy extensions also set it. It is not a niche signal -- it represents a meaningful and growing portion of privacy-conscious users who have made a deliberate choice at the browser level.

Where GPC has legal force

GPC has different legal status in different jurisdictions, and this is evolving:

  • California (CCPA/CPRA): Legally required to honour. The California Attorney General has confirmed that GPC qualifies as a valid opt-out of the sale and sharing of personal information under CCPA. This is binding law.
  • Colorado (CPA), Connecticut (CTDPA), and other US state privacy laws passed since 2022: Most include provisions requiring businesses to honour universal opt-out signals, of which GPC is the primary example. The list of states with this requirement is growing each year.
  • EU (GDPR): No current explicit legal requirement to honour GPC, but France's CNIL and other data protection authorities have indicated that browser-level privacy signals expressing user preferences should be treated as a valid withdrawal of consent. It is not yet mandated, but the direction of travel is clear.
  • UK (UK GDPR): Similar position to EU GDPR -- not explicitly mandated but increasingly expected by the ICO.

For a US business, respecting GPC is already a legal requirement in California and several other states. For a business with EU traffic, respecting it is current best practice even where it is not yet mandated. The implementation cost is low. The cost of not respecting it when it does become mandated is potentially high.

How to Respect GPC in Google Tag Manager

Google Tag Manager gives you a straightforward way to check the GPC signal and block all your marketing and analytics tags from firing for users who have set it. The setup takes two components: a variable that reads the signal, and a trigger that acts as an exception on every tag you want to block.

Step 1: Create the Custom JavaScript Variable

In GTM, go to Variables, click New, and choose Custom JavaScript as the variable type. Name it CJS - Global Privacy Control. Paste this as the function body:

function() {
  return navigator.globalPrivacyControl === true;
}

The === true check is important. In browsers that do not support GPC, navigator.globalPrivacyControl is undefined. undefined === true evaluates to false, so the variable returns false and your tags fire normally. Only browsers that explicitly set it to true -- Brave by default, Firefox with the right settings -- will trigger the exception.

Step 2: Create the Exception Trigger

Go to Triggers, click New, and choose Custom Event as the trigger type. Configure it as follows:

  • Trigger name: Exception - GPC Opt-Out
  • Event name: .*
  • Use regex matching: enabled
  • This trigger fires on: Some Custom Events
  • Condition: CJS - Global Privacy Control equals true

The .* regex matches every event name. When used as an exception, this trigger says: for every event that fires, check whether GPC is active. If it is, block the tag. The trigger itself never fires tags -- it only acts as an exception condition on tags you apply it to.

Step 3: Apply the Exception to Your Tags

Open each tag you want to block for GPC users -- typically your GA4 configuration tag, any advertising pixels, and any remarketing tags. Scroll to the Triggering section at the bottom of the tag. You will see your firing triggers. Below that is an Exception section. Click the plus icon and select Exception - GPC Opt-Out.

Once added, the tag will fire on its normal trigger (All Pages, for example) but will be blocked from firing for any user where CJS - Global Privacy Control returns true. The tag never runs. No data is sent for that user.

Apply this exception to every tag that collects data or drops pixels. Strictly necessary tags -- such as a tag that loads a required session management script -- can be left without the exception.

Testing the setup

Install Brave browser (GPC is on by default) and use GTM Preview mode to verify. Load your site in Brave and check the Preview panel. Any tag with the GPC exception applied should appear under Tags Not Fired for every page load. Then open the same URL in Chrome (no GPC) and confirm those same tags appear under Tags Fired. If the behaviour differs between the two browsers as expected, your GPC implementation is working.

Building a Setup That Tracks by Default and Respects Opt-Outs

The model most US businesses actually want -- track everyone unless they specifically opt out -- is achievable without a consent banner, as long as the tracking itself does not trigger the laws that require one.

Here is how the three legitimate opt-out paths work:

1. Browser-level opt-out (GPC: Brave, Firefox with privacy settings)

Handled by the GTM variable and exception trigger described above. The user never has to interact with anything on your site. Their browser signals their preference and your tags respect it automatically. This is the cleanest path because it requires no action from the user beyond their browser configuration choice.

2. Browser privacy settings (Do Not Track, third-party cookie blocking)

Do Not Track (DNT) is an older signal with no legal force anywhere -- you are not obligated to honour it. GPC is the replacement that does carry legal weight. For third-party cookie blocking (Safari ITP, Firefox ETP), analytics tools that use first-party cookies or no cookies at all are unaffected. If you are using cookieless anonymous tracking, browser-level cookie blocking is irrelevant to you entirely.

3. Explicit opt-out (user clicks Decline or manages preferences)

A simple opt-out link in the footer -- "Do not track me" or "Manage privacy settings" -- lets users opt out on request without requiring a banner on every page load. When they click it, you set a flag in localStorage and check it in GTM the same way you check GPC. Tags do not fire for flagged users. Under most US state privacy laws, providing this mechanism is sufficient.

The key point is that none of these three paths require a consent banner. A banner is the mechanism for collecting opt-in consent before tracking. If your tracking does not require opt-in consent -- because it is anonymous, or because you are operating in a jurisdiction that only requires an opt-out mechanism -- a banner is not the tool you need.

For EU users specifically: if you want to track them with any tool that sets cookies or collects personal data (including GA4 as it stands today), you do need opt-in consent and therefore a banner. The GPC exception trigger is still worth adding on top -- it covers the users whose browser signals an opt-out, which should be respected regardless of what the banner says.

We Handle This for Clients

Setting up Consent Mode v2, GPC exception triggers, and a sensible opt-out flow in GTM is part of what we do when we configure tracking for a client. If your current setup is a banner that half your visitors dismiss without reading, or you are not respecting GPC at all, we can fix both. Get in touch and we will tell you exactly what your current setup is doing and what it should be doing.

Get in touch

FAQ

Does Do Not Track (DNT) have any legal force?

No. Do Not Track is a browser signal from around 2009 that never received legal backing anywhere. There is no law in the EU, UK, or US that requires you to honour it. GPC is the replacement that does carry legal weight -- under California CCPA and several other US state privacy laws, GPC must be honoured as an opt-out of sale or sharing of personal information. DNT is effectively obsolete from a compliance standpoint.

If I use anonymous analytics with no cookies, do I need any banner at all?

For EU users, if your analytics tool genuinely collects no personal data and sets no cookies, then neither the Cookie Law nor GDPR applies to it. No consent banner is legally required. You should still respect GPC (users who have signalled a preference at browser level) and provide an opt-out mechanism somewhere accessible in your privacy policy. But a front-and-centre cookie banner is not required. This is the position taken by tools like Plausible Analytics and Fathom, and it holds up under EU data protection law as currently enforced.

Can I have GA4 running AND respect GPC without a full consent banner?

For US-only traffic: yes. You can run GA4 without a consent banner for US users (no US federal law requires one), add the GPC exception trigger to block GA4 from firing for Brave and Firefox GPC users, and provide a footer opt-out link for everyone else. For EU traffic: no. GA4 uses cookies and collects personal data, which triggers both the Cookie Law and GDPR for EU users. A consent banner before GA4 fires is required for that audience segment regardless of GPC.

What percentage of users have GPC enabled?

There is no reliable industry-wide figure because GPC adoption varies significantly by audience type. Brave browser has tens of millions of users and enables GPC by default -- anyone using Brave is sending the GPC signal to your site. Tech-adjacent and privacy-aware audiences have meaningfully higher Brave adoption. In our experience, GPC rates range from around 2% to 8% depending on the audience. It is not a signal to ignore, and the legal requirement to respect it is already live in California and several other US states.

Does the GPC exception trigger in GTM also block Google Ads conversion tags?

Yes, if you add the exception to your Google Ads conversion tags. That is intentional -- under CCPA, the opt-out of sale or sharing applies to advertising data as much as analytics data. You should apply the exception to GA4, all advertising pixels (Google Ads, Meta, LinkedIn), and any remarketing tags. Strictly functional tags (like a chat widget that the user explicitly opened) do not need the exception. One practical point: if you are running Google Ads and blocking conversion tags for GPC users, your conversion reporting will show slightly lower numbers than your actual conversions. This is the cost of compliance, not a tracking error.

Is this legal advice?

No. This is how we understand the relevant laws based on published regulatory guidance, enforcement decisions, and how we configure tracking for our clients. Privacy law varies by jurisdiction and changes over time. If you have specific compliance requirements -- particularly if you have EU revenue, are subject to California enforcement, or if your legal or enterprise sales team has raised data privacy as a requirement -- get a review from a data protection solicitor or privacy attorney. The GTM implementation described in this post is technically correct; whether it is sufficient for your specific situation depends on your audience, your data practices, and your risk tolerance.

Related Reading