In This Article
- 1. Two Laws, Not One: Why the Confusion Exists
- 2. The Cookie Law (ePrivacy Directive): What It Actually Says
- 3. GDPR: What It Actually Says
- 4. When You Need a Banner and When You Do Not
- 5. Global Privacy Control: What It Is and Where It Has Legal Force
- 6. How to Respect GPC in Google Tag Manager
- 7. Building a Setup That Tracks by Default and Respects Opt-Outs
- 8. FAQ
Two Laws, Not One: Why the Confusion Exists
When you see a cookie consent banner on a website, it exists because of two overlapping but separate pieces of legislation that are almost always described as one thing: "GDPR compliance." They are not the same thing, they have different triggers, and understanding the difference changes what you actually need to do.
The two laws are:
- The ePrivacy Directive (commonly called the Cookie Law) -- an EU law that governs the placing of cookies and similar technologies on a user's device
- GDPR (General Data Protection Regulation) -- an EU law that governs the collection and processing of personal data
They are conflated because most popular analytics tools trigger both at the same time. Google Analytics 4 uses cookies (triggering the Cookie Law) and collects personal data (triggering GDPR). One banner handles the consent requirement for both, so they get treated as a single thing.
But they are not a single thing. The trigger for each is different, the compliance mechanism is different, and -- critically -- it is entirely possible to do analytics tracking that triggers neither, meaning no banner is required at all.
GDPR: What It Actually Says
GDPR (2018) applies to the processing of personal data of EU residents. Personal data is any information that can identify a specific person, directly or indirectly -- names, email addresses, IP addresses in many contexts, device fingerprints, and detailed behavioural profiles all qualify.
GDPR requires a lawful basis for processing personal data. There are six possible lawful bases: consent, legitimate interest, contract, legal obligation, vital interests, and public task. For analytics, the lawful basis most businesses use is consent, because legitimate interest for tracking individual users has not generally held up under EU regulatory scrutiny.
The critical distinction from the Cookie Law is what GDPR does not apply to: anonymous data. GDPR Recital 26 says explicitly that "the principles of data protection should not apply to anonymous information" -- information from which no individual can be identified by any reasonable means. If you are collecting truly anonymous, aggregate data with no way to link it to a specific person, GDPR does not apply to it at all.
This is the legal basis for privacy-first analytics tools that claim no consent banner is needed. They are not bending the rules -- they are operating in a space that GDPR genuinely does not cover, because no personal data is in scope.
| Cookie Law (ePrivacy) | GDPR | |
|---|---|---|
| What triggers it | Placing non-essential cookies on a user's device | Collecting or processing personal data |
| Data type | Irrelevant -- any cookie, anonymous or not | Personal data only (anonymous data is exempt) |
| Requirement | Opt-in consent before cookie is set | Lawful basis before processing begins (consent or legitimate interest) |
| How to avoid triggering it | Do not use cookies | Do not collect personal data |
| GA4 | Triggers it (uses cookies) | Triggers it (collects personal data) |
| PostHog anonymous mode | Does not trigger it (no cookies) | Does not trigger it (no personal data) |
Global Privacy Control: What It Is and Where It Has Legal Force
Global Privacy Control is a browser-level signal that lets users communicate their privacy preferences to every website they visit, without having to interact with a banner on each one. When a user enables GPC in their browser, two things happen: the browser sets navigator.globalPrivacyControl = true in JavaScript, and it sends a Sec-GPC: 1 HTTP header with every request.
Brave browser enables GPC by default. Firefox users can enable it via the privacy settings or extensions. Various Chrome and Firefox privacy extensions also set it. It is not a niche signal -- it represents a meaningful and growing portion of privacy-conscious users who have made a deliberate choice at the browser level.
Where GPC has legal force
GPC has different legal status in different jurisdictions, and this is evolving:
- California (CCPA/CPRA): Legally required to honour. The California Attorney General has confirmed that GPC qualifies as a valid opt-out of the sale and sharing of personal information under CCPA. This is binding law.
- Colorado (CPA), Connecticut (CTDPA), and other US state privacy laws passed since 2022: Most include provisions requiring businesses to honour universal opt-out signals, of which GPC is the primary example. The list of states with this requirement is growing each year.
- EU (GDPR): No current explicit legal requirement to honour GPC, but France's CNIL and other data protection authorities have indicated that browser-level privacy signals expressing user preferences should be treated as a valid withdrawal of consent. It is not yet mandated, but the direction of travel is clear.
- UK (UK GDPR): Similar position to EU GDPR -- not explicitly mandated but increasingly expected by the ICO.
For a US business, respecting GPC is already a legal requirement in California and several other states. For a business with EU traffic, respecting it is current best practice even where it is not yet mandated. The implementation cost is low. The cost of not respecting it when it does become mandated is potentially high.
How to Respect GPC in Google Tag Manager
Google Tag Manager gives you a straightforward way to check the GPC signal and block all your marketing and analytics tags from firing for users who have set it. The setup takes two components: a variable that reads the signal, and a trigger that acts as an exception on every tag you want to block.
Step 1: Create the Custom JavaScript Variable
In GTM, go to Variables, click New, and choose Custom JavaScript as the variable type. Name it CJS - Global Privacy Control. Paste this as the function body:
function() {
return navigator.globalPrivacyControl === true;
}
The === true check is important. In browsers that do not support GPC, navigator.globalPrivacyControl is undefined. undefined === true evaluates to false, so the variable returns false and your tags fire normally. Only browsers that explicitly set it to true -- Brave by default, Firefox with the right settings -- will trigger the exception.
Step 2: Create the Exception Trigger
Go to Triggers, click New, and choose Custom Event as the trigger type. Configure it as follows:
- Trigger name:
Exception - GPC Opt-Out - Event name:
.* - Use regex matching: enabled
- This trigger fires on: Some Custom Events
- Condition:
CJS - Global Privacy Controlequalstrue
The .* regex matches every event name. When used as an exception, this trigger says: for every event that fires, check whether GPC is active. If it is, block the tag. The trigger itself never fires tags -- it only acts as an exception condition on tags you apply it to.
Step 3: Apply the Exception to Your Tags
Open each tag you want to block for GPC users -- typically your GA4 configuration tag, any advertising pixels, and any remarketing tags. Scroll to the Triggering section at the bottom of the tag. You will see your firing triggers. Below that is an Exception section. Click the plus icon and select Exception - GPC Opt-Out.
Once added, the tag will fire on its normal trigger (All Pages, for example) but will be blocked from firing for any user where CJS - Global Privacy Control returns true. The tag never runs. No data is sent for that user.
Apply this exception to every tag that collects data or drops pixels. Strictly necessary tags -- such as a tag that loads a required session management script -- can be left without the exception.
Testing the setup
Install Brave browser (GPC is on by default) and use GTM Preview mode to verify. Load your site in Brave and check the Preview panel. Any tag with the GPC exception applied should appear under Tags Not Fired for every page load. Then open the same URL in Chrome (no GPC) and confirm those same tags appear under Tags Fired. If the behaviour differs between the two browsers as expected, your GPC implementation is working.
Building a Setup That Tracks by Default and Respects Opt-Outs
The model most US businesses actually want -- track everyone unless they specifically opt out -- is achievable without a consent banner, as long as the tracking itself does not trigger the laws that require one.
Here is how the three legitimate opt-out paths work:
1. Browser-level opt-out (GPC: Brave, Firefox with privacy settings)
Handled by the GTM variable and exception trigger described above. The user never has to interact with anything on your site. Their browser signals their preference and your tags respect it automatically. This is the cleanest path because it requires no action from the user beyond their browser configuration choice.
2. Browser privacy settings (Do Not Track, third-party cookie blocking)
Do Not Track (DNT) is an older signal with no legal force anywhere -- you are not obligated to honour it. GPC is the replacement that does carry legal weight. For third-party cookie blocking (Safari ITP, Firefox ETP), analytics tools that use first-party cookies or no cookies at all are unaffected. If you are using cookieless anonymous tracking, browser-level cookie blocking is irrelevant to you entirely.
3. Explicit opt-out (user clicks Decline or manages preferences)
A simple opt-out link in the footer -- "Do not track me" or "Manage privacy settings" -- lets users opt out on request without requiring a banner on every page load. When they click it, you set a flag in localStorage and check it in GTM the same way you check GPC. Tags do not fire for flagged users. Under most US state privacy laws, providing this mechanism is sufficient.
The key point is that none of these three paths require a consent banner. A banner is the mechanism for collecting opt-in consent before tracking. If your tracking does not require opt-in consent -- because it is anonymous, or because you are operating in a jurisdiction that only requires an opt-out mechanism -- a banner is not the tool you need.
For EU users specifically: if you want to track them with any tool that sets cookies or collects personal data (including GA4 as it stands today), you do need opt-in consent and therefore a banner. The GPC exception trigger is still worth adding on top -- it covers the users whose browser signals an opt-out, which should be respected regardless of what the banner says.
We Handle This for Clients
Setting up Consent Mode v2, GPC exception triggers, and a sensible opt-out flow in GTM is part of what we do when we configure tracking for a client. If your current setup is a banner that half your visitors dismiss without reading, or you are not respecting GPC at all, we can fix both. Get in touch and we will tell you exactly what your current setup is doing and what it should be doing.
Get in touchFAQ
Does Do Not Track (DNT) have any legal force?
No. Do Not Track is a browser signal from around 2009 that never received legal backing anywhere. There is no law in the EU, UK, or US that requires you to honour it. GPC is the replacement that does carry legal weight -- under California CCPA and several other US state privacy laws, GPC must be honoured as an opt-out of sale or sharing of personal information. DNT is effectively obsolete from a compliance standpoint.
If I use anonymous analytics with no cookies, do I need any banner at all?
For EU users, if your analytics tool genuinely collects no personal data and sets no cookies, then neither the Cookie Law nor GDPR applies to it. No consent banner is legally required. You should still respect GPC (users who have signalled a preference at browser level) and provide an opt-out mechanism somewhere accessible in your privacy policy. But a front-and-centre cookie banner is not required. This is the position taken by tools like Plausible Analytics and Fathom, and it holds up under EU data protection law as currently enforced.
Can I have GA4 running AND respect GPC without a full consent banner?
For US-only traffic: yes. You can run GA4 without a consent banner for US users (no US federal law requires one), add the GPC exception trigger to block GA4 from firing for Brave and Firefox GPC users, and provide a footer opt-out link for everyone else. For EU traffic: no. GA4 uses cookies and collects personal data, which triggers both the Cookie Law and GDPR for EU users. A consent banner before GA4 fires is required for that audience segment regardless of GPC.
What percentage of users have GPC enabled?
There is no reliable industry-wide figure because GPC adoption varies significantly by audience type. Brave browser has tens of millions of users and enables GPC by default -- anyone using Brave is sending the GPC signal to your site. Tech-adjacent and privacy-aware audiences have meaningfully higher Brave adoption. In our experience, GPC rates range from around 2% to 8% depending on the audience. It is not a signal to ignore, and the legal requirement to respect it is already live in California and several other US states.
Does the GPC exception trigger in GTM also block Google Ads conversion tags?
Yes, if you add the exception to your Google Ads conversion tags. That is intentional -- under CCPA, the opt-out of sale or sharing applies to advertising data as much as analytics data. You should apply the exception to GA4, all advertising pixels (Google Ads, Meta, LinkedIn), and any remarketing tags. Strictly functional tags (like a chat widget that the user explicitly opened) do not need the exception. One practical point: if you are running Google Ads and blocking conversion tags for GPC users, your conversion reporting will show slightly lower numbers than your actual conversions. This is the cost of compliance, not a tracking error.
Is this legal advice?
No. This is how we understand the relevant laws based on published regulatory guidance, enforcement decisions, and how we configure tracking for our clients. Privacy law varies by jurisdiction and changes over time. If you have specific compliance requirements -- particularly if you have EU revenue, are subject to California enforcement, or if your legal or enterprise sales team has raised data privacy as a requirement -- get a review from a data protection solicitor or privacy attorney. The GTM implementation described in this post is technically correct; whether it is sufficient for your specific situation depends on your audience, your data practices, and your risk tolerance.
Related Reading
- PostHog for Medium US Businesses -- anonymous analytics without a consent banner, EU Cloud for GDPR-worried businesses
- Conversion Tracking Services -- GA4, GTM setup, and offline conversion tracking that survives consent-mode restrictions
- Advanced Analytics -- GA4 reporting, Looker Studio dashboards, and data layer configuration
- CRM-Connected ROAS Tracking -- how we close the loop on ad spend without relying solely on cookie-based attribution