How cookie consent managers can mess up your GA4 data

In working on Google Analytics 4 projects over the years, we’ve come across a great many instances of cookie consent managers causing problems with people’s data.

When organisations come to us saying, “can you take a look at our data? It doesn’t seem right”, chances are that it’s a poorly implemented cookie consent manager messing things up.

This article will shine a light on what can go wrong, how to spot it, and how to fix it.

Before we begin

To be clear, I’m not saying that cookie consent management is in any way bad or that visitors should be tricked into allowing the use of tracking technologies against their will. It’s not about collecting as much data as possible - it’s about collecting good data.

As long as you're getting a good sample size to work with, your data can still be useful. There are also new approaches being developed by the analytics and ad platforms that can help you see an estimate of 'actual' traffic, such as Google’s 'consent mode'.

A quick overview of the cookie consent rules in the UK

At this point, a quick overview of the current legal situation might be helpful. Of course, I’m not a lawyer and this shouldn’t be considered legal advice.

As of September 2023, when I’m writing this, there are two regulations that are relevant:

  • PECR is the thing that started it all. It stipulates that you can’t put ‘identifiers’ (i.e. cookies or anything similar) on someone’s device without their consent. It used to be that consent could (arguably) be of the soft opt-in variety (i.e. automatic opt in with a polite notification). But then along came…

  • GDPR, which amended the definition of ‘consent’ in PECR to require actual proper opt-in consent. This has resulted in cookie consent management tools taking off.

Common cookie consent issues and how to spot them

1. Subtlety Doesn’t Always Pay

From a user experience point of view, it may seem like a good idea to make a cookie consent banner as unobtrusive as possible. After all, you don’t want to interrupt people who are trying to use your website.

However, being too subtle can end up ruining the data that you collect.

Take a look at the (reasonably anonymised) website below. The banner doesn’t get in the way of anything and it’s sympathetically branded, so it doesn’t stand out too much. You might get fewer opt ins this way, but that’s not the end of the world.

However, there are two issues here:

  1. Anyone who only wanted to look at a single page (especially on desktop) might find that they don’t need to make a decision to opt in or out. In fact, they might view several pages before or even without making a decision. So a potentially quite large chunk of traffic won’t be tracked, even if those visitors would have had no objections.

  2. GA can only identify someone’s traffic source if they opt in on the first page of their session. If people don’t opt in until after they’ve visited multiple pages then they’ll just show up in your reports as coming from ‘Direct’. This potentially robs credit from the email and advertising campaigns you’re spending so much valuable time and money on.

The solution is to be a bit more upfront. Ask people explicitly to opt in or out, make it easy to do so, and then it’s done. Visitors are better informed and you receive more useful data.

There’s no avoiding cookies on the One Further website: the rest of the page is blocked and visitors have to make a decision before browsing.

2. Disregarding User Preferences

One of the worst things we’ve seen is cookie consent managers that don’t actually do anything.

In this case, a user will be asked whether they want to opt in to the use of tracking technologies, but tags will have fired already and/or they’ll keep on firing regardless.

In the arts this is more likely to happen by accident rather than through deliberate deception. We’ve seen organisations or their website developers think that installing a cookie consent manager takes care of the whole process, which is rarely the case. The tags (ideally in Google Tag Manager) need to be configured appropriately and checked to make sure nothing is sneaking in around the edges.

3. Not Firing Tags When Someone Opts In

Talk about missing an open goal. The opposite of the previous issue occurs when someone opts in to tracking, but tags aren’t instructed to fire correctly. Often they only start firing from the next time a page is loaded - which is too late.

This usually results in the undercounting of sessions and page views, plus the high % of Direct traffic that we see when cookie consent managers are made too subtle.

4. The Perils of Page Refresh

Some cookie consent managers reload the page after a person opts in to allowing cookies. The thinking is that this causes tags to fire, avoiding the situation described above. Which is great in theory, but…

When someone comes to your website, information about the previous website they were on is held in the ‘referer’ header. If you refresh the page this is replaced with your own domain name, making it impossible for GA4 to determine the user's true traffic source.

If you're fortunate, any UTM campaign parameters may be preserved, but it’s not guaranteed. In short - don’t use a cookie consent manager that forces a page refresh.

5. Inconsistency Across Domains

A common issue we see is when organisations use a CMS-based cookie consent manager on their main website. Problems arise if you then send visitors to separate or partly-integrated ticketing solutions, online shops, or microsites that sit on different domains.

The CMS-based cookie consent tool doesn’t persist across those other domains, which means you’ll need a separate cookie consent manager on each of them. As your visitors move around your domains, they will be asked to choose their preferences all over again.

This is a poor user experience, will produce some odd quirks in your data and should be avoided at all costs.

In this situation, it’s preferable to have a single, platform-agnostic cookie consent tool that can sit across all of the websites and third-party systems in use.

6. Cookie Consent Isn’t Just About Analytics and Advertising

We’ve seen many organisations and their website developers make the mistake of assuming cookie consent applies only to analytics and advertising tags.

However, multimedia embeds added to the site, such as YouTube, Soundcloud, and Google Maps also place cookies on users' devices and should be treated with equal importance.

If a person opts out of tracking, then it’s the website owner’s responsibility to make sure that embedded third parties don’t place identifiers on their devices either.
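One way to check for issues 2, 3 and 6 is to record what the browser requests during a visit and compare it with the visitor's consent choice. The sketch below is an added example, not code from the original article; the host list, the event format and the sample timelines are assumptions constructed for illustration.

```javascript
// Hosts treated as trackers or cookie-setting embeds (assumed list, extend for your site).
const TRACKER_HOSTS = new Map([
  ["www.google-analytics.com", "analytics"],
  ["www.youtube.com", "embed"],
  ["w.soundcloud.com", "embed"],
]);

// events: {type:"page",url} | {type:"consent",choice} | {type:"request",host}, in time order.
function auditConsentTimeline(events) {
  const findings = [];
  let consent = "undecided";
  let page = null;
  let awaitingFirstHit = false; // true from an opt-in until the first analytics hit
  const closePage = () => {
    // Issue 3: the visitor opted in but no analytics hit was sent before the page ended.
    if (awaitingFirstHit) findings.push({ issue: "opt-in-page-not-tracked", page });
    awaitingFirstHit = false;
  };
  for (const e of events) {
    if (e.type === "page") {
      closePage();
      page = e.url;
    } else if (e.type === "consent") {
      consent = e.choice;
      awaitingFirstHit = e.choice === "granted";
    } else if (e.type === "request" && TRACKER_HOSTS.has(e.host)) {
      const category = TRACKER_HOSTS.get(e.host);
      if (consent !== "granted") {
        // Issues 2 and 6: a tag or embed loaded before, or despite, the visitor's choice.
        findings.push({ issue: "fired-without-consent", category, host: e.host, page, consent });
      } else if (category === "analytics") {
        awaitingFirstHit = false;
      }
    }
  }
  closePage();
  return findings;
}

// Constructed timelines, not captured from a real site.
const IGNORES_CHOICE = [
  { type: "page", url: "/whats-on" }, { type: "request", host: "www.google-analytics.com" },
  { type: "consent", choice: "denied" }, { type: "request", host: "www.youtube.com" },
];
const FIRES_TOO_LATE = [
  { type: "page", url: "/" }, { type: "consent", choice: "granted" },
  { type: "page", url: "/tickets" }, { type: "request", host: "www.google-analytics.com" },
];
```

An empty result from `auditConsentTimeline` means every tracked request followed an opt-in and the opt-in page itself was measured.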

How to spot an issue

It’s difficult to spot a problem just by looking at your website. You need to dig into your analytics, and the following should be considered red flags in Google Analytics 4:

  • A high % of sessions and/or revenue attributed to ‘Direct’ traffic (as in 30-40% or more). This usually means that something is preventing GA from identifying the true traffic source.

  • A suspiciously high sitewide engagement rate. That might indicate that you’re only tracking people who are going deeper into your website, and not tracking the more transient (but potentially still valuable) website visitors.

  • The number of sessions closely matching the number of page views. This can indicate that a client or session ID is being cleared by a cookie consent manager.

These things don’t necessarily point to an issue with your cookie consent manager, but it should be the first line of investigation.
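The red flags above can be turned into a quick check over a channel-level GA4 export. This is an added example, not part of the original article; the row format, the sample rows and the engagement and sessions-per-page-view thresholds are assumptions, and only sessions (not revenue) are checked.

```javascript
// directShare follows the article's "30-40% or more"; the other two thresholds are assumed.
const THRESHOLDS = { directShare: 0.30, engagementRate: 0.85, sessionsPerPageView: 0.90 };

// rows: one object per channel with sessions, engagedSessions and pageViews for the period.
function ga4RedFlags(rows, t = THRESHOLDS) {
  const sum = (key, keep = () => true) =>
    rows.filter(keep).reduce((n, r) => n + r[key], 0);
  const sessions = sum("sessions");
  const pageViews = sum("pageViews");
  // Nothing recorded at all is its own warning sign, and avoids dividing by zero.
  if (sessions === 0 || pageViews === 0) return { flags: ["no-data"], metrics: null };

  const metrics = {
    directShare: sum("sessions", (r) => r.channel === "Direct") / sessions,
    engagementRate: sum("engagedSessions") / sessions,
    sessionsPerPageView: sessions / pageViews,
  };
  // A metric is flagged when it reaches or exceeds its threshold.
  const flags = Object.keys(metrics).filter((k) => metrics[k] >= t[k]);
  return { flags, metrics };
}

// Constructed report rows, not real data.
const SUSPECT = [
  { channel: "Direct", sessions: 4200, engagedSessions: 3900, pageViews: 4500 },
  { channel: "Organic Search", sessions: 3000, engagedSessions: 2700, pageViews: 3300 },
  { channel: "Email", sessions: 800, engagedSessions: 740, pageViews: 900 },
];
const HEALTHY = [
  { channel: "Direct", sessions: 1500, engagedSessions: 800, pageViews: 3500 },
  { channel: "Organic Search", sessions: 5000, engagedSessions: 3100, pageViews: 14000 },
  { channel: "Email", sessions: 1500, engagedSessions: 1000, pageViews: 4500 },
];
```

As the article says, a flag here is a prompt to inspect the cookie consent manager first, not proof that it is at fault.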

Sometimes, if we spot one of the issues listed above, it’s pretty easy to predict that there will be an issue with someone’s data without even needing GA4 access.

If your data looks odd and you need help

Please get in touch. We’ve fixed a great number of GA4 implementations and helped organisations to regain trust in their data.
