Google has just announced the removal of a significant control mechanism over personal data flows in Google Analytics 4 (GA4).

This change has direct implications for the allocation of responsibilities under the GDPR framework.

Website owners using GA4 need to make a technical decision with significant legal repercussions.

1 Executive summary: immediate actions

The website owner using Google Analytics must, before June 15, 2026:

· Make an express and documented decision regarding the configuration of the ad_storage parameter and the rest of the Consent Mode parameters before June 15, 2026.

· Review the configuration of their CMP (Consent Management Platform or cookie banner) to ensure that default settings are based on a valid legal basis and that consent, where required, meets all applicable requirements.

· Update the privacy policy and cookie policy to reflect, where applicable, the new architecture of data flows to Google Ads, in compliance with the information obligations under Article 13 GDPR.

You are reading ZERO PARTY DATA. The newsletter on current developments and technology law by Jorge García Herrero and Darío López Rincón.

In the spare time this newsletter leaves us, we handle complex matters related to personal data protection regulations and artificial intelligence. If you have one of those, give us a shout. Or contact us by email at jgh(at)jorgegarciaherrero.com

2 Obligations currently applicable to the processing of website visitor data

At present, and in summary, two different sets of rules must be complied with regarding the configuration of GA4.

2.1 LSSI – Law 34/2002 on Information Society Services

Analytical, advertising, or profiling cookies—however you look at it, GA4 falls within this category—require the user’s informed and granular consent.

Authorities (the EDPB, the CNIL, the AEPD) extend this requirement to the use of cookies or analogous procedures (tracking pixels, tracking links, local processing, server-to-server flows, to name just a few of these endless ideas).

2.2 Consent and information requirements under the GDPR

When the information stored on or collected from the user’s device includes personal data—and that is precisely why things such as advertising identifiers, GA4 unique identifiers, and associated signals were created—its processing is subject to the GDPR.

Consent must meet GDPR requirements: it must be freely given, specific, informed, and unambiguous, expressed through a clear affirmative action, and must be verifiable and revocable as easily as it was given.

Any substantial change in the processing architecture—such as the one addressed in this text—requires updating the information notices before its effective implementation.

3 The novelty: the change in Google Analytics 4

To date, GA4 offered two distinct control mechanisms over data flows to Google Ads, operating cumulatively and independently:

• Google Signals: when disabled, it prevented GA4 from sharing advertising cookies and user identifiers with the Google Ads platform, regardless of consent status.

• Consent Mode (and, in particular, the ad_storage parameter): it conditioned data collection and processing on the user’s expression of consent in the CMP.

The coexistence of both mechanisms allowed the data controller to have a double layer of protection: disabling Google Signals acted as a structural safeguard regardless of potential failures or permissive configurations of the CMP.

As of June 15, 2026, this duality disappears.

Google has announced that the Google Signals configuration will no longer govern the flow of advertising data to Google Ads.

From that date onward, the only mechanism determining whether Google Ads may collect and use advertising signals—including linking user activity to their authenticated Google account—will be the ad_storage parameter of Consent Mode.

The change, explained in operational terms:

• If ad_storage is set to granted, Google Ads may use all available signals.[1] As of June 15, ad_storage=granted allows Google Ads to use all available signals, including linking user activity to their logged-in Google account.

• If ad_storage is set to denied, data flow is restricted. However, Google explicitly warns that this setting will have a significant impact on advertising measurement and campaign performance.

The change, explained in legal terms:

The purpose of the regulation is to prevent access to (or collection of data from) the user’s device unless the user has given active consent.

Therefore, ad_storage=granted has the same effect as a pre-ticked consent box in a cookie banner.

· If ad_storage is configured as granted before user interaction, the implementation is sanctionable because it allows user data to flow to Google before the user has even had the opportunity to interact with the CMP.

Even if the user later consents to the use of cookies, the original infringement is not remedied: between page load and user interaction with the banner, the data has already flowed (if the Google tag was triggered with ad_storage=granted).

As an example, the 150-million fine imposed by the CNIL on Shein last year.

The consent required by Article 5(3) of the ePrivacy Directive, transposed into Article 22.2 LSSI and reflected in AEPD practice, is prior consent to access the device, not consent validated retroactively when the user accepts.

A configuration that would not present this problem would be:

ad_storage=denied by default, transitioning to granted only if the user actively accepts in the banner.

The CMP triggers the update call after interaction, and the tag does not collect advertising data until that moment. In this architecture, consent is genuinely prior.

Interactive self-assessment tool

With the help of my friend Claude, I have created an interactive tool where you can see, for each option, (i) the data flow to Google and (ii) indications of the legal effects.

As Substack does not allow embedding such tools in the newsletter, you will need to access it on my blog via this link.

Why do I include those other two controls ad_user_data and ad_personalization? Because they are relevant.

Because, as usual, Google disregards the user’s refusal of consent: Google’s own documentation indicates that even when consent is denied, tags continue sending “measurements without cookies” and various pings: consent state pings, key event pings, and Google Analytics pings.

Google acknowledges that these pings may include timestamp, user agent, referrer, a boolean indication of consent status, and a random number per page load; however, with ad_storage denied, it states that no new advertising cookies are written or read, certain third-party cookies are avoided, and IP addresses are truncated at collection for Ads products.

4 Legal implications for the website owner

The decision regarding the default value of ad_storage is a clear example of a data controller decision.

Configuring ad_storage as granted or denied by default in the CMP has direct legal consequences that only the controller can adopt and whose responsibility is non-delegable.

Two remarks:

· The de facto delegation of this decision to a third party (advertising agency, website manager), whether by action or omission, or the inertia-driven continuation of inherited configurations without documented review, does not exempt the controller from liability before the supervisory authority. On the contrary, the inability to demonstrate analysis and decision-making in accordance with Article 5(2) GDPR aggravates the controller’s position in potential sanctioning proceedings.

· Third parties (Google in this case) that access visitor data obtained without consent may face their own sanctions, but it should be noted that (i) data subjects do not always know which third parties access such data and (ii) they will always lodge complaints against the website owner, with whom they have a direct relationship.

5 Risk scenarios

The change announced by Google creates, at a minimum, the following risk scenarios that the website owner must address prior to June 15, 2026:

a) Legacy configurations that cease to be effective.

Website owners where GA4 was implemented with Google Signals disabled as a privacy measure—a relatively common configuration in compliance audits—will see that protection automatically cease to operate as of June 15.

Unless proactively reviewed, data flows to Google Ads will depend exclusively on the configuration of the cookie banner or CMP, which may not reflect the underlying privacy decision of the previous configuration.

b) CMPs with permissive defaults or deficient implementation.

It is common for CMPs to present ad_storage with a default value of granted, either due to technical inertia or to avoid impact on advertising measurement.

If the user does not click accept on the banner, or if the banner does not effectively require a clear affirmative action, data will flow to Google Ads without a valid legal basis, in direct breach of Article 22.2 LSSI and Article 6 GDPR. Liability before the AEPD lies, in all cases, with the data controller.

c) Inconsistency between the privacy policy and actual data flows.

Google has provided a sixty-day grace period for updating privacy policies.

This requirement is very revealing: if the change were truly merely technical—without material impact on data processing—it would not require updating user-facing information.

d) Commercial pressure and permissive configurations adopted by third parties.

The impact on measurement and campaign performance warned by Google constitutes implicit pressure on the controller’s providers to adopt permissive configurations.

It must be borne in mind that, at present, both processing for analytical purposes and for behavioral advertising personalization (and any processing that is not strictly technical) require the visitor’s active consent.

6 What if the Digital Omnibus is approved?

The Digital Omnibus is a legislative proposal to simplify the GDPR and the ePrivacy Directive, among others. Its vote is scheduled for June this year.

For present purposes, if approved in its current wording, the Digital Omnibus would introduce two particularly relevant changes:

· Reduction of situations requiring consent. Certain low-risk processing activities—audience measurement and generation of website or app usage statistics—could be based on legitimate interest, thus not requiring consent.

Accordingly, the collection of strictly statistical metrics via GA4 would not require prior user consent.

However, even the reform would not exempt consent for data flows with advertising purposes to Google Ads, which are precisely the subject of the change announced by Google for June 15, 2026.

• Relocation of the Article 5(3) ePrivacy regime into the GDPR. Access to and storage of information on the user’s terminal equipment, when involving personal data processing, would be regulated under new Articles 88a and 88b GDPR, disappearing from the scope of the ePrivacy Directive.

The direct consequence would be that non-compliance with these new provisions by European companies would be subject to GDPR sanctions, which are much more severe (at least in Spain).

Other players such as Google and Meta would fall under the exclusive jurisdiction of the Irish DPC, thereby avoiding the multimillion fines imposed so far by the CNIL under the ePrivacy Directive.

Additionally, it should be noted:

• The Digital Omnibus has not been approved and its final content may differ substantially from the current proposal.

• Even if approved in its current wording, its entry into force will most likely be after June 15, 2026. Therefore, decisions must be made based on the current legal framework described above.

Jorge García Herrero

Lawyer and Data Protection Officer

[1] A CMP “correctly configured” in a technical sense (i.e., one that respects the user’s choice when it is made) does not remedy a legally deficient technical implementation if the default setting is permissive.

[2] In fact, Google expressly warns that, in Consent Mode for web, the default state must be set before any command that sends measurement data, and provides ad_storage=’denied’ as an example.