TL;DR: Google Signals links GA4 sessions to users' Google accounts for cross-device tracking, which constitutes personal data processing requiring explicit consent under GDPR. The ICO and EDPB have both confirmed this position. Without valid consent, enabling Google Signals is unlawful. This guide covers what Google Signals does, how to disable it, and the most common compliance mistakes.
What Does Google Signals Do?
Google Signals is a GA4 feature that, when enabled, produces four key effects:
- Cross-device reconciliation: Google links your GA4 sessions to the user's Google account ID to reconstruct the full journey across mobile, tablet, and desktop
- Demographic and interest data: GA4 receives data on the age, gender, and interest categories of users signed into Google
- Enhanced remarketing: GA4 audience lists are enriched with Google signals for targeting across the Google network
- Cross-channel attribution: conversions are attributed more accurately by cross-referencing multi-device sessions
Google Signals and GDPR: ICO and EDPB Position
The ICO and EDPB have confirmed that cross-device tracking via Google Signals constitutes personal data processing under GDPR Article 4. The key requirements are:
- Consent must be obtained before Google Signals is activated
- Users must be informed that their data is linked to their Google account
- Cross-device tracking must be explicitly mentioned in the cookie policy
- Withdrawing consent must immediately stop Signals data transmission
How to Disable Google Signals in GA4
If you do not have valid consent, or want to limit data collection, follow these steps to disable Google Signals:
- Sign into Google Analytics 4 and navigate to Admin
- Under the Property column, click Property Settings
- Scroll to Google Signals and click Google Data Settings
- Click Deactivate and confirm the deactivation
- Verify in Data Streams that the signal is inactive
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The Data Thresholding Effect
When Google Signals is disabled or when users have not consented, GA4 applies data thresholding. This means that certain dimensions (age, gender, interest) disappear from reports, and exploration reports may show aggregated or suppressed data below privacy thresholds. This behavior is expected and correct in a GDPR-compliant setup.
Common Mistakes with Google Signals
Enabling Google Signals by default. GA4 activates Google Signals automatically in some configurations. Check the activation status every time a new GA4 property is created.
Confusing Signals with User-ID. User-ID is an internal mechanism based on your own customer identifier. Google Signals uses the Google account ID. These are distinct with different GDPR implications.
Not mentioning Signals in the cookie policy. The EDPB requires each processing purpose to be explicitly described. Cross-device tracking via Signals must appear as a separate purpose.
Using Signals without Consent Mode v2. Without Consent Mode v2, GA4 cannot respect consent state in a granular way. All four parameters must be transmitted before GA4 loads.
Google Signals GDPR Compliance Checklist
- Check whether Google Signals is enabled in your GA4 property
- If yes, ensure explicit consent is obtained before it activates
- Mention cross-device tracking in your cookie policy
- Implement Google Consent Mode v2 with all four parameters
- Test that Signals deactivation applies correctly when consent is refused
- Monitor the impact of data thresholding on your audience reports
- Document Signals processing in your GDPR records of processing activities
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Conclusion
Google Signals amplifies GA4's analytical power but introduces significant GDPR risk if consent is not properly managed. The ICO has acted against organizations transferring data to Google without a valid legal basis. A compliant consent setup protects your organization.
Scan your site for free to check your compliance: Free FlowConsent Scan