datakant
Sign inRequest a demo
BlogPrivacy & GDPRIssue 004
004 · Field NotesPrivacy & GDPRMay 19, 2026 · 12 min read

Why GA4 will never show you 100% of users — and privacy-first tools can.

Consent banners, data modeling, browser restrictions, ITP, ETP, and the legal constraints behind every "(other)" row in your GA4 reports. We walk through where 30–60% of visitor data disappears and what a privacy-first architecture actually does differently.

SF
Sascha Fuß
Founder & CEO · datakant
Key takeaways · TL;DR
  • GA4 inherently misses 30–60% of EU visitors due to five compounding factors, none of which you can fix in the dashboard.
  • Consent banners alone hide 35–65% of European traffic; ad blockers, ITP, ETP, and DNS-level blocking erase another slice each.
  • By never collecting personal data, privacy-first architecture removes the consent requirement — visitor counts become complete.
  • EU-only hosting eliminates the Schrems II legal exposure that comes with sending visitor data to Google’s US infrastructure.

If you run Google Analytics 4 on a European website, you are almost certainly making decisions based on incomplete data. Industry research consistently shows that GA4 misses between 30% and 60% of actual visitors on a typical EU site. This is not a bug — it is a structural consequence of how GA4 works, the legal environment it operates in, and the browser ecosystem it depends on.

This article breaks down exactly why GA4 loses data, what mechanisms are responsible, and how a fundamentally different architecture — one that removes the need for consent by never collecting personal data — can deliver full visibility while staying fully GDPR-compliant.

The five layers of data loss in GA4

GA4’s data gap is not caused by a single factor. It is the compound result of five independent mechanisms, each removing a slice of your visitors from the data set.

1. Consent mode and cookie banners

Under the GDPR and the ePrivacy Directive, any tool that sets cookies or processes personal data for analytics requires explicit, informed consent from the visitor before data collection begins. GA4 uses cookies (_ga, _gid) and sends the visitor’s IP address to Google’s servers in the United States — both of which constitute personal data processing under EU law.

Cookie consent opt-in rates · by region
EU · 2025–2026
Germany
35–50%
France
40–55%
Nordics
45–60%
Southern EU
50–65%
Invisible to GA4 (no consent) Tracked by GA4
Source: Cookiebot, Usercentrics, IAB Europe TCF aggregate data 2025

Google’s “Consent Mode v2” attempts to patch this by sending cookieless pings for non-consented visitors, then using machine learning to model the missing data. But this introduces a different problem: the numbers in your dashboard are not measured data — they are statistical estimates.

2. Ad blockers

Ad blockers block requests to google-analytics.com and googletagmanager.com at the network level. Ad blocker usage in Europe:

  • Desktop: 30–42% of users run an ad blocker
  • Mobile: 15–20%, growing with Brave and Firefox Focus
  • Tech-savvy audiences: 50–70% (developer sites, SaaS, fintech)

3. ITP and ETP

Apple’s Safari (ITP) caps JavaScript-set cookies to 7 days. Mozilla’s Firefox (ETP) blocks known tracking domains. Together they account for 30–40% of EU web traffic with corrupted session data.

4. Network-level blocking

Pi-hole, AdGuard Home, corporate firewalls, and VPNs with built-in blocking prevent google-analytics.com from resolving entirely. Zero signal reaches Google.

5. Data sampling and processing delays

GA4’s free tier applies data sampling on large date ranges. Combined with 24–48 hour processing delay, you’re making decisions on modeled, sampled, delayed data.

The compound effect: what you are actually seeing

These five factors stack. Each one cuts a slice from what remains after the previous one.

Where your visitors actually go · German B2B SaaS (typical)
Compound loss · waterfall
All actual visitors
Page-load events on your server
100% baseline
100%
After cookie consent
−55% · banner rejection
45% consented
−55% lost to consent
45%
After ad blockers
−16% of total
29% reach GA4
−16%
consent loss
29%
After ITP / ETP corruption
−10% have misattributed sessions
19% accurate
81% missing or modeled
19%
GA4 shows accurate, complete data for roughly 19–29% of your actual EU traffic.

This is not a worst-case scenario. The 19–29% figure assumes typical German B2B traffic. For developer tools or fintech, it drops below 15%.

How privacy-first architecture solves this

The core insight: if you never collect personal data, you don’t need consent. Remove the personal data, remove the consent requirement.

“The visitor’s privacy is protected by architecture, not by a consent dialog. The outcome is better for both parties.”— Internal datakant design principle

1. No cookies, no persistent identifiers

datakant uses first-party localStorage for session continuity. No _ga cookie, no third-party cookie. ITP and ETP have nothing to restrict.

2. IP addresses are discarded, not stored

The raw IP is used for a single city-level geo lookup against a locally bundled MaxMind database, then immediately discarded. Never written to disk.

3. First-party, same-origin requests

Data goes to collect.yourdomain.com, not google-analytics.com. Ad blockers have no reason to block it.

The ad-blocker bypass is not a hack. It’s a natural consequence of first-party architecture — no domain masking, no proxy trickery.

4. EU-only data residency

All data processed and stored on Hetzner Cloud in Germany. No Schrems II risk.

What “100% tracking” actually means

Every visitor who loads your page is counted. No consent gate, no blocked domain, no capped cookie. This does not mean collecting personal data without consent — no personal data is collected.

Side-by-side: GA4 vs datakant

FactorGA4datakant
Consent required Yescookies + IP sent to US Nono PII collected
Ad blocker impact 30–42%blocked at network 0%first-party endpoint
ITP / ETP impact Cookie cap7-day reset, inflated users Unaffectedno cookies used
Data sampling Yeson long date ranges, free tier Neverraw counts always
Processing delay 24–48 hbatched processing Real-timesub-second ingest
Data residency USGoogle Cloud, multi-region EU onlyHetzner, Germany
Schrems II risk YesUS transfer, FISA 702 Nonedata never leaves EU
Typical data coverage 19–29%of actual EU visitors ~100%of actual EU visitors

GDPR’s purpose is to protect individuals from being identified, profiled, and targeted. Privacy-first analytics achieves this better than consent-based tools:

  1. No personal data is processed. GDPR Art. 4(1) does not apply.
  2. No cross-site tracking. Each property is isolated.
  3. No profiling. No persistent identifiers tied to a person.
  4. Legitimate interest applies under Art. 6(1)(f).

Conclusion

GA4’s data gap is structural, not fixable. Privacy-first tools eliminate the consent gate, the ad-blocker problem, and the browser restriction problem simultaneously. Complete, accurate, real-time data — with stronger privacy guarantees than GA4.

Sources cited

  1. Cookiebot Consent Barometer 2025
  2. IAB Europe TCF Transparency Report
  3. Statista Ad Blocker Usage 2025
  4. CJEU C-582/14 (Breyer v. Bundesrepublik)
  5. CNIL Audience Measurement Exemption
Try it on your own site

See your real numbers in 7 days.

Drop the snippet, get full data from day one, and run a GA4-vs-datakant chart at the end of the week. No credit card. EU-hosted.

Request a demo

More from Field Notes

Privacy & GDPRMay 511 min

How to design a tracking setup that works without consent.

Step-by-step guide to architecting analytics that never collects personal data.

Read article
GA4 alternativesApr 219 min

Why server-side tracking alone does NOT fix your data quality.

Server-side GTM still needs cookies, consent, and client-side JS.

Read article
GA4 alternativesApr 710 min

How Google Consent Mode actually works (and why it still loses data).

Technical teardown of GA4 Consent Mode v2: cookieless pings and data modeling.

Read article