CNIL GA4 Compliance: 7-Step Server-Side Proxification Guide
CNIL proxy recommendations for GA4: IP reduction, client ID hashing, referrer suppression, page location cleaning, User-Agent reduction.
Why the CNIL Requires a Server-Side Proxy
In 2022, the CNIL (French data protection authority) ruled that using Google Analytics without additional protective measures constituted an illegal transfer of personal data to the United States. Even with the adoption of the Data Privacy Framework in 2023, the CNIL maintains its recommendations for server-side pseudonymization as best practice.
The principle is clear: interpose a proxy server between the user’s browser and Google’s servers. This proxy, which you control, transforms the data before transmitting it to GA4 to remove or pseudonymize anything that could allow Google to identify an individual.
The CNIL has defined seven precise pseudonymization steps. Each corresponds to a specific data type, and all must be implemented in your GTM Server-Side container.
Steps 1 and 2: IP Address and User Identifier
The first step is IP address reduction. Before any transmission to Google, your proxy must strip the last octets of the user’s IP address. In practice, this means truncating the last two octets for IPv4 (going from 192.168.1.42 to 192.168.0.0) and applying an equivalent reduction for IPv6. GA4 already applies IP anonymization, but the CNIL requires this operation to be performed on your server, before Google receives anything.
The second step is user identifier pseudonymization. The _ga cookie contains a client_id that uniquely identifies a browser. Your proxy must replace this client_id with an irreversible hash generated server-side. The hash must incorporate a salt that changes periodically to prevent re-identification. Specifically, in GTM Server-Side, you create a variable that reads the incoming client_id, applies HMAC-SHA256 with a salt, and overwrites the original value before transmission.
Steps 3 and 4: Referrer and page_location
The third step concerns removing the external referrer. The HTTP referrer indicates the previous page visited by the user. If that page is external to your site, it constitutes personal browsing data. Your proxy must strip the referrer when it points to a third-party domain, and only keep internal referrers for on-site navigation tracking.
The fourth step addresses cleaning the page_location parameter. URLs transmitted to GA4 may contain sensitive parameters: UTM parameters (which reveal marketing sources), query strings with identifiers, emails, or tokens. Your proxy must systematically clean these parameters. Keep the page path (/products/shoes) but strip query strings before transmission.
Steps 5 and 6: User-Agent and Cross-Site Identifiers
The fifth step is User-Agent processing. The browser’s User-Agent string contains detailed information about the operating system, browser version, and sometimes the device model. Combined together, this information constitutes a potential fingerprint. Your proxy must reduce the User-Agent to its most generic components: browser family and operating system, without precise version or device details.
The sixth step prohibits the transmission of cross-site identifiers. Your proxy must not transmit any data that would allow Google to track a user across multiple sites. This includes third-party cookies, advertising identifiers (gclid, dclid), and any cross-domain tracking parameter. If you use GA4’s cross-domain tracking, the _gl parameter must be intercepted and handled exclusively server-side.
Step 7: Residual Sensitive Data
The seventh step is a safety net. It requires the removal of any other data that could enable identification: unhashed email addresses, phone numbers, CRM identifiers accidentally transmitted in event parameters.
In practice, this step requires a regex audit on all outgoing parameters to detect and remove email, phone, and personal identifier patterns.
All of these transformations are configured in GTM Server-Side via variables and transformations applied to the GA4 client and GA4 tag. Platforms like Addingwell or Stape offer preconfigured templates that implement all seven steps. The setup remains technical and requires rigorous consent management upstream to be fully compliant.