WordPress GDPR compliance setup for Analytics and Google ads

When your consent banner “works” but your tracking dies

You don’t notice it the day you install a GDPR cookie banner. You notice it when Google Ads starts spending, bookings feel the same, and Analytics suddenly looks like a ghost town. Sessions drop, conversions disappear, and every report becomes “Direct” or “Unassigned”. At that point you are not compliant and informed. You’re blind, and still paying for traffic.

This page is for owners who run (or plan to run) Google Ads and need Analytics to stay usable under GDPR. It’s also for owners who are tired of plugins that promise compliance and quietly break measurement. If you want to keep tracking exactly as before without consent, or you want someone to sign off legal responsibility, this will feel uncomfortable, and we are not for you.

Most small hotels and rentals in Halkidiki and Thessaloniki end up here after a well-meaning “GDPR fix” by a developer, a plugin, or a cousin who watched a YouTube video. The banner shows, the site loads, and everyone relaxes. Then the season starts, you add budget, and you realise you can’t tell which keyword or campaign is paying the bills. We’ve seen this fail many times, and it usually breaks in the same boring places.

The real operational problem: you can’t connect spend to bookings

GDPR is not the main pain. The pain is what happens after a broken setup: you keep spending on ads while the data that should guide decisions stops flowing. Owners then react the only way they can. They cut budgets too late, they blame the market, or they keep spending because “it must work”.

When tracking breaks, you lose more than pretty charts. You lose the ability to answer simple questions that decide profit. Which campaigns bring booking requests, which audiences waste money, and whether mobile traffic is actually converting or just browsing.

If you want to check what Google considers “consent mode” and why it exists, read Google’s own overview: https://support.google.com/google-ads/answer/10000067 and the more technical guide at https://developers.google.com/tag-platform/security/guides/consent. It’s not law, but it explains the mechanism that most modern setups rely on.

Consent in plain terms: what you can measure, and when

On a tourism site, measurement has two modes: before consent and after consent. A good setup makes both modes predictable, so you know what your reports mean. A bad setup mixes signals, blocks too much, or fires too early, and then you get fake certainty.

Before consent, you should assume you cannot place marketing cookies and you cannot run full Analytics tracking the old way. Depending on configuration, you may still send limited “pings” that are designed to respect the user’s choice. These pings can help platforms model aggregated performance, but they won’t look like normal user-level tracking in GA4.

After consent, you can measure properly, meaning GA4 can set cookies and collect user interactions, and Google Ads tags can record conversions and build audiences. This is the part owners care about, because it restores the link between ad spend and outcomes. The point is not to track everyone. The point is to track correctly when you are allowed to.

If you want the legal background in one neutral source, the ePrivacy rules around cookies are summarised here: https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communications_Directive and the GDPR itself is here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation. You don’t need to become a lawyer to run a hotel, but you do need to understand that “banner present” is not the same as “tracking is configured properly”.

What changes after this is set up correctly

You stop guessing whether the numbers are real. GA4 starts showing traffic sources that make sense again, and Google Ads has conversion signals it can actually use. Your reports won’t be perfect, because consent reduces the amount of identifiable data, but they become consistent enough to manage budget without superstition.

Owners usually notice the change in two places first. Campaign decisions get calmer, because you can see patterns again. Also, the conversations with whoever runs your ads become less emotional, because you can both look at the same reality, even if it’s imperfect.

There’s also a quieter change. Your site stops leaking tags that fire without consent, which reduces risk and removes the false safety of “we installed a GDPR plugin”. You end up with a system where the banner, Tag Manager, GA4, and Google Ads agree with each other. That alignment is what keeps things stable after updates.

What this does not solve (important)

This does not make poor campaigns profitable. If your ads are targeting the wrong countries, if your landing pages are confusing, or if your booking engine is a mess, tracking won’t save you. It will only show you the problem faster, which is still useful.

It also does not remove the need for proper legal text and policy decisions. We don’t decide what you should claim in your privacy policy, and we don’t tell you what your legal basis is. We implement the technical behavior you choose with your legal advisor, or with the cookie tool settings you approve.

And it does not magically recover historical data. If you’ve been running blind for months, we can restore measurement going forward. Your past season will still be missing pieces, and that’s part of the cost of a broken setup.

Who this is for, and who it is not for

This is for owners who want usable measurement and are willing to accept that consent affects data. It’s for businesses that want a clean, auditable setup that survives plugin updates and theme changes without quietly drifting. It’s also for owners who want one place to check if tracking is alive, instead of asking three people and getting three answers.

It’s not for you if you want to track marketing cookies before consent because “everyone does it”. It’s not for you if you want us to argue with your lawyer or write your legal documents. It’s not for you if another agency is actively changing your tags and you want us to “just fix it” without controlling access, because that usually breaks again and everyone blames everyone.

What we set up on WordPress (and what you will notice)

A WordPress site usually has tags coming from too many places. A theme adds a pixel, a plugin adds GA, a booking engine injects scripts, and then Tag Manager sits on top like a second steering wheel. The result is double counting, missing consent, or tags firing in the wrong order. The fix is not “add another plugin”. The fix is deciding what tool is the source of truth and making the rest behave.

We implement a consent-aware tracking setup that keeps GA4 and Google Ads usable without pretending GDPR doesn’t exist. The goal is simple: when consent is not given, tags behave in a restricted mode. When consent is given, tags behave normally. And you can verify the difference without guessing.

• Consent banner behavior configuration: what categories exist, what “Accept” and “Reject” actually do, and how the default state behaves before the user clicks.
• Google Tag Manager alignment: one container as the controlled entry point for marketing and analytics tags, with clear firing rules tied to consent state.
• GA4 configuration consistent with consent: measurement settings, tag firing, and avoiding duplicate GA4 implementations from plugins or themes.
• Google Ads conversion and remarketing signals wired to consent: so Ads can receive allowed signals after consent and restricted signals before consent, instead of nothing.
• Basic event signals needed for ads decisions: the minimum set of meaningful actions (for example, booking inquiry submit, phone click, email click) implemented as trackable events when consent allows it.
• Verification steps: checks that data is flowing, that consent changes behavior, and that tags are not firing twice or firing outside the rules.

You’ll notice fewer “mystery” spikes in conversions and fewer days where Analytics says you had 20 users but you had 8 inquiries. You might also notice that your total GA4 users are lower than the old Universal Analytics era. That’s normal, and it’s better than lying to yourself with inflated numbers.

How broken GDPR setups usually fail (so you can recognise it)

One common failure is the banner blocks everything, including the tags that should run in restricted mode. Owners then see almost no data and assume “GDPR killed marketing”. No, the implementation killed measurement. Consent mode exists specifically to avoid this all-or-nothing behavior, but it has to be configured, not wished into existence.

Another failure is the opposite. Tags fire immediately, then the banner appears, and the site is technically collecting before consent. That can happen when GA4 is injected by a plugin in the header while the cookie tool only controls scripts added later. It looks fine until someone audits it, or until you try to align it with Ads and you get inconsistent attribution.

A third failure is duplication. GA4 is installed via a plugin and also via Tag Manager, so every event fires twice. Google Ads conversions then get counted twice, Smart Bidding learns nonsense, and you end up paying more for the same bookings. Owners often blame Google for this, but it’s usually just two tags doing the same job badly.

If you want a reference for why tag duplication and tracking issues matter for decision-making, Ahrefs has a solid explanation of attribution and tracking limitations that is still readable for owners: https://ahrefs.com/blog/google-analytics-alternatives/ and for the advertising side, Google’s explanation of conversion tracking basics is here: https://support.google.com/google-ads/answer/6095821.

What you can realistically measure after consent (and what will be limited)

After consent, you can measure sessions, sources, landing pages, and events like form submissions or click-to-call, assuming those are implemented cleanly. You can also measure Google Ads conversions in a way that is usable for bidding and reporting. That is the core business need: you want your ad platform to optimise based on something real, not on random pageviews.

What will be limited is full visibility into every user journey. Some users will not consent, some browsers block more by default, and some traffic will always be fuzzy. The point is not to eliminate fuzziness. The point is to make the fuzziness predictable, so your decisions are still grounded.

If your booking happens on a third-party engine, measurement depends on what that engine allows. Some engines support proper cross-domain tracking and event callbacks, some do not. We’ll tell you what is possible with your current setup, and what is not, without pretending.

Verification: how you know you’re not running blind anymore

A working setup is one you can test without faith. You should be able to open the site in a fresh browser, reject consent, and see that marketing tags do not behave like full tracking. Then accept consent and see GA4 events and Ads conversions behave normally. If the difference is not visible, something is off.

We verify with real checks, not “it should work”. In practice that means inspecting tag firing in Tag Manager preview, confirming GA4 receives events, and confirming Google Ads sees conversion signals. We also check for duplicates and for tags injected outside Tag Manager, because WordPress loves to add “helpful” scripts in unexpected places.

Owners usually feel relief when they can answer one question again: “Did this campaign bring inquiries, yes or no?” Not perfectly, not with courtroom certainty, but with enough confidence to move budget without fear. If you can’t answer that, you’re not marketing. You’re gambling with better graphics.

When this is a bad fit

This is a bad fit if you don’t control your WordPress admin and you can’t provide access, because we can’t verify anything reliably. It’s also a bad fit if your current “cookie solution” is hard-coded by a developer who is no longer available, and you don’t want to change it. In that case, you’re stuck with a system that can’t be maintained.

It’s also a bad fit if another agency is actively managing your Tag Manager and Google Ads and won’t coordinate. Consent and tracking are system-level decisions. If two teams keep changing tags, you will get drift, and by August you will be back to arguing about whose numbers are correct.

Finally, it’s a bad fit if you expect this to solve low demand. Tracking can show you the truth. It can’t create a market, and it can’t fix a property that is priced wrong for its photos and reviews.

What we do not do

We do not provide legal advice, legal opinions, or legal documents. We are not your lawyer, and we won’t pretend. We also do not decide what your consent categories “should” be from a legal standpoint. We implement the technical behavior based on your chosen cookie tool and your decisions.

We also don’t run social media campaigns, and we don’t optimise campaigns while another agency has access to the same accounts. That turns into messy responsibility fast, and it usually ends with broken tracking again.

If you need a reminder of why “consent” and “legitimate interest” are not the same thing, and why cookie rules are separate from GDPR in practice, the UK ICO has a clear explainer that many owners find easier to read than legal text: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/

What we need from you to do this properly

If you contact us, we will ask for a few boring things. Boring is good here, because it means fewer surprises later. If you can’t provide these, it’s a signal that the project will turn into chasing access instead of fixing measurement.

We typically ask for WordPress admin access so we can see what is actually installed and where scripts come from. We also need to know what cookie tool you currently use, if any, because changing tools is sometimes the cleanest fix, and sometimes it’s not worth the disruption. And we need to know if you run Google Ads now, because the verification steps are different when Ads is live.

Not sure where to start? Contact our local team for friendly, personalised advice and to arrange a meeting in person.

Make the decision like a business owner, not like a victim of plugins

If you spend money on Google Ads, measurement is part of the cost of advertising. Without it, you will overpay for bookings and never be sure why. With it, you can still make mistakes, but you will see them earlier and correct them with less drama.

The decision is not “Do I need GDPR?” You already do. The decision is whether you want a consent setup that keeps your marketing measurable, or a banner that makes everyone feel safe while you run ads blind. If you want the first, send us your site URL, tell us what cookie tool is currently installed, and whether Google Ads is running right now.

No shortcuts. No noise. Data analysis. Use only what works.