
1. Your cookie banner is just for show
The fastest way to lose half your marketing data is a cookie banner that does not actually fire consent signals.
We see this most on sites built with newer AI tools: Lovable, Replit, the rest of the no-code stack. The banner looks fine. The technical backend is not connected.
Click "accept" and nothing happens in the dataLayer. No granted parameter. No denied parameter. No ad_storage, no analytics_storage. The button is there to look like a button, not to act like one.
The cost is brutal:
GA4 stops recording any session without an explicit consent signal
Google Ads blocks the conversion entirely, so your campaign data goes dark
GTM either fires Meta tags regardless of consent, a GDPR violation, or blocks them entirely and you lose the data.
The fix is technical, not visual. Behind every accept and reject click, you need a dataLayer push that writes the right consent state. If you are using Cookiebot, OneTrust, or a custom setup, the implementation guide is your starting point. If you built the banner with AI, ask the same AI to add a dataLayer push with the proper consent variables, and then test it.
Then verify. Open the GTM debug console, click accept, and check that consent variables flip to granted. If nothing changes, your banner is decoration.
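The fix and the check described above, as an added example (not code from this article or from any CMP vendor). The handler name `onBannerChoice`, the audit helper `auditConsent`, and the in-memory `dataLayer` stand-in are assumptions for illustration; `ad_user_data` and `ad_personalization` are the two additional Consent Mode parameters alongside the `ad_storage` and `analytics_storage` named above.

```javascript
// Added example: stand-in for the page's dataLayer so this runs outside a browser.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); } // the usual gtag shim

const CONSENT_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Run before any tag loads: everything is denied until the visitor chooses.
function setConsentDefault() {
  gtag('consent', 'default', Object.fromEntries(CONSENT_KEYS.map((k) => [k, 'denied'])));
}

// Hypothetical banner handler, wired to BOTH the accept and the reject button.
// `choice` is { marketing: boolean, analytics: boolean } taken from the banner UI.
function onBannerChoice(choice) {
  const v = (ok) => (ok ? 'granted' : 'denied');
  gtag('consent', 'update', {
    ad_storage: v(choice.marketing),
    ad_user_data: v(choice.marketing),
    ad_personalization: v(choice.marketing),
    analytics_storage: v(choice.analytics),
  });
}

// Verification: replay the gtag-style consent commands found in a dataLayer and
// return the effective state. `decorative` is true when no click ever produced
// an 'update'; `missing` lists consent keys that were never given a value.
function auditConsent(layer) {
  const state = {};
  let updated = false;
  for (const entry of layer) {
    const [cmd, mode, values] = Array.from(entry || []);
    if (cmd !== 'consent' || !values) continue; // ignore ordinary events
    if (mode === 'update') updated = true;
    if (mode === 'default' || mode === 'update') Object.assign(state, values);
  }
  const missing = CONSENT_KEYS.filter((k) => !(k in state));
  return { state, updated, missing, decorative: !updated };
}
```

In a browser console, `auditConsent(window.dataLayer)` after clicking the banner gives the same answer as the GTM debug view, provided the banner pushes gtag-style consent commands.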
2. Stop using custom conversions on Meta
Custom conversions feel like the right call. Specific names. Clean reporting. A unique conversion per form.
Meta's algorithm does not see it that way.
Standard events (Lead, Contact, Purchase, AddToCart) carry more weight in Meta's optimization. Custom conversions can work, but they sit on top of a standard event, and that extra layer costs you. Meta's model is trained on billions of standard event signals across all advertisers. That shared signal history is baked in. Custom conversions don't inherit it.
The result is that the same campaign, same audience, same creative will typically optimize better when the conversion is a standard event with a specific trigger underneath, not because your data becomes more accurate, but because Meta's algorithm recognises and values standard events at a deeper level. It is the same principle that runs through any serious PPC playbook for Meta and Google in Belgium: give the algorithm signals it already understands, and it will spend smarter.
As Ruben (Senior Tracking & Analytics Expert at Fightclub) puts it: "One standard event, multiple triggers. Not one custom event per form."
Practically:
If you have a contact form and a quote form, both push the Lead standard event with different parameters underneath, not 2 custom events
If you have multiple thank you pages, the trigger fires the same Lead event regardless of which page
Reserve custom conversions for the rare cases where the standard taxonomy genuinely does not fit (a price calculator, a niche micro conversion)
The exception is when the action is genuinely outside Meta’s taxonomy. Then a custom event is fine. But the default should be standard.
3. The GDPR violation in your enhanced conversions
Most agencies are sending personal data to Google and Meta in plain text. Names. Emails. Phone numbers. Sent unhashed. It is a GDPR violation.
Enhanced conversions on Google Ads, and the equivalent setups on Meta, exist to compensate for cookie loss. They match offline conversions back to ad clicks using customer data. Done correctly, they recover meaningful attribution. Done incorrectly, they hand identifiable data to US platforms in a way European law does not permit.
The fix is hashing. Hashing means running the email, name, or phone number through a one-way function that turns it into an unreadable string of characters before it leaves your stack. Google can still match the hash against their internal database. Nobody can read the original data from the wire.
But hashing alone does not make you GDPR compliant. You still need valid consent before sending any personal data, hashed or not. A hashed email is still personal data under GDPR if it can be linked back to an individual. The hashing protects the data in transit. It does not replace consent.
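Both conditions together, consent first and then hashing, as an added example (not code from this article, Google, or Meta). The function names are hypothetical; the output keys follow Google's naming for pre-hashed `user_data` fields, the consent gate assumes the Consent Mode `ad_user_data` signal, and the sample inputs in the comments are constructed.

```javascript
// Added example. Node's crypto keeps it runnable offline; in a browser tag the
// same digest comes from crypto.subtle.digest('SHA-256', ...).
const { createHash } = require('crypto');

const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Normalise before hashing, otherwise ' Jane@Example.COM ' and
// 'jane@example.com' produce different hashes and the platform cannot match.
function normalizeEmail(raw) {
  const email = String(raw || '').trim().toLowerCase();
  return /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email) ? email : null;
}

// Keep only numbers already in international (+country code) form; a national
// number cannot be normalised without knowing the country, so it is dropped.
function normalizePhone(raw) {
  const phone = String(raw || '').replace(/[\s().-]/g, '');
  return /^\+[1-9]\d{6,14}$/.test(phone) ? phone : null;
}

// Returns the user_data object for the tag, or null when nothing may be sent.
// `consent` is the visitor's current consent state, e.g. as set by the banner.
function buildUserData(form, consent) {
  if (!consent || consent.ad_user_data !== 'granted') return null; // no consent, no send
  const out = {};
  const email = normalizeEmail(form.email);
  const phone = normalizePhone(form.phone);
  if (email) out.sha256_email_address = sha256Hex(email);
  if (phone) out.sha256_phone_number = sha256Hex(phone);
  return Object.keys(out).length ? out : null;
}

// Last check before the network: does a payload still carry something that
// looks like a raw email address or phone number?
function containsPlainPII(payload) {
  const text = JSON.stringify(payload);
  return /[^\s"@]+@[^\s"@]+\.[a-z]{2,}/i.test(text) || /\+\d[\d\s().-]{6,}/.test(text);
}
```

Running `containsPlainPII` over what the tag manager is about to send is a quick way to audit an existing setup for unhashed fields.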
Why does it keep happening? Two reasons:
Google and Meta are American companies. Their docs barely mention hashing because most of their customer base does not need to comply with GDPR
Hashing is unintuitive. Sending an email looks normal. Sending a 64 character string of letters and numbers looks weird, so people skip it
Big spenders have already been caught. Bol.com is the public example. The fines are not widespread yet, but the legal exposure is real, and it is only a matter of time before the Belgian and Dutch regulators catch up to the wider EU.
Joren (Head of Tracking & Analytics at Fightclub): "5 years ago this was fine. Today it is a fine waiting to happen."
If you are running enhanced conversions, audit what is leaving your tag manager today. If your client’s privacy team has not signed off on the hashing setup, get it in writing.
4. Conversion definitions nobody bothered to align
This one is mundane and expensive.
GA4 is configured to count a "contact" as a thank you page view. Google Ads is configured to count it as a form submission. Meta is configured to count something else again, usually a custom event with its own definition.
You think you are comparing the same conversion across 3 platforms. You are comparing apples to pears.
The downstream effect is the worst kind of bad data: it looks consistent enough to act on. Google Ads "performs better" than Meta because the GA4 thank you page event fires twice on refresh and Meta’s event does not. The CFO reallocates budget. Meta gets cut. The actual customer behavior was identical.
The fix is a one off, then a discipline:
Document every conversion you measure, in plain language
Define exactly which user action triggers it
Configure that same action across GTM, GA4, Google Ads, and Meta
Audit quarterly, because someone will rebuild a tag without telling you
The discipline is the hard part. Naming conventions, ownership, sign off before any new conversion goes live. Nobody finds it sexy. It is the foundation.
5. GA4 is not your source of truth
The most common request we get from clients new to Fightclub: "Can you build us a GA4 dashboard so we have one source of truth?"
We push back every time. GA4 is excellent for behavior, trends, and on site flow. It is not your source of truth. Four reasons:
GA4 blocks any data without explicit consent. If 30% of your visitors reject cookies, 30% of your revenue could be missing from the report, unless Advanced Consent Mode is configured. With Advanced Consent Mode, GA4 uses behavioral modeling to estimate the conversions it cannot observe directly. It is not perfect, but it closes most of the gap.
Consent is not the only blind spot. Ad blockers and privacy-focused browsers like Brave or Firefox block tracking scripts regardless of what the user consents to. That traffic is invisible by default, and no consent mode fixes it.
GA4 always favors Google attribution over Meta. The platform's data-driven attribution model is biased toward the parent company. Use only GA4 and Meta will look worse than it actually is.
GA4 numbers will never match your CMS, your CRM, or your bank. The discrepancy is not a bug. It is the architecture.
The only real source of truth is the system that records the money or the lead. That is also where genuine data-driven marketing starts: from the data your business already trusts to close its books.
For ecommerce: Shopify, your ERP, or your bank
For B2B: your CRM (HubSpot, Salesforce, Pipedrive)
For appointment based services: the booking system
The platforms that stitch true cross channel attribution exist (Billy Grace and similar), but they cost roughly €500 to €600 per client per month and require real engineering. Most brands are not there yet. That is fine. Use the platform data for trends and optimization. Use the back end for board level reporting. When the CFO asks why the numbers do not match, point to GA4’s consent blocking and Google’s attribution bias. That is the answer.
What to do next
Five fixes the team can run this week:
Audit your cookie banner. Open GTM debug, click accept, and verify the consent variables flip to granted. If they do not, your banner is decoration
Switch Meta custom conversions to standard events with triggers underneath. Watch CPA over the next 4 weeks
Check whether your enhanced conversions are sending hashed or plain data. If plain, fix it now. But hashing is only half the story: make sure you have valid consent before sending any personal data in the first place. Hashed or not, sending personal data without consent is still a GDPR violation. The exposure is not theoretical.
Document every conversion across GA4, Google Ads, and Meta. Where they do not match, decide on the source definition and align the others
Stop reporting GA4 as your source of truth. Switch to your CRM or your back end for board reports. Use GA4 for behavior and trends only
None of these are glamorous. Tracking never is. That is why so much of the industry is still running on a setup that has not been audited since 2021.
The bottom line
Five years ago GDPR was not enforced for Google and Meta. Today it is. Five years ago AI-built sites did not exist. Today every third client builds them. Five years ago the platforms were not this strict on consent. Today they block data silently when consent is not right.
If your tracking setup has not been touched in 2 years, it is leaking. The leak is not always visible in the dashboard. Sometimes the dashboard looks healthier than reality, which is worse.
Audit it. Fix the foundation. Then layer the dashboards, the AI tools, and the attribution models on top.