Anonymizer power-up
Updated Jul 13, 2026
The Anonymizer power-up helps you change, remove or mask specific fields in your events before they leave your sGTM container for Google Analytics 4 (GA4). You’ll still receive your event data, but with exactly the level of privacy you’ve chosen to apply. Use the power-up to stay compliant with privacy regulations such as GDPR and CCPA without changing your existing tagging setup.
When using this power-up, you need to keep in mind the following trade-offs with these settings:
- IP address – GA4 location reports become less precise.
- Client ID – user counts and returning user metrics may fragment.
- General / System info – you lose only the fields you remove – user level, device, or session detail.
- Ads campaign attribution – campaign and ad-click attribution in GA4 breaks.
Anonymizer is available on the Free subscription plan and higher. To check your current plan or upgrade, go to your sGTM container settings.
Important:
How to set up Anonymizer
1. Log in to your Stape account and select your sGTM container from the dashboard.

2. Go to Power-ups and click Use next to the Anonymizer panel.

3. Toggle the Anonymizer switch to enable it.

4. Configure each parameter group:
- IP – identifies a specific device, so it carries the highest identification risk. Select the mode by how much geographic detail you need to keep:
- Leave as is – no changes applied. Your geo accuracy is kept in full.
- Anonymize – removes the last octet. The precision becomes lower, keeping roughly region-level geo. For example, 203.0.113.42 becomes 203.0.113.0
- Anonymize Strict – removes the last two octets. The masking is stronger, geo becomes coarser. For example, 203.0.113.42 becomes 203.0.0.0.
- Anonymize Smart (IP only) – replaces the IP with a static IP from the same country. Keeps country-level geo without exposing the real IP. Anonymize Smart uses MaxMind GeoLite2 data.
For IPv6 traffic, the Anonymizer power-up truncates trailing segments. In the sGTM debugger you may see something like _uip=2a09:bac5:4887:: with the last segments zeroed out.

- Client ID – identifies a specific person, so it carries the highest identification risk. Affected parameters are described in a table below:
- Leave as is – no changes applied.
- Anonymize – hashes IP and client ID, then appends the year and month. JS client ID, _ga, _ga_*, FPLC, and FPID cookies are removed.
- Anonymize Strict – hashes IP and client ID, then appends a timestamp. JS client ID, _ga, _ga_*, FPLC, and FPID cookies are removed.
Client ID parameters
| Parameters | Keys | Description |
| Client ID | cid | ID that’s used to distinguish users. |
| JS Client ID | jscid | JavaScript-managed client ID passed in the request. |
| Cookies | _ga | Primary GA4 user cookie, stores the client ID. |
_ga_* | GA4 session cookie, persists session state per container. | |
FPID | First-party Identifier cookie that’s invisible to client-side JavaScript. This makes it more secure and much more resistant to ad-blockers and browser privacy protections like Apple's Intelligent Tracking Prevention, which heavily restrict the lifetime of client-set JavaScript cookies. | |
FPLC | First-party linker cookie. This is a hashed version of the FPID cookie that can be accessed by JavaScript. It allows GA4 to attach this identifier to links when users navigate across domains, which helps your sGTM container stitch the user session together. |
Note:

- General info – user and session identifiers, and visit history. Removing them limits user-level and session-level analysis in GA4. Affected parameters are described in a table below:
- Leave as is – no changes applied.
- Remove – removes the parameters.
General info parameters
| Setting | Parameters | Keys | Description |
| User ID | User ID | uid | Logged-in user ID. |
| Google Developer ID | gdid | Google Developer ID for apps using Google SDKs. | |
| Firebase ID | _fid | Firebase installation ID in apps. | |
| Session ID | Session ID | sid | GA4 session ID. |
| Session ID in UA | _gid | GA4 cookie used to store and update a unique 24-hour identifier for each user session. | |
| User Session ID | _u | Encoded session metadata in the GA4 request. | |
| New Session ID | _nsi | New session indicator. | |
| Legacy session data | _utmz, _utmb, _utmc, _utmht, _utma | Legacy Universal Analytics cookies for campaign source, session timing, and visit history. May still appear if legacy tracking is present. | |
| Query parameters | Query parameters in Document Location | _dl | Full page URL sent to GA4, including any query string (?utm_source=…, ?gclid=…, etc.). |
| Referer | Referrer header | referer | HTTP Referer header from the browser. |
| Document Referrer parameter | dr | Document referrer sent to GA4. Together with referer they tell GA4 which site the visitor came from. | |
| Session Count | Session Count | sct | Number of sessions the user has had on your site. |
| Session Engagement | Session Engagement | seg | Whether the current session counts as engaged. |
| Join ID for DoubleClick beacon | Join ID for DoubleClick beacon | jid | Used to link GA4 hits with DoubleClick/Google Marketing Platform beacons. |
| Tracking code version | Tracking code version | gjid | Internal identifier for the tracking code version in use. |

- System info – device and environment details. Removing them weakens device and technology reports and reduces the surface for fingerprinting. Affected parameters are described in a table below:
- Leave as is – no changes applied.
- Remove – removes the parameters.
System info parameters
| Setting | Parameters | Keys | Description |
| User agent | User-Agent header | user-agent | Full browser User-Agent string from the HTTP header. |
| Client Hints header | sec-ch-ua, sec-ch-ua-platform, sec-ch-ua-mobile | Client Hints headers with structured browser/device info. | |
| UA parameter | ua | User-Agent sent to GA4 as a request parameter. Used for device, browser, and OS reports. | |
| User country | Geographical ID | geoid | Geographic identifier sent to GA4, often derived from IP geolocation. |
| Current country | _uc | User country code. | |
| Browser plugins | Java Enabled | je | Whether Java is enabled in the browser. |
| Flash Version | fl | Flash Player version. Rarely used in modern reporting. | |
| Screen info | Screen resolution | sr | Physical screen resolution. |
| Viewport size | vp | The visible browser area. | |
| Screen colors | Screen Colors | sd | Screen color depth. |
| User language | Browser active locale | seg | Browser language setting. |

- User agent parsed – the individual Client Hints fields. Remove them to drop granular device detail while keeping the raw user agent, or vice versa. Affected parameters are described in a table below:
- Leave as is – no changes applied.
- Remove – removes the parameters.
User agent parsed parameters
| Setting | Parameters | Keys | Description |
| User agent architecture | User agent architecture | uaa | CPU architecture. |
| User agent bitness | User agent bitness | uab | CPU bitness. |
| User agent full version list | User agent full version list | uafvl | Full browser version string. |
| User agent mobile | User agent mobile | uamb | Whether the browser is on a mobile device. |
| User agent model | User agent model | uam | Device model when available. |
| User agent platform | User agent platform | uap | Operating system platform. |
| User agent platform version | User agent platform version | uapv | Operating system version. |
| User agent WOW64 | User agent WOW64 | uaw | Screen color depth. |

- Ads campaign attribution – UTM, ad-click data such as source or medium. Affected parameters are described in a table below:
- Leave as is – no changes applied.
- Remove – removes the parameters.
Warning:
Ads campaign attribution parameters
| Setting | Parameters | Keys | Description |
| Campaign medium | Campaign medium | cm | UTM medium (for example, cpc, email, organic). |
| Campaign source | Campaign source | cs | UTM source (for example, google, newsletter). |
| Campaign name | Campaign name | cn | UTM campaign name. |
| Campaign content | Campaign content | cc | UTM content – differentiates ads or links within the same campaign. |
| Campaign ID | Campaign ID | ci | Campaign ID from your ad platform. |
| Campaign term | Campaign term | ck | UTM term – usually the paid keyword. |
| Campaign creative format | Campaign creative format | ccf | Creative format identifier for the ad. |
| Campaign marketing tactic | Campaign marketing tactic | cmt | Marketing tactic (for example, remarketing). |
| Google Ads ID | Google Ads ID | gclid | Google Click Identifier – auto-appended to URL when someone clicks a Google Ad. Stored in _gcl_* cookies by the Conversion Linker. Essential for Google Ads attribution. |
| Google display ads ID | Google display ads ID | dclid | Auto-appended from Display & Video 360 / Campaign Manager clicks. Used for display ad attribution. |

5. Click Save Changes.

6. Copy the link shown under the Anonymizer switch.

7. In your web container’s Google Tag replace the server_container_url value with the one you’ve just copied. If you don’t have the GA4 tracking configured, follow this guide.

Testing
There are several ways to test Anonymizer power-up.
Option 1. sGTM debugger
- Open the sGTM debugger for your container.
- Trigger a few events, including some with user parameters.
- Inspect the outgoing GA4 requests and confirm the fields you configured are absent or masked. For example:
_uip=2a09:bac5:4887::– the IP is truncated (trailing segments zeroed).aip=1– the IP-anonymization flag is set.

Option 2. GA4 debugger
Use the Google Analytics 4 debugger Chrome extension to check what data GA4 actually processes on its end:
- Visit your website and trigger the events you want to test.
- Go to GA4 → Admin → DebugView.
- You'll see events streaming in real time. Click into an event and inspect its parameters. Any parameters you configured to remove in the Anonymizer should be absent here. This method can't confirm IP or Client ID anonymization, use Option 1 for those.

Common configurations
Here are some examples of common Anonymizer power-up configurations:
1. Minimal change when legal/compliance asked only to stop sending full IPs:
| Setting | Action |
| IP | Anonymizer |
2. When you use GA4 user_id for logged-in users but policy says that ID must not reach Google.
| Setting | Action |
| IP | Anonymize |
| General info | User ID → Remove |
3. Session analytics without users when you want event and session trends, not user-level analysis.
| Setting | Action |
| IP | Anonymize |
| Client ID | Anonymize |
| General info | User ID → Remove, Session ID → Remove |
4. Healthcare / finance when a data protection officer wants minimal personal data in GA4. Reporting accuracy is secondary.
| Setting | Action |
| IP | Anonymize Strict |
| Client ID | Anonymize Strict |
| General info | User ID → Remove, Referer → Remove, Query parameters → Remove |
| System info | Remove all |
| User agent parsed | Remove all |
| Ads campaign attribution | Remove all |
Use case
A sample scenario is an eCommerce store operating in the EU that collects behavioral data via GA4. Their legal team flags that full IP addresses are being forwarded to Google Analytics, which conflicts with their data processing agreement under GDPR.
You can identify this problem and fix it this way:
- Open your sGTM debugger and inspect the outgoing GA4 requests. If you see a full IP address in the
_uipfield, that data is reaching Google's servers unmodified. - Enable the Anonymizer power-up and configure it: set IP to Anonymize or Anonymize Strict.
- Trigger a few test events, then re-inspect the outgoing GA4 request in the sGTM debugger. Confirm
_uipis truncated.
If configured correctly, GA4 will continue receiving event data for reporting while the fields that locate individual users are stripped before leaving your server.
Was this article helpful?
Comments