GDPR, Guides, Marketing, PECR

GDPR & Google Analytics 4: What you need to know

Published:

Last updated:

Google Analytics on a Laptop
Home » Articles » GDPR & Google Analytics 4: What you need to know

Thinking of switching to the new Google Analytics 4? Stay GDPR compliant by reading our short guide where we’ll outline the areas you should pay the most attention to when making the switch.

Switching to Google Analytics 4 gives marketers & site managers a wide range benefits:

  • Machine learning: access to automatic insights and improved machine learning algorithms.
  • Data privacy by design: access to cookie-less and IP-anonymised tracking capabilities.
  • Better data accuracy: less reliance on data sampling than previous versions of Google Analytics, allow for a more complete and accurate picture of your user’s interactions with your website.
  • Improved cross-device tracking: using Google signals to help piece together user journeys across multiple devices.
  • Improved cross-app tracking: making it easier to track interactions across websites and mobile apps.
  • Improved custom reporting: giving you more power to create more in-depth reports about how users are interacting with your digital properties.

Many of these benefits are possible because of the more powerful tracking capabilities of Google Analytics latest tracking code. And an improved system back-end which makes computational power and features previously only available to enterprise “Google Analytics 360” customers available to everyone.

But it’s not just a bunch of high-end features that marketers are getting with GA4. We’re also getting a taste of Google’s “privacy-centric by design” approach to web analytics. Below we’ll highlight some of the key areas where changes to GA4 will have an impact on how you apply GDPR and E-Privacy regulations (PECR).

“We’re in the midst of a measurement evolution, and global ecosystem changes are challenging marketers to be forward thinking and privacy focused”

Philip McDonnell – Director, Product Management at Google

Anonymising IP

The previous version of Google Analytics collected the whole user IP by default. This was problematic from a GDPR perspective, because an IP address is considered as an item of personally identifiable data. Some users of the previous GA edited how GA collected the IP address, by anonymising the final 3-4 digits. This setup used to require you to edit your tagging code. However in GA4 IP Anonymisation is enabled by default and cannot be switched off. 

This move appears to be more GDPR friendly than before, but in many ways you could argue that this changes nothing. Since even hashed IP addresses are considered personal data under GDPR. And because tracking cookies, regardless of whether they collect IP addresses or not, require consent under the e-privacy regulations (PECR in the UK).

So don’t drop your cookie consent notices just yet and make sure that Google Analytics remains in your Data Privacy Impact Assessments.

Data Storage

Google Analytics 4 makes dramatic changes to how long data can be stored for. In the previous GA you could choose a data retention period up-to 64 months. In GA4 you only have two options:

  • 2 Months
  • 14 Months

This move is arguably more GDPR friendly because you will be able to apply the data minimisation principle with ease. You may need to review your data retention policies and notices after making the switch.

Note that this will make historical comparisons more difficult, however it is still possible to export data to a data warehouse like BigQuery, or for more simple analysis to export to Google Sheets. Later you can connect this data to a tool like Google Data Studio for analysis. 

Server Location

As before Google provides no choices regarding the location of the server that will be processing the data it collects from it’s website. Google Analytics data processing occurs across multiple servers, located around the world with a large volume of processing occurring at US based servers. Under GDPR, sending personal data, such as analytics data from a website, to the US from the EEA or UK is considered a restricted transfer. 

Therefore with Google Analytics 4 you will need to ensure that you have evaluated this “restricted transfer” and determined an appropriate legal mechanism for transferring personal data to GA4’s US servers.

In practice this will likely be Standard Contractual Clauses (SCCs). SCCs are a set of contracts signed by both the data exporter and data importer which include standard clauses set by the EU or UK data protection authorities. The clauses outline how data should be protected in order to make the transfer legal under UK GDPR or EU GDPR. Google Analytics makes it easy to access these standard contractual clauses. You can simply visit your account settings and then sign the documents. Afterwards you should make sure that you retain copies of these agreements and set aside time to review them at a future date.

Warning: Just because a company offers SCCs, it does not mean that simply signing the SCCs will make your data transfer legal. The data transfer may still not offer “adequate protections” under GDPR. There are other issues, particularly with Google Analytics which you may wish to consider. Recent decisions by supervisory authorities in Austria, Italy & France have ruled that data transfers to Google Analytics should stop. If you want to minimise your risk of non-compliance, you should consider suspending your use of Google Analytics and seeking a more privacy friendly alternative with data stored within the UK or EU.

Remember, you should also disclose your use of international data transfers within your privacy policy.

User Explorer – Deleting Individual Data

Google’s updated user explorer tool brings a much needed feature for GDPR compliance. The ability to delete an individual user’s data. This is a big improvement on the previous GA which only allowed you to delete data within a set time range.

Be aware that the data provided in the GA4 user explorer tool is significantly simplified compared to the previous GA. At present you can view every event in the user timeline, but you cannot extract much detail about the events, such as the url of where a page-view event occurred. This greatly reduces the usefulness of this tool. However you it is far more privacy friendly. It’s not clear whether Google will be updating this reporting tool in the future to provide more information about user events in the user explorer report out of the box, so I’d advise you to consider whether this important to you before making the switch.

Sharing with Other Google Products

Google wants you to share your data with them. So when you setup your account, you’ll be asked to review choices relating to sharing data with Google’s tech support teams, account managers and other products. Make sure you review these options carefully as some of them will require additional disclosures within your privacy policy. To keep things simple you can opt out of data sharing. Make sure you pay particular attention to the advertising preference or Google signals opt-in. These settings may share data about your users with Google to build advertising profiles. This data sharing would require opt-in consent under PECR (e-privacy).

Tip: If you are setting a up a new Google Analytics account, it is currently possible to create both an old UA Google Analytics view and a new Google Analytics 4 property. Both have different considerations with regards to GDPR so please be aware of this. The Measured Collective view is that Google Analytics 4 is a significantly more privacy conscious tool.

Credit: Photo by Myriam Jessier on Unsplash

Author

  • Scott Dooley

    Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance. With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development. Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.

    View all posts

Now Available to Start Immediately:

GDPR Online Training Course

There's no time like now, to give your team the training they need.

Article: Do I need ongoing GDPR training?