Last updated on 01 July 2022 by Stephen Titcombe (Legal writer at TermsFeed)
In recent years, Google has run into several issues regarding privacy of its users and has been the subject of several related lawsuits. The most recent of these has been regarding the unlawful transfer of personal data across EU-U.S. borders through the use of Google Analytics.
In light of this legal crisis, Google decided to provide a more privacy-centric solution for users with the launch of its latest flagship analytics product, Google Analytics 4 (GA4).
GA4 was primarily developed to replace and improve the privacy controls of Google's previous analytics product, Universal Analytics. On that note, Universal Analytics and Universal Analytics 360 properties will be deprecated and will stop processing new hits from July 1, 2023 and October 1, 2023, respectively.
In other words, if your website still collects data with Universal Analytics when the deprecation dates arrive, your Universal Analytics deployment will simply stop functioning.
It is, therefore, imperative for you (as a website owner or operator) to begin transitioning from Universal Analytics properties to GA4 if you haven't already done so.
Importantly, GA4 will build upon the foundation set by Universal Analytics and will adopt a "data privacy by design" approach to address recent privacy challenges, among other developments.
In this article, we'll walk you through the privacy features and implications of GA4 as well as answer key questions regarding GA4 and how it relates to GDPR compliance.
Google Analytics 4 (GA4) is Google's latest analytics property and attempt at providing a more privacy-friendly experience for users. Like previous versions released by Google, GA4 helps users discover and predict new insights by measuring customer engagement and traffic across their websites and apps.
Notably, GA4 focuses heavily on data privacy, which comes as no surprise given the failure of its previous versions to fully comply with the stringent standards set by modern privacy laws.
According to a press release from Google:
"Google Analytics 4 is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage."
Practically speaking, this means GA4 is equipped with several updated privacy features and functionality which are intended to help users comply more easily with most data privacy laws.
These features are especially designed to keep up with a changing ecosystem and provide users with better protection and more control over their data in today's demanding data privacy landscape.
Now that we have a basic understanding of Google Analytics 4 and why it was developed, let's go over the main privacy features and functionality it provides.
In a world where users are increasingly expecting better protection and control over their data, GA4 offers a variety of privacy controls (among other features) to meet these expectations and comply with common privacy laws, particularly the GDPR.
Without further ado, let's go over the privacy features embedded in GA4.
In the previous version of Google Analytics (Universal Analytics), IP addresses were collected by default, and the IP anonymization feature had to be manually activated by users. This was problematic because IP addresses are considered "online identifiers" under the GDPR and may therefore constitute personally identifiable information (PII).
In GA4, however, the IP anonymization feature is activated by default and cannot be adjusted by users. Essentially, the default IP anonymization feature means that GA4 will not store the IP addresses of users.
From an EU privacy perspective, this is considered the most impactful feature in GA4 to promote data privacy and help users comply with the GDPR.
Another prominent feature provided by GA4 is the stringent data storage duration specified in its terms.
In contrast with Universal Analytics, GA4 offers just two rigid options from which users may select. Essentially, you can either choose to retain data for 2 months or 14 months, depending on your processing activities.
Notably, this feature is a deliberate attempt to help users comply with the GDPR's storage limitation principle, which states that data must only be kept for as long as it is absolutely necessary for the purpose(s) agreed upon during its collection.
However, if a 14-month data retention period is too short for the types of processing activities your business undertakes, you can always store the data for an extended period using a data warehouse like BigQuery.
Officially introduced in 2020, consent mode is a privacy feature that allows you to modify the behavior of Google tags on your website based on users' consent choices.
When you launch a new GA4 implementation, you can configure GA4 tags by using consent mode to ensure that your tracking responds appropriately to users' consent preferences.
We won't go into much detail about this privacy feature in this article, but for an in-depth understanding of how consent mode works, check out our article, Google Consent Mode.
It was recently established that EU-U.S. data transfers through Google Analytics violate the GDPR's data transfer requirements.
Most GA4 servers are hosted in the U.S. and like Universal Analytics, GA4 doesn't give users the ability to choose where their data may be stored.
Therefore, if your website is based in the EU or targets EU residents, you must take additional measures to adapt your data privacy strategy to fit the data transfer requirements of the GDPR.
Most privacy laws (like the GDPR, for example) give consumers the right to request that their data be deleted from a website's server, and with GA4, this has been made easier.
GA4 provides a User Explorer report which gives website owners or operators the ability to differentiate users and erase a user's data from GA4 if required. This is considered yet another privacy-friendly upgrade from Universal Analytics which only allowed data to be erased within a fixed time range.
To help users remain compliant with modern privacy laws, Google doesn't allow users to collect personally identifiable information (PII) in GA4.
More specifically, it is considered a violation of Google's Terms of Service to capture PII in GA4, and Google may delete all the data in any GA4 property where PII is found.
Note that PII includes information such as email addresses, identification numbers, phone numbers, and so on.
For a detailed guide on how to avoid sending PII to Google Analytics, check out the recommendations issued by Google.
Google gives its users an option to share GA4 data with other Google products like Google Signals and Google Ads.
While this can provide certain benefits to aid your business' tracking efforts, it may also increase the risk of violating privacy laws if not properly managed.
Therefore, it's highly important that you first consider which privacy laws apply to you before opting in to share data with other Google products.
For instance, under the GDPR, you must obtain explicit opt-in consent from your consumers before cross-linking their data with tools like Google Signals and ad personalization. This is necessary because such data may be used to build advertising profiles to track users.
Now that we've covered the privacy features embedded in GA4, let's answer some common questions about Google Analytics and the GDPR.
If you implement Google Analytics 4 on your website, the deciding factor about whether you must comply with the GDPR boils down to your collection and use of personal data.
In other words, it all depends on whether the data you collect from the EU through Google Analytics 4 may be classified as personal data under the GDPR.
Keep in mind that the GDPR defines personal data as any information that can be used to identify a natural person.
Simply put, if your GA4 implementation collects personal data from the EU, then the GDPR will apply, but if not, then you will likely not fall under the GDPR's scope.
For better clarification, let's dive a bit deeper and see when the data gathered through GA4 may constitute personal data under the GDPR.
When you launch the standard out-of-the-box Google Analytics 4 properties, several relevant parameters are created, the most significant of which is the Device ID.
A Device ID is a unique, anonymous identifier assigned to every user device (such as a smartphone or laptop) that visits your website.
While a Device ID cannot identify a natural person on its own, it can potentially identify an individual when combined with user data from other sources. As such, a Device ID can (in certain instances) constitute personal data under the GDPR.
This notion has been supported in several cases and rulings by EU data protection authorities.
In practice, it's possible that none of your GA4 data (or Device IDs) will be considered personal data under the GDPR if you do the following:
However, if you modify GA4 properties by cross-linking data with Google Signals or activating the ad personalization feature, then it is likely that the Device ID will be classified as personal data under the GDPR. In such a case, your website may well fall under the GDPR's scope.
Note that this explanation only covers data gathered through your GA4 implementation and does not apply to the data you collect outside Google Analytics. That is to say, if your website obtains the personal data of EU residents outside Google Analytics, you may fall under the GDPR's scope.
To get a better grasp of whether you need to comply with the GDPR outside of Google Analytics, check out our article, Do I Need to Comply With the GDPR?
By launching the default out-of-the-box implementation of GA4, standard tracking cookies are placed on your users' devices. This automatically puts your website in the scope of cookie laws in countries where your users reside.
If your website targets EU users, then your GA4 deployment will also fall under the scope of the EU Cookies Directive.
With that said, the regulations regarding cookie consent requirements differ from country to country, even within the EU.
Simply put, some EU countries require websites to obtain explicit consent from users through cookie notice banners before placing analytics cookies on their devices, while others are more lenient with this requirement.
To put things in context, take the cookie consent requirement of Germany and the United Kingdom for example.
The German conference supervisory authorities published a guide that addresses cookie consent requirements for analytics tracking.
In short, the body decided that websites do not need to obtain consent through cookie notice banners before placing analytics cookies on devices unless the data gathered through these cookies will be transferred to a third party.
The United Kingdom, on the other hand, takes a different perspective on cookie consent.
According to the cookie guide released by the UK Information Commissioner's Office (ICO), websites must obtain consent from users through cookie notice banners before placing analytics cookies on a user's device.
That said, the ICO states that it is unlikely that formal action will be taken against violators for implementing low-risk cookies (e.g., first-party cookies) without obtaining consent.
However, we recommend that you play it safe and always seek user consent through cookie banners before implementing analytics cookies for UK residents.
To sum it up, your obligations with regard to providing a cookie notice banner when using GA4 will depend on the cookie laws in the countries where your users reside.
In any case, keep in mind that exceptions for consent regarding Google Analytics cookies will only apply if you only use GA4 in an anonymized version and do not share data with other Google platforms or activate the ad personalization feature.
However, if you share GA4 data with Google Ads or Signals, then (depending on the country's cookie law) you will likely need to obtain active consent from users by providing a cookie notice banner.
Here's an example of a good cookie consent banner from EY that details cookie information and provides users with clear options to either accept or reject cookies:
The Guardian provides a similar cookie consent banner, shown below:
In light of recent privacy issues, Google introduced Google Analytics 4 (GA4) to help its users comply more easily with the GDPR's stringent requirements, among other reasons.
GA4 provides a variety of privacy-focused improvements from Universal Analytics, the most significant of which is the default IP anonymization feature. In other words, Google Analytics will no longer store IP addresses.
If your website hasn't migrated to GA4, it's highly recommended that you start doing so now, as Google will begin sunsetting Universal Analytics next year. Moreover, configuring GA4 now will help you start tracking the metrics you want as well as compile historical data so that it's available when you need to reference it.
To recap, remember that implementing GA4 properties does not automatically exempt your website from the GDPR's scope. You may, however, be exempted if you run GA4 only in an anonymized version for statistical reporting purposes while disabling all other data-sharing features.
This concept can also be applied to cookie consent requirements when implementing GA4 properties, but ultimately, the deciding factor regarding cookie consent for GA4 boils down to country-specific cookie laws. We recommend you seek additional legal advice if you are uncertain about how to interpret each country's cookie laws.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022