Latest News, Updates, Tutorials and much more

Blog

Google Analytics 4 And GDPR

Google Analytics 4 and GDPR: Is GA4 GDPR-Compliant?

Google Analytics is a powerful web analytics service that helps understand website performance and user behavior.

However, over the past years, Google has had a complex relationship between Google Analytics and the General Data Protection Regulation (GDPR) in the EU. Several EU countries have raised privacy compliance issues with Google Analytics that focus on its insufficient personal data protection and data transfer to the US practices. The most recent of these issues were related to the unlawful transfer of personal data across EU-US borders, when the EU – US Privacy Shieldhe EU – US Privacy Shield became invalidated.

In response to the complex relationship between Google Analytics and GDPR, Google released Google Analytics 4 (GA4), which replaced Universal Analytics and solved GDPR privacy issues, especially intercontinental data transfer.

In this article, we will summarize the privacy features and implications of GA4 as well as answer questions regarding GA4 compliance with the GDPR.

What Is Google Analytics?

Google Analytics 4 (GA4) was released on October 14, 2020, and replaced Universal Analytics. On July 1, 2023, the default Google Analytics service became GA4.

GA4 allows you to better understand your website users and measure traffic and users' engagement with your websites and apps. GA4 generates reports that include metrics like total number of users, average session length, page views per session, landing pages, and more.

For GA4 to function, a small Javascript code must be added to each web page of your site. When a user accesses the web page, this code is triggered, and the information is sent to Google's servers. Google then processes the information and generates reports for each website user.

Google Analytics 4 gathers the following data:

  • Online identifiers, including cookies and cookieless pings.
  • Internet protocol addresses and browsing device identifiers.
  • User identifiers.

GA4 gives marketers and website managers many benefits that could be employed for content marketing:

  • Better cross-device tracking, that allows tracking of user journeys across multiple devices.
  • Better cross-app tracking, that collects both website and app data to track interactions across websites and mobile apps.
  • Uses events instead of session-based data.
  • Better data accuracy, that allows tracking of more complete and complex user interactions with your website.
  • Direct integrations to media platforms, that allow driving actions immediately.
  • Artificial intelligence, that allows for automatic insights and predictive capabilities.

Google Analytics 4 is heavily focused on data privacy.

In its Privacy Policy, Google also explains what data it collects, for what purposes, and how it collects it.

Privacy Features in Google Analytics 4

Most importantly, GA4 focuses on data privacy and provides updated privacy features which should help users comply more easily with most data privacy laws. GA4 introduced many features of privacy control to comply with the GDPR.

IP anonymization

The previous version of Analytics (Universal Analytics) collected users' IP addresses. This was breaching a GDPR law since an IP address is considered personally identifiable information (PII) that is protected by the law. The IP anonymization feature could be activated manually by users, but it was not straightforward as it required editing the tagging code.

In GA4, the IP Anonymization is enabled by default and cannot be switched off. This means that GA4 does not store the IP addresses of users and can not track users, which helps to comply with the GDPR.

Data collection restriction

GA4 collects only as much data as is absolutely necessary for specific purposes.

Shorter data retention periods

Another important feature provided by GA4 is a much shorter data storage duration. According to the GDPR, the data must only be kept for as long as it is absolutely necessary. In the previous GA version, you could choose to store collected data for up to 64 months. In GA4 you only have two options for personal data storage: 2 months or 14 months, depending on your analytical activities.

Granular user consent option

Google Consent Mode is a privacy feature that allows modifying the behavior of Google tags on your website based on user's consent preferences. With a new GA4 consent implementation, you can instruct GA4 to track users' behavior according to users' consent preferences, including granular user consent.

Data deletion possibility

The GDPR gives consumers the right for their data deletion. In response to this, GA4 gives the ability to delete an individual user’s data within a set time range.

Rules regarding Personally Identifiable Information (PII)

To comply with most privacy laws, including the GDPR, GA4 doesn't collect personally identifiable information (PII). Since it is considered a violation of Google's Terms of Service to collect PII using GA4, Google has the right to delete all the user data if PII was found.

Read the blog article to get more details about what is Personally identifiable information under the GDPR.

New methods for gathering anonymized user data

To respect data privacy rights, GA4 collects non personalized and aggregated data. GA4 introduced the following features:

  • Conversion modeling. Conversion modeling is a practice of Google to analyze observed conversions and to predict lost conversions without identifying any individual user.
  • Behavioral modeling. Behavioral modeling is applied to users who refuse analytics tracking and is based on the behavior of similar users who have accepted the tracking. 
  • Cookieless pings. Cookieless pings are signals sent to Google servers that inform about user activity and user consent state without relying on cookies when a user did not grant consent for them. Cookieless pings contain only functional information without any personally identifiable data.

International data transfer

Under the GDPR, sending personal data from the EU or UK to the US is considered a restricted transfer.

You need to sign a data processing agreement with Google regarding a restricted transfer of data. You must also keep a copy of the signed agreement. Furthermore, your website must have a Privacy Policy, which clearly discloses the action of international data transfers.

Data sharing with other Google products

Google promotes you to share your data with other Google products like Google Signals or Google Ads since this gives certain benefits and increases your business' tracking outcome.

However, data sharing increases the risk of breaching privacy laws, especially the GDPR, if not properly managed.

Under the GDPR, you must obtain explicit consent from website users for their data sharing between other Google products like Google Signals or Google Ads. The consent must be given BEFORE the data sharing took effect. In addition, your website's Privacy Policy must clearly disclose the fact that user private data may be shared with other Google products.

Website users must also have an option to opt-out of data sharing.

Google Analytics and data transfers between the EU and the US

The main compliance issue of Google Analytics was related to the international data transfers between the EU and US. Google collects European users’ data and sends it to the US servers to store and process. Because Google is a US-owned company, the data it owns is subject to US surveillance laws, which could conflict with EU data privacy rights.

The July 2020 Schrems II ruling invalidated the EU-US Privacy Shield for international data transfers between the EU and the US, on the basis that the US did not provide adequate protection for data. Therefore, from the middle of 2020 to September 2021, data transfers from the EU to the US could not be made based on the Privacy Shield. There was much uncertainty during this period, and many European countries declared that the use of Google Analytics at that time did not comply with the GDPR.

On December 31, 2021, the French data regulator CNIL fined Google a total of 150 million euros because users of google.fr and youtube.com were not able to refuse cookies as easily as accept them. Google Ireland was charged with a €60 million fine, and Google LLC was charged with a €90 million fine.

On January 12, 2022, the Austrian DPA ruled Google Analytics violated the Schrems II ruling. Even though the company anonymized IP addresses, the effort was deemed inadequate and insufficient because anonymization likely occurred only after the data reached US servers, so US authorities could legally access the encryption keys.

France also rejected Google Analytics IP address anonymization function as an adequate measure for protecting data transfers from Europe to the US.

Italy, Netherlands, the UK, Norway, Denmark, and Sweden also noted that Google Analytics had compliance issues and recommended companies to stop using Google Analytics.

In September 2021, Standard Contractual Clauses (SCCs) were released. SCCs are standardized contract terms approved by the European Commission to ensure that personal data transferred outside of the EU complies with the GDPR. New SSCs together with additional measures like encryption or anonymization, were viewed as adequate safeguards to make data inaccessible by US authorities and thus comply with the GDPR.

The New EU-US Data Privacy Framework

On 10 July 2023, the European Commission adopted its decision on the EU – US Data Privacy Framework (DPF), which entered into force immediately.

The decision concluded that the United States ensures a sufficient level of protection for personal data transferred from the EU.

The EU – US Data Privacy Framework sets the obligations for US companies like the requirement to obtain self-certification, comply with privacy principles, update the Privacy Policy, ensure personal data protection when it is shared with third parties, and other privacy measures. The DPF foresees limiting access to the data of EU citizens by US intelligence services and establishes a Data Protection Review Court (DPRC), which could be accessed by EU individuals.

Is Google Analytics 4 GDPR-compliant?

After a long uncertain period, the situation regarding Google Analytics 4 and GDPR compliance issues has changed significantly since 2023.

First, the new EU – US Data Privacy Framework entered into force, which was approved by the European Commission.

Second, Google replaced Universal Analytics with Google Analytics 4, which is the default analytics tool and is heavily focused on data privacy and compliance with the GDPR.

Google Analytics 4 has several significant changes compared to Universal Analytics. GA4 introduces several new features and privacy controls, including IP anonymization, an event-based measurement model, opposite to the session-based data model of Universal Analytics, cookieless pings, conversion modeling, granular user consent options, and others.

So, is Google Analytics 4 GDPR-compliant? Does the EU-US Data Privacy Framework make Google Analytics GDPR-compliant?

Google Analytics 4 is not yet fully GDPR-compliant. The EU-US Data Privacy Framework alone doesn’t make GA4 GDPR-compliant. The framework makes only data transfers to the US compliant.

To comply with the GDPR, website owners must ensure that all the data collection, transfer, and processing practices comply with the legal requirements of the GDPR. The compliance requirements include getting valid user consent, using IP anonymization and adequate data duration and retention practices, ensuring third-party contracts, and allowing only a certified US company to access data. Google also must inform users about data storage locations or data transfers outside of the EU.

Be GDPR-compliant while using GA4. Choose the right Consent Management Platform (CMP) like CookieScript CMP for serving ads in the EU and EEA.

Do I Need a Cookie Banner if I Use GA4?

By using GA4 on your website, standard Tracking Cookies are dropped on your users' devices. The usage of tracking and other cookies is regulated by cookie laws in countries where your users come from. If your website is accessed by users from the EU, then the usage of cookies and thus GA4 is regulated by GDPR.

Regulations regarding Cookie Consent requirements differ for each country, even within the EU. However, as a general rule, you need to get explicit consent to use cookies on your website. If you use GA4 with IP anonymization and do not share users' data with other Google products, you do not need to receive explicit Cookie Consent

If you do not use IP anonymization, you need to obtain explicit user consent to collect and manage user data. You also need user consent if you share GA4 data with Google Ads or Google Signals. User consent is usually collected through a cookie banner. Keep in mind, that when you share GA4 data with Google Ads or Google Signals, you must also update your privacy policy, including this information into it.

How to Become GDPR-Compliant with Google Analytics 4?

Follow these recommendations for companies to become GDPR-compliant with Google Analytics 4.

  1. Choose Google-certified CMP. On 16 May 2023, Google announced new requirements for CMP partners that use Google advertisement and analytics in the EEA or the UK. All CMP partners will have to use a Google-certified CMP that integrates with the IAB Europe’s Transparency and Consent Framework (TCF) when serving ads or using Google Analytics in the EEA or the UK. See Google’s list of Google-certified CMPs
  2. Use Google Consent Mode v2. Google Consent Mode v2 allows websites to dynamically adjust the behavior of Google tags based on the user’s consent choices. When a Cookie Banner has a granular Cookie Consent option, Google, like other third-party services, must respect user choices regarding cookies. This feature ensures that Google Analytics 4 collects only the information that the user has given their consent, even though the tags are loaded onto the webpage before the Cookie Consent banner appears. By implementing Google Consent Mode v2, websites can modify the behavior of Google tags after the user makes their cookie choice so that GA4 doesn’t collect data without consent.
  3. Enable explicit or opt-in cookie consent. All Google Analytics cookies should be set up only after users have granted explicit cookie consent. Users should also have a granular Cookie Consent option so that they can choose to allow just specific cookies while rejecting cookies for other purposes.
  4. Have a detailed privacy policy and Cookie Policy. Websites must inform users about their data collection and processing practices. All necessary information should be included in the privacy policy. The Cookie Policy should inform users about the use of cookies and other website trackers, including Google Analytics cookies, that are used on the site. The Cookie Policy could be a separate document, but it often makes a part within the privacy policy.
  5. Enter into a Data Processing Agreement with Google. A data processing agreement (DPA) is a legally binding contract and a crucial component of GDPR compliance. If you are using Google Analytics or advertisement products, you must sign a Data Processing Agreement with Google. The DPA covers important user data collection and management aspects such as compliance, security measures, confidentiality, sharing with third-parties, data subjects’ rights, and other aspects. The DPA helps to ensure Google Analytics GDPR-compliance and sets appropriate measures to protect personal data.

How to Use Google Analytics 4 and Achieve GDPR Compliance: Practical Tips

The easiest way to use Google Analytics 4 and achieve GDPR compliance is to choose the right Consent Management Platform (CMP).

CookieScript CMP could be your best choice since it has the following functionalities:

Frequently Asked Questions

What is Google Analytics GA4?

Google Analytics 4 (GA4) is the latest Google Analytics service, released on July 1, 2023, that allows you to measure traffic and users' engagement with your websites and apps. It is the default Google Analytics service, which is heavily focused on data privacy that aims to comply with the GDPR. Use CookieScript CMP, a Google-certified CMP, to comply with the GDPR.

Is GA4 GDPR compliant?

Google Analytics 4 is heavily focused on data privacy. It has introduced many new features to comply with the GDPR. The EU-US Data Privacy Framework, which regulates the international data transfer between the EU and the US, entered into force in 2023. However, Google Analytics 4 is not yet fully GDPR-compliant. It is the website owner’s responsibility to ensure GDPR compliance while using GA4. CookieScript CMP is a Google-certified CMP, that allows you to use GA4 and comply with the GDPR.

Does Google Analytics 4 collect personal data?

Yes, Google Analytics 4 (GA4) collects personal data such as IP addresses, user identifiers, browser and device information, geolocation data, and user interactions with the website (page views, clicks, conversions). GA4 uses IP anonymization, conversion modeling, and behavioral modeling. If users don’t grant user consent, the anonymized data could be used to analyze website traffic and user behavior without tracking a particular user. Use CookieScript CMP, a Google-certified CMP, to use GA4 and comply with the GDPR.

How to become GDPR-compliant with Google Analytics 4?

To become GDPR-compliant with Google Analytics 4, follow these recommendations: choose Google-certified CMP, use Google Consent Mode v2, enable explicit or opt-in cookie consent, have a detailed privacy policy and Cookie Policy, and enter into a Data Processing Agreement with Google. CookieScript CMP is a Google-certified CMPrecommended by Google.

How to use Google Analytics 4 and achieve GDPR compliance?

The easiest way to use Google Analytics 4 and achieve GDPR website compliance is to use a Google-certified Consent Management Platform (CMP). CookieScript CMP is a Google-certified CMP that is integrated with all the most popular CMS systems, supports Google Consent Mode v2, and is recommended by Google.

Do I need a privacy policy for Google Analytics?

Yes, if you use Google Analytics, you must have a privacy policy on your website that discloses the use of cookies, including Google Analytics cookies, and details on how you collect, process and share user data. CookieScript Privacy Policy Generator can help you to generate your privacy policy and comply with the GDPR.

Is GA4 legal in Europe?

Prior to 2023, there were some privacy issues related to the data transfer from the EU to the US, and some countries like Sweden, Denmark, France, or Italy did not recommend using Google Analytics 4. In July 2023, the EU – US Data Privacy Framework (DPF) entered into force, so personal data can be transferred to the US legally. Thus, it is legal to use GA4 in Europe as well as in the US. 

Do you need consent for GA4?

Personalized advertising and remarketing require explicit end-user cookie consent. If users don’t grant user consent, GA4 can still collect anonymized data that is used to analyze website traffic and user behavior without tracking a particular user. Use CookieScript CMP, a Google-certified CMP, to use GA4, get user consent, and comply with the GDPR.

Does Google Analytics break GDPR?

GDPR compliance is the website owners’ responsibility to ensure GDPR compliance. Website owners can adjust their analytics settings in a way that GA4 will comply with or will breach the requirements of GDPR. The easiest way to ensure GDPR compliance is to use a Google-certified CMP CMP. CookieScript CMP is a Google-certified CMP, that has hints regarding settings’ compliance with the GDPR.

Do I need a Cookie Banner if I use Google Analytics 4?

Regulations regarding Cookie Consent requirements differ for each country, even within the EU. In most cases, if you use GA4 with IP anonymization and do not share users' data with other Google products, you do not need to receive explicit Cookie Consent. However, if you do not use IP anonymization or share GA4 data with Google Ads or Google Signals, then you need to obtain active users' consent by providing a Cookie Banner.

What are the privacy features, introduced by Google Analytics 4 (GA4)?

GA4 introduced a variety of privacy features, including default IP anonymization, shorter data retention duration, Google Consent Mode v2, users' personal data deletion, and rules regarding PII. The most significant of them is the default IP anonymization feature.

Does GA4 use cookies?

Google Analytics 4 (GA4) uses Google Analytics cookies to separate unique users and unique sessions from a single user. GA4 mainly sets mainly first-party cookies, and does not require you to set cookies on your website to receive data and transmit it to GA4. Use CookieScript Cookie Scanner to scan all cookies and other trackers of your website.

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.