Four years have passed since the European General Data Protection Regulation (GDPR) became law in May 2018. However, it seems that it's not enough time for such a tech giant as Google to prepare its privacy products to be GDPR compliant.
In March 2020, Sweden fined Google LLC a €7 million fine for violating article 17.1(a) of the GDPR for not deleting Google searches.
The Austrian, the Dutch, and the Norwegian Data Protection Authorities also found Google Analytics GDPR non-compliant and breaching DGPR, and now seek to fine Google too or to limit Google Analytics usage.
Moreover, in July 2020, the EU Court of Justice ruled out the Privacy Shield framework, a legal framework for regulating the EU-USA and Swiss - USA exchanges of personal data to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements. Google can't send any more users' data to the USA, where most Google data centers are located.
In response to such a complex relationship between Google Universal Analytics and GDPR, Google released Google Analytics 4, due to replace Universal Analytics and to solve GDPR privacy issues.
Overview of Google Analytics 4
Google Analytics 4 (GA4) is the latest Google analytics service that allows you to measure traffic and users' engagement with your websites and apps. GA4 was released on October 14, 2020, and is due to replace Universal Analytics. On July 1, 2023, standard Universal Analytics will stop working and the default analytics service of Google will be GA4.
GA4 gives marketers and site managers many benefits that could be employed for content marketing:
- Better cross-device tracking, that allows tracking of user journeys across multiple devices.
- Better cross-app tracking, that collects both website and app data to track interactions across websites and mobile apps.
- Uses events instead of session-based data.
- Better data accuracy, that allows tracking of more complete and complex user interactions with your website.
- Direct integrations to media platforms, that allow driving actions immediately.
- Machine learning, that allows for automatic insights and predictive capabilities.
- Heavily focused on data privacy.
Privacy Features in Google Analytics 4
Most importantly, GA4 focuses on data privacy and provides updated privacy features which should help users comply more easily with most data privacy laws. GA4 introduced many features of privacy control to comply with majority privacy laws, particularly the GDPR.
The previous version of Google Analytics (GA) collected users' IP addresses by default. This was breaching a GDPR law since an IP address is considered personally identifiable information (PII) that is protected by the law. Google Analytics allowed activation of the IP anonymization feature so that GA anonymized the final 3-4 digits to eliminate the privacy of the users. However, IP anonymization had to be manually activated by users, it was required to edit the tagging code, and was not straightforward.
In GA4, IP Anonymisation is enabled by default and cannot be switched off. This means that GA4 will not store the IP addresses of users and could not track users. From the GDPR perspective, this is considered the most important change in GA4, helping users to comply with the GDPR.
Data storage duration
Another important feature provided by GA4 is a much shorter data storage duration. In the previous GA version, you could choose to store collected data for up to 64 months.
In GA4 you only have two options for personal data storage: 2 months or 14 months, depending on your analytical activities.
This feature will help users comply with the storage limitation principle of the GDPR since according to the law, the data must only be kept for as long as it is absolutely necessary. However, if your business needs a longer data storage period than 14-month data, it is possible to store the data for an extended period using a data warehouse such as BigQuery, provided by Google.
Server location and restricted data transfer
Google Analytics data processing occurs across multiple servers, located around the world, the majority of them being located in the USA. Before 2020 the data transfer was regulated according to the Privacy Shield framework. In July 2020, the EU Court of Justice ruled out the Privacy Shield framework, a legal framework for regulating the EU-USA and Swiss - USA exchanges of personal data to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements.
However, like Universal Analytics, GA4 doesn't allow users to choose where their data will be stored.
This means that if your website is based in the EU or it has users from the EU, you must take additional measures regarding the data transfer requirements of the GDPR. Under the GDPR, sending personal data from the EU or UK to the USA is considered a restricted transfer.
However, if you simply signed a data processing agreement, it does not make your data transfer legal in the terms of the GDPR!
Google Consent Mode is a privacy feature that allows modifying the behavior of Google tags on your website based on user's consent preferences. With a new GA4 consent implementation, you can instruct GA4 to track users' behavior according to users' consent preferences.
Users' personal data deletion
Most privacy laws, including the GDPR, give consumers the right to request their data deletion. In response to this, GA4 gives the ability to delete an individual user’s data within a set time range. This feature will also help users to comply with the GDPR.
Rules regarding Personally Identifiable Information (PII)
To comply with most privacy laws, including the GDPR, Google doesn't allow users to collect personally identifiable information (PII) in GA4. It is considered a violation of Google's Terms of Service to collect PII using GA4, and Google has the right to delete all the data of a user if PII is found.
GDPR Article 4 defines personal data: “Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data also includes:
- Religious views
- Ethnic origins and identities
- Genetic data
- Biometric data
- Philosophical beliefs
- Health records
- Sexual orientations
- Political opinions
Data sharing with other Google products
Google promotes you to share your data with other Google products like Google Signals or Google Ads since this gives certain benefits and increases your business' tracking outcome.
However, data sharing increases the risk of breaching privacy laws, especially the GDPR, if not properly managed.
You can also opt-out of data sharing, to be on the safe side regarding compliance with privacy laws.
Is Google Analytics 4 (GA4) GDPR Compliant?
So, after you implemented all the features of GA4 regarding the users' privacy, is GA4 GDPR Compliant?
The simple answer is: no!
The EU – US Privacy Shield Framework invalidation ruling
The EU–US Privacy Shield went into effect on 12 July 2016, and it was a legal framework for regulating transatlantic exchanges of personal data to comply with data protection requirements. However, the EU – US Privacy Shield became invalid on 16 July 2020.
In September 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) informed that the Swiss - U.S. Privacy Shield Frameworks also became invalid.
The new proposed regulation of data transfer, the Trans-Atlantic Data Privacy Framework (TADPF), is at the negotiation stage and is expected to be available by the end of 2022. At the moment, there are no agreed regulations on data transfer between the EU and the USA.
As of end of 2022, GA4 isn’t fully GDPR compliant. Despite adding all the above-mentioned privacy-orientated features, GA4 still has not reached a consensus with European regulators. After the invalidation of the Privacy Shield framework in 2020, Google is yet to regulate EU-US data protection. At present, the company doesn’t sufficiently protect EU citizens’ and residents’ data against US surveillance laws. GA4 has no mechanism for guaranteeing intra-EU data storage or even selecting a designated regional storage location. Google also does not inform users about data storage locations or data transfers outside of the EU. This is a direct breach of GDPR, the data processing agreement with Google regarding a restricted transfer of data does not fully solve the problem.
Do I Need a Cookie Banner if I Use GA4?
By using GA4 on your website, standard Tracking Cookies are dropped on your users' devices. The usage of tracking and other cookies is regulated by cookie laws in countries where your users come from. If your website is accessed by users from the EU, then the usage of cookies and thus GA4 is regulated by GDPR.
On October 14, 2020, Google released Google Analytics 4 (GA4) which is due to replace Universal Analytics and will help its users comply with the GDPR's requirements.
GA4 introduced a variety of privacy features, including default IP anonymization, shorter data storage duration, location of servers, consent mode, users' personal data deletion, and rules regarding PII. The most significant privacy improvement is the default IP anonymization feature, which means that Google Analytics will no longer store the IP addresses of your devices.
However, as of 2022, implementing all the privacy features of GA4 does not automatically make your website GDPR compliant. Privacy requirements differ for each country, even within the EU, and the decisions of each European country regarding GA4 compliance with the GDPR should follow in the near future.
To increase your chances to be GDPR compliant while using GA4, take the following actions:
- Use GA4 only with its default anonymization;
- Don't share GA4 data with Google products, such as Google Signals or Google Ads;
- Sign a data processing agreement with Google regarding a restricted data transfer;
- Disable the advertising personalization feature in GA4;
- Use the anonymized data for aggregate statistical reporting purposes only;
- Obtain the explicit consent of end-users to use the Google Analytics cookies.
Do not wait until July 2023 to migrate to GA4: even if GA4 is not fully GDPR compliant as of today, it has more advanced privacy features in comparison to Google Universal Analytics. Switch to GA4 now. If your business is based in Europe, consider choosing an alternative EU-hosted web analytics tool, so that your data is stored in Europe, and no data is transferred to the US. Also, if you choose to self-host, the data is stored in your country of choice.
Frequently Asked Questions
Is GA4 GDPR compliant?
As of 2020, GA4 is not fully GDPR compliant, despite implementing extra privacy features. GA4 still has not reached a consensus with the European regulators regarding data transfer between the EU and the USA. There are also other selected features like data sharing between other Google products, which would breach the GDPR law.
Is using Google Analytics 4 GDPR compliant?
What is Google Analytics GA4?
Google Analytics 4 (GA4) is the latest Google analytics service that allows you to measure traffic and users' engagement with your websites and apps. It was released on October 14, 2020, and is due to replace Universal Analytics on July 1, 2023, when standard Universal Analytics will stop working.
Do I need a Cookie Banner if I use Google Analytics 4?
Regulations regarding Cookie Consent requirements differ for each country, even within the EU. In most cases, if you use GA4 with IP anonymization and do not share users' data with other Google products, you do not need to receive explicit Cookie Consent. However, if you do not use IP anonymization or share GA4 data with Google Ads or Google Signals, then you need to obtain active users' consent by providing a Cookie Banner.
When will standard Google Universal Analytics stop working?
Google Universal Analytics will stop working on July 1, 2023, and the default analytics service of Google will become Google Analytics 4 (GA4). Read more about GA4 compliance with the GDPR.
What are the privacy features, introduced by Google Analytics 4 (GA4)?
GA4 introduced a variety of privacy features, including default IP anonymization, shorter data storage duration, location of servers and restricted data transfer, consent mode, users' personal data deletion, and rules regarding PII. The most significant of them is the default IP anonymization feature, which means that Google Analytics will no longer store the IP addresses of your devices.
GA4 uses first-party cookies to separate unique users and unique sessions from a single user. GA4 does not require you to set cookies on your website to receive data and transmit it to Google Analytics.