Don’t Assume, Ensure: Navigating Privacy Compliance in Google Analytics 4

By: Elena Karolik. Data Analyst, CvE

Privacy protection regulations are being developed around the world: Europe’s GDPR, California’s CCPA, Canada’s PIPEDA, Brazil’s LGPD, and South Africa’s POPIA, among others, with varying degrees of rigidity and how much of a challenge they pose to ensure privacy compliance. GDPR is one of the most rigid of these, and the one that’s most challenging for Google at the moment with their new Google Analytics 4 platform. Hence, let’s focus on the GDPR as a comprehensive example for the purposes of this article, bearing in mind everything said is equally applicable to other privacy protection regulations around the globe. 

Sadly, GDPR compliance cannot be taken for granted within Google Analytics 4. Google has introduced a number of measures to ensure the processing of personal data through GA4 is more secure and protective of end-user privacy, but even implementing all of its features does not automatically guarantee privacy compliance. Ultimately, it is up to the owner to maximise the chances of their website and/or app being compliant with the relevant privacy regulations while using GA4.

The General Data Protection Regulation –GDPR– is a comprehensive set of regulations introduced in the EU in 2018. It applies to all organizations that process the personal data of individuals in the EU, regardless of where these organizations are based. The key elements of these requirements are transparency, purpose and storage limitations, data minimization, accuracy, security and data subject rights. There are considerable penalties for non-compliance.

What does Google offer in GA4 to ensure GDPR compliance?

GA4 is the latest version of Google’s web analytics platform replacing their Universal Analytics package. One of the reasons for the upgrade (but more accurately, replacement) is improving individuals’ privacy. Besides some technical measures, GA4 offers the platform user greater control of the way collected data is processed, ensuring a higher degree of data subject privacy.

The IP addresses can be anonymized (though not stored or logged), and user-level and event-level data can have a set retention period with automatic deletion at the end of it.

Google has updated its data processing agreements to incorporate the GDPR requirements, including provisions relating to the protection of personal data, and the obligations of the data controller (website owner) and data processor (GA4).

All data from EU users is now collected on servers located within the EU (a marked improvement in GA4 compared to its predecessor), which eliminates the data transfer concerns that directly breached GDPR rules. This improves the security and privacy of EU users’ data, reducing the risk of data breaches and unauthorised access.

What’s more, GA4 provides the tools for data subjects to exercise their rights under the GDPR (to access, correct or delete their personal data).

Ultimately, Google has developed GA4 with privacy by design principles at its core from the outset.

It is worth noting that Google’s user-level privacy policy states that collected data is processed in Ireland for users based in the EEA or Switzerland, while users of Google services based in the UK have their data processed in California.

Does the use of GA4 guarantee GDPR compliance then?

Implementing GA4 with all of its privacy features on your website and/or app does not constitute automatic privacy compliance with GDPR. To have the best chances of meeting all the requirements, the owner (data controller) has a set of responsibilities and obligations. These include obtaining appropriate consent for personal data collection and processing, being transparent about the purposes, and implementing appropriate technical and organizational measures to protect the privacy of the individuals. However, condoning these details to the privacy policy on your website/app and simply signing the updated version of Google’s data processing agreement does not make your data processing legal in terms of the GDPR!

Some of your key responsibilities as a GA4 user as a data controller under the GDPR are:

  • Having a legal basis for processing: consent or legitimate interest (& communicating this basis to the data subjects).
  • Data minimization: only collecting the necessary data for the specific purpose.
  • Data security: having appropriate technical and organizational measures to ensure data security (a particular concern if you export any data from GA4).
  • Data retention: retaining personal data no longer than necessary for the purpose (GA4 offers the choice of storing data for two or fourteen months for standard properties, and up to 50 months for properties under Analytics360. Any data you export will need to have a set retention period, too).
  • Transparency: providing information to individuals about processing their data (identifying the data controller and purposes of the processing, clearly stated in your privacy policy).
  • Rights of individuals: respecting individuals’ rights to access, rectify and delete their personal data.

Consent, consent, consent…

The use and GA4 data sharing with any other Google products, such as Google Signals or Google Ads, increases the risk of breaching privacy laws (GDPR in particular) and needs to be properly managed. Explicit consent must be obtained from users for their data to be shared between Google products – and this consent needs to be obtained before the data is shared. Naturally, this must be disclosed in your privacy policy as well.

If you choose not to use IP anonymization or you want to share GA4 data with other Google products, you need to get users’ consent by using a custom cookie banner (widget in apps). While there’s some variation in the cookie consent requirements between countries (even with the EU), the general rule is that you need to get explicit consent for their use on your website or app. Of course, anonymizing IP addresses and especially choosing not to share data with other Google products offers your end user the highest degree of privacy but somewhat limits your tracking analysis.

Another feature of GA4 worth considering is the consent mode. It allows you to modify the behaviour of Google tags on your website or app based on user consent preferences. This can be done when configuring GA4 tags. (Note: for Google’s machine learning powered behavioural modelling to provide insights even with consent mode use, your property must have enough data to train the model. See details here.)

Conclusion

Tread carefully as you take on the GA4 implementation for your website and app. User privacy and data protection concerns should not be an afterthought or taken lightly. You cannot hide it in the small print of your privacy policy, click a few checkboxes as you set up your Google Analytics property, assume all is well and forget. The penalties for non-compliance with the privacy protection regulations are hefty!

So, what’s the best practice? It is absolutely worthwhile to take your time and ensure you actually put all the key principles of the relevant regulations into practice at the outset, and keep your hand on the pulse as the privacy landscape is everchanging.

I hope you enjoyed this article. We intimately understand the pain points of the modern marketer and have designed CvE to help solve your most complex challenges. Contact us to discover how we can help you upgrade your marketing sophistication.

News & Blog