By: Elena Karolik. Data Analyst, CvE
Privacy protection regulations are being developed around the world: Europe’s GDPR, California’s CCPA, Canada’s PIPEDA, Brazil’s LGPD, and South Africa’s POPIA, among others, with varying degrees of rigidity and how much of a challenge they pose to ensure privacy compliance. GDPR is one of the most rigid of these, and the one that’s most challenging for Google at the moment with their new Google Analytics 4 platform. Hence, let’s focus on the GDPR as a comprehensive example for the purposes of this article, bearing in mind everything said is equally applicable to other privacy protection regulations around the globe.
Sadly, GDPR compliance cannot be taken for granted within Google Analytics 4. Google has introduced a number of measures to ensure the processing of personal data through GA4 is more secure and protective of end-user privacy, but even implementing all of its features does not automatically guarantee privacy compliance. Ultimately, it is up to the owner to maximise the chances of their website and/or app being compliant with the relevant privacy regulations while using GA4.
The General Data Protection Regulation –GDPR– is a comprehensive set of regulations introduced in the EU in 2018. It applies to all organizations that process the personal data of individuals in the EU, regardless of where these organizations are based. The key elements of these requirements are transparency, purpose and storage limitations, data minimization, accuracy, security and data subject rights. There are considerable penalties for non-compliance.
What does Google offer in GA4 to ensure GDPR compliance?
GA4 is the latest version of Google’s web analytics platform replacing their Universal Analytics package. One of the reasons for the upgrade (but more accurately, replacement) is improving individuals’ privacy. Besides some technical measures, GA4 offers the platform user greater control of the way collected data is processed, ensuring a higher degree of data subject privacy.
The IP addresses can be anonymized (though not stored or logged), and user-level and event-level data can have a set retention period with automatic deletion at the end of it.
Google has updated its data processing agreements to incorporate the GDPR requirements, including provisions relating to the protection of personal data, and the obligations of the data controller (website owner) and data processor (GA4).
All data from EU users is now collected on servers located within the EU (a marked improvement in GA4 compared to its predecessor), which eliminates the data transfer concerns that directly breached GDPR rules. This improves the security and privacy of EU users’ data, reducing the risk of data breaches and unauthorised access.
What’s more, GA4 provides the tools for data subjects to exercise their rights under the GDPR (to access, correct or delete their personal data).
Ultimately, Google has developed GA4 with privacy by design principles at its core from the outset.
Does the use of GA4 guarantee GDPR compliance then?
Some of your key responsibilities as a GA4 user as a data controller under the GDPR are:
- Having a legal basis for processing: consent or legitimate interest (& communicating this basis to the data subjects).
- Data minimization: only collecting the necessary data for the specific purpose.
- Data security: having appropriate technical and organizational measures to ensure data security (a particular concern if you export any data from GA4).
- Data retention: retaining personal data no longer than necessary for the purpose (GA4 offers the choice of storing data for two or fourteen months for standard properties, and up to 50 months for properties under Analytics360. Any data you export will need to have a set retention period, too).
- Rights of individuals: respecting individuals’ rights to access, rectify and delete their personal data.
Consent, consent, consent…
If you choose not to use IP anonymization or you want to share GA4 data with other Google products, you need to get users’ consent by using a custom cookie banner (widget in apps). While there’s some variation in the cookie consent requirements between countries (even with the EU), the general rule is that you need to get explicit consent for their use on your website or app. Of course, anonymizing IP addresses and especially choosing not to share data with other Google products offers your end user the highest degree of privacy but somewhat limits your tracking analysis.
Another feature of GA4 worth considering is the consent mode. It allows you to modify the behaviour of Google tags on your website or app based on user consent preferences. This can be done when configuring GA4 tags. (Note: for Google’s machine learning powered behavioural modelling to provide insights even with consent mode use, your property must have enough data to train the model. See details here.)
So, what’s the best practice? It is absolutely worthwhile to take your time and ensure you actually put all the key principles of the relevant regulations into practice at the outset, and keep your hand on the pulse as the privacy landscape is everchanging.
I hope you enjoyed this article. We intimately understand the pain points of the modern marketer and have designed CvE to help solve your most complex challenges. Contact us to discover how we can help you upgrade your marketing sophistication.