Google Analytics 4 Privacy Updates: What They Mean For Your Business

Google Analytics 4 Privacy Updates: What They Mean For Your Business
Estimated Reading Time: 6 minutes

2022 has been a busy year for Google Analytics (GA) in the domain of privacy. In February, the Austrian DPA announced the use of GA in a particular context on an Austrian site was a violation of GDPR. Shortly after, France’s CNIL announced a similar stance for the legality of the platform. Central to both of these opinions was the transfer and storage of EU users’ personal data to the United States and the insufficient protections in place for such a transfer. Many organizations doing business in the EU have been left wondering, is GA still legal to use and how can I configure the platform to best manage compliance risk?

On April 22, Google released additional privacy controls for Google Analytics 4 (GA4) to help address these concerns. Let’s explore each of the updates and what they mean for your business.

Update #1: GA4 Does Not Log IP Addresses

Central to the Austrian DPA’s opinion was the collection of three separate personal identifiers which, in tandem, could allow for the identification of an individual user. One of these, IP Address, was of particular concern. For years, Google has given the ability to anonymize the IP address of the user, a feature which is the default standard for GA4. With this update, GA takes this one step further by not logging individual users’ IP addresses at all. 

The IP address of the user is still initially collected and used for an initial high-level location lookup, but only this location metadata is stored for usage in reporting, not the IP address itself. This processing activity is handled on EU servers for users in the EU so the IP address is never transferred nor stored outside of Europe. 

What This Means

The user’s IP address has always been used primarily for reporting on user location within Google Analytics. With this update, this location data is still available but the processing under the hood should better comply with GDPR requirements and removes a potential compliance risk associated with transferring personal data. 

Update #2: EU Data Is Received and Processed in the EU

Prior to this update, data received from EU users was transferred to servers in the United States for processing. It was this transfer of personal data which has been the basis of GDPR complaints and the recent DPA opinions in Europe. This update helps to address these concerns by only processing EU user data in the EU, thus removing the compliance risk of international transfers. 

What This Means

Compliance concerns with the usage of GA have primarily been centered on the transfer of EU user data for processing in the United States. With this update, the processing in the United States is no longer happening. This should address many of the concerns for the legality of using GA in the EU. 

Update #3: Regional Controls for Google Signals

Google Signals is functionality that allows for additional advertising features as well as data from Google Ads to be included within GA reporting. When Signals is enabled, a Google Ads cookie is referenced and an additional ID is collected which allows for Google to include user data for users who are signed in to a Google service in the same browser with which they are accessing your site. This ID is then used to supplement the data in GA4 with information such as interest groups and demographic data. Signals being enabled also allows for the creation of audience lists in GA4 which can then be used across the Google Ads ecosystem (primarily remarketing lists). When Google Signals is disabled, the additional user data is not included in reporting for those users nor are the users available to be used within audience groups. 

This update allows for regional control to disable Signals for all users accessing the site from a defined region. More information about disabling Google Signals can be found in our complete guide to compliant GA4 tracking

What This Means

This is an operational improvement to allow for the broad disabling of Signals for all users in a particular region. For many organizations there are specific countries in the EU where the standard is for Signals to be disabled. This update allows for this to be accomplished in a more straightforward manner.

It is important to note that when Signals is disabled, remarketing is not available for the disabled regions. Cross-device and EVC modeling volume is also significantly reduced for disabled regions and downstream conversion modeling and reporting in linked Google Ads accounts will be impacted.

Update #4: Regional Controls for the Collection of Granular Location and Device Data

A concern of some compliance teams has been the collection of device and location data for EU users. This update allows for the disabling of the collection for some previously automatic location and device parameters. The data points that will no longer be collected are:

  • City
  • Latitude (of city)
  • Longitude (of city)
  • Browser minor version
  • Browser User-Agent string
  • Device brand
  • Device model
  • Device name
  • Operating system minor version
  • Platform minor version
  • Screen resolution

The new controls allow for the disabling of this collection in defined regions. 

What This Means

Disabling the collection of granular device and location data can help to reduce the compliance risk associated with the collection of disparate data points which can be used in aggregate to identify a user. While GA is not fingerprinting users in this way, risks with downstream identification using this data can be reduced by never collecting it. Some user reporting in GA4 will be impacted as device and location reports rely on these metrics. 

Also important to note that modeled-conversion volume will be significantly reduced for any disabled regions. Downstream conversion modeling and reporting in linked Google Ads and Search Ads 360 accounts will also be impacted.

Final Thoughts

Taken all together, these additional privacy controls are a big step forward in reducing the compliance risk associated with the use of GA4. By giving more control to organizations using the platform, choices can be made to best align with the privacy principles of each company. The update to process the data from EU users only within the EU should also address many of the recent complaints about the usage of GA4 from DPAs across Europe. 

Do you have questions about data governance and privacy?

We're here to help when you need us.
Facebook
Twitter
LinkedIn
Email
Last Updated: January 17, 2023

Other Articles You Will Enjoy

How To Fix Multiple Payment Method Issues In Google Analytics

How To Fix Multiple Payment Method Issues In Google Analytics

Most online businesses, including eCommerce, accept payment online using multiple payment methods. These payment methods may include PayPal, card payment, Stripe, etc. This is…

5-minute read
Better Conversion Data with Looker Studio

Better Conversion Data with Looker Studio

Conversion rates are a simple percentage of “how many people visited my website vs. how many people fulfilled the site’s objective?” As kids, that…

8-minute read
Considerations When Migrating from Adobe Analytics to Google Analytics 4

Considerations When Migrating from Adobe Analytics to Google Analytics 4

Migrating from one analytics platform to another can be compared to moving from one house to another. Just like how you carefully plan and…

11-minute read
Google Signals in Google Analytics 4 and How It Impacts Your Audience Strategy

Google Signals in Google Analytics 4 and How It Impacts Your Audience Strategy

About Google Signals Google Signals is an analytics feature provided by Google that enables cross-device reporting and remarketing. Integrated with Google Analytics, Signals helps…

9-minute read
Sessions in Google Analytics 4: What Are They and Where Can You Find Them?

Sessions in Google Analytics 4: What Are They and Where Can You Find Them?

As we enter the new year, we are getting closer to welcoming Google Analytics 4 (GA4) as the replacement to our beloved Universal Analytics…

5-minute read
Overview of Audiences in Google Analytics 4

Overview of Audiences in Google Analytics 4

As a website owner or digital marketer, it’s crucial to understand your website visitors’ behavior to make informed decisions. That’s where audience overview in…

3-minute read
What Do Media Companies Need to Know about Google Analytics 4?

What Do Media Companies Need to Know about Google Analytics 4?

So we all know that Google Analytics 4 is coming and coming fast. And we know if you use Google Analytics that you will…

6-minute read
What Happened to Views and Filters in Google Analytics 4?

What Happened to Views and Filters in Google Analytics 4?

For years, Google Analytics has been known for its simple hierarchy of Account > Property > View. If you took a Google Analytics Academy…

10-minute read
Google Releases A/B Testing Partners to Replace Google Optimize at Sunset

Google Releases A/B Testing Partners to Replace Google Optimize at Sunset

As Google continues on the path towards creating a better overall experience for experiments in Google Analytics 4 (GA4), they recently announced more news…

2-minute read

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ option.name }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.