Google Analytics 4 Privacy Updates: What They Mean For Your Business

Google Analytics 4 Privacy Updates: What They Mean For Your Business
Estimated Reading Time: 6 minutes

2022 has been a busy year for Google Analytics (GA) in the domain of privacy. In February, the Austrian DPA announced the use of GA in a particular context on an Austrian site was a violation of GDPR. Shortly after, France’s CNIL announced a similar stance for the legality of the platform. Central to both of these opinions was the transfer and storage of EU users’ personal data to the United States and the insufficient protections in place for such a transfer. Many organizations doing business in the EU have been left wondering, is GA still legal to use and how can I configure the platform to best manage compliance risk?

On April 22, Google released additional privacy controls for Google Analytics 4 (GA4) to help address these concerns. Let’s explore each of the updates and what they mean for your business.

Update #1: GA4 Does Not Log IP Addresses

Central to the Austrian DPA’s opinion was the collection of three separate personal identifiers which, in tandem, could allow for the identification of an individual user. One of these, IP Address, was of particular concern. For years, Google has given the ability to anonymize the IP address of the user, a feature which is the default standard for GA4. With this update, GA takes this one step further by not logging individual users’ IP addresses at all. 

The IP address of the user is still initially collected and used for an initial high-level location lookup, but only this location metadata is stored for usage in reporting, not the IP address itself. This processing activity is handled on EU servers for users in the EU so the IP address is never transferred nor stored outside of Europe. 

What This Means

The user’s IP address has always been used primarily for reporting on user location within Google Analytics. With this update, this location data is still available but the processing under the hood should better comply with GDPR requirements and removes a potential compliance risk associated with transferring personal data. 

Update #2: EU Data Is Received and Processed in the EU

Prior to this update, data received from EU users was transferred to servers in the United States for processing. It was this transfer of personal data which has been the basis of GDPR complaints and the recent DPA opinions in Europe. This update helps to address these concerns by only processing EU user data in the EU, thus removing the compliance risk of international transfers. 

What This Means

Compliance concerns with the usage of GA have primarily been centered on the transfer of EU user data for processing in the United States. With this update, the processing in the United States is no longer happening. This should address many of the concerns for the legality of using GA in the EU. 

Update #3: Regional Controls for Google Signals

Google Signals is functionality that allows for additional advertising features as well as data from Google Ads to be included within GA reporting. When Signals is enabled, a Google Ads cookie is referenced and an additional ID is collected which allows for Google to include user data for users who are signed in to a Google service in the same browser with which they are accessing your site. This ID is then used to supplement the data in GA4 with information such as interest groups and demographic data. Signals being enabled also allows for the creation of audience lists in GA4 which can then be used across the Google Ads ecosystem (primarily remarketing lists). When Google Signals is disabled, the additional user data is not included in reporting for those users nor are the users available to be used within audience groups. 

This update allows for regional control to disable Signals for all users accessing the site from a defined region. More information about disabling Google Signals can be found in our complete guide to compliant GA4 tracking

What This Means

This is an operational improvement to allow for the broad disabling of Signals for all users in a particular region. For many organizations there are specific countries in the EU where the standard is for Signals to be disabled. This update allows for this to be accomplished in a more straightforward manner.

It is important to note that when Signals is disabled, remarketing is not available for the disabled regions. Cross-device and EVC modeling volume is also significantly reduced for disabled regions and downstream conversion modeling and reporting in linked Google Ads accounts will be impacted.

Update #4: Regional Controls for the Collection of Granular Location and Device Data

A concern of some compliance teams has been the collection of device and location data for EU users. This update allows for the disabling of the collection for some previously automatic location and device parameters. The data points that will no longer be collected are:

  • City
  • Latitude (of city)
  • Longitude (of city)
  • Browser minor version
  • Browser User-Agent string
  • Device brand
  • Device model
  • Device name
  • Operating system minor version
  • Platform minor version
  • Screen resolution

The new controls allow for the disabling of this collection in defined regions. 

What This Means

Disabling the collection of granular device and location data can help to reduce the compliance risk associated with the collection of disparate data points which can be used in aggregate to identify a user. While GA is not fingerprinting users in this way, risks with downstream identification using this data can be reduced by never collecting it. Some user reporting in GA4 will be impacted as device and location reports rely on these metrics. 

Also important to note that modeled-conversion volume will be significantly reduced for any disabled regions. Downstream conversion modeling and reporting in linked Google Ads and Search Ads 360 accounts will also be impacted.

Final Thoughts

Taken all together, these additional privacy controls are a big step forward in reducing the compliance risk associated with the use of GA4. By giving more control to organizations using the platform, choices can be made to best align with the privacy principles of each company. The update to process the data from EU users only within the EU should also address many of the recent complaints about the usage of GA4 from DPAs across Europe. 

Do you have questions about data governance and privacy?

We're here to help when you need us.
Facebook
Twitter
LinkedIn
Email
Last Updated: May 9, 2022

Other Articles You Will Enjoy

Recreating Core Universal Analytics Reports in Google Analytics 4: Top Acquisition Reports

Recreating Core Universal Analytics Reports in Google Analytics 4: Top Acquisition Reports

Introduction As the martech world begins preparing for our cookieless, privacy-centric future, Google has responded with their own platform updates to address consumer concerns…

8-minute read
How to Prepare Your Analytics for a Prosperous Holiday Season

How to Prepare Your Analytics for a Prosperous Holiday Season

For retailers, the holiday season is make-or-break. This time of year can account for a significant portion of annual sales, so it’s crucial that…

8-minute read
Firebase Tools & Features: Cloud Messaging

Firebase Tools & Features: Cloud Messaging

What Is Firebase? Firebase is Google’s Backend-as-a-Service (Baas) solution for mobile app development. Originally it was developed and launched in 2011 by Firebase Inc,…

5-minute read
Setting Up Goals in Google Analytics 4

Setting Up Goals in Google Analytics 4

Google Analytics 4 (GA4) has introduced a new way to set goals and conversions. Instead of needing to build out a goal as was…

4-minute read
Analytics 360 (GA4 Version) vs. Adobe Analytics: Differences, Improvements, and Privacy Compliance

Analytics 360 (GA4 Version) vs. Adobe Analytics: Differences, Improvements, and Privacy Compliance

Overview This article covers the newly launched web analytics platform by Google, Google Analytics 4 (GA4), and its comparison, similarities, and improvements compared to…

7-minute read
Recreating Core Universal Analytics Reports in Google Analytics 4: Top Audience Reports

Recreating Core Universal Analytics Reports in Google Analytics 4: Top Audience Reports

Introduction As the martech world begins preparing for our cookieless, privacy-centric future, Google has responded with their own platform updates to address consumer concerns…

5-minute read
Recreating Core Universal Analytics Reports in Google Analytics 4: Top Conversion Reports

Recreating Core Universal Analytics Reports in Google Analytics 4: Top Conversion Reports

Introduction As the martech world begins preparing for our cookieless, privacy-centric future, Google has responded with their own platform updates to address consumer concerns…

6-minute read
3 Ways to Ensure Your Tag Events Are Firing Correctly

3 Ways to Ensure Your Tag Events Are Firing Correctly

Tags can be tricky and simple at the same time. The concept behind the Universal Analytics (UA) event tags are simple. Three values are…

5-minute read
Google Analytics 4 Reporting: Troubleshooting Potential Errors

Google Analytics 4 Reporting: Troubleshooting Potential Errors

How Do I Troubleshoot Potential Errors? Google Analytics 4 (GA4) has made numerous improvements over time. However, with any new tool and releases, we’re…

3-minute read

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ option.name }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.