Google Analytics 4 Privacy Updates: What They Mean For Your Business

Google Analytics 4 Privacy Updates: What They Mean For Your Business
Estimated Reading Time: 6 minutes

2022 has been a busy year for Google Analytics (GA) in the domain of privacy. In February, the Austrian DPA announced the use of GA in a particular context on an Austrian site was a violation of GDPR. Shortly after, France’s CNIL announced a similar stance for the legality of the platform. Central to both of these opinions was the transfer and storage of EU users’ personal data to the United States and the insufficient protections in place for such a transfer. Many organizations doing business in the EU have been left wondering, is GA still legal to use and how can I configure the platform to best manage compliance risk?

On April 22, Google released additional privacy controls for Google Analytics 4 (GA4) to help address these concerns. Let’s explore each of the updates and what they mean for your business.

Update #1: GA4 Does Not Log IP Addresses

Central to the Austrian DPA’s opinion was the collection of three separate personal identifiers which, in tandem, could allow for the identification of an individual user. One of these, IP Address, was of particular concern. For years, Google has given the ability to anonymize the IP address of the user, a feature which is the default standard for GA4. With this update, GA takes this one step further by not logging individual users’ IP addresses at all. 

The IP address of the user is still initially collected and used for an initial high-level location lookup, but only this location metadata is stored for usage in reporting, not the IP address itself. This processing activity is handled on EU servers for users in the EU so the IP address is never transferred nor stored outside of Europe. 

What This Means

The user’s IP address has always been used primarily for reporting on user location within Google Analytics. With this update, this location data is still available but the processing under the hood should better comply with GDPR requirements and removes a potential compliance risk associated with transferring personal data. 

Update #2: EU Data Is Received and Processed in the EU

Prior to this update, data received from EU users was transferred to servers in the United States for processing. It was this transfer of personal data which has been the basis of GDPR complaints and the recent DPA opinions in Europe. This update helps to address these concerns by only processing EU user data in the EU, thus removing the compliance risk of international transfers. 

What This Means

Compliance concerns with the usage of GA have primarily been centered on the transfer of EU user data for processing in the United States. With this update, the processing in the United States is no longer happening. This should address many of the concerns for the legality of using GA in the EU. 

Update #3: Regional Controls for Google Signals

Google Signals is functionality that allows for additional advertising features as well as data from Google Ads to be included within GA reporting. When Signals is enabled, a Google Ads cookie is referenced and an additional ID is collected which allows for Google to include user data for users who are signed in to a Google service in the same browser with which they are accessing your site. This ID is then used to supplement the data in GA4 with information such as interest groups and demographic data. Signals being enabled also allows for the creation of audience lists in GA4 which can then be used across the Google Ads ecosystem (primarily remarketing lists). When Google Signals is disabled, the additional user data is not included in reporting for those users nor are the users available to be used within audience groups. 

This update allows for regional control to disable Signals for all users accessing the site from a defined region. More information about disabling Google Signals can be found in our complete guide to compliant GA4 tracking. 

What This Means

This is an operational improvement to allow for the broad disabling of Signals for all users in a particular region. For many organizations there are specific countries in the EU where the standard is for Signals to be disabled. This update allows for this to be accomplished in a more straightforward manner.

It is important to note that when Signals is disabled, remarketing is not available for the disabled regions. Cross-device and EVC modeling volume is also significantly reduced for disabled regions and downstream conversion modeling and reporting in linked Google Ads accounts will be impacted.

Update #4: Regional Controls for the Collection of Granular Location and Device Data

A concern of some compliance teams has been the collection of device and location data for EU users. This update allows for the disabling of the collection for some previously automatic location and device parameters. The data points that will no longer be collected are:

  • City
  • Latitude (of city)
  • Longitude (of city)
  • Browser minor version
  • Browser User-Agent string
  • Device brand
  • Device model
  • Device name
  • Operating system minor version
  • Platform minor version
  • Screen resolution

The new controls allow for the disabling of this collection in defined regions. 

What This Means

Disabling the collection of granular device and location data can help to reduce the compliance risk associated with the collection of disparate data points which can be used in aggregate to identify a user. While GA is not fingerprinting users in this way, risks with downstream identification using this data can be reduced by never collecting it. Some user reporting in GA4 will be impacted as device and location reports rely on these metrics. 

Also important to note that modeled-conversion volume will be significantly reduced for any disabled regions. Downstream conversion modeling and reporting in linked Google Ads and Search Ads 360 accounts will also be impacted.

Final Thoughts

Taken all together, these additional privacy controls are a big step forward in reducing the compliance risk associated with the use of GA4. By giving more control to organizations using the platform, choices can be made to best align with the privacy principles of each company. The update to process the data from EU users only within the EU should also address many of the recent complaints about the usage of GA4 from DPAs across Europe. 

Do you have questions about data governance and privacy?

We're here to help when you need us.
Facebook
Twitter
LinkedIn
Email
Originally Published: May 9, 2022
January 17, 2023

Other Articles You Will Enjoy

Setting Up Google Analytics 4: A Step-by-Step Guide for Beginners

Setting Up Google Analytics 4: A Step-by-Step Guide for Beginners

In the digital age, data plays a crucial role in decision-making for businesses. Google Analytics 4 (GA4) is a powerful tool that enables website…

3-minute read
Maximizing Data Accuracy: How to Implement Referral Exclusion in Google Analytics 4

Maximizing Data Accuracy: How to Implement Referral Exclusion in Google Analytics 4

Introduction In the world of digital analytics, accurate and reliable data is crucial for understanding user behavior, optimizing marketing strategies, and driving business growth. …

4-minute read
Exporting Your Google Analytics 4 Data: File Download vs Google Analytics Data API (GA4) vs BigQuery Export

Exporting Your Google Analytics 4 Data: File Download vs Google Analytics Data API (GA4) vs BigQuery Export

As Google Analytics 4 (GA4) users continue to build out reporting and analytics assets, leveraging the correct product is key to ensuring success. There…

8-minute read
Best Practices for Defining and Using Event Parameters in Google Analytics 4

Best Practices for Defining and Using Event Parameters in Google Analytics 4

Introduction Google Analytics 4 (GA4) has introduced a new way to track and measure user interactions on your website or app. Instead of events…

5-minute read
Google Analytics 4 Privacy Fundamentals: Executing DSAR and Deletion Requests

Google Analytics 4 Privacy Fundamentals: Executing DSAR and Deletion Requests

Organizations across the globe are facing an influx of new requirements related to privacy legislation. While regulations vary significantly from one region to another,…

6-minute read
Google Analytics 4 Explore Reports: Spilling the Tea on How to Set Yourself Up for Success in Google Analytics 4

Google Analytics 4 Explore Reports: Spilling the Tea on How to Set Yourself Up for Success in Google Analytics 4

As more users continue to access and leverage Google Analytics 4 (GA4) reporting features, there seems to be one question that is living rent…

16-minute read
Cross-Device Tracking in Google Analytics 4: How to Identify Users Across Multiples Devices

Cross-Device Tracking in Google Analytics 4: How to Identify Users Across Multiples Devices

Google introduced a new and improved way of tracking the user journey across multiple devices in Google Analytics 4 (GA4). In other words, cross-device…

5-minute read
How to Use Data Exploration Reports in Google Analytics 4 to Uncover Hidden Insights and Opportunities

How to Use Data Exploration Reports in Google Analytics 4 to Uncover Hidden Insights and Opportunities

Introduction Now that we have migrated away from Universal Analytics, you may be wondering to yourself, “How can I use Google Analytics 4 (GA4)…

7-minute read
Navigating the Shift: Understanding the Impacts of Transitioning from Universal Analytics to Google Analytics 4

Navigating the Shift: Understanding the Impacts of Transitioning from Universal Analytics to Google Analytics 4

2022 marked a significant shift in the digital analytics landscape. Google announced that Universal Analytics would stop processing hits in July 2023 (July 2024…

3-minute read

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ option.name }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.