Share on facebook
Share on twitter
Share on linkedin
Share on email

Google Analytics 4 Privacy Updates: What They Mean For Your Business

Google Analytics 4 Privacy Updates: What They Mean For Your Business

2022 has been a busy year for Google Analytics (GA) in the domain of privacy. In February, the Austrian DPA announced the use of GA in a particular context on an Austrian site was a violation of GDPR. Shortly after, France’s CNIL announced a similar stance for the legality of the platform. Central to both of these opinions was the transfer and storage of EU users’ personal data to the United States and the insufficient protections in place for such a transfer. Many organizations doing business in the EU have been left wondering, is GA still legal to use and how can I configure the platform to best manage compliance risk?

On April 22, Google released additional privacy controls for Google Analytics 4 (GA4) to help address these concerns. Let’s explore each of the updates and what they mean for your business.

Update #1: GA4 Does Not Log IP Addresses

Central to the Austrian DPA’s opinion was the collection of three separate personal identifiers which, in tandem, could allow for the identification of an individual user. One of these, IP Address, was of particular concern. For years, Google has given the ability to anonymize the IP address of the user, a feature which is the default standard for GA4. With this update, GA takes this one step further by not logging individual users’ IP addresses at all. 

The IP address of the user is still initially collected and used for an initial high-level location lookup, but only this location metadata is stored for usage in reporting, not the IP address itself. This processing activity is handled on EU servers for users in the EU so the IP address is never transferred nor stored outside of Europe. 

What This Means

The user’s IP address has always been used primarily for reporting on user location within Google Analytics. With this update, this location data is still available but the processing under the hood should better comply with GDPR requirements and removes a potential compliance risk associated with transferring personal data. 

Update #2: EU Data Is Received and Processed in the EU

Prior to this update, data received from EU users was transferred to servers in the United States for processing. It was this transfer of personal data which has been the basis of GDPR complaints and the recent DPA opinions in Europe. This update helps to address these concerns by only processing EU user data in the EU, thus removing the compliance risk of international transfers. 

What This Means

Compliance concerns with the usage of GA have primarily been centered on the transfer of EU user data for processing in the United States. With this update, the processing in the United States is no longer happening. This should address many of the concerns for the legality of using GA in the EU. 

Update #3: Regional Controls for Google Signals

Google Signals is functionality that allows for additional advertising features as well as data from Google Ads to be included within GA reporting. When Signals is enabled, a Google Ads cookie is referenced and an additional ID is collected which allows for Google to include user data for users who are signed in to a Google service in the same browser with which they are accessing your site. This ID is then used to supplement the data in GA4 with information such as interest groups and demographic data. Signals being enabled also allows for the creation of audience lists in GA4 which can then be used across the Google Ads ecosystem (primarily remarketing lists). When Google Signals is disabled, the additional user data is not included in reporting for those users nor are the users available to be used within audience groups. 

This update allows for regional control to disable Signals for all users accessing the site from a defined region. More information about disabling Google Signals can be found in our complete guide to compliant GA4 tracking

What This Means

This is an operational improvement to allow for the broad disabling of Signals for all users in a particular region. For many organizations there are specific countries in the EU where the standard is for Signals to be disabled. This update allows for this to be accomplished in a more straightforward manner.

It is important to note that when Signals is disabled, remarketing is not available for the disabled regions. Cross-device and EVC modeling volume is also significantly reduced for disabled regions and downstream conversion modeling and reporting in linked Google Ads accounts will be impacted.

Update #4: Regional Controls for the Collection of Granular Location and Device Data

A concern of some compliance teams has been the collection of device and location data for EU users. This update allows for the disabling of the collection for some previously automatic location and device parameters. The data points that will no longer be collected are:

  • City
  • Latitude (of city)
  • Longitude (of city)
  • Browser minor version
  • Browser User-Agent string
  • Device brand
  • Device model
  • Device name
  • Operating system minor version
  • Platform minor version
  • Screen resolution

The new controls allow for the disabling of this collection in defined regions. 

What This Means

Disabling the collection of granular device and location data can help to reduce the compliance risk associated with the collection of disparate data points which can be used in aggregate to identify a user. While GA is not fingerprinting users in this way, risks with downstream identification using this data can be reduced by never collecting it. Some user reporting in GA4 will be impacted as device and location reports rely on these metrics. 

Also important to note that modeled-conversion volume will be significantly reduced for any disabled regions. Downstream conversion modeling and reporting in linked Google Ads and Search Ads 360 accounts will also be impacted.

Final Thoughts

Taken all together, these additional privacy controls are a big step forward in reducing the compliance risk associated with the use of GA4. By giving more control to organizations using the platform, choices can be made to best align with the privacy principles of each company. The update to process the data from EU users only within the EU should also address many of the recent complaints about the usage of GA4 from DPAs across Europe. 

Do you have questions about data governance and privacy?

We're here to help when you need us.
Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on email
Email

Other Articles You Will Enjoy

What I Learned about Digital Analytics from Buying a House

What I Learned about Digital Analytics from Buying a House

I honestly wasn’t sure if I could even buy a house, especially since I didn’t know where to begin—but to my surprise, my career…

Back to Basics: Audit and Implementation

Back to Basics: Audit and Implementation

Wondering what an audit and implementation is or why you should consider conducting one for your organization? Today, we’re going back to the basics…

All About Firebase Dynamic Links – Manage Your Mobile App Campaigns Better

All About Firebase Dynamic Links – Manage Your Mobile App Campaigns Better

The Challenge: Why Do We Need Dynamic Links? With hardware and technology advancement, our leads and customers are consuming content faster with each passing…

Top Things to Know from InfoTrust + Google’s Virtual Crypto, Finance, and Insurance Summit

Top Things to Know from InfoTrust + Google’s Virtual Crypto, Finance, and Insurance Summit

Financial services make up one of the economy’s most important and influential sectors today and the need for established data governance and analytics practices…

Is Google Analytics Illegal? Part Deux

Is Google Analytics Illegal? Part Deux

**Important – This is not legal counsel, the materials provided are for informational purposes only and not for the purpose of providing legal advice….

Google Analytics 4 Update: February 2022 – InfoTrust’s Strategic Approach & Recommendations

Google Analytics 4 Update: February 2022 – InfoTrust’s Strategic Approach & Recommendations

Introduction Google Analytics 4 (GA4) is a new iteration not only of Google Analytics (GA) as a tool, but also as a way of…

Don’t Just Measure Data … Understand Your Consumers: Top Things to Know from InfoTrust + Google’s Virtual Retail Summit

Don’t Just Measure Data … Understand Your Consumers: Top Things to Know from InfoTrust + Google’s Virtual Retail Summit

Retail marketers and analytics professionals across the globe face a unique set of daily challenges. As a leader in the retail/eCommerce space (with partnerships…

Cookieless Tracking: What It Is and How It Will Optimize Your Marketing Analytics Strategy

Cookieless Tracking: What It Is and How It Will Optimize Your Marketing Analytics Strategy

Get the full infographic In today’s increasingly privacy-centric marketing environment, first-party data has never been more important nor more difficult to collect. A recent…

5 Benefits of Using Google Firebase

5 Benefits of Using Google Firebase

What Is Firebase? Firebase is Google’s Backend-as-a-Service (BAAS) solution for mobile app development. Originally, it was developed and launched in 2011 by Firebase Inc….

Get Your Assessment

  • This field is for validation purposes and should be left unchanged.

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Our website uses cookies and may collect user information to provide a good experience. Read our Privacy Policy here.

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.