Google Analytics 4 Privacy Updates: What They Mean For Your Business

Google Analytics 4 Privacy Updates: What They Mean For Your Business

2022 has been a busy year for Google Analytics (GA) in the domain of privacy. In February, the Austrian DPA announced the use of GA in a particular context on an Austrian site was a violation of GDPR. Shortly after, France’s CNIL announced a similar stance for the legality of the platform. Central to both of these opinions was the transfer and storage of EU users’ personal data to the United States and the insufficient protections in place for such a transfer. Many organizations doing business in the EU have been left wondering, is GA still legal to use and how can I configure the platform to best manage compliance risk?

On April 22, Google released additional privacy controls for Google Analytics 4 (GA4) to help address these concerns. Let’s explore each of the updates and what they mean for your business.

Update #1: GA4 Does Not Log IP Addresses

Central to the Austrian DPA’s opinion was the collection of three separate personal identifiers which, in tandem, could allow for the identification of an individual user. One of these, IP Address, was of particular concern. For years, Google has given the ability to anonymize the IP address of the user, a feature which is the default standard for GA4. With this update, GA takes this one step further by not logging individual users’ IP addresses at all. 

The IP address of the user is still initially collected and used for an initial high-level location lookup, but only this location metadata is stored for usage in reporting, not the IP address itself. This processing activity is handled on EU servers for users in the EU so the IP address is never transferred nor stored outside of Europe. 

What This Means

The user’s IP address has always been used primarily for reporting on user location within Google Analytics. With this update, this location data is still available but the processing under the hood should better comply with GDPR requirements and removes a potential compliance risk associated with transferring personal data. 

Update #2: EU Data Is Received and Processed in the EU

Prior to this update, data received from EU users was transferred to servers in the United States for processing. It was this transfer of personal data which has been the basis of GDPR complaints and the recent DPA opinions in Europe. This update helps to address these concerns by only processing EU user data in the EU, thus removing the compliance risk of international transfers. 

What This Means

Compliance concerns with the usage of GA have primarily been centered on the transfer of EU user data for processing in the United States. With this update, the processing in the United States is no longer happening. This should address many of the concerns for the legality of using GA in the EU. 

Update #3: Regional Controls for Google Signals

Google Signals is functionality that allows for additional advertising features as well as data from Google Ads to be included within GA reporting. When Signals is enabled, a Google Ads cookie is referenced and an additional ID is collected which allows for Google to include user data for users who are signed in to a Google service in the same browser with which they are accessing your site. This ID is then used to supplement the data in GA4 with information such as interest groups and demographic data. Signals being enabled also allows for the creation of audience lists in GA4 which can then be used across the Google Ads ecosystem (primarily remarketing lists). When Google Signals is disabled, the additional user data is not included in reporting for those users nor are the users available to be used within audience groups. 

This update allows for regional control to disable Signals for all users accessing the site from a defined region. More information about disabling Google Signals can be found in our complete guide to compliant GA4 tracking

What This Means

This is an operational improvement to allow for the broad disabling of Signals for all users in a particular region. For many organizations there are specific countries in the EU where the standard is for Signals to be disabled. This update allows for this to be accomplished in a more straightforward manner.

It is important to note that when Signals is disabled, remarketing is not available for the disabled regions. Cross-device and EVC modeling volume is also significantly reduced for disabled regions and downstream conversion modeling and reporting in linked Google Ads accounts will be impacted.

Update #4: Regional Controls for the Collection of Granular Location and Device Data

A concern of some compliance teams has been the collection of device and location data for EU users. This update allows for the disabling of the collection for some previously automatic location and device parameters. The data points that will no longer be collected are:

  • City
  • Latitude (of city)
  • Longitude (of city)
  • Browser minor version
  • Browser User-Agent string
  • Device brand
  • Device model
  • Device name
  • Operating system minor version
  • Platform minor version
  • Screen resolution

The new controls allow for the disabling of this collection in defined regions. 

What This Means

Disabling the collection of granular device and location data can help to reduce the compliance risk associated with the collection of disparate data points which can be used in aggregate to identify a user. While GA is not fingerprinting users in this way, risks with downstream identification using this data can be reduced by never collecting it. Some user reporting in GA4 will be impacted as device and location reports rely on these metrics. 

Also important to note that modeled-conversion volume will be significantly reduced for any disabled regions. Downstream conversion modeling and reporting in linked Google Ads and Search Ads 360 accounts will also be impacted.

Final Thoughts

Taken all together, these additional privacy controls are a big step forward in reducing the compliance risk associated with the use of GA4. By giving more control to organizations using the platform, choices can be made to best align with the privacy principles of each company. The update to process the data from EU users only within the EU should also address many of the recent complaints about the usage of GA4 from DPAs across Europe. 

Do you have questions about data governance and privacy?

We're here to help when you need us.
Facebook
Twitter
LinkedIn
Email

Other Articles You Will Enjoy

Firebase Tools & Features: Cloud Messaging

Firebase Tools & Features: Cloud Messaging

What Is Firebase? Firebase is Google’s Backend-as-a-Service (Baas) solution for mobile app development. Originally it was developed and launched in 2011 by Firebase Inc,…

5 Benefits of Using Google Firebase

5 Benefits of Using Google Firebase

What Is Firebase? Firebase is Google’s Backend-as-a-Service (BAAS) solution for mobile app development. Originally, it was developed and launched in 2011 by Firebase Inc….

What’s the Best Way to Extract Google Analytics Data?

What’s the Best Way to Extract Google Analytics Data?

It’s true: there are many ways to extract data from Google Analytics (Universal Analytics) into other platforms to create ad-hoc analysis, dashboards, data science…

Firebase Tools & Features: In-App Messaging

Firebase Tools & Features: In-App Messaging

What Is Firebase? Firebase is Google’s Backend-as-a-Service (Baas) solution for mobile app development. Originally developed and launched in 2011 by Firebase Inc, it was…

Google Analytics 4, Privacy Centricity, and Compliance: Aligning Teams

Google Analytics 4, Privacy Centricity, and Compliance: Aligning Teams

As marketers have been challenged to ensure the transition to durability is pacing with the depreciation of Universal Analytics, the best-in-class realize that these…

5 Things to Know about Google Analytics 4 Enterprise Pricing

5 Things to Know about Google Analytics 4 Enterprise Pricing

So your organization is considering the move to the Google Analytics 4 (GA4) version of Analytics 360, but there are still some lingering questions…

Privacy-Centric Google Analytics 4: Consent and Opt-Out Configuration

Privacy-Centric Google Analytics 4: Consent and Opt-Out Configuration

Configuration requirements for data collection have never been more confusing. Differing EU laws, patchwork privacy in the United States, differing feature support based upon…

How to Migrate Universal Analytics Events to Google Analytics 4

How to Migrate Universal Analytics Events to Google Analytics 4

With the latest Google announcement about sunsetting Universal Analytics (UA) in the second half of 2023 (effective July 1 but there will be an…

3 Reasons You Can’t Trust Automatic Tracking in Google Analytics 4

3 Reasons You Can’t Trust Automatic Tracking in Google Analytics 4

Google Analytics 4 (GA4) has added many new features. One of the most important is called “Enhanced Measurement”. This will automatically track offsite links,…

Get Your Assessment

  • This field is for validation purposes and should be left unchanged.

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Our website uses cookies and may collect user information to provide a good experience. Read our Privacy Policy here.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.