Countless organisations have for many years been using Google Analytics (GA) to provide visitor usage statistics for their websites. GA enables website owners to monitor users’ activities in real time and analyse historical data. Google Analytics was revolutionary, not only because it is free to use, but also because it provides the visibility required to optimise website content and marketing, and really understand the degree to which a website is reaching its intended audience. The use of GA has, however, attracted attention since the GDPR came into force in 2018, and this has brought to light some major concerns with Google’s compliance with the legislation. This was highlighted by the recent decision made by the Austrian Data Protection Authority in January of this year. The Authority concluded that the use of GA violated the cross-border transfer mechanisms of the GDPR, and violated the decision made in the Schrems II ruling. This decision was subsequently echoed by the French Data Protection Authority, CNIL, and the Danish Data Protection Authority.
As of the time of writing, Google has not addressed these violations; rather, they have focused on the roll-out of a new analytics tool altogether, Google Analytics 4 (GA4), that could address privacy concerns. This is set to replace the current Google Universal Analytics (GUA). All current users of GUA will need to migrate over to Google Analytics 4 by the 1st of July 2023, as from this date onward, GUA will cease to record new website activity.
The most notable change we will see with the release of GA4 is the combination of data sources into one single view so users on multiple devices will be seen as one user. For example, mobile apps and web browsing will be viewed as one.
Another key development is that GA4 will no longer support the analysis of real-time data monitoring and will switch from a sessions-based model to an event-based model. Real-time tracking will be limited to a user’s last 30 minutes at best. There will be no option to have pre-produced real-time reports; users will need to build their own functionality for this. GA4 has the ability to add CRM-generated User IDs, which in turn become the default identifier.
As of 1 July 2023, GUA will no longer be functional or an option for use. Organisations will therefore be force-fed into GA4. Any historical data held within GUA properties will be deleted six months after this date.
GA4 only stores up to fourteen months’ worth of historical data, meaning organisations will likely need to export data to ensure they can compare and contrast. There is currently no way to migrate data from GUA to GA4. This means there will be a loss of historical data. Even if Google present an option to dual-tag sometime in the near future, GA4 users will not be able to access data from more than a year ago. As GA4 is an entirely new product with different architecture, users cannot import GUA historical data because the data tables don’t marry up.
The new GA4 looks to have considered and improved Google’s compliance with the GDPR, although it is worth noting that this is yet to be verified, as the EU’s original decision was based on the use of GUA. Some of the considerations are:
Privacy by design
The intention of GA4 is to adopt a privacy by design approach. The new privacy features that are embedded into GA4 include the anonymisation of IP addresses. This feature is set as default and cannot be amended by users. This ultimately means GA4 will not store or transfer any IP address of the users it tracks.
GA4’s service terms do not permit users to collect ‘Personally Identifiable Information’ (PII)* and they state the collection of PII is considered a violation of such terms. However, there is no technical restriction for that. PII includes, but is not limited to, the collection of email addresses, phone numbers, device IDs and other identification numbers.
The consent mode has been modified to allow users/organisations to configure GA4 tags, which in essence ensures that tracking responds appropriately to the users’ consent preferences.
*Google refers to PII, as PII is the American understanding of personal data. The GDPR’s definition of personal data is much broader. GDPR considers device IDs, cookies, and IP addresses to be personal data. However, the definition of PII does not consider these to be PII, as they are anonymous and cannot be used on their own to identify an individual.
Data storage has been significantly reduced to anywhere between two and fourteen months. The user/organisation has control over how long data is retained, depending on their processing activities.
As with GUA, GA4 will still continue to use data centres based in the US. The user does not have the ability to choose a different data centre location. Therefore, organisations need to consider the implications and ensure they have the necessary measures in place to provide for an international data transfer.
GA4 allows users the option to share data with other Google products such as Google Ads. Therefore, it is imperative users/organisations consider privacy laws and the requirements to comply before sharing data with other Google platforms.
Finally, GA4 has the capability of providing a user explorer report. This gives organisations the ability to differentiate between users and therefore the functionality to delete a user if required. As Google advise they do not allow users to collect personal information, it is unclear how GA4 can identify these users to differentiate and subsequently enable the deletion of said data. It is an assumption that the user can be identified by a Device ID and data from another source.
Organisations should consider the following when GA4 is implemented:
One of the main problems that organisations will face is there is no option but to migrate to the new GA4 platform – unless a new analytics platform is found and used. It is also not very clear how Google Analytics 4 solves the privacy concerns that have been raised. It is also unclear if Google Analytics 4 does collect PII/personal data. Google has made it clear that they have prohibited the collection and processing of this type of data, but they have technically allowed it. This is demonstrated with reference to data sharing with other Google products.
Google have said that if the correct settings are in place, then technically there can be no collection of personal data (or PII in Google’s terms). For example, if the user has the following measures in place:
In summary, Google will need to provide further information on the collection of personal data to ensure users have a better understanding. The considerations Google have made may limit some of the privacy risks; however, we do not expect that all of the concerns have been removed.