What is the new GA4 anonymiser and how can it help you?

Google Analytics 4 (GA4) was released on 14 October 2020 and will soon become the default Google Analytics service. On 1 July 2023, Universal Analytics will stop working and GA4 will take its place.

It means that now’s a great time to get to know GA4 and everything it can offer you, if you haven’t already.

GA4 comes with a whole range of improvements and additions that can help you improve your website and content marketing.

For instance, it allows better cross-device tracking so you can track user journeys effectively across several devices. It also offers a much better level of data accuracy, plus machine learning that allows for automatic insights and predictive capabilities.

But arguably GA4’s most important new additions are its updated privacy features, which will help users to comply with data privacy laws, including the General Data Protection Regulation (GDPR). GDPR is an EU law on data privacy and protection. It’s an important part of EU privacy law and even of human rights law, especially Article 8 relating to privacy.

So what exactly do these new privacy features do?

IP anonymisation

If you use the previous version of Google Analytics, a user’s IP address is collected automatically. But since IP addresses are classed as personally identifiable information, this actually breaches GDPR. Anonymising IP addresses is possible in this previous version of Google Analytics, but it has to be done manually, and many people either don’t know how to do it or don’t even realise they need to.

On GA4, however, IP anonymisation is automatic and it cannot be turned off, meaning GA4 will not actually be able to track users. It won’t store IP addresses at all. In terms of GDPR this is the single most important change the new Google Analytics version will bring.

What you need to know about cookie banners

If you use IP anonymisation with GA4 and you don’t share users’ data with other Google products, then you don’t need to get explicit cookie consent from users.

However, if you’re not using IP anonymisation and you then share GA4 data for example with Google Signals or Google Ads, you must obtain users’ consent through having a cookie banner.

If you are going to be sharing data with Google Signals or Google Ads then you also need to add this to your privacy policy.

Other privacy features in GA4

Data storage duration

IP anonymisation isn’t the only privacy-related feature that GA4 brings. It also promises to store general data for a much shorter time period than the previous version of the tool.

While in Universal Analytics, users could choose to store any data collected for up to 64 months, in GA4 users will only have a choice of two time periods – 2 months or 14 months. Even the longer option is a much shorter time period than the previous version’s allowance.

GDPR law states that data must only be kept for as long as is completely necessary, so this new feature is also useful in complying with that aspect of the law.

Server location

GA4 doesn’t allow users to choose where to store their data like you can with Universal Analytics. This is particularly important if your website is based in the EU or you have users from the EU – if this is the case you need to take extra measures to meet the data transfer requirements of GDPR. For example, under GDPR, sending personal data from the EU or UK to the USA would be deemed a restricted transfer.

Consent mode

Google Consent Mode is another privacy feature used to modify behaviour of Google tags on websites based on the user’s consent preferences. It essentially helps to manage the tracking when consent is and isn’t granted from a user.

There are 5 default types of consent – ad_storage, analytics_storage, functionality_storage, personalization_storage and security_storage. You can then add your own on top of this in Consent Mode.

GA4 offers a new consent implementation, meaning you can track users’ behaviour according to their consent preferences. What is collected in GA4 depends on what the user consents to.
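The consent flow described above can be sketched as follows. This is an added example, not code from the original article or from Google: it sets all five consent types to denied by default and grants only what the visitor explicitly accepts. The `gtag('consent', 'default' | 'update', ...)` calls are the Consent Mode commands; the banner category names and the helper functions are assumptions made for illustration.

```javascript
// The five default consent types listed in the article.
const CONSENT_TYPES = [
  'ad_storage', 'analytics_storage', 'functionality_storage',
  'personalization_storage', 'security_storage',
];

// Hypothetical cookie-banner categories (an assumption, not from the
// article) mapped to the consent types each one controls.
const BANNER_CATEGORY_MAP = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'personalization_storage'],
  functional: ['functionality_storage'],
  security: ['security_storage'],
};

// Standard gtag queue; in a browser, globalThis is window.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); }

// Fail closed: a type is 'granted' only when its banner category is
// exactly true. Missing, unknown or non-boolean values stay 'denied'.
function buildConsentState(bannerChoices) {
  const state = {};
  for (const type of CONSENT_TYPES) state[type] = 'denied';
  for (const [category, types] of Object.entries(BANNER_CATEGORY_MAP)) {
    if (bannerChoices && bannerChoices[category] === true) {
      for (const type of types) state[type] = 'granted';
    }
  }
  return state;
}

// Call before any Google tag loads, so nothing is stored pre-consent.
function setDefaultConsent() {
  const state = buildConsentState(null);
  gtag('consent', 'default', state);
  return state;
}

// Call from the banner's save handler with the visitor's choices.
function applyBannerChoice(bannerChoices) {
  const state = buildConsentState(bannerChoices);
  gtag('consent', 'update', state);
  return state;
}
```

Checking the queued `consent` entries in `dataLayer` during testing is a quick way to confirm that the default is set before any update and that no type is granted without a matching banner choice.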

Deleting users’ data

As most privacy laws, including GDPR, give users the right to request deletion of their personal data, in GA4 you can delete an individual user’s data within a set time range.

GDPR defines personal data as “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Is GA4 fully GDPR-compliant?

Despite strengthening existing features and adding new ones in the privacy space, GA4 still isn’t GDPR compliant as it hasn’t reached an agreement with EU regulators.

Currently GA4 doesn’t protect EU citizens’ data against surveillance laws in the US, nor does it have a mechanism for intra-EU data storage. Google also doesn’t inform users about data storage locations, hence it isn’t compliant with GDPR law.

Ultimately, the new anonymiser in GA4 is one of a number of new or altered privacy-focused features that come with the newest version of Google Analytics.

Our Advice

BE TRANSPARENT!

Include as much detail as possible in your Privacy Policy, Cookie Policy and Terms of Use, spelling out what your business intends to use data for and which third-party services or platforms are used on your website. Transparency will ensure you are compliant. We covered this in a recent article, which offers advice on compliance in the UK.
