
Tristan Terlouw
Digital Marketing Strategy Nixon
It should be on your priority list: Google Universal Analytics (UA) is going to be upgraded to Google Analytics 4 (GA4). Within a month’s time, on July 1st, 2023, Google Universal Analytics will be replaced by GA4, which will become Google’s new default analytics tool for measuring your web performance.
For most businesses it is a simple choice. However, failing to migrate, or switching to another analytics tool, will result in a loss of online data, so it is critical to not let the deadline catch you off guard.
In this blog, we will discuss the reasons behind Google’s long-awaited switch to Google Analytics 4 (GA4), as well as the challenges to expect. We will also discuss the data privacy implications of GA4, so that you can migrate well before the final date.
Google Analytics was the most used marketing resource for businesses across the world when it comes to tracking online activity and engagement. It provided detailed metrics and insights into how users interact with your website; it is an incredibly useful tool for making decisions based on your website presence.
There will be a major shift in the way that companies and customers interact online, and GA4 is the next-generation measurement tool. Its predecessor, Universal Analytics, will go away for good on July 1st this year.
This is not the first time Google has made changes to its analytics service; GA4 is the fourth major update of the platform. The previous migration was from Classic Analytics (GA2) to Universal Analytics (GA3).
However, there is a big difference with the upcoming migration. GA4 is not a small update; it is a fundamentally different system than all its predecessors, and the migration requires action on the user’s end. Take time to complete the migration process now, and ensure that you set up all your metrics with the right settings before Universal Analytics goes away for good.
The way that we use the internet has changed a lot since Universal Analytics was introduced. As a result, over a couple of years the platform became outdated and is, according to Google, no longer fit for purpose. But there were two other primary reasons for the change.
The first major reason behind the migration to GA4 is that global privacy regulation has undergone a lot of transformations in the last couple of years, bringing a massive increase in consumer expectations around how businesses collect, process, and store personal data.
Universal Analytics was developed in a looser environment in terms of data collection rights and obligations, where privacy was more of an afterthought. Google came up with various controls aimed at mitigating data risks over the years; however, these updates were swiftly outpaced by regulatory compliance demands and were unable to compete with the widespread use of ad and cookie blockers. Last year was the final strike for Universal Analytics, when multiple EU regulators in France and Australia said that the practice of transferring data out of Europe to the United States for processing violated the GDPR.
When Google Analytics was introduced, the behaviour of online users was different. The most common way to navigate the internet was via desktop browsers, and it involved far less consumer choice. However, by 2023 a lot has changed in the way we engage with online services. More and more people browse the internet not only on their desktops but also on mobile devices (apps) and tablets, and data that once originated from a single platform now comes from multiple sources.
One of the biggest changes users have noticed when moving to GA4 is that the platform is now event-based rather than session-based. Users no longer interact with websites the way they used to: consumers use multiple platforms across multiple sessions, and tracking their behavior therefore requires a more granular approach. An event can be any interaction a user may have with your website, including page views, transactions, and time spent. This opens up new details in monitoring and analytics, with the only limitation being that up to 500 events can be generated per website or mobile app.
Recognizing that users can interact with the website across multiple platforms, the second change is the built-in tracking service that enables cross-device reporting across apps and web browsers. It aims to address the inherent shortcomings of its predecessor by aggregating all of a single user’s activity across platforms to provide an accurate top-down picture of the visitor’s experience.
Google essentially takes a “privacy by design” approach and aims to give users control over how their data is collected, used, stored, and deleted. The goal is to lay the groundwork for better privacy for organizations with the granular options available to them.
It is important to understand from the outset that enabling privacy features in GA4 may not be enough to ensure GDPR compliance. However, they are a starting point for businesses to think about their own and their users’ privacy options, and an opportunity to take the first steps towards meeting their regulatory obligations.
Implementing high levels of privacy controls will limit the information GA4 can provide. Disabling Google Signals will ensure a strong level of protection for your users, but it will sacrifice the depth of your analysis results.
It remains to be seen how GA4’s security features will be used and configured, which really depends on the individual organizations and their regulatory environment. However, keep reading for an overview of the privacy options.
When you offer personalized services online, this often results in a better user experience (which can lead to more conversions). However, evolving privacy laws challenge companies to find the right balance.
Google Consent Mode is designed as a solution to privacy law challenges, providing businesses with a way to measure conversion success without violating consumer privacy. While it predates the platform in its development stages, Google Consent Mode is set to become a key security feature of GA4.
Consent Mode allows users to adjust the behavior of beacons and cookies based on their cookie permissions. Through an opt-in consent mechanism, Consent Mode adapts its mode of operation to reflect and respect consumer choices. When a user chooses not to consent to the storage of their analytics data, GA4 will not read or write proprietary analytics cookies; data will still be collected but will be completely anonymized. Google Consent Mode only works with people who have a Google Account. Google
A major regulatory concern with Universal Analytics is that data collected from users in Europe is regularly transferred to servers in the United States, where Universal Analytics processes data in violation of GDPR. GA4 will currently only collect data from devices in Europe through European domains and servers.
Another concern regulators had with Universal Analytics is that the platform’s default logging of IP addresses, combined with the collection of other forms of data, puts users at risk of being personally identified. There is an incognito option, but it must be enabled manually, and the user is unaware of this option.
Not storing or logging IP addresses has been an important development in privacy since GA4. Location data is still inferred from the visitor’s IP address, but GA4 will immediately delete that IP address afterwards. For maximum user protection, IP collection can be completely disabled so that no location data is collected in the first place.
Google Signals is a feature that can be used to support cross-platform reporting, remarketing, and personalization for Google Ads. When enabled, this feature allows users to receive a much more detailed set of data about their visitors and online behavior, including page views, location, and demographics.
The information obtained from this level of individual reporting can be valuable from a business perspective. However, for organizations operating in European countries, the logical regulatory norm is to turn Signals off. Google Analytics 4 makes it possible for a website or app in a particular region to disable the Signals feature.
Google’s collection of device and location data is a major compliance issue in Universal Analytics. Often it is extremely detailed information (which can include all of the user’s cities, devices, screen resolution, and geographical latitude and longitude) that poses a risk of personal identification.
In general, the more detailed the data collected, the higher the regulatory risk. In UA, location and device information was automatically collected, which has previously caused compliance issues for companies and their customers.
GA4 will now allow users to opt out of this data collection at a detailed regional level. When disabled, visitor data will be deleted prior to collection by Google’s servers and will not be included in subsequent reports.
Under GDPR, data must not be kept longer than is necessary for the purposes for which it was collected. In the past, Google Analytics did not impose any limits on how long users could retain data. However, this has changed in GA4; retention settings now allow users to define how long personal data is stored before it is deleted from Google’s servers.
Data retention settings are established by referencing events and are limited to a maximum of 14 months. For data related to age, gender, or personal preference, the period limit is automatically set to two months. This makes it harder for organizations to track long-term engagement, but it can help from a compliance perspective by making it more or less impossible for users to violate the GDPR storage limitation policies.
Users in Europe have the right to have their data forgotten. Google has also implemented specific mechanisms for requesting data deletion under GA4. These allow all user-related data to be removed from analytics within 72 hours of request.
Let us dive into how to migrate to Google Analytics 4! Unfortunately, it is not possible to export your old UA data and import it into GA4. However, migrating to GA4 is not that complicated. There are a couple of steps to ensure you are migrated correctly:
Google Analytics uses cookies to track, distinguish, and remember behavior on your website. But, be aware that these cookies require end-user consent to comply with GDPR. “Necessary cookies” are allowed to work on your website without user consent, i.e. cookies that are actually necessary for the basic functions of your website. However, GA cookies cannot be classified as necessary cookies.
Google Analytics sets the following cookies on your website:
These cookies are stored on your user’s browser. This is how GA can remember and distinguish individuals, track them across websites, and show you a detailed map of their journey to and from your website. As stated above, some Google Analytics cookies expire after 1 minute (e.g. _gat cookie), while other Google Analytics cookies persist in the browser for two years (e.g. _ga cookie).
However, regardless of the duration, the Google Analytics cookies mentioned above fall under the definition of personal data under the GDPR. Google Analytics cookies collect information that can be used to identify an individual, sometimes directly and sometimes indirectly when combined with other data.
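An added example, not part of the original article and not Google's own code: a default-deny Consent Mode setup, extended with a check that no Google Analytics cookies exist unless analytics storage was granted. The helper names (`setConsentDefaults`, `onBannerChoice`, `gaCookiesPresent`, `auditPreConsent`), the `_gid` and `_ga_<id>` cookie patterns, and the sample cookie string are assumptions made for illustration.

```javascript
// Added example. Helper names and the sample cookie string are assumptions.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { dataLayer.push(arguments); } // standard Google tag shim

// 1. Run before any Google tag loads: nothing may be stored by default.
function setConsentDefaults() {
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    wait_for_update: 500, // ms to wait for the banner's answer
  });
}

// 2. Called by the consent banner with the visitor's explicit choice.
function onBannerChoice(choice) {
  const state = {
    analytics_storage: choice.analytics === true ? 'granted' : 'denied',
    ad_storage: choice.marketing === true ? 'granted' : 'denied',
  };
  gtag('consent', 'update', state);
  return state;
}

// 3. List GA cookie names found in a cookie string (document.cookie format).
function gaCookiesPresent(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => /^_(ga|gid|gat)(_.*)?$/.test(name));
}

// 4. Violations: GA cookies present although analytics storage is not granted.
function auditPreConsent(cookieString, state) {
  return state.analytics_storage === 'granted' ? [] : gaCookiesPresent(cookieString);
}

// Constructed sample: a visitor who declined everything but still has GA cookies.
setConsentDefaults();
const declined = onBannerChoice({ analytics: false, marketing: false });
const sample = '_ga=GA1.1.111.222; session=abc; _gat=1'; // constructed value
console.log(auditPreConsent(sample, declined));
```

In a browser, pass `document.cookie` to `auditPreConsent` on first page load, before the banner has been answered; any name it returns is a cookie set without consent.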
Data that Google Analytics’ cookies collect includes:
In general, websites harbor an estimated 20 cookies.
To ensure that you are using Google Analytics 4 in compliance with GDPR, you must ensure compliance at all stages of data processing, including:
However, Google Analytics 4 cookies require explicit consent before you use them. You must ask your users if they agree to your use of the cookies:
Moreover, when it comes to GDPR compliance, it may be necessary to obtain consent for the data transfer to the US as well.
Once your consent has been received, Google must transfer the data to one of the Google Analytics servers for processing. This is where using GA4 conflicts with your GDPR compliance efforts. To make the transfer more secure, it is not enough to have a data processing agreement with standard contractual terms. You must also:
Although we said that Google uses data storage centers in Europe to manage European data, it still does some transfers to the US to conduct the processing.
Google allows you to easily share data with other services and tools, such as Google Tag Manager, where you can reuse the data for advertising and remarketing. If you want to use it for marketing purposes, you only need to obtain the explicit consent of the user to process personal data for marketing purposes. You can then continue to track user behavior on your site and serve relevant ads to users based on that data.
Data retention is one of the fundamentals of GDPR. It requires you to store data only for the period necessary for your purposes and then delete it.
Website owners are free to choose the retention period according to their purposes. Some data protection authorities recommend reconfirming GA consent after 6 months, but you are not bound by this recommendation. GDPR allows you to define a data retention period on a case-by-case basis.
Like it or not, Universal Analytics will end and GA4 will take over. Fortunately, there is plenty of time to complete the migration, and doing so means we are GDPR compliant.
For many people, navigating event-based and domain tracking capabilities will seem overwhelming at first. There are a number of layers in GA4, some less intuitive than others, but by starting with the basics and completing your migration ahead of time, you will be sure to keep the stats and important settings you have in Universal Analytics.
While the introduction of new security measures may not be appropriate for many organizations that rely on data for marketing, we hope that GA4 will help reduce legal issues for data processors.
While Google Analytics GDPR compliance alone does not guarantee GDPR compliance for everything, Google ensures that data rights are protected. We will see more updates to GA4 over time, but for now the message for businesses is simple: act urgently now to complete the migration ahead of time to continue enjoying the benefits of future Google Analytics services.
We enable you to scan and monitor visitor consent for third-party cookies across your website portfolio. Our platform gives you a 360º view of compliance, cookies, SSL, trackers and how data is collected. The Nixon Platform makes it easy to integrate and manage all cookies and trackers on your website. Have more questions about GDPR and Google Analytics? Our team of experts will be happy to answer your questions.