Nixon Digital

How to migrate to GA4 with Nixon Digital and comply with the GDPR.

Compliance | Google Analytics | GDPR

(8 min read)

Tristan Terlouw – Digital marketing strategy

It should be on your priority list; Google Universal Analytics (UA) is going to upgraded to Google Analytics 4 (GA4). Within a month’s time, on July 1st, 2023, Google Universal Analytics will be replaced by GA4 and will be become Google’s new default analytics tool for measuring your web performance.

For most businesses it is a simple choice. However, failing to migrate, or switching to another analytics tool, will result in a loss of online data, so it is critical to not let the deadline catch you off guard.

In this blog, we will discuss what the reason is behind Google’s long-awaited switch to Google Analytics 4 (GA4), as well as the challenges to expect. We will discuss the data privacy implications of GA4, so that you can ensure that you can migrate well before the final date.

What is Google Analytic 4?

Google Analytics was the most used marketing resource for businesses across the world when it comes to tracking online activity and engagement. It provided detailed metrics and insights into how users interact with your website; it is an incredibly useful tool for making decisions based on your website presence.

There will be a major shift in the way that companies and customers interact online, GA4 is the next-generation measurement tool. Its predecessor, Universal Analytics, will go for good on July 1st this year.

This is not the first time Google made changes to its analytics service, GA4 is the fourth major update of the platform, The previous migration was from Classic Analytics (GA2) to Universal Analytics (GA3).

However, there is a big difference with the upcoming migration. GA4 is not a small update, it is a fundamentally different system then al its previous successors, and the migration requires action on the user’s end. Take time to complete the migration process now, and ensure that you need to set up all your metrics with the right settings before Universal Analytics goes away for good.

Why is Google Universal changing to Google Analytics 4?

The way that we use the internet has changed a lot since Universal Analytics was introduced. This will result that over a couple of years, the platform will become outdated and is, according to Google, no longer fit for purpose. But there were two other primarily reasons for the change.

Data privacy

The first major reason behind the migration to GA4 is that global privacy regulation has undergone a lot of transformations in the last couple of years, bringing a massive increase of consumer expectations around how businesses collect, process, and store personal data.

Universal Analytics was developed in a looser environment in terms of data collection rights and obligations, privacy consideration was more of an afterthought. Google came up with various controls aimed at mitigating data risks over the years, however these updates got swiftly outpaced by regulatory compliance demands and have been unable to compete with the widespread of advertisements and cookie blockers. Last year was the final strike for Universal Analytics when multiple EU regulators in France and Australia saying that the practice of transferring data for processing outside of Europe to the United States was violating the GDPR.

Mobile apps

When Google Analytics was introduced, the behaviour from online users were different. The most common way to navigate on the internet was via desktop browsers, and it involved far less consumer choice. However, in 2023 there has changed a lot in the way we engage with online services. More and more people are browsing the internet with not only their desktops but also with their mobile (apps), tablets, and data that once originated from a singular platform now comes from multiple sources.

What is different in the new update?

One of the biggest changes users have noticed when moving to GA4 is the new event-based rather than session-based platform. Users can no longer interact with websites like they used to, consumers use multiple platforms across multiple sessions and track their behavior. Therefore, requirements are a more granular approach. An event can be any interaction a user may have with your website, including page views, transactions, and time spent. This opens up new details in monitoring and analytics, with the only limitation being that up to 500 events can be generated per website or mobile app.

Recognizing that users can interact with the website across multiple platforms, the second change is the built-in tracking service that enables cross-device reporting across apps and web browsers. It aims to address the inherent shortcomings of its predecessor by aggregating all a single user’s activity across the platform to provide an accurate top-down picture of the visitor’s experience.

What are Google Analytics Privacy Controls

Google essentially takes a “privacy by design” approach and aims to control how users can choose how their data is collected, used, stored, and deleted. The goal is to lay the groundwork for better privacy for organizations with the granular options available to them.

Limitations

It is important to understand from the outset that enabling privacy features in GA4 may not be enough to ensure GDPR compliance. However, they are a starting point for businesses to think about their own and their users’ privacy options, and an opportunity to take the first steps towards meeting their regulatory obligations.

By implementing high levels of privacy controls, this will have a limited impact on the information GA4 can provide. Disabling Google Signals will ensure a strong level of protection for your users, but disabling these signals will sacrifice the depth of your analysis results.

It remains to be seen how GA4’s security features will be used and configured, which really depends on the individual organizations and their regulatory environment. However, keep reading for an overview of the privacy options.

Google Consent mode

When you offer personalized services online, this often results in a better user experience (which can lead to more conversions). However, evolving privacy laws challenge companies to find the right balance.

Google Consent Mode is designed to work as a solution to privacy law challenges by providing businesses with a way to measure conversion success without violating consumer privacy. While it predates the platform in its development stages, Google consent is set to become a key security feature of GA4.

Consent mode allows users to adjust the behavior of beacons and cookies based on their cookie permissions. Through an opt-in consent mechanism, the Consent Mode adapts a mode of operation to reflect and respect consumer choices. When a user chooses not to consent to the storage of their analytics data, GA4 will not read or write proprietary analytics cookies, data will still be collected but will be completely anonymized. Only Google Consent Mode only works with people who have a Google Account. Google

EU data processing

A major regulatory concern with Universal Analytics is that data collected from users in Europe is regularly transferred to servers in the United States, where Universal Analytics processes data in violation of GDPR. GA4 will currently only collect data from devices in Europe through European domains and servers.

No more IP storage

Another concern of Universal Analytics regulators is that the logging of the platform’s default IP addresses, combined with the collection of other forms of data, puts users at risk of personally identifiable information. There is an incognito option, but it must be enabled manually, and the user is unaware of this option.

Not storing or logging IP addresses has been an important development in privacy since GA4. Location data is still inferred from the visitor’s IP address, but GA4 will immediately delete that IP address afterwards. For maximum user’s protection, IP collection can be completely disabled so that no location data is collected in the first place.

Regional Google Signals controls

Google Signal is a feature that can be used to support cross-platform reporting, remarketing, and personalization for Google Ads. When enabled, this feature allows users to receive a much more detailed set of data about their visitors and online behavior, from page views, location, and demographics.

The information obtained from this level of individual reporting can be valuable from a business perspective. However, for organizations operating in European countries, the logical norm of regulation is to turn off the signal. Google Analytics 4 makes it possible for a website or app in a particular region to disable the Signal feature.

Regional location and device data controls

Google’s collection of device and location data is a major compliance issue in Universal Analytics. Often it is extremely detailed information (which can include all of the user’s cities, devices, screen resolution, and geographical latitude and longitude) that poses a risk of personal identification.

In general, the more detailed the data collected, the higher regulatory risk. In UA, location and device information was automatically collected, which has previously caused compliance issues for companies and their customers.

GA4 will now allow users to opt out of this data collection at a detailed regional level. When disabled, visitor data will be deleted prior to collection by Google’s servers and will not be included in subsequent reports.

Data retention

Under GDPR, data must not be kept longer than is necessary for the purposes for which it was collected. In the past, Google Analytics did not impose any limits on how long users could retain data. However, this has changed in GA4, retention settings now allow users to define how long personal data is stored before it is deleted from Google’s servers.

Data retention settings are established by referencing events and are limited to a maximum of 14 months. For data related to age, gender, or personal preference, the period limit is automatically set to two months. It is harder for organizations to track long-term engagement, which can help from a compliance perspective by making it more or less impossible for users to violate the GDPR storage limitation policies.

Data deletion

Users in Europe have the right to say their data should be forgotten. Google has also implemented specific mechanisms for requesting data deletion under GA4. These allow all user-related data to be removed from analytics within 72 hours of request.

How to migrate to Google Analytics 4?

Let us dive in how to migrate to Google Analytics 4! Unfortunately, it is not possible to export your old UA data and import your data to GA4. However, migrating to GA4 is not that complicated. There are a couple of steps to ensure you are migrated correctly:

  1. Create a new Google Analytics 4 property, log in to your Universal Analytics account, go to Administration, create a new property and remember to select “Google Analytics 4”;
  2. Click on the new GA4 property ”Data Stream” in the Admin section, then configure the data Stream for your platform. This allows GA4 to begin collecting data from your site;
  3. Install the GA4 tracking code on your website. For website data streams, you will need to add the GA4 tracking code (Gtag.js). If you use Google Tag Manager, create a new GA4 configuration tag and include it with it in your existing Universal Analytics tag;
  4. Configure your settings. Customize your property settings to match your Universal Analytics setup;
  5. Configure the event tracking. GA4 uses event-based tracking, which is different from open view-based tracking in Universal Analytics. You can view default GA4 events and configure additional custom events for your business;
  6. Configure your conversations. Identify the top events that represent conversions (e.g., purchase, form submission) and define them as conversions in GA4;
  7. Recreate the Universal Analytics link or create a new Google Ads link using the Google Ads Link Migration Tool;
  8. Properties in GA4 are like custom dimensions in UA. You can define the user properties you want to track and configure them in GA4;
  9. GA4 also introduces an improved measurement feature that automatically tracks certain user interactions. Make sure the features you need are enabled;
  10. GA4 has different reporting structure than UA. Get well known with the new reports and update any custom dashboards or reports. Recreate any audience definitions and segments you used in UA within GA4;
  11. Use cross domain tracking in GA4 when you need to track multiple domains;
  12. Keep the UA and GA4 properties running simultaneously for a while to check data consistency.

Does Google Analytics use cookies?

Google Analytics uses cookies to track, distinguish, and remember behavior on your website. But, be aware that these cookies require end-user consent to comply with GDPR. “Necessary cookies” are allowed to work on your website without user consent, i.e. cookies that are actually necessary for the basic functions of your website. However, GA cookies cannot be classified as necessary cookies.

Google Analytics set the following cookies on your website:

  • _ga (cookie used to distinguish individual users on your domain, expires after 2 years);
  • _gid (cookie used to distinguish individual users on your domain, expires after 24 hours);
  • _gat (cookie used to limit amount of user requests in order to maintain your website’s performance, expires after 1 minute);
  • AMP_TOKEN (cookie containing a unique ID assigned to each user on your domain, expires somewhere between 30 seconds and 1 year);
  • _gac_<property-id> (cookie containing a unique ID that makes Google Analytics and Ads work together, expires after 90 days).


These cookies are stored on your user’s browser. This is how GA can remember and distinguish individuals, track them across websites, and show you a detailed map of their journey to and from your website. As stated above, some Google Analytics cookies expire after 1 minute (e.g. _gat cookie), while other Google Analytics cookies persist in the browser for two years (e.g. _ga cookie).

However, regardless of the duration, the Google Analytics cookie mentioned above falls under the definition of personal data under the GDPR. Google Analytics cookies collect information that can be used to identify an individual, sometimes directly and sometimes indirectly when combined with other data.

Data that Google Analytics’ cookies collect include:

  • ClientIDs consisting of a string of numbers unique to each user on your website;
  • Number of times and time of day of previous visits to your website;
  • Information about how they found your website, their search and browser history;
  • IP addresses (unless disabled in your Google Analytics account).

In general, websites harbor an estimate of 20 cookies.

How to Make Google Analytics GDPR-Compliant

To ensure that you are using Google Analytics 4 in compliance with GDPR, you must ensure compliance at all stages of data processing, including:

  • Data collection;
  • Data transfers;
  • Data sharing;
  • Data retention.

GDPR-Compliant Google Analytics Data Collection

However, Google Analytics 4 cookies requires explicit consent before using them. You must ask your users if they agree for you to use the cookies:

  • Informed. This means that users must be informed about cookies and the third parties with whom you share data as part of your privacy policy;
  • Specific for the website analytics purpose. General consent to the use of cookies does not mean that you consent to the use of analytics cookies. Once authorized, you can use the analytics cookies contained in your privacy policy or cookie policy;
  • Unambiguous. Users must take active steps to provide consent. It is illegal to assume that users accept cookies if they are on your website;
  • Freely given. You may not set conditions for accessing the website when agreeing, agreeing to the terms of use. The user is then free to choose whether to consent or not.

Moreover, when it comes to GDPR compliances, it may be necessary to obtain consent for the data transfer to the US as well.

GDPR-Compliant Google Analytics Data Transfers

Once your consent has been received, Google must transfer the data to one of the Google Analytics servers for processing. This is where using GA4 conflicts with your GDPR compliance efforts. To make the transfer more secure, it is not enough to have a data processing agreement with standard contractual terms. You must also:

  • Use advanced technical measures to protect data, such as state-of-the-art encryption during transmission and processing. Encrypting data during transmission and in storage is not complicated, but effectively protecting data during processing is not commercially viable. This is why you must obtain explicit consent for data transfer.


Although we said that Google uses data storage centers in Europe to manage European data, it still does some transfers to the US to conduct the processing.

GDPR-Compliant Google Analytics Data Sharing

Google allows you to easily share data with other services and tools, such as Google Tag Manager, where you can reuse the data for advertising and remarketing. If you want to use it for marketing purposes, you only need to obtain the explicit consent of the user to process personal data for marketing purposes. You can then continue to track user behavior on your site and serve relevant ads to users based on that data. 

GDPR-Compliant Google Analytics Data Retention

Data retention is one of the fundamentals of GDPR. It requires you to store data only for the period necessary for your purposes and then delete it.

Website owners are free to choose the retention period according to their purposes. Some data protection authorities recommend reconfirming GA consent after 6 months, but you are not bound by this recommendation. GDPR allows you to define a data retention period on a case-by-case basis.

Moving forward

Like it or not, Universal Analytics will end and GA4 will take over. Fortunately, there is plenty of time to complete the migration, and doing so means we are GDPR compliant.

For many people, navigating event-based and domain tracking capabilities will seem overwhelming at first. There are a number of layers in GA4, some less intuitive than others, but by starting with the basics and completing your migration ahead of time, you will be sure to keep the stats and important settings you have in Universal Analytics.

While the introduction of new security measures may not be appropriate for many organizations that rely on data for marketing, we hope that GA4 will help reduce legal issues for processors. data.

While Google Analytics GDPR compliance alone does not guarantee GDPR compliance for everything, Google ensures that data rights are protected. We will see more updates to GA4 over time, but for now the message for businesses is simple, act urgently now to complete the migration ahead of time to continue enjoying the benefits. future Google Analytics services.

We enable you to scan and monitor visitor consent for third-party cookies across your website portfolio. Our platform gives you a 360º view of compliance, cookies, SSL, trackers and how data is collected. The Nixon Platform makes it easy to integrate and manage all cookies and trackers on your website. Have more questions about GDPR and Google Analytics? Our team of experts will be happy to answer your questions.