Is Google Analytics 4 privacy compliant?

There is no doubt about it; we live in a digital-first, technology-reliant world that is only becoming more innovative and fast-paced as the years go on. As a result, digital services, the data generated from them, and the requirement of cross-border data flows are becoming an increasingly vital feature of the global economy – as digitalisation grows, so does the value of the trade associated. We have never seen a surge in digitalisation like the one during the pandemic, when it accelerated substantially so that countless industries, and therefore our economy, could actually survive. More and more services turned virtual, proving that the digital economy was undoubtedly the most resilient during this unprecedented time.

However, with this rapid growth comes complexity, debate and uncertainty. In a clear case of Catch-22, restrictions on data flows are ever-increasing despite the increased reliance on them. The boom since Covid-19 has added urgency for governments to respond and seek to balance the need for international companies to transfer their data between territories against the rising concerns for privacy and security.

As mentioned in the Digital Economy Report 2021, data is not just an economic resource, it is closely related to privacy issues, human rights and security in general; and as António Guterres, the Secretary-General of the United Nations, stated, “It is more important than ever to embark on a new path for digital and data governance. The current fragmented data landscape risks us failing to capture value that could accrue from digital technologies and may create more space for substantial harms related to privacy breaches, cyberattacks and other risks”. This then leads to a demand for the tech giants to find solutions that adhere to GDPR policy, but at the same time do not limit their users’ capabilities to operate their services – a pretty complex challenge, to say the least.

Very recently, we saw the biggest giant in the digital world finding itself under this scrutiny. Google has faced accusations of being non-GDPR compliant, directed towards its web analytics tool (and the most popular one used globally), Google Analytics. The platform was subject to two decisions from the Data Protection Authorities since December 2021, originating from Austria and France, regarding the identification of personally identifiable data being transferred to the US in violation of Chapter V of the GDPR policy.

Despite Google’s argument that it has received only two reports of such violations in over 15 years of offering analytical-related services to global businesses, that the cases were publisher-specific, and that the responsibility lies with the data exporter (the website) rather than the importer (Google), the DPA have shone a light on the need for answers and resolution, nonetheless.

Having reviewed Google’s response to the DPA and the features of Google Analytics 4, I am confident that at this stage, Google are not dismissing privacy accusations and are taking adequate measures to ensure the tool is as compliant as possible, whilst still providing its required services. Their new features, which I will go on to discuss below, demonstrate clearly how they are keeping data privacy at the forefront within each product development and how this is improved versus Universal Analytics, without any major anticipated detriments to the insights gained (but this of course will be one to assess closely when in practice, as we have seen these become more limited across platforms in the move towards 2023).

Google Analytics 4 launched in beta back in 2018 and has been the default version of Analytics for any new property created since October 2020. However, as we gear up for the hard stop on Universal Analytics properties in July 2023, all global businesses currently using the tool, regardless of when they launched, will be affected. Google are declaring that GA4 is built for the changing ecosystem and will be the most innovative and privacy-centred Analytics platform to date, addressing key policy changes from app tracking for iOS 14 (2021) to Chrome deprecating the third-party cookie (2023). As discussed in their webinar, they are taking the DPA accusations very seriously and this will be reflected in the products they offer to control data privacy, on a more advanced level.

To summarise, these key features and developments will include: 

  1. Cookieless measurement – whilst Universal Analytics collects first- and third-party cookies, GA4 will only rely on first-party cookies, which instantly makes the tool compliant with the new privacy laws. Google claims to be able to fill the data gaps by leveraging what they call “blended data”, being machine learning and statistical modelling.
  2. Anonymised IP addresses – Universal Analytics collects the whole user IP by default, and whilst this is editable within the tagging code, GA4 will ensure this is completely anonymised automatically and that this setting cannot be amended. 
  3. Limited data storage lengths and data deletion – in contrast to Universal Analytics which allows data storage for up to 64 months, GA4 will only allow two options, being 2 or 14 months. Whilst this may be concerning to some businesses, it’s important to note this only affects how far you can go back in Explore reports which use the unaggregated data to generate custom reports – standard reports will still go back to the point of the property being created. GA4 will also allow individual data to be deleted completely and at any time if requested. Data will also be flagged for deletion if it is detected to include PII for any reason.
  4. Consent mode – this offers the opportunity to configure all GA4 tags from the point of implementation with the consent feature that ensures they adhere to individual users’ opt-in/opt-out decisions when onsite or in-app.
  5. Data sharing with other Google products – similar to Universal Analytics, GA4 still ensures you can opt out of this whilst further limiting the extent to which you are using your Analytics data across their network. For example, if the business chooses to opt out of Google Signals, then GA4 will not use any of the data for Ads Personalisation even if the user themselves has opted into this whilst being signed into their Google account. This will also be set to be controllable on a country basis rather than just the overall property level, which is a significant change to address cross-border data flows.
  6. Behavioural and conversion modelling – to further add to the blended data approach of GA4 and to address the challenges of moving to a cookieless world, this version of Analytics includes cross-channel modelled conversions which will mean reports automatically include attribution conversions based on a mix of observed and modelled data where necessary.  

In addition to these GA4 developments, it will also be key that all businesses clearly demonstrate the individual privacy measures they have taken within their cookie-consent banners and privacy policies, ensure that any settings they have applied within Analytics are aligned with these, and work themselves to remove any PII data being collected, regardless of the fact that GA4 will anonymise or flag this at their end.

And as we head towards the cookieless world and privacy laws inevitably continue to demand more, there is no doubt that further changes may be required from Analytics as well as all other leading platforms and tools. However, Google strongly believes that they will only ever be able to offer targeted product solutions addressing such issues and it is ultimately down to a political agreement being reached in regard to global data transfers, as initially highlighted. As Kent Walker, President, Global Affairs and Chief Legal Officer at Google states, “As the governments finalise an agreement, we remain committed to upholding the highest standards of data protection in all our products and are focused on meeting the needs of our customers as we wait for a revised agreement. But we urge quick action to restore a practical framework that both protects privacy and promotes prosperity.”   

This is an uncertain time as international data flows have proven to be invaluable during such a radically digitalised era, having contributed billions to the global economy year-on-year. Still, there is a middle ground to be reached to ensure this can continue at the scale it’s needed whilst adhering to necessary and evolving privacy policy.  

If one thing is for certain, it’s that the incorporation of privacy into all digital systems’ core design and frameworks is more important than ever – it cannot simply be an afterthought or cover-up response. This is an absolute key understanding that all our clients must adopt. At The Kite Factory, we will continue to assess the digital giants on their responses to such policies and ensure we and our clients are educated on all new and required product or setting rollouts.  

Whilst the ultimate responsibility lies within a political framework on the matter, and therefore with the leading industry bodies to apply the required changes within their platforms, we must all continue to be vigilant when it comes to such matters of PII data and GDPR, and ensure this is respected within every online touchpoint.

By Simi Gill, Digital Account Director