Scroll to top
en de

Data privacy with GA4

Google has announced that Universal analytics will become obsolete in summer of 2023. This decision was taken after multiple European privacy agencies had declared that UA is not GDPR compliant and thus “illegal”. Google has been pushing some changes into the newer version of google analytics (GA4) in order to solve this issue.

In this article, we will look at the changes implemented in the newer version, and what additions Google has provided to make their product compliant.

IP anonymization

In Universal analytics, IP anonymization had to be manually set up. According to Google “the anonymization happens before the data is ever logged in any data center or server”
Because data was being sent to servers in the US, this information needed to be anonymized in order to be compliant. With GDPR in full effect in Europe, stricter measures are being implemented. With GA4, IP anonymization happens automatically. The newer version of analytics does not log or store IP addresses. It merely uses the address at collection time to determine location information. And when that metadata shows that the data collected is coming from EU based devices, it will be stored in EU servers. When IP is anonymized, it is no longer considered a PII (personally identifiable information).

 And this is how it works:

Basically what happens is that the last 3 digits of the visitor’s IP address will be replaced by 0, thus rendering the IP (partially) anonymous, and then gets stored in Google analytics servers in the US. 

Say you are surfing a website from the EU. Your IP address will indeed be forwarded to US servers, however the IP is not stored. It reaches GA servers, gets anonymized, then gets stored. You can see why this might be a problem. The visitor’s actual IP is still sent to servers outside the EU but is not stored before the anonymization happens, or at least that is what Google claims. However, to ensure true IP anonymization, you might want to go one step further and set up Google tag manager server side tagging. We will not dive into the technical details behind setting up the server side GTM container, but we will briefly explain what it is.

Instead of sending your website (client side) data directly to GA servers, you initially send this data to a GTM container in a server that you host (for GDPR reasons, the server should be located in the EU). Then, the visitor’s IP address (their real one) will be sent to the server side container, and the IP anonymization will happen there. So the GA servers in the US will not receive the real IP address, but the anonymized one.

Google Consent Mode

As mentioned, GDPR is in full effect now which means the amount of data being gathered by marketers and firms will drop significantly since nothing should be tracked in case a visitor does not give permission or accept cookies. However, upon setting up consent mode, you will have the ability to recover part of that missing data as fully anonymized data to GA4, Google Ads and BigQuery. Worth to note that this data is not sent through cookies, and in fact no cookies are used to send data to servers. The data will be in form of “small message beacons” containing very basic information and some events (pageview, click events in case they happen, without any PII)  This seems to be like a “grey area” in terms of GDPR compliance. Technically GDPR does not apply to fully anonymized data. However, it can be argued that even if you are sending anonymous data to Google Analytics servers they can be “arranged together” to try to identify the individual. This anonymized data will help Google’s machine learning algorithm with conversion modelling (The algorithm will then “better” attribute conversions to Google Ads for example). So how does it work?


By default, there are tags with built in consent checks (GA4 configuration tags, and GA4 event tags for example are included). These tags will change their behaviour, depending on the user’s consent choice. As we can see from the picture below, we have two consent checks. Ad_storage  and analytics_storage which in plain English mean marketing and statistics cookies respectively. So tags with these built-in checks will wait for the user’s consent. And depending on that, the corresponding tags either fire or not.

We won’t be explaining the technical setup of the consent mode in this article, however we wanted to explain this topic as clearly as possible. So in order for Google Tag manager to understand and read the consent choice of the user, you need to have a CMP already configured on your website.

CMP

CMP stands for consent management platform. If you are in the EU and navigate to a website for the first time, you will immediately see a “cookie consent banner” where you choose whether you give permission for the website to track all cookies, some cookies, or none. This banner is configured through a CMP. When you came to our website the first time, you were greeted with this cookie banner.

Many CMPs have built integrations with consent mode into their product. GTM needs to receive the consent choice of the visitor in order to regulate the behavior of the tags that are set up.Consent mode has two states. The default state is the state before you select your choice. And the updated state that follows after you update your selection. In plain English, you are telling Google Tag manager to wait for the user’s consent before firing any tags and tracking the user’s behavior on the website. After the user selects their choice, this updated choice is forwarded then to GTM.

Additional privacy controls in GA4 

  • Disable Google Signals
    Google signals are available in GA4 to provide more data to marketers and GA4 users like demographic data.
    (If you configure Consent mode, then Google signals will automatically be disabled.) 
  • Data Retention
    Head to Admin, Property, Data Settings. Data Retention. By default, data retention period will be two months. But depending on your company’s policy, you can either choose the period to be two, or fourteen months. This will not change how your standard reports will look like and you can actually go back even earlier than this proposed time frame. But when you’ll be working with explorations, this is the time frame that you will be able to work with. 
GA4 Data Retention user interface
  • Data deletion requests
    One thing that is majorly improved in GA4 is data deletion requests. To access it go to Admin settings in in your property you will see Data deletion requests.
    For more granular privacy handling, this improved aspect in the newer analytics version gives you more flexibility with deleting certain data that might be attributed to someone. So much so, that you can single out certain IDs and delete all data received from that ID, delete event parameters and so on.

Final notes

A lot of improvements have been included in Google Analytics 4. However, it is seen as not quite enough. Privacy regulations and policies are changing almost constantly, and Google needs to be even stricter on implementing the technological requirements to ensure full GDPR compliance because there is no 98% correct setup when it comes to privacy: it is either fully compliant or not. Other analytics alternatives like matomo are surfacing now that are competing with the tech giant solely because alternatives now are putting all their focus and resources into making their platforms fully GDPR compliant. They have other drawbacks in terms of how they integrate into the whole marketing stack but for many companies a careful analysis is recommended if they just want to make the jump to GA4 or if a different analytics platform actually provides them with all the means they are looking for while being compliant out-of-the-box. If you are evaluating migrating away from Universal Analytics and want to challenge your thoughts, feel free to reach out to us for alignment.

Related posts