Google Analytics 4: revealing upcoming privacy changes

Google launched the widely talked-about Google Analytics 4 (GA 4) on 14 October 2020 to replace Universal Analytics and, among other things, help you better comply with GDPR requirements.

Quoting Google’s press release:

“Google Analytics 4 is designed with privacy at its core to provide a better experience for our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

GA 4 was developed primarily to replace and enhance the privacy functionalities of Google’s previous analytics product, Universal Analytics. The Universal Analytics and Universal Analytics 360 products are outdated and will stop processing data from 1 July 2023 and 1 October 2023, respectively.

Key change – GA will no longer store the IP addresses of devices

GA 4 introduces a range of privacy features, including default IP anonymisation, shorter data retention periods, server location, collecting consent, deletion of users’ personal data, and rules regarding personal data. The most important of these is the default IP anonymisation feature, which means that Google Analytics will no longer store the IP addresses of devices.

However, if you do not use IP anonymisation or share GA 4 data with Google Ads or Google Signals, you will need to ask users for consent. Please note that if you share GA 4 data with Google Ads or Google Signals, you must include this information in your privacy notice.

Google and user privacy = multiple lawsuits

Google has had several user privacy concerns and has been the subject of several lawsuits. The most recent of these relates to the illegal transfer of personal data from the EU to the US by Google Analytics. The problem is that US government agencies have broad access to both US user data and data of users outside the US, in accordance with US local laws, although such access is not in line with GDPR principles.

What Google has to say about data requests from public authorities?

If a government seeks Google’s advertising and analytics personal data during the course of an investigation, a dedicated team of Google lawyers and specially trained personnel will carefully review the request to verify that it is lawful, proportionate, and complies with Google’s policies.

Generally speaking, for us to produce any data, the request must be made in writing, signed by an authorised official of the requesting agency, and issued under an appropriate law. Our legal team rejects invalid requests and pushes back when we believe the request is overly broad. We’ll let a customer know before any of their information is shared unless such notification is prohibited by law or the request involves an emergency, such as an imminent threat to life.

However, it should be borne in mind that this position does not eliminate the problem of extensive access and still does not solve the concern from a GDPR perspective. The EU and the US are currently working on a new transatlantic framework for transferring personal data that could meet the needs of both parties. Yet it cannot be ruled out that the establishment and acceptance of this framework will be a long process, somewhat like the theory of relativity, and at least for the time being, the risk of non-compliance with GDPR is still up in the air. As a result, some website owners prefer EU-based analytics service providers.

GDPR and GA 4

The applicability of the GDPR depends on whether the data you collect from the EU using GA 4 can be classified as personal data under the GDPR. If your GA 4 application collects personal data from the EU, then the GDPR applies, but if not, then the GDPR is unlikely to apply.

It is possible that your GA 4 data (or device IDs) will not be considered personal data under the GDPR, or, if they are, you will rely on the explicit consent of end users.

Some thoughts on preventive actions for data protection:

·       Use GA 4 only in the default anonymous setting;

·       Do not share GA 4 data with Google Signals and other Google tracking platforms;

·       Disable the advertising personalisation feature in GA 4;

·       Use anonymised data collected by GA 4 only for the purpose of aggregated statistics;

·       Sign a limited data processing agreement with Google;

·       Obtain explicit end-user consent for the use of Google Analytics cookies.

By default, GA 4 will place tracking cookies on your users’ devices. This will automatically bring your website within the scope of the web cookie rules of the countries where your users are located.

Rules on cookies vary by country

If your website targets EU users, your use of GA 4 falls within the scope of the EU Cookie Law. Please note that the rules on opt-in requirements for online cookies vary from country to country in the EU, which means that in addition to the general rules under the GDPR, you will need to focus on the details of the country-specific views on online cookies. This will remain the case until the EU can agree on a common position.

Should you have any further questions, please contact our Specialist Data Privacy Counsel, Andres Ojaver.

Get the latest about Hedman law firm


Our memberships:
FinanceEstonia, Lexing®,
Estonian Service Industry Association,
Estonian Chamber of Commerce and Industry,
EstVCA, EstBan, FECC,
IBA & IBA European regional Forum