After the invalidation of the Privacy Shield framework in 2020, Google is yet to regulate EU-US data protection. While this can provide certain benefits to aid your business' tracking efforts, it may also increase the risk of violating privacy laws if not properly managed. GA4 has a lot to offer on its own, but keeping your UA account will make sure you're still tracking users to the best of your ability. Article 5 of the GDPR lays out seven main GDPR principles for personal data and privacy protection: Google claimed to have taken steps to make all of their products GDPR compliant ahead of the deadline. To recap, remember that implementing GA4 properties does not automatically exempt your website from the GDPR's scope. As part of the 2018 GDPR preparations, Google named its Irish entity (Google Ireland Limited) as the data controller legally responsible for EEA and Swiss users' information. For instance, under the GDPR, you must obtain explicit opt-in consent from your consumers before cross-linking their data with tools like Google Signals and ad personalization. Last updated on 01 July 2022 by Stephen Titcombe (Legal writer at TermsFeed). The ruling puts thousands of digital companies at risk of non-compliance. But what's all this about cookieless tracking in Google Analytics 4? GA4 is promoted as privacy-centric and has been designed to work with or without cookies. Even if accepted, the new framework(s) may once again be invalidated by local data regulators, as has already happened in the past. Google Analytics 4 (GA4) is Google's latest analytics property and attempt at providing a more privacy-friendly experience for users. And an improved system back-end which makes computational power and features previously only available to enterprise Google Analytics 360 customers available to everyone. Without further ado, let's go over the privacy features embedded in GA4.
Keep in mind that the GDPR defines personal data as any information that can be used to identify a natural person. Under GDPR, sending personal data, such as analytics data from a website, to the US from the EEA or UK is considered a restricted transfer. When cookies track users across multiple domains, they're called third-party cookies. By launching the default out-of-the-box implementation of GA4, standard tracking cookies are placed on your users' devices. To deal with this issue, GA4 is centered on the idea of tracking User ID instead of cookies. Google Analytics makes it easy to access these standard contractual clauses. noyb, a European privacy-focused NGO, has already filed over 100 lawsuits against European websites using Google Analytics. These settings may share data about your users with Google to build advertising profiles. Cookies aren't inherently bad, and in a lot of ways, they're quite useful. By 2019, the French data regulator CNIL successfully argued that Google wasn't sufficiently disclosing its data collection across products and was hence in breach of GDPR. As such, a Device ID can (in certain instances) constitute personal data under the GDPR. But it's very difficult to figure out where to draw the line with cookies. In this article, we'll walk you through the privacy features and implications of GA4 as well as answer key questions regarding GA4 and how it relates to GDPR compliance. Article 14. f of the GDPR explicitly states: The controller (the company) that intends to carry out a transfer of personal data to a recipient (Analytics solution) in a third country or an international organisation must provide its users with information on the place of processing and storage of its data. Therefore, it's highly important that you first consider which privacy laws apply to you before opting in to share data with other Google products. You can simply visit your account settings and then sign the documents.
So don't drop your cookie consent notices just yet and make sure that Google Analytics remains in your Data Privacy Impact Assessments. Another thing you can do is keep your existing Universal Analytics properties along with your new GA4 property. Initially, Google assumed that this legal change would help them ensure GDPR compliance as, legally speaking, a European entity was set in charge of European data. Or is it? Since the regulations involving cookies are still evolving, it can be tricky thinking about how to best collect your user data. Note that PII includes information such as email addresses, identification numbers, phone numbers, and so on. Use GA4 only in its default anonymized form; don't share GA4 data with Google Signals and other Google tracking platforms; disable the advertising personalization feature in GA4; and use the anonymized data collected through GA4 for aggregate statistical reporting purposes only. Hence, companies like Google can no longer use it. There are so many changes that come along with Google Analytics 4. But it's not just a bunch of high-end features that marketers are getting with GA4. While some folks may find it stressful, with change always comes opportunity. When you launch the standard out-of-the-box Google Analytics 4 properties, several relevant parameters are created, the most significant of which is the Device ID. Another prominent feature provided by GA4 is the stringent data storage duration specified in its terms. More specifically, it is considered a violation of Google's Terms of Service to capture PII in GA4, and Google may delete all the data in any GA4 property where PII is found. Until 2020, such cross-border data transfers were considered legal thanks to the Privacy Shield framework.
In recent years, Google has run into several issues regarding the privacy of its users and has been the subject of several related lawsuits. To keep things simple, you can opt out of data sharing. European regulators have scrutinised Google since GDPR came into effect in 2018. The German conference supervisory authorities published a guide that addresses cookie consent requirements for analytics tracking. GA4 provides a User Explorer report which gives website owners or operators the ability to differentiate users and erase a user's data from GA4 if required. GA4 was primarily developed to replace and improve the privacy controls of Google's previous analytics product, Universal Analytics. Improved custom reporting: giving you more power to create more in-depth reports about how users are interacting with your digital properties. At the same time, GDPR provisions mandated that they must disclose proper data location. Do you think the cookie-free world of Google Analytics 4 and FLoC will be all it's cracked up to be? European Commission President Ursula von der Leyen said that they are working with the Biden administration on the new agreement that will enable predictable and trustworthy data flows between the EU and US, safeguarding the privacy and civil liberties. That said, the ICO states that it is unlikely that formal action will be taken against violators for implementing low-risk cookies (e.g., first-party cookies) without obtaining consent. In a world where users are increasingly expecting better protection and control over their data, GA4 offers a variety of privacy controls (among other features) to meet these expectations and comply with common privacy laws, particularly the GDPR.
Essentially, you can either choose to retain data for 2 months or 14 months, depending on your processing activities. A 2019 independent investigation found that Google real-time-bidding (RTB) ad auctions still used EU citizens' and residents' data without consent, thanks to a loophole called Push Pages. Note that this will make historical comparisons more difficult; however, it is still possible to export data to a data warehouse like BigQuery, or for more simple analysis to export to Google Sheets. Like previous versions released by Google, GA4 helps users discover and predict new insights by measuring customer engagement and traffic across their websites and apps. This data sharing would require opt-in consent under PECR (e-privacy). Since even hashed IP addresses are considered personal data under GDPR. For one, the US isn't eager to modify its surveillance laws and is mostly willing to make them proportional to those in place in the EU. And because tracking cookies, regardless of whether they collect IP addresses or not, require consent under the e-privacy regulations (PECR in the UK). By doing this, you'll get a better understanding of your data. Moreover, your website's Privacy Policy must prominently disclose that user data may be shared with other Google products. But in practice, this wasn't always the case. With GA4, this means you may need to enter into a data processing agreement with Google, making sure to keep a copy of the signed agreement. That obviously has a lot of value for marketing but also potential for abuse, which leads us to an age-old question. It was recently established that EU-U.S.
data transfers through Google Analytics violate the GDPR's data transfer requirements. Make sure you review these options carefully as some of them will require additional disclosures within your privacy policy. Improved cross-device tracking: using Google Signals to help piece together user journeys across multiple devices. This means the user will be anonymous for all intents and purposes, but GA4 can still track their behavior on your site. Though Google addressed some of the issues, they missed others. You can help Analytics out by using a script in a tag management system. Google Analytics is also designed to leverage machine learning and other protocols to fill in data gaps. Notably, GA4 focuses heavily on data privacy, which comes as no surprise given the failure of its previous versions to fully comply with the stringent standards set by modern privacy laws. Simply put, if your GA4 implementation collects personal data from the EU, then the GDPR will apply, but if not, then you will likely not fall under the GDPR's scope. Importantly, your website's Privacy Policy must also prominently disclose that international data transfers will be occurring. SCCs are a set of contracts signed by both the data exporter and data importer which include standard clauses set by the EU or UK data protection authorities. In fact, this is already happening. Google Analytics 4 makes dramatic changes to how long data can be stored for. This is a direct breach of GDPR. A cookie is a file that stores a small piece of data about a user, and cookies can trace their origins all the way back to 1994, when they were first used to make shopping carts on e-commerce websites possible. GDPR harmonised data protection laws across member states and put down extra provisions for what constitutes sensitive personal information (or PII).
Importantly, GA4 will build upon the foundation set by Universal Analytics and will adopt a "data privacy by design" approach to address recent privacy challenges, among other developments. However, in GA4, IP Anonymisation is enabled by default and cannot be switched off. Unlike Google Analytics 4, Matomo offers all of the features you need to be GDPR compliant: Learn about your audiences in a privacy-centred way and protect your business against unnecessary legal exposure. It's unlikely that we'll have a good understanding of exactly what goes into these interest cohorts, which not only reduces transparency but, by extension, further reduces precision. Some users of the previous GA edited how GA collected the IP address, by anonymising the final 3-4 digits. The previous version of Google Analytics collected the whole user IP by default. So what do you think? Finally, FLoC puts a lot of the power into Google's hands. In practice this will likely be Standard Contractual Clauses (SCCs). First-party cookies are generally considered more acceptable, and these are what help keep your password stored or your cart contents active; they're also what allows Google Analytics 4 to track data. When you launch a new GA4 implementation, you can configure GA4 tags by using consent mode to ensure that your tracking responds appropriately to users' consent preferences. This was problematic because IP addresses are considered "online identifiers" under the GDPR and may therefore constitute personally identifiable information (PII). The relationship between Google and EU regulators got more heated after the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, a leeway Google used for EU-US data transfers. Tip: If you are setting up a new Google Analytics account, it is currently possible to create both an old UA Google Analytics view and a new Google Analytics 4 property.
Every business interacting with EU citizens and/or residents had to comply. By selecting a transparent web analytics solution that offers 100% data ownership, you can rest assured that no behind-the-scenes data collection, processing or transfers take place. Google Analytics 4 relies on first-party cookies which keeps them compliant with new privacy laws like GDPR and the California Consumer Privacy Act. Our test of FLoC to reach in-market affinity and affinity Google Audiences show that advertisers can expect to see at least 95% of conversions per dollar spent when compared to cookie-based advertising. To put things in context, take the cookie consent requirement of Germany and the United Kingdom for example. Financial records (such as payment method data); selecting a designated regional storage location; informing users about data storage location or data transfers outside of the EU. For a detailed guide on how to avoid sending PII to Google Analytics, check out the recommendations issued by Google. Despite adding extra privacy-focused features, GA4 still has a murky status with the European regulators. This is considered yet another privacy-friendly upgrade from Universal Analytics, which only allowed data to be erased within a fixed time range. French and Austrian data watchdogs named Google Analytics operations illegal. In short, the body decided that websites do not need to obtain consent through cookie notice banners before placing analytics cookies on devices unless the data gathered through these cookies will be transferred to a third party. Google Analytics 4 and Google Universal Analytics are not GDPR compliant because of Privacy Shield invalidation in 2020.
In any case, keep in mind that exceptions for consent regarding Google Analytics cookies will only apply if you only use GA4 in an anonymized version and do not share data with other Google platforms or activate the ad personalization feature. That's ample time to get compliant, especially for an organisation as big and innovative as Google. If collected, such sensitive information is also subject to strict requirements on how it should be stored, secured, transferred and used. While these matters are getting hashed out, Google Analytics users, collecting data about EU citizens and/or residents, remain on slippery grounds. Here's an example of a good cookie consent banner from EY that details cookie information and provides users with clear options to either accept or reject cookies: The Guardian provides a similar cookie consent banner, shown below: In light of recent privacy issues, Google introduced Google Analytics 4 (GA4) to help its users comply more easily with the GDPR's stringent requirements, among other reasons. Afterwards, you should make sure that you retain copies of these agreements and set aside time to review them at a future date. And that's where things can get a little dicey. In light of this legal crisis, Google decided to provide a more privacy-centric solution for users with the launch of its latest flagship analytics product, Google Analytics 4 (GA4). From relatively small things like the loss of bounce rate to big changes like the introduction of data streams, GA4 is a whole new beast.
Google Analytics GDPR non-compliance effectively opens any website tracking or analysing European visitors to legal persecution. Now that we have a basic understanding of Google Analytics 4 and why it was developed, let's go over the main privacy features and functionality it provides. Therefore, if your website is based in the EU or targets EU residents, you must take additional measures to adapt your data privacy strategy to fit the data transfer requirements of the GDPR. Therefore, with Google Analytics 4 you will need to ensure that you have evaluated this restricted transfer and determined an appropriate legal mechanism for transferring personal data to GA4's US servers. In the previous version of Google Analytics (Universal Analytics), IP addresses were collected by default, and the IP anonymization feature had to be manually activated by users. To settle the matter, US and EU authorities started peace talks in spring 2022. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage. The issue isn't when websites use cookies to remember the contents of your cart; instead, things quickly become problematic when websites track you across multiple websites. FLoC is designed to protect a user's privacy while still making interest-based ad selection possible.
Most privacy laws (like the GDPR, for example) give consumers the right to request that their data be deleted from a website's server, and with GA4, this has been made easier. Throughout 2019, Google rightfully attempted to resolve some of its GDPR shortcomings across all products, Google Universal Analytics (UA) included. Cookie consent requirements differ from country to country. Now that we've covered the privacy features embedded in GA4, let's answer some common questions about Google Analytics and the GDPR. Cookies can save all kinds of different information, depending on what the website wants to track. The main issue many people have with cookies is that they want to protect their personal information and privacy. Any website using GA for collecting data about European citizens and/or residents can be taken to court for GDPR violations (which is already happening). New privacy controls in Google Analytics 4 do not resolve the underlying issue: unregulated, non-consensual EU-US data transfer. Machine learning: access to automatic insights and improved machine learning algorithms. However, we recommend that you play it safe and always seek user consent through cookie banners before implementing analytics cookies for UK residents.