In a world where users are increasingly expecting better protection and control over their data, GA4 offers a variety of privacy controls (among other features) to meet these expectations and comply with common privacy laws, particularly the GDPR. Well use your data to provide you with free preview access to our online courses. Although we go to great lengths to deliver accurate and useful content. European regulators have scrutinised Google since GDPR came into effect in 2018. Google has run into several issues regarding privacy, cookie consent requirements differ from country to country. To deal with this issue, GA4 is centered on the idea of tracking User ID instead of cookies. Cookies also allow remarketing campaigns that follow you across the internet. In such a case, your website may well fall under the GDPR's scope. This post summarises the main milestones in this story and explains the consequences for Google Analytics users. You may, however, be exempted if you run GA4 only in an anonymized version for statistical reporting purposes while disabling all other data-sharing features. Google Analytics makes it easy to access these standard contractual clauses. As before Google provides no choices regarding the location of the server that will be processing the data it collects from its website. More specifically, it is considered a violation of Google's Terms of Service to capture PII in GA4, and Google may delete all the data in any GA4 property where PII is found. The 2020 ruling opened Google to GDPR lawsuits from country-specific data regulators. Terms of Use. Most GA4 servers are hosted in the U.S. and like Universal Analytics, GA4 doesn't give users the ability to choose where their data may be stored. Learn more about it within our privacy Policy page. The German conference supervisory authorities published a guide that addresses cookie consent requirements for analytics tracking. A Device ID is a unique, anonymous identifier assigned to every user device (such as a smartphone or laptop) that visits your website. In GA4, however, the IP anonymization feature is activated by default and cannot be adjusted by users. For more information please consult our, General Data Protection Regulation (GDPR), Google Analytics 4 still has many limitations. Subscribe to our newsletter to receive regular information about Matomo. Unlike Google Analytics 4, Matomo offers all of the features you need to be GDPR compliant: Learn about your audiences in a privacy-centred way and protect your business against unnecessary legal exposure. This concept can also be applied to cookie consent requirements when implementing GA4 properties, but ultimately, the deciding factor regarding cookie consent for GA4 boils down to country-specific cookie laws. When you launch a new GA4 implementation, you can configure GA4 tags by using consent mode to ensure that your tracking responds appropriately to users' consent preferences. In the background, Google also made tech changes to its data processing mechanism to get on the good side of regulations. This is considered yet another privacy-friendly upgrade from Universal Analytics which only allowed data to be erased within a fixed time range. If you are wondering how GDPR affects Google Analytics 4 and what the compliance status is at present, heres the lowdown. Despite adding extra privacy-focused features, GA4 still has murky status with the European regulators. Cookies can save all kinds of different information, depending on what the website wants to track. Hence, companies like Google can no longer use it. No credit card required. This means that you can rely on Google Analytics to help you measure your marketing results and meet customer needs now as you navigate the recovery and as you face uncertainty in the future.. Registered in England and Wales. After the invalidation of the Privacy Shield framework in 2020, Google is yet to regulate EU-US data protection. In other words, if your website still collects data with Universal Analytics when the deprecation dates arrive, your Universal Analytics deployment will simply stop functioning. By importing your Google Analytics data, you agree to granting Matomo access to your Google Analytics account so we can import your reporting data. The specific result depends on the strength of the clustering algorithm that FLoC uses and the type of audience being reached.. Over time, they can learn a lot about you and piece together your personal data. Use GA4 only in its default anonymized form, Don't share GA4 data with Google Signals and other Google tracking platforms, Disable the advertising personalization feature in GA4, Use the anonymized data collected through GA4 for aggregate statistical reporting purposes only. Make sure you pay particular attention to the advertising preference or Google signals opt-in. Later you can connect this data to a tool like Google Data Studio for analysis. So, for trustworthy sites, theres nothing wrong with allowing cookies. Cookies Policy French and Austrian data watchdogs named Google Analytics operations illegal. Please be aware that advice from us cannot be considered a substitute for professional legal advice, nor do they create an attorney-client relationship. Article 5 of the GDPR lays out seven main GDPR principles for personal data and privacy protection: Google claimed to have taken steps to make all of their products GDPR compliant ahead of the deadline. Google Analytics data processing occurs across multiple servers, located around the world with a large volume of processing occurring at US based servers. Thinking of switching to the new Google Analytics 4? While FLoC works to solve the privacy problem, and it's an interesting solution, it's far from perfect and generally lacks the precision we've come to expect in the world of digital marketing. Switching to Google Analytics 4 gives marketers & site managers a wide range benefits: Many of these benefits are possible because of the more powerful tracking capabilities of Google Analytics latest tracking code. Improved custom reporting: giving you more power to create more in-depth reports about how users are interacting with your digital properties. Thats ample time to get compliant, especially for an organisation as big and innovative as Google. 2022 Measured Collective Ltd Essentially, the default IP anonymization feature means that GA4 will not store the IP addresses of users. Simply put, some EU countries require websites to obtain explicit consent from users through cookie notice banners before placing analytics cookies on their devices, while others are more lenient with this requirement. That said, the ICO states that it is unlikely that formal action will be taken against violators for implementing low-risk cookies (e.g., first-party cookies) without obtaining consent. We advise you to seek your own professional legal advice. On the other hand, when cookies are only used by the website that the user is actually visiting they're called first-party cookies. To help users remain compliant with modern privacy laws, Google doesn't allow users to collect personally identifiable information (PII) in GA4. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.". According to a press release from Google: "Google Analytics 4 is designed with privacy at its core to provide a better experience for both our customers and their users. By leveraging machine learning and statistical modeling, GA4 can fill in data gaps as the world becomes less and less dependent on cookies. Join the 160,000+ subscribers who receive the Matomo Newsletter straight to their inbox every month, {"cookieName":"wBounce","isAggressive":false,"isSitewide":true,"hesitation":"500","openAnimation":false,"exitAnimation":false,"timer":"","sensitivity":"","cookieExpire":"60","cookieDomain":"","autoFire":"","isAnalyticsEnabled":false}, Your information will be used to create an account on our cloud service. After a failed appeal, Google had to pay a 50 million fine and promise to do better. You may need to review your data retention policies and notices after making the switch. These modifications may still not satisfy CJEU which has the power to block the agreement vetting or invalidate it once again. Unsurprisingly, Google was among the first companies to face a GDPR lawsuit (together with Facebook). 21 day free trial. So what do you think? However, its just the beginning of a lengthy negotiation process. Tip: If you are setting a up a new Google Analytics account, it is currently possible to create both an old UA Google Analytics view and a new Google Analytics 4 property. FLoC is designed to protect a user's privacy while still making interest-based ad selection possible. Practically speaking, this means GA4 is equipped with several updated privacy features and functionality which are intended to help users comply more easily with most data privacy laws. New privacy controls in Google Analytics 4 do not resolve the underlying issue unregulated, non-consensual EU-US data transfer. Learn more about it within our privacy Policy page. Officially introduced in 2020, consent mode is a privacy feature that allows you to modify the behavior of Google tags on your website based on users' consent choices. Do I Need to Comply with the GDPR if I Use Google Analytics 4? In GA4 you only have two options: This move is arguably more GDPR friendly because you will be able to apply the data minimisation principle with ease. To settle the matter, US and EU authorities started peace talks in spring 2022. Be aware that the data provided in the GA4 user explorer tool is significantly simplified compared to the previous GA. At present you can view every event in the user timeline, but you cannot extract much detail about the events, such as the url of where a page-view event occurred. The newsletter service uses MadMimi. Google Analytics 4 relies on first-party cookies which keeps them compliant with new privacy laws likeGDPR and the California Consumer Privacy Act. It is, therefore, imperative for you (as a website owner or operator) to begin transitioning from Universal Analytics properties to GA4 if you haven't already done so. Bright Market (dba FastSpring), 801 Garden St., Santa Barbara, CA 93101, is the authorized reseller of our products and services on TermsFeed.com, Privacy Features in Google Analytics 4 (GA4), Personally Identifiable Information (PII). Googles updated user explorer tool brings a much needed feature for GDPR compliance. Since the regulations involving cookies are still evolving, it can be tricky thinking about how to best collect your user data. While the company took steps to prepare for GDPR provisions, it didnt fully comply with important regulations around user data storage, transfer and security. GA4 has a lot to offer on its own, but keeping your UA account will make sure youre still tracking users to the best of your ability. Placing the full burden of obtaining new consent on the publisher is untenable without providing the publisher with the specific information needed to provide sufficient transparency or to obtain the requisite specific, granular and informed consent under the GDPR.. Importantly, your website's Privacy Policy must also prominently disclose that international data transfers will be occurring. But its not just a bunch of high-end features that marketers are getting with GA4. For instance, under the GDPR, you must obtain explicit opt-in consent from your consumers before cross-linking their data with tools like Google Signals and ad personalization. The most recent of these has been regarding the unlawful transfer of personal data across EU-U.S. borders through the use of Google Analytics. So dont drop your cookie consent notices just yet and make sure that Google Analytics remains in your Data Privacy Impact Assessments. This means the user will be anonymous for all intents and purposes, but GA4 can still track their behavior on your site. You can unsubscribe at any time from it. That means you have to fit your product or service into Google's pre-made buckets so you're immediately losing a lot of specificity- but it doesn't end there. And that's where things can get a little dicey. By selecting a transparent web analytics solution that offers 100% data ownership, you can rest assured that no behind the scenes data collection, processing or transfers take place. That auto-fill option is quite helpful, after all. Moreover, your website's Privacy Policy must prominently disclose that user data may be shared with other Google products. As of mid-2022, Google Analytics 4 (GA4) isnt fully GDPR compliant. Since even hashed IP addresses are considered personal data under GDPR. The clauses outline how data should be protected in order to make the transfer legal under UK GDPR or EU GDPR. Now that we have a basic understanding of Google Analytics 4 and why it was developed, let's go over the main privacy features and functionality it provides. Privacy Policy Because this has become such an important point in todays data-driven world, the EU passed a law in 2018 to require websites to give their users the freedom to accept or reject cookies. No. After 2020, GDPR litigation against Google followed. They added a more visible consent mechanism for online tracking and provided extra compliance tips for users to follow. GA4 provides a User Explorer report which gives website owners or operators the ability to differentiate users and erase a user's data from GA4 if required. Lets discuss how Google Analytics has shifted to meet the needs of an increasingly cookieless world and what you should do when setting up your GA4 property. Were in the midst of a measurement evolution, and global ecosystem changes are challenging marketers to be forward thinking and privacy focused, Philip McDonnell Director, Product Management at Google. At the same time, GDPR provisions mandated that they must disclose proper data location. If you want to minimise your risk of non-compliance, you should consider suspending your use of Google Analytics and seeking a more privacy friendly alternative with data stored within the UK or EU. Google Analytics in particular was under a heavy cease-fire. Now that we've covered the privacy features embedded in GA4, let's answer some common questions about Google Analytics and the GDPR. But they managed to quickly patch this up before the allegations had made it to court. Another prominent feature provided by GA4 is the stringent data storage duration specified in its terms. The data transfer may still not offer adequate protections under GDPR. Do I Need a Cookie Consent/Notice Banner if I Use Google Analytics 4 (GA4)? In the previous GA you could choose a data retention period up-to 64 months. But in practice, this wasnt always the case. The ruling puts thousands of digital companies at risk of non-compliance. Keep in mind that the GDPR defines personal data as any information that can be used to identify a natural person. GA4 provides a variety of privacy-focused improvements from Universal Analytics, the most significant of which is the default IP anonymization feature. By launching the default out-of-the-box implementation of GA4, standard tracking cookies are placed on your users' devices. This notion has been supported in several cases and rulings by EU data protection authorities. Third-party cookies are where most people have a problem and these are used for things like remarketing campaigns. The issue isn't when websites use cookies to remember the contents of your cart- instead, things quickly become problematic when websites track you acrossmultiplewebsites. Google Analytics 4 (GA4) is Google's latest analytics property and attempt at providing a more privacy-friendly experience for users. There are so many changes that come along with Google Analytics 4. Swedish, Dutch and Norwegian authorities also claim its in breach of GDPR. But it's very difficult to figure out where to draw the line with cookies. In practice this will likely be Standard Contractual Clauses (SCCs). These settings may share data about your users with Google to build advertising profiles. No, but despite its flaws, it's still a good start as we enter a cookieless world. The relationship between Google and EU regulators got more heated after the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield a leeway Google used for EU-US data transfers. Make sure you review these options carefully as some of them will require additional disclosures within your privacy policy. Please be aware that advice from us cannot be considered a substitute for professional legal advice, nor do they create an attorney-client relationship. 7 Reasons to Migrate from Google Analytics to Matomo Now, The Ultimate List of Alternatives to Google Products, Financial records (such as payment method data), Selecting a designated regional storage location, Informing users about data storage location or data transfers outside of the EU. We advise you to seek your own professional legal advice. GA4 is promoted as privacy-centric and has been designed to work with or without cookies. To keep things simple you can opt out of data sharing. However you it is far more privacy friendly. Improved cross-device tracking: using Google signals to help piece together user journeys across multiple devices. Until 2020, such cross-border data transfers were considered legal thanks to the Privacy Shield framework. They can help create a personalized experience for you and make things easier. The Dutch Data Protection Authority and Norwegian Data Protection Authority also found Google Analytics guilty of a GDPR breach and seek to limit Google Analytics usage. In any case, keep in mind that exceptions for consent regarding Google Analytics cookies will only apply if you only use GA4 in an anonymized version and do not share data with other Google platforms or activate the ad personalization feature. While these matters are getting hashed out, Google Analytics users, collecting data about EU citizens and/or residents, remain on slippery grounds. You can simply visit your account settings and then sign the documents. The invalidation of the Privacy Shield framework put Google in a tough position. That obviously has a lot of value for marketing but also potential for abuse which leads us to an age-old question. Therefore, it's highly important that you first consider which privacy laws apply to you before opting in to share data with other Google products. This setup used to require you to edit your tagging code. Even if accepted, the new framework(s) may once again be invalidated by local data regulators as has already happened in the past. Here's an example of a good cookie consent banner from EY that details cookie information and provides users with clear options to either accept or reject cookies: The Guardian provides a similar cookie consent banner, shown below: In light of recent privacy issues, Google introduced Google Analytics 4 (GA4) to help its users comply more easily with the GDPR's stringent requirements, among other reasons.