Disclaimer: This article provides a general overview of the topic. The content is not intended to replace or substitute professional advice.
Google Analytics is not the only product with compliance issues under the General Data Protection Regulation (GDPR). Many of your favorite tools, such as HubSpot, Meta, and Mailchimp, also have difficulty aligning with GDPR.
Imagine you are borrowing your friend’s car to go pick up something in the grocery store. After asking for his consent, there is an unspoken agreement that you will:
The main goal of the General Data Protection Regulation, known as GDPR, is to protect our data (the car) from being used by businesses for purposes other than those we agreed to when we visited the business’s platform.
Although the new version of Google Analytics, GA4, has made some improvements when it comes to user privacy, as of the moment of writing this, it’s not fully compliant with GDPR.
Analytics tools, in general, need to have basic information to be able to identify users. In the case of Google Analytics, this data needs to be sent to the US for processing before it gets displayed on your GA Dashboards.
GDPR considers this data transfer illegal, as the data could allegedly be accessed by other government agencies, although Google denies such practices.
Google Analytics uses a bunch of identifiers to distinguish unique visitors.
Website visitors are assigned a unique ID once they create an account on a website/app.
Think of it as the home address for the device you are using. Each device logged onto the internet has a unique address to identify it.
The role of a user agent is to gather basic information about your device, such as the operating system and browser.
GA4 is the latest version of Google Analytics, which places a stronger emphasis on data privacy compared to its predecessor, Universal Analytics (UA).
IP address data is no longer available in Google Analytics reports. While Google Analytics still uses IP addresses to identify users, this data is now deleted after processing.
First-party cookies are used to maintain basic functionality, such as remembering the products you left in a cart on your last visit, language, and other preferences. More importantly, they are generated by the website you visit, unlike third-party cookies.
GA4 relies more on first-party cookies, as they are generally considered better for data privacy since they belong to the website the user chooses to visit, rather than being controlled by third parties.
GA4 is unlinked from Google Ads and other products by default.
If you decide to enable data sharing with other Google products, such as Google Ads, you need to include this in your cookie banner and privacy policy.
Google Signals is a feature in GA4 that enhances user tracking by utilizing “signals” or session data from other platforms like YouTube and Google Maps. This allows the identification of users who are logged in using their Google account.
Google Signals is inactive by default as well.
If you have collected personal information and wish to delete it using GA4, the data deletion feature allows you to remove personally identifiable information (PII). Here is how it works:
Head to your administration panel and look for data deletion request at the property level.
GA4 provides multiple options for deleting data.
In GA4, the option to retain data indefinitely is no longer available. The maximum data retention period is now limited to 14 months (50 months for Google Analytics 360), with Google recommending a retention period of 2 months. After the specified retention period, the data will be automatically deleted.
By now, you understand that GA4 is still grappling with GDPR. A standard configuration alone may not be sufficient as of the time of writing this. However, you can modify the data collection process by utilizing a proxy server.
A proxy server acts as an intermediary between the user’s data and GA4. Instead of directly sending user data to GA4, it passes through the proxy server. The proxy server is responsible for anonymizing all user identifiers, ensuring that the user’s identity remains anonymous.
Beyond the IP address, the configuration of the proxy server should prevent Google from collecting data such as user_agent and other IDs. This data can be reprocessed to create a “fingerprint” (a way to identify users based on different identifiers).
After the data has been cleaned of any user identifiers, it will be sent to GA4 servers.
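The scrubbing step described above, sketched as an added example (not code from the original article or from Google). It assumes the proxy receives hits in the GA4 Measurement Protocol JSON shape (`client_id`, `user_id`, `events`); the header list, the identifying URL parameter list, and the daily-salt scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Headers that carry the visitor's IP, browser details or cookies (assumed list).
DROP_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded", "user-agent", "cookie"}
# Query parameters treated as identifying (assumed list; extend for your site).
ID_PARAMS = {"uid", "user_id", "email", "gclid", "fbclid"}
# Top-level payload fields that tie a hit to a known account.
DROP_FIELDS = {"user_id", "user_properties"}


def scrub_url(url):
    """Remove identifying query parameters and the fragment from a page URL."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in ID_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def scrub_hit(headers, payload, daily_salt):
    """Return (headers, payload) with user identifiers removed or replaced."""
    clean_headers = {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS}
    clean = {k: v for k, v in payload.items() if k not in DROP_FIELDS}
    # Replace the stable client_id with a keyed hash; rotating the salt daily
    # stops hits from different days being linked to the same visitor.
    digest = hmac.new(daily_salt, payload["client_id"].encode(), hashlib.sha256)
    clean["client_id"] = digest.hexdigest()[:32]
    clean["events"] = []
    for event in payload.get("events", []):
        params = dict(event.get("params", {}))
        if "page_location" in params:
            params["page_location"] = scrub_url(params["page_location"])
        clean["events"].append({"name": event["name"], "params": params})
    return clean_headers, clean


# Constructed sample hit (not real traffic).
SAMPLE_HEADERS = {"Content-Type": "application/json", "User-Agent": "ExampleBrowser/1.0",
                  "X-Forwarded-For": "203.0.113.7", "Cookie": "_ga=GA1.1.111.222"}
SAMPLE_PAYLOAD = {"client_id": "111.222", "user_id": "account-42", "events": [
    {"name": "page_view",
     "params": {"page_location": "https://shop.example/cart?lang=de&email=a%40b.example#top"}}]}

if __name__ == "__main__":
    print(scrub_hit(SAMPLE_HEADERS, SAMPLE_PAYLOAD, b"constructed-salt-2024-01-01"))
```

The proxy must also open its own outbound connection to GA4, so that Google sees the proxy's IP address rather than the visitor's.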
If you decide to use a proxy server, choose a provider based in Europe to avoid any data-transfer issues outside of EU territory.
The loss of accuracy is a major drawback of using a proxy server. With this setup, GA4 will not receive as much data compared to the standard configuration. UTM parameters, device information, and location data, which are essential for attributing sessions to users from marketing channels, will not be as useful or reliable.
The cost of the setup is another factor to take into consideration. Big players can absorb the cost, but most businesses are small or medium-sized with a limited budget.
Keep the data you collect in GA4; do not share it with Google Ads, for example. If you want to track conversions, you can do it via Google Tag Manager.
As we saw earlier, Google Signals relies on platforms to keep track of users’ behavior.
Your URLs shouldn’t contain any parameters that help GA4 identify where users are coming from, or any parameters such as IDs.
There is no straightforward answer to this question.
Some EU-based businesses are using GA4 in addition to another data-privacy focused analytics tool. Maybe this is the best approach next to quitting GA4 altogether.
The only downside is that a lot of these GA4 alternatives aren’t free. To name but a few: Matomo, Piwik Pro, and Piano are all decent alternatives to GA4.
Making GA4 GDPR-compliant is HARD.
There is no set-it-and-forget-it solution that will save you from the hassle of keeping up with regulations. Google is working hard to resolve this issue. If you’re thinking about switching to another tool, don’t just give up on GA4. Use both.