Disclaimer: This article provides a general overview of the topic. The content is not intended to replace or substitute professional advice.
Why Google Analytics is not GDPR-compliant?
Not just Google Analytics
Google Analytics is not the only company that has compliance issues with The General Data Protection Regulation (GDPR). Many of your favorite tools, such as HubSpot, Meta, Mailchimp, and the list goes on, have difficulties with regard to being more aligned with GDPR.
General Data Protection Regulation (GDPR) in a nutshell
Imagine you are borrowing your friend’s car to go pick up something in the grocery store. After asking for his consent, there is an unspoken agreement that you will:
- Use it for this specific use (i.e., not drive it across the country)
- Not give it to someone else behind your friend’s back
- Ensure it’s safety by parking in somewhere safe and driving carefully.
The General Data Protection Regulation known as GDPR has as a main goal to protect our data (the car) from being wrongly used by businesses for other purposes other than what we agreed to when we visited the business’s platform.
Google Analytics and GDPR: where it went wrong?
Although the new version of Google Analytics, GA4, has made some improvements when it comes to user privacy, as of the moment of writing this, it’s not fully compliant with GDPR.
Data transfer to US territory
Analytics tools, in general, need to have basic information to be able to identify users. In the case of Google Analytics, this data needs to be sent to the US for processing before it gets displayed on your GA Dashboards.
GDPR considers this data transfer illegal, as the data could allegedly be accessed by other government agencies, although Google denies such practices
How Google Analytics 4 (GA4) identifies users?
Google Analytics uses a bunch of identifiers to distinguish unique visitors.
User ID
Website visitors are assigned a unique ID once they create an account on a website/app.
IP address
Think of it as the home address for the device you are using. Each device logged onto the internet has a unique address to identify it
User agent
The role of a user agent is to gather basic information about your device, such as the operating system and browser.
Google Analytics 4 (GA4) efforts to become GDPR-compliant.
GA4 is the latest version of Google Analytics, which places a stronger emphasis on data privacy compared to its predecessor, Universal Analytics (UA).
Anonymous IP addresses
IP address data is no longer available in Google Analytics reports. While Google Analytics still uses IP addresses to identify users, this data is now deleted after processing.
More reliance on first party cookies
First-party cookies are used to maintain basic functionality, such as remembering the products you left in a cart on your last visit, language, and other preferences. More importantly, they are generated by the website you visit, unlike third-party cookies.
GA4 relies more on first-party cookies, as they are generally considered better for data privacy since they belong to the website the user chooses to visit, rather than being controlled by third parties.
Data sharing and signals are inactive by default
GA4 is unlinked from Google Ads and other products by default.
If you decide to enable data sharing with other Google products, such as Google Ads, you need to include this in your cookie banner and privacy policy.
Google Signals is a feature in GA4 that enhances user tracking by utilizing “signals” or session data from other platforms like YouTube and Google Maps. This allows the identification of users who are logged in using their Google account.
Google signals is inactive by default as well.
Data deletion request to remove PII (personal identifiable information)
If you have collected personal information and wish to delete it using GA4, the data deletion feature allows you to remove personally identifiable information (PII). Here is how it works:
Head to your administration panel and look for data deletion request at the property level.
GA4 provides multiple options for deleting data.
- Delete all parameters from all events: this will completely remove all parameters from your events. All parameter values will be erased.
- Delete all registered parameters from selected events: you can choose the parameters that will be deleted for specific events.
- Delete selected parameters from all events: this option allows you to choose specific parameters, and GA4 will search for all events that contain these parameters and delete the corresponding values.
- Delete selected parameters from selected events: this option allows you to choose both the events and the parameters that will be deleted. Additionally, there is an option at the bottom that allows you to enter the specific text that will be deleted (case-insensitive).
- Delete selected user properties: user properties serve as attributes that provide information about the user, similar to custom dimensions. In the case where you have collected a user property that should be removed, you have the option to delete the entire parameter or a specific value within that parameter.
Shortened data retention period
In GA4, the option to retain data indefinitely is no longer available. The maximum data retention period is now limited to 14 months (50 months for Google Analytics 360, with Google recommending a retention period of 2 months. After the specified retention period, the data will be automatically deleted.
Is a GDPR-compliant configuration for GA4 even possible?
By now, you understand that GA4 is still grappling with GDPR. A standard configuration alone may not be sufficient as of the time of writing this. However, you can modify the data collection process by utilizing a proxy server.
What is a proxy server?
A proxy server acts as an intermediary between the user’s data and GA4. Instead of directly sending user data to GA4, it passes through the proxy server. The proxy server is responsible for anonymizing all user identifiers, ensuring that the user’s identity remains anonymous.
Beyond the IP address, the configuration of the proxy server should prevent Google from collecting data such as user_agent and other IDs. This data can be reprocessed to create a “fingerprint” (a way to identify users based on different identifiers).
After the data has been cleaned of any user identifiers, it will be sent to GA4 servers.
If your device to use a proxy-server, choose a provider based in Europe to avoid any data-transfer issues outside of EU territory.
The downside of using a proxy-server
The loss of accuracy is a major drawback of using a proxy server. With this setup, GA4 will not receive as much data compared to the standard configuration. UTM parameters, device information, and location data, which are essential for attributing sessions to users from marketing channels, will not be as useful or reliable.
The cost of the setup is another factor to take into consideration. Big players can absorb the cost, but most businesses are small or medium-sized with a limited budget.
Actions to take inside GA4 to improve GDPR compliance
Avoid linking GA4 with other product
Keep the data you collect in GA4, do not share it with Google Ads, for example. If you want to track conversions, you can do it via Google Tag Manager.
Keep Google Signals turned off
As we saw earlier, Google Signals relies on platforms to keep track of users’ behavior.
Steer clear of UTMs and other URL parameters
Your URL shouldn’t contain any parameter that help GA4 identify where users are coming from, or any parameters such as IDs.
GA4's alternatives: Should you quit using GA4?
There is no straightforward answer to this question.
Some EU-based businesses are using GA4 in addition to another data-privacy focused analytics tool. Maybe this is the best approach next to quitting GA4 altogether.
The only downside is that a lot of these GA4 alternatives aren’t free. To name but a few: Matomo, Piwik Pro, and Piano are all decent alternatives to GA4.
Final words
Making GA4 GDPR-compliant is HARD.
There is no set-it-and forget solution that will save you from the hassle of keeping up with regulations. Google is working hard in resolving this issue. If you’re thinking about switching to another tool, don’t just give up on GA4. Use both.
