GA4 Privacy Features: Digital Analytics and Data Privacy in 2023
After GA4’s release, and the end of UA, where do we stand on the topic of data privacy? This article will explore GA4 privacy features, and you can implement the tool in a compliant way.
This is a write-up of Kevin Swelsen’s talk that he gave at GA4ward MK4. Here you can find his slides. You can watch his talk on our YouTube channel:
How people used to collect data
Let’s reflect on the state of the digital world more than ten years ago. The image below shows the kind of file that we used to work with. If we wanted to do an analysis of how a webpage was behaving, this was the sort of file we’d need.
We’d be given a file from the server containing a timestamp and the name of the URL that was visited. From there, we could begin to get a better understanding of what pages looked like. At the time, no one cared if that data contained an IP address.
These days, things have changed a little. Laws like the EU’s General Data Protection Regulation (GDPR) have come along. These have put topics like privacy and consent at the top of the priorities list. How we use, store, and process personal data is now heavily regulated.
And just because your business is based outside of the EU, don’t think you can avoid GDPR. The law still applies to you if you collect information about EU citizens. The legislation can be a minefield, and many organisations have had to invest in a GDPR compliance service.
The impacts of GDPR have already become clear. Here’s one example: the Swedish mobile network provider Tele2 was fined $1.1 million for breaching GDPR. But why was the company fined? An audit revealed that the organisation hadn’t implemented GA4 in a compliant way.
To be clear, this kind of situation doesn’t happen often. But it does underline how important it is to comply with the GDPR rules.
RIP Uninversal Analytics
As of July 1st 2023, Universal Analytics, the older version of Google Analytics, was discontinued. This gave rise to a lot of questions for companies specifically surrounding data privacy. What does the migration mean in terms of legislation like GDPR?
With that in mind, let’s look at how you can implement GA4 in a privacy-friendly manner. We’ll also talk about some of the GA4 privacy features.
Privacy & Google Analytics 4
There are three different elements for ensuring that GA4 is implemented in a privacy-friendly manner.
- Data collection. You want GA4 to collect data about people who are visiting your website.
- Whether you are using a tag management system to implement GA4. How can this system help to track the data that you need?
- What can you do within GA4 to better control your data?
Let’s dive into each of these points and hopefully give you a better idea of how to implement GA4 properly.
When it comes to data collection, there are two key points. Firstly, when was the data collected, and secondly, did a user consent?
The regulations are very clear on this topic (seen below).
If you’re using social media advertising and carrying out some form of tracking, you need consent. The same applies if you are sending data to some form of online advertising service.
If you are using any form of analytics tool, you also need to gain consent. Remember, analytics tools aren’t ‘strictly necessary’ for your website to function.
But it isn’t just fines you need to be concerned about. To users, data privacy is very important. This was emphasized in a study by Mackenzie – 71% of users would stop doing business with an organization that gave away sensitive data without permission.
But if all of this is common sense, why are so many companies failing? The image below shows an example of a UK supermarket. When a user arrives at the website, the first thing they see is a consent banner that reads ‘Your privacy is important to us’.
But on closer investigation, we can see that a lot of data is already been sent out. This is before a user has even chosen to accept or opt-out of cookies.
Below is another example, the Sky broadband website. Again, upon loading the website we get a cookie banner asking for our consent. And, like with the previous example, data is already being sent to various sources.
The image below is from a three-and-a-half-year-old article. The article claims that consent tools, instead of protecting data, are undermining privacy laws.
The fact is, either knowingly or unknowingly, companies are failing to adhere to consent given by users. And, even if you have a consent management system, it isn’t certain that you are adhering to the rules.
Ultimately, Implementing consent management is not a one-time task. Maintenance and documentation are key!
Google Tag Manager privacy features
Google has recently launched a new feature within GTM called consent mode. In theory, the tool sounds great. Consent mode connects with your consent management platform and allows you to adhere to GDPR rules. But does it really do everything that Google claims?
Below is the documentation for when your consent management system tells GTM that consent was not given. As a result of this, GTM will send cookieless data to Google Analytics for future measurement.
Without cookies, there is no personally identifiable information, meaning you are GDPR compliant. But at the same time, unless you alter your settings, GTM will still send a user ID and an IP address.
So, does consent mode really make you GDPR compliant? That topic is up for debate.
Back in the days of UA, you had to enable certain settings in your tags for GTM to anonymise IP addresses. GA4 privacy controls do this by default, ensuring analytics does not log any IP addresses.
Also on the list of new GA4 features is that all data collected from devices in the EU is stored in EU servers.
Finally, another feature is Google Signals. This is designed to help improve cross-device reporting. With Signals, we can create better remarketing audiences. It also provides access to demographic and interest data.
Whilst this feature is very nice, you do need permission before you can use it.
In GTM there are a number of fields you can set as a variable for enabling/disabling Google Signals. These include ‘allow_google_signals, ‘allow_ad_personlization_signals’. These allow you to set specific settings for certain users.
Of course, this can be done not just in GTM, but in most tag management systems.
Server-side GTM can also help!
A few years ago, Google launched GTM Server-side. This helps you to even better control the data that is being sent to GA4.
Previously, we had a Client-side GTM that would forward data and send requests to GA. With Server-side, your tag management system lives in the cloud. From there, calls are made to GA.
From Server-side you can enable and disable Google Signals. You can also determine whether a user’s IP address needs to be checked.
Another interesting feature of Serverside is called transformations. From here, we can assign specific parameters that we don’t want to pass on to GA4. Alternatively, we can modify an event before we pass it along.
This provides us with much more freedom and control over the data that is being to GA4.
If you want to implement GA4 in a privacy-friendly manner, a tag management solution like GTM can really help.
Client-side GTM offers many ways of adhering to the consent of users, but you need to know which parameters to set.
Finally, Server Side GTM has all of CS’ features with some benefits for even more control.
Google Analytics 4 privacy features
There are many GA4 privacy features. Let’s look at some of these tools and how they can help you.
Some of the account-level settings in GA4 seem obvious. But despite that, they are still often overlooked. Make sure to implement the features shown below, correctly.
Don’t just allow certain settings. As seen below, you alter advertising settings for individual regions. For EU members or other European countries, it may be better to choose different personalization settings.
Be sure also not to simply acknowledge or agree to certain settings. These will have implications for the way your data is being collected, and the kind of information being stored.
Another important aspect of GDPR is data retention. Make sure that your data retention settings are aligned with GDPR legislation. GA4’s data deletion feature makes sure that data is deleted regularly, in a compliant way.
Finally, a common mistake is how users approach linking with BigQuery. Many clients accidentally link their data with the US BigQuery table. This means they don’t get the same GDPR protections as with the EU table.
So, to sum it up, there are many GA4 privacy controls, but they are not necessarily easy to find.
Don’t just accept or acknowledge things or tick check marks without knowing what’s behind them!
Some things to consider
Before wrapping up this article, let’s reflect on a few things to consider in relation to privacy and GA4.
‘The accident sits in a small corner’.
A German website was fined by the courts for leaking user’s IP addresses via Google fonts. The site loaded its fonts via the Google server. Each time a user loaded the page, a call had to be made to Google with an IP address in order to load the necessary font. And of course, a user might not consent for their IP address to be sent to Google.
So, even with something relatively small like a font, you can find yourself in trouble. With that in mind, let’s recap some of the important data privacy points.
- Privacy is never finished – You’re not done when you implement a consent management system.
- As analysts we have a certain responsibility – Analysts should know what data is being collected for what purpose!
- Know what data you are collecting and for what purpose – Documentation is key!
- Audit your analytics and data collection setup – Don’t think you are done once you set everything up. Audit regularly!
But the BIG question: does this make GA4 legal under GDPR? The debate is long and complicated and it depends on who you ask. However, there have been some steps toward GDPR compliance. We may yet be heading to a future free from GA-related data privacy concerns.
About Kevin Swelsen
With over a decade of experience in the analytics & data field, Kevin Swelsen is a seasoned technical web analyst with experience working for agencies, end-clients as well as doing freelance projects. Kevin’s main ambition is to help companies become more data-driven and turn data into specific business insights, actions and strategy. Over the past few years, privacy and consent has gotten special interest from Kevin which is why he is covering this specific topic. Kevin is also one of the founders of Measurecamp Amsterdam.
- 21 Best Web Analytics Tools Recommended by Experts - 23/11/2023
- How to Use Google Analytics 4 (GA4) for Video Tracking - 01/11/2023
- Google Tag Manager Video Tracking: Full Guide - 01/11/2023