Is Google Analytics Illegal in the EU? 10 Steps to Make GA4 Legal
You may have heard people recently asking ‘is Google Analytics illegal in the EU’. There’s a fair amount of confusion around this subject and we wanted to clear things up and tell you what you can do to keep within privacy laws and remain GDPR compliant.
Is Google Analytics illegal?
No, Google Analytics is not illegal for most countries in the EU and it’s not illegal in the US or any other country. It is, however, currently illegal in Austria, France, Italy, Denmark, Finland, Norway and Sweden. Sweden have even issued the first significant fine of €1 million for using Google Analytics.
Why is Google Analytics illegal in some countries of the EU?
This is due to a problem with IP addresses. IP addresses are considered personal data, and thus hashing the last 3 octets is not considered strong enough anonymisation as there’s a 1 in 255 chance of re-identify. Thus DPO are requiring the IP address not to leave the EU region.
This is a problem as the IP is sent natively from the browser to the server. A lot of Google’s servers are based in the US, which is outside of the EU. Thus violating GDPR.
There is a way to get around this though…
You can load the gtag.js and associated pixels via Server-side Google Tag Manager from an EU server. Then purge IPs before they are sent to Google Analytics for processing in order to make GA4 legal in the EU. Here’s how to do that.
The older version of GA collects full IP addresses by default, a practice now violating the EU’s strict data privacy regulations. Given that GA3 no longer works, it should be removed from your website.
Here’s a step-by-step guide on how to remove Universal Analytics from your GTM:
Run ga4migrator.com but with only “CLEAN GTM and RECOMMENDED FOLDER STRUCTURE” enabled.
Then, search for UA event and UA pageviews and bulk pause these using the pause button in the top navigation. Create a version and deploy this change.
The trail toward GA4 compliance in the European Union (EU) requires a keen understanding of data protection regulations. A crucial component of this process involves updating your website’s cookie consent banner to reflect GDPR standards. Let’s delve into what this means for your website.
Understanding the GDPR requirement
GDPR requires explicit consent before collecting user data. This brings us to the essential distinction between opt-in and opt-out cookie banners.
- Opt-In Cookie Banner: This type of banner requires users to actively give their consent before any cookies are placed on their device. It’s essentially a ‘permission-first’ approach where users must agree to the use of cookies ahead of time.
- Opt-Out Cookie Banner: Contrarily, an opt-out banner allows cookies to be placed on the user’s device by default. Users are then given the option to withdraw their consent and remove the cookies after they have been placed.
In the EU and its GDPR law context, an opt-in cookie banner is mandatory for analytics cookies. This means that users must give their consent to use analytics cookies before these can be set on their devices. The shift from opt-out to opt-in cookie banners is fundamental in making your GA4 compliant with EU regulations.
For example, if you use Cookiebot as your CMP, the banner setup window has an option labelled ‘Opt-in / Opt-out settings.’ Here you have to choose ‘Accept/ Decline’, effectively setting your cookie banner to opt-in mode.
In essence, transitioning your cookie banner to opt-in mode is critical to making your GA4 EU compliant. It aligns your site with GDPR standards and secures website visitors retain complete control over personal data, fortifying their confidence in your site’s data handling practices.
3. Adjusting GA4 config settings
To make GA4 legal in the EU, adjusting your GA4 configuration settings is essential. Set both allow_google_signals and allow_ad_personalization_signals to ‘off’ by default. Only turn them ‘on’ once you’ve received explicit user consent, aligning with GDPR’s opt-in policy. This small but crucial step helps ensure your website complies with EU data privacy regulations.
4. Configuring GA4 with SGTM while prioritising privacy
Loading your Google Analytics 4 (GA4) via Server-side Google Tag Manager (SGTM) has several advantages, such as improved loading speed and better data privacy control.
While configuring your GA4 tags, you need to enable the “Redact visitor IP address” option. It ensures user IP addresses are not captured, offering an extra layer of privacy in line with the EU’s data privacy laws.
On top of that, for geolocation data, you should set the following Event Parameters ‘geolocation_city={{Request X-Appengine-City}}‘ and ‘geolocation_country={{Request X-Appengine-Country}}‘. These parameters ensure that only the city and country data are collected, providing useful location-based analytics without violating user privacy regulations.
By following these steps, you can balance useful insights and compliance with EU regulations, making your GA4 legal in the EU.
5. Applying region-specific settings in GA4 client
You have another option to enhance your GA4 compliance within the EU which can be achieved by using a transform function to set “Enable region-specific settings” in the GA4 client. It is set in a way that only invokes “Redact visitor IP address” if the visitor IP resolves to EU. But it doesn’t redact the IP addresses when it receives hits from non-EU visitors.
6. Adjusting GA4 data settings for EU compliance
Achieving compliance with EU regulations in Google Analytics 4 (GA4) involves careful attention to data settings. This includes adjusting features such as Ads Personalisation, Granular Location Data Collection, and Google Signals to align with EU-specific requirements. This concise guide provides the steps to make these crucial adjustments to your GA4 property.
Step 1. Navigate to the ‘Admin’ section of your google analytics account.
Step 2. In the Property column, select the GA4 property you want to adjust.
Modifying granular location and device data collection
Once you’ve selected the correct property, follow these steps:
Step 3. Click the ‘Data Settings‘ dropdown menu under the property column and select ‘Data Collection.’
Step 4. Find and toggle the switch for ‘Granular location and device data collection.’
Step 5. But if you want to do this for the EU countries only, Click on the ‘Settings‘ icon under this section, set the switch to ‘OFF’ for each EU country, and hit ‘Apply.’
Adjusting settings for ads personalisation
Next, we’ll alter settings related to Ads Personalisation:
Step 6. Look for ‘Advanced Settings to Allow for Ads Personalisation.’
Step 7. Click on the ‘Settings‘ icon, toggle the switch to ‘OFF’ for each EU country, and then select ‘Apply.’
Turning off Google signals
Lastly, to improve user data protection, you can disable Google Signals:
Step 8. Locate the ‘Google signals data collection’ switch and toggle it to off.
By following these steps, you ensure more excellent user data protection and move towards more robust GA4 EU compliance.
Making Google Analytics 4 (GA4) compliant with EU regulations requires careful consideration of tag adjustments, cookie settings, and third-party tracking adjustments. Let’s delve into how these modifications can be implemented.
Cleaning PII within GA4 tag
In GA4, you need to remove Personally Identifiable Information (PII) within page_location and page_referrer to prevent accidental PII capture.
For the page_referrer, you can either
- Add a JavaScript variable to override page_referrer with location.protocol +”//” + new URL(document.referrer).hostname + new URL(document.referrer).pathname
or - Add this into your global header <meta name=”referrer” content=”origin” /> to clean document.referrer
In order to purge page_location using GTM, please read this guide.
When making GA4 compliant with EU regulations, it’s recommended to reduce cookie duration within your Google Analytics settings so that you do not store data for longer than it is needed. By doing this, you balance valuable insights with respect for user privacy. GA4’s standard-setting retains cookies for 24 months. However, we can reduce this period to 12 months to provide additional data privacy.
Here are the steps to achieve this:
Step 1. While in the ‘Admin‘ section of your Google Analytics account, select the ‘Data Stream‘ option under the ‘Property‘ column.
Step 2. Choose the particular data stream you want to change the cookie duration.
Step 3. Scroll to the ‘Google Tag‘ section, and click ‘Configure tag settings.’
Step 4. In the next window, click the ‘Show All‘ drop-down.
Step 5. Scroll down and click on ‘Override cookie setting‘.
Step 6. Check the box for ‘Override default cookie settings‘ under the ‘Configuration‘ section.
Step 7. Finally, adjust the ‘Cookie expiration‘ drop-down from the default 24 months to 12 months. Then, hit ‘Save‘.
By altering these cookie settings, we respect user privacy choices, align more closely with EU data regulations, and ensure GA4’s operational compliance.
Addressing third-party tracking
Lastly, we need to address third-party tracking, such as Facebook. The requirement here is to strip away the IP address from these trackers as well. You can accomplish this by employing the ‘transform’ function with Server-Side Google Tag Manager (SGTM).
In summary, by successfully executing these modifications, you’ll honour your users’ privacy rights and strengthen the virtue of your data management practice.
8. Utilising Facebook’s limited data use mode
Understanding and executing user data privacy norms becomes vital as digital businesses increasingly cross borders. Beyond GA4, it’s essential to remember other platforms that gather substantial amounts of user data, like Facebook. Thankfully, It offers a feature known as the Limited Data Use (LDU) mode, which further anonymises data sent to it.
Enabling LDU mode allows Facebook to limit the collection and usage of user data, encouraging an atmosphere of clarity and care for user privacy. You can also activate Meta’s geolocation. The combined effect can improve compliance with EU laws while providing a personalized user experience.
Here’s a simplified guide to enable LDU and have Meta perform geolocation:
Step 1. Ensure the Facebook Pixel base code is present on your website.
Step 2. Insert the following code into your Facebook Pixel’s base code.
fbq('dataProcessingOptions', ['LDU'], 0, 0);This line of code effectively triggers the LDU mode. The zeros function as placeholders for the country and state codes and instruct Meta to automatically apply geolocation settings based on the user’s location. A detailed understanding of this process can be found in Facebook’s official documentation on data processing options.
Using LDU mode and Meta’s geolocation, you can demonstrate your commitment to privacy, align with EU laws, and enhance your business credibility while providing an optimal user experience.
9. Setting up Google Ads’ restricted data processing mode
Google Ads offers a “Restricted Data Processing” mode to help businesses align with data privacy regulations. Include the ‘var google_restricted_data_processing = true;’ code into your Google Ads tag to enable this mode. This code instructs Google Ads to limit using specific user data, such as demographics and device identifiers.
While this may help align with GDPR, it doesn’t automatically guarantee full compliance. Consult a Google ads agency to ensure your practices meet the latest requirements.
10. Adjusting user-provided data capabilities in GA4
Google Analytics 4 offers a notable feature called ‘User-Provided Data Capabilities.’ It enhances your measurement metrics, providing deeper insights using data willingly supplied by your website visitors. It’s important to note that Google solely uses this data to offer you services, including technical support and assures it is not shared with third parties.
Step 1. Head over to the ‘Admin‘ area of your Google Analytics account.
Step 2. Under the ‘Property‘ column, you’ll find the ‘Data Stream‘ option. Select it.
Step 3. Choose the specific data stream you wish to modify.
Step 4. Scroll to the next window’s ‘Google Tag‘ section and select ‘Configure tag settings.’
Step 5. Click ‘Show all‘ to expand the settings list.
Step 6. Find and select the ‘Allow user-provided data capabilities‘ option from the list.
Step 7. In the new window, uncheck the box next to “Automatically detect user-provided data” in the ‘Configuration’ section and then hit ‘Save.’
If ‘Enhanced Conversions’ for Google or Facebook isn’t a part of your strategy, you can switch OFF the ‘Allow user-provided data capabilities’ button.
By making these changes, you can continue utilising GA4 to its fullest potential while respecting your users’ data privacy and aligning with EU data privacy regulations.
Conclusion
Navigating data privacy can seem daunting, but it becomes manageable with the right steps and tools. These journeys, transitioning to GA4, tweaking SGTM locations, and enabling key modes like Facebook’s Limited Data Use and Google Ads’ Restricted Data Processing, are pivotal in creating a GDPR-compliant environment.
As anyone can see, these steps can become quite technical for some people. To make these changes effectively and effortlessly, considering a professional Cookie and GDPR compliance service is an efficient move. Not only does it simplify the process, but it also ensures your business operates within legal boundaries. Remember, data compliance is a commitment to user privacy, fostering a trustworthy digital space.
- What is a Customer Data Platform (CDP) & How to Use One - 25/04/2024
- What is Google Consent Mode V2 & How to Implement It - 24/04/2024
- How to Implement Consent Mode with Cookiebot CMP - 09/04/2024