Is Google Analytics Illegal in the EU? 10 Steps to Make GA4 Legal

Will Rice
First published July 26th, 2023
Last updated June 18th, 2024
Learn whether Google Analytics is illegal in the EU and 10 steps you can take to make GA4 legal and GDPR compliant.

You may have heard people recently asking ‘is Google Analytics illegal in the EU’. There’s a fair amount of confusion around this subject and we wanted to clear things up and tell you what you can do to keep within privacy laws and remain GDPR compliant.

Is Google Analytics illegal?

No, Google Analytics is not illegal in most EU countries, and it is not illegal in the US or any other country. It is, however, currently illegal in Austria, France, Italy, Denmark, Finland, Norway and Sweden. Sweden has even issued the first significant fine of €1 million for using Google Analytics.

Why is Google Analytics illegal in some countries of the EU?

This is due to a problem with IP addresses. IP addresses are considered personal data, and hashing the last 3 octets is not considered strong enough anonymisation, as there is still a 1 in 255 chance of re-identification. DPOs are therefore requiring that the IP address does not leave the EU region.

This is a problem because the browser sends the IP address natively to the server. Many of Google’s servers are based in the US, which is outside the EU, so the transfer violates GDPR.

There is a way to get around this though…

You can load the gtag.js and associated pixels via Server-side Google Tag Manager from an EU server. Then purge IPs before they are sent to Google Analytics for processing in order to make GA4 legal in the EU. Here’s how to do that.

1. Removing Universal Analytics tags from GTM

The older version of GA collects full IP addresses by default, a practice that now violates the EU’s strict data privacy regulations. Given that GA3 no longer works, it should be removed from your website.

Here’s a step-by-step guide on how to remove Universal Analytics from your GTM:

Run ga4migrator.com with only “CLEAN GTM and RECOMMENDED FOLDER STRUCTURE” enabled.

Then search for UA event and UA pageview tags and bulk-pause them using the pause button in the top navigation. Create a version and deploy this change.

2. Changing your cookie banner to opt-in mode

The path to GA4 compliance in the European Union (EU) requires a sound understanding of data protection regulations. A crucial part of this process is updating your website’s cookie consent banner to reflect GDPR standards. Let’s look at what this means for your website.

Understanding the GDPR requirement

GDPR requires explicit consent before collecting user data. This brings us to the essential distinction between opt-in and opt-out cookie banners.

Opt-In vs opt-out cookie banners

  • Opt-In Cookie Banner: This type of banner requires users to actively give their consent before any cookies are placed on their device. It’s essentially a ‘permission-first’ approach where users must agree to the use of cookies ahead of time.
  • Opt-Out Cookie Banner: By contrast, an opt-out banner places cookies on the user’s device by default. Users are then given the option to withdraw their consent and remove the cookies after they have been placed.

Embracing the opt-In banner in the EU

In the EU and its GDPR law context, an opt-in cookie banner is mandatory for analytics cookies. This means that users must give their consent to use analytics cookies before these can be set on their devices. The shift from opt-out to opt-in cookie banners is fundamental in making your GA4 compliant with EU regulations.

For example, if you use Cookiebot as your CMP, the banner setup window has an option labelled ‘Opt-in / Opt-out settings.’ Here you have to choose ‘Accept/ Decline’, effectively setting your cookie banner to opt-in mode.

Screenshot: opt-in mode for the cookie banner in Cookiebot

In essence, switching your cookie banner to opt-in mode is critical to making your GA4 EU compliant. It aligns your site with GDPR standards and ensures website visitors retain complete control over their personal data, strengthening their confidence in your site’s data handling practices.

3. Adjusting GA4 config settings

To make GA4 legal in the EU, adjusting your GA4 configuration settings is essential. Set both allow_google_signals and allow_ad_personalization_signals to ‘off’ by default. Only turn them ‘on’ once you’ve received explicit user consent, aligning with GDPR’s opt-in policy. This small but crucial step helps ensure your website complies with EU data privacy regulations.
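As an added example (not code from the article), here is how the opt-in banner of step 2 and the default-off flags of step 3 fit together on the page: the Consent Mode defaults and both GA4 signals flags start denied/false and are only relaxed by the CMP callback. The measurement ID is a placeholder, and onConsentChange() is assumed to be wired to your CMP’s accept/decline event.

```javascript
// Added example for steps 2 and 3, not code from the original article. Nothing
// is sent with Google signals or ad personalisation enabled until the visitor
// has actively opted in. MEASUREMENT_ID is a placeholder; onConsentChange() is
// assumed to be called by the CMP's accept/decline callback.
const MEASUREMENT_ID = "G-XXXXXXXXXX"; // placeholder, use your own GA4 ID

// Same shape as Google's own snippet: gtag() queues each call on the dataLayer.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// GA4 config parameters derived from a consent decision. Both flags are false
// unless the visitor has explicitly agreed to advertising cookies.
function ga4ConfigFor(consent) {
  const ads = consent.ads === true;
  return {
    allow_google_signals: ads,
    allow_ad_personalization_signals: ads,
  };
}

// Consent Mode defaults, issued before gtag.js loads: everything is denied
// until the banner is answered (wait_for_update gives the CMP 500 ms to
// restore a previously stored choice).
function setConsentDefaults() {
  gtag("consent", "default", {
    analytics_storage: "denied",
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    wait_for_update: 500,
  });
}

// Called by the CMP once the visitor has chosen. The GA4 config (and with it
// the first page_view) is only issued when analytics consent was granted, so
// a decline leaves nothing but the consent update on the dataLayer.
function onConsentChange(consent) {
  const state = (v) => (v === true ? "granted" : "denied");
  gtag("consent", "update", {
    analytics_storage: state(consent.analytics),
    ad_storage: state(consent.ads),
    ad_user_data: state(consent.ads),
    ad_personalization: state(consent.ads),
  });
  if (consent.analytics === true) {
    gtag("config", MEASUREMENT_ID, ga4ConfigFor(consent));
  }
  return dataLayer.length;
}
```

In the article’s flow, setConsentDefaults() runs in the head before the gtag.js script tag, and the CMP’s accept event calls onConsentChange({ analytics: true, ads: true }).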

4. Configuring GA4 with SGTM while prioritising privacy

Loading your Google Analytics 4 (GA4) via Server-side Google Tag Manager (SGTM) has several advantages, such as improved loading speed and better data privacy control.

While configuring your GA4 tags, you need to enable the “Redact visitor IP address” option. It ensures user IP addresses are not captured, offering an extra layer of privacy in line with the EU’s data privacy laws.

Screenshot: redacting the visitor IP address in GTM

On top of that, for geolocation data, set the Event Parameters 'geolocation_city={{Request X-Appengine-City}}' and 'geolocation_country={{Request X-Appengine-Country}}'. These parameters ensure that only city and country data are collected, providing useful location-based analytics without violating user privacy regulations.

Screenshot: geolocation parameters while configuring GA4 tags

By following these steps, you can balance useful insights and compliance with EU regulations, making your GA4 legal in the EU.

5. Applying region-specific settings in GA4 client

Another option to improve your GA4 compliance within the EU is to use a transform function to set “Enable region-specific settings” in the GA4 client. Configured this way, the client only applies “Redact visitor IP address” when the visitor’s IP resolves to the EU, and leaves IP addresses untouched for hits from non-EU visitors.

Screenshot: enabling region-specific settings in the GA4 client

6. Adjusting GA4 data settings for EU compliance

Achieving compliance with EU regulations in Google Analytics 4 (GA4) involves careful attention to data settings. This includes adjusting features such as Ads Personalisation, Granular Location Data Collection, and Google Signals to align with EU-specific requirements. This concise guide provides the steps to make these crucial adjustments to your GA4 property.

Step 1. Navigate to the ‘Admin’ section of your Google Analytics account.

Screenshot: 'Admin' section of a Google Analytics account

Step 2. In the Property column, select the GA4 property you want to adjust.

Screenshot: choosing the right GA4 property in a Google Analytics 4 account

Modifying granular location and device data collection

Once you’ve selected the correct property, follow these steps:
Step 3. Click the ‘Data Settings‘ dropdown menu under the property column and select ‘Data Collection.’

Screenshot: 'Data collection' in the Data Settings dropdown under the Property column

Step 4. Find and toggle the switch for ‘Granular location and device data collection.’

Screenshot: toggle switch for Granular location and device data collection in Google Analytics 4

Step 5. If you want to do this for EU countries only, click the ‘Settings‘ icon under this section, set the switch to ‘OFF’ for each EU country, and hit ‘Apply.’

Screenshot: switching off Granular location and device data collection for EU countries only

Adjusting settings for ads personalisation

Next, we’ll alter settings related to Ads Personalisation:

Step 6. Look for ‘Advanced Settings to Allow for Ads Personalisation.’
Step 7. Click on the ‘Settings‘ icon, toggle the switch to ‘OFF’ for each EU country, and then select ‘Apply.’

Screenshot: switching off Ads Personalisation for EU countries only

Turning off Google signals

Lastly, to improve user data protection, you can disable Google Signals:

Step 8. Locate the ‘Google signals data collection’ switch and toggle it to off.

Screenshot: toggle switch for Google signals in Google Analytics 4

By following these steps, you ensure stronger user data protection and move towards more robust GA4 EU compliance.

7. Adjusting GA4 tag, cookie settings, and third-party tracking

Making Google Analytics 4 (GA4) compliant with EU regulations requires careful consideration of tag adjustments, cookie settings, and third-party tracking adjustments. Let’s delve into how these modifications can be implemented.

Cleaning PII within GA4 tag

In GA4, you need to remove Personally Identifiable Information (PII) within page_location and page_referrer to prevent accidental PII capture.

For the page_referrer, you can either:

  1. Add a JavaScript variable that overrides page_referrer with document.referrer ? location.protocol + "//" + new URL(document.referrer).hostname + new URL(document.referrer).pathname : "" (the guard avoids the TypeError that new URL() throws when the referrer is empty, for example on direct visits), or
  2. Add <meta name="referrer" content="origin" /> to your global header to clean document.referrer.

In order to purge page_location using GTM, please read this guide.
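As an added example (not code from the article or the linked guide), the two functions below can be dropped into GTM Custom JavaScript variables: cleanReferrer() yields the same value as the step 1 variable above while tolerating an empty or malformed referrer, and cleanPageLocation() goes beyond the article by masking e-mail-like values in page_location, which is the most common accidental PII leak. The e-mail pattern and the "redacted" mask are my own choices.

```javascript
// Added example for the PII cleaning above, not code from the original article.
// cleanReferrer() returns protocol, host and path of the referrer (no query
// string or fragment) and copes with an empty document.referrer, where
// new URL("") throws. cleanPageLocation() masks query values and path segments
// that look like e-mail addresses while leaving utm_* parameters intact.
// The e-mail regex and the mask value are my own choices.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const MASK = "redacted";

// Protocol + host + path of the referrer, or "" for direct traffic or an
// unparseable value (new URL() throws on both).
function cleanReferrer(referrer) {
  if (!referrer) return "";
  let u;
  try { u = new URL(referrer); } catch (e) { return ""; }
  return `${u.protocol}//${u.hostname}${u.pathname}`;
}

// Percent-decode defensively; a malformed escape sequence is left as-is.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Masks e-mail-like values in the query string and in path segments, keeping
// everything else (including campaign parameters) untouched. The query string
// is only re-serialised when a value was actually replaced.
function cleanPageLocation(pageUrl) {
  let u;
  try { u = new URL(pageUrl); } catch (e) { return pageUrl; }
  for (const [key, value] of Array.from(u.searchParams.entries())) {
    if (EMAIL_RE.test(value)) u.searchParams.set(key, MASK);
  }
  const cleanedPath = u.pathname
    .split("/")
    .map((seg) => (EMAIL_RE.test(safeDecode(seg)) ? MASK : seg))
    .join("/");
  if (cleanedPath !== u.pathname) u.pathname = cleanedPath;
  return u.toString();
}
```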

Reducing cookie duration in GA4

When making GA4 compliant with EU regulations, it is recommended to reduce the cookie duration in your Google Analytics settings so that you do not store data for longer than needed. By doing this, you balance valuable insights with respect for user privacy. GA4’s default setting retains cookies for 24 months; we can reduce this period to 12 months for additional data privacy.

Here are the steps to achieve this:
Step 1. While in the ‘Admin‘ section of your Google Analytics account, select the ‘Data Stream‘ option under the ‘Property‘ column.

Screenshot: 'Data Stream' option under the 'Property' column of a Google Analytics 4 account

Step 2. Choose the data stream for which you want to change the cookie duration.

Screenshot: choosing the data stream whose cookie duration will be changed

Step 3. Scroll to the ‘Google Tag‘ section, and click ‘Configure tag settings.’

Screenshot: 'Configure tag settings' section in the Google Analytics data stream

Step 4. In the next window, click the ‘Show All‘ drop-down.

Screenshot: 'Show All' drop-down in the Configure tag settings window

Step 5. Scroll down and click on ‘Override cookie setting‘.

Screenshot: 'Override cookie setting' option in the Configure tag settings window

Step 6. Check the box for ‘Override default cookie settings‘ under the ‘Configuration‘ section.

Screenshot: 'Override default cookie settings' box under the 'Configuration' section

Step 7. Finally, adjust the ‘Cookie expiration‘ drop-down from the default 24 months to 12 months. Then, hit ‘Save‘.

Screenshot: changing the 'Cookie expiration' drop-down from the default 24 months to 12 months

By altering these cookie settings, we respect user privacy choices, align more closely with EU data regulations, and ensure GA4’s operational compliance.

Addressing third-party tracking

Lastly, we need to address third-party tracking, such as Facebook. The requirement here is to strip away the IP address from these trackers as well. You can accomplish this by employing the ‘transform’ function with Server-Side Google Tag Manager (SGTM).

In summary, by executing these modifications you honour your users’ privacy rights and strengthen your data management practices.

8. Utilising Facebook’s limited data use mode

Understanding and implementing user data privacy norms becomes vital as digital businesses increasingly cross borders. Beyond GA4, it’s essential to remember other platforms that gather substantial amounts of user data, like Facebook. Thankfully, it offers a feature known as Limited Data Use (LDU) mode, which further anonymises data sent to it.

Enabling LDU mode allows Facebook to limit the collection and usage of user data, encouraging an atmosphere of clarity and care for user privacy. You can also activate Meta’s geolocation. The combined effect can improve compliance with EU laws while providing a personalized user experience.

Here’s a simplified guide to enable LDU and have Meta perform geolocation:

Step 1. Ensure the Facebook Pixel base code is present on your website.
Step 2. Insert the following code into your Facebook Pixel’s base code.

fbq('dataProcessingOptions', ['LDU'], 0, 0);

This line of code effectively triggers the LDU mode. The zeros function as placeholders for the country and state codes and instruct Meta to automatically apply geolocation settings based on the user’s location. A detailed understanding of this process can be found in Facebook’s official documentation on data processing options.

Using LDU mode and Meta’s geolocation, you can demonstrate your commitment to privacy, align with EU laws, and enhance your business credibility while providing an optimal user experience.

9. Setting up Google Ads’ restricted data processing mode

Google Ads offers a “Restricted Data Processing” mode to help businesses align with data privacy regulations. Add ‘var google_restricted_data_processing = true;’ to your Google Ads tag to enable this mode. It instructs Google Ads to limit its use of certain user data, such as demographics and device identifiers.

While this may help align with GDPR, it does not automatically guarantee full compliance. Consult a Google Ads agency to ensure your practices meet the latest requirements.

10. Adjusting user-provided data capabilities in GA4

Google Analytics 4 offers a notable feature called ‘User-Provided Data Capabilities.’ It enhances your measurement metrics, providing deeper insights from data willingly supplied by your website visitors. Note that Google states it uses this data solely to provide you with services, including technical support, and that it is not shared with third parties.

Step 1. Head over to the ‘Admin‘ area of your Google Analytics account.

Screenshot: navigating to the 'Admin' section

Step 2. Under the ‘Property‘ column, you’ll find the ‘Data Stream‘ option. Select it.

Screenshot: 'Data Stream' option under the 'Property' column of a Google Analytics 4 account

Step 3. Choose the specific data stream you wish to modify.

Screenshot: choosing the data stream to modify

Step 4. Scroll to the next window’s ‘Google Tag‘ section and select ‘Configure tag settings.’

Screenshot: 'Configure tag settings' section in the Google Analytics data stream

Step 5. Click ‘Show all‘ to expand the settings list.

Screenshot: 'Show All' drop-down in the Configure tag settings window

Step 6. Find and select the ‘Allow user-provided data capabilities‘ option from the list.

Screenshot: 'Allow user-provided data capabilities' option in the Google tag settings list

Step 7. In the new window, uncheck the box next to “Automatically detect user-provided data” in the ‘Configuration’ section and then hit ‘Save.’

Screenshot: 'Automatically detect user-provided data' box in the 'Configuration' section

If ‘Enhanced Conversions’ for Google or Facebook isn’t a part of your strategy, you can switch OFF the ‘Allow user-provided data capabilities’ button.

Screenshot: switching OFF the 'Allow user-provided data capabilities' button

By making these changes, you can continue utilising GA4 to its fullest potential while respecting your users’ data privacy and aligning with EU data privacy regulations.

Conclusion

Navigating data privacy can seem daunting, but it becomes manageable with the right steps and tools. The changes described here, transitioning to GA4, hosting SGTM in the EU, and enabling modes such as Facebook’s Limited Data Use and Google Ads’ Restricted Data Processing, are pivotal in creating a GDPR-compliant environment.

As you can see, these steps can become quite technical. To make these changes effectively and efficiently, consider a professional cookie and GDPR compliance service. Not only does it simplify the process, but it also helps ensure your business operates within legal boundaries. Remember, data compliance is a commitment to user privacy, fostering a trustworthy digital space.
