Introduction
Google Analytics 4 (GA4) is Google’s newest tool for market insights. The growth of e-commerce worldwide has been accompanied by the growth of analytics tools, leading to the development of Google’s most recent product, GA4.
GA4’s predecessor, Google Analytics Universal (GAU), will sunset in July 2023, when it will be replaced by GA4. If an organisation wishes to continue using Google’s analytics tool, the transition to GA4 is mandatory.
What’s New in Google Analytics 4?
Google Analytics is a widely popular tool designed by Google and used by organisations to bolster
their marketing ROI (return on investment) and better understand customer experiences. This tool
provides organisations with insights as to how customers interact online with their service. This is
done by collecting location and device data from users who visit the organisation’s platforms.
The transition to GA4 will be quite a change for users of the tool, as it is not simply an update to the existing GAU tool but a completely new piece of software, with new interfaces and reporting mechanisms.
Google have labelled GA4 as the solution to the many privacy-centred concerns which were
associated with GAU and have incorporated some new “privacy features” within the tool, such as:
(1) anonymisation of IP addresses;
(2) shorter retention periods; and
(3) simplification of user data deletion for organisations.
Extra Features of Google Analytics 4
There are numerous features of GA4 which organisations can choose to “turn on” in order to gain
extra insights into how users navigate websites, how they engage with content and their behaviours.
Two of the more common features which we have seen are Google Signals and Consent Mode,
which are explained below.
Google Signals is a standalone Google product which can be integrated with GA4 to enable cross-device tracking and remarketing. This is a big change for users of Google Analytics, as an individual’s browsing can now be tracked across multiple platforms. Google Signals allows an organisation to track and understand how users interact with its content and products across (i) multiple devices, for example one’s laptop and iPhone, (ii) web and app platforms and (iii) different browsing sessions. For Google Signals to operate, an individual must be signed into their Google Account.
Consent Mode is a new set of website settings which use Google’s analytics and advertising services to provide organisations with basic, non-identifying information when a user has declined analytics cookies. When a user gives consent, Google Consent Mode will collect data as it normally would through Google Ads and Google Analytics. However, when users withhold consent, Google will anonymise and aggregate data, such as (i) the time a user visited the site, (ii) how the user came to the site, and (iii) ad-click data, which will be obtained through “cookieless pings” instead of actual cookies. “Cookieless pings” are achieved by an organisation embedding tags into the website.
Turning on either or both of these features may pose issues for an organisation’s data protection compliance if it is done without adequate prior consideration, particularly given the unsettled opinions across Europe on whether cookie data constitutes personal data.
Data Protection Considerations
Based on what is known about GA4 so far, and despite Google’s push that GA4 has the answer to
previous privacy concerns, it appears that little will change from a data protection perspective.
There are some lingering drawbacks associated with the tool that an organisation must address
before going live or “turning on” additional features.
Concerns
Server Location and/or US access: most GA4 servers are hosted in the US and, like GAU, GA4 does not give users the ability to choose where their data may be stored. Even in instances where EU servers can be selected, it is still possible that US subprocessors or US-based Google Affiliates will have access to an organisation’s GA4 data;
Data Sharing with other Google products such as Google Signals and Google Ads: while this is an attractive element that can provide certain benefits to a business’ tracking efforts, it may also facilitate cross-referencing or combinations of datasets that could potentially result in re-identification of individuals;
User Control: as explained above, information about site visits will be collected even where individuals have not provided consent to analytics or advertising cookies. This begs the question of how much control users can exercise on a webpage that utilises Consent Mode settings.
Legal Positions
As many of our readers will know, the law and legal position in the area surrounding cookies and what constitutes “personal data”, particularly in relation to analytical data, remains largely unsettled. Different jurisdictions, even within Europe, have taken different approaches to how this is regulated. For example, just last year, Data Protection Regulators in Italy, France and Austria prohibited organisations from using GAU without gathering user consent, whereas in Ireland no formal position has been established by the Data Protection Commission.
This raises the question of how organisations will be expected to manage legal bases for GA4 processing from both an e-Privacy and a data protection perspective, and of how organisations with webpages in various jurisdictional domains will adapt to ensure they are compliant.
Certainties
There are of course some certainties. When it comes to processing personal data, data controllers
must, among other things, adhere to the six Principles of data protection, consider data subject
rights, international data transfers, and their accountability obligations.
Under Article 5(1) of the GDPR, the Principles require that:
- Processing must be lawful, fair and transparent;
- Processing must be limited to the stated purpose for which the data was originally collected;
- Personal data collected for processing must be limited to what is necessary to achieve the stated purpose;
- Personal data must be accurate and, where necessary, kept up to date;
- Personal data must not be stored for longer than is necessary to achieve the original purpose;
- Personal data must be processed in a manner that ensures appropriate security of the personal data.
Similarly, when it comes to placing cookies:
- Users must be given control over what cookies they wish to accept before they are placed by the webpage;
- Organisations must provide accurate and specific information about the data each cookie tracks and its purpose, before consent is received;
- Organisations must document and store consent from users;
- Users must be able to withdraw their consent to certain or all cookies in a manner which is as easy as it was to give consent in the first place.
So… What Should GA4 Users Bear in Mind? Pembroke Privacy’s Recommendations:
Google has implemented a number of features with GA4 which do aim to protect the privacy rights of individuals. However, from the information that currently exists about GA4, many of the same data protection concerns first raised with GAU remain with the newer product.
Organisations who are set to make the switch this summer should try, insofar as is possible, to choose the most privacy-centric, data-sparing settings available, for example not turning on Google Signals or Consent Mode.
Recommendations:
- Privacy and Cookie Notice Updates
Privacy Notices must be updated to transparently inform website users about your specific use of
GA4, what data is collected, how it is processed, for how long it is stored, to whom it is shared, and
how to exercise rights in relation to this processing. If Google Signals and Consent Mode are
implemented, each will also need to be transparently explained to users.
The Cookie Notice must also be updated to reflect any new Cookies to be deployed on the website.
- Review Cookie Consent Mechanisms and Banners
We recommend relying on consent for any processing activities arising from the use of GA4. To
achieve this, the cookie consent mechanism ought to be updated to provide more explicit
information such as: (1) the cookies that are being set: the type, scope, and purpose; and (2) the
user should also be able to recognise that Google has access to the content of the Cookie.
Revocation of consent must be as simple as giving it. In updating the cookie consent mechanism, we
recommend that the Banner is designed in such a way that users can easily access it and change
their cookie preferences.
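The consent-first wiring that the Consent Mode description and the cookie consent recommendation above imply, as an added example that is not code from the original article or from Google: every storage category starts as denied, the GA4 configuration only loads after an explicit opt-in, and each decision is returned as a timestamped record so it can be documented. The `gtag("consent", ...)` command and the `ad_storage` / `analytics_storage` keys are Google’s own API; the measurement ID, the shape of the choice object and the consent record are assumptions for illustration.

```javascript
// Added example (not from the original article): consent-first wiring of a GA4 tag.
// gtag()'s "consent" command and the ad_storage/analytics_storage keys are Google's;
// the measurement ID, the choice object and the consent record are assumptions.

const GA4_MEASUREMENT_ID = "G-XXXXXXXXXX"; // placeholder, not a real property

// Google's tag snippet defines gtag() as a push onto the dataLayer queue.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// 1. Before any Google script loads: deny every storage category by default,
//    so no analytics or advertising cookie is written on first paint.
function initConsentDefaults() {
  gtag("consent", "default", { ad_storage: "denied", analytics_storage: "denied" });
  return effectiveConsent();
}

// 2. After the banner returns the user's choice: upgrade only the categories the
//    user actually ticked, and return a timestamped record of the decision so the
//    organisation can document and store consent as the article requires.
function applyUserChoice(choice, now = new Date()) {
  const update = {
    ad_storage: choice.ads ? "granted" : "denied",
    analytics_storage: choice.analytics ? "granted" : "denied",
  };
  gtag("consent", "update", update);
  if (choice.analytics) loadGa4Config();
  return { recordedAt: now.toISOString(), ...update };
}

// Only configure the GA4 property once analytics consent exists. Configuring it
// earlier would send the "cookieless pings" the article describes even while
// consent is denied, which is the user-control concern it raises.
function loadGa4Config() {
  gtag("js", new Date());
  gtag("config", GA4_MEASUREMENT_ID);
}

// Replay the queue to see the consent state Google's tag would observe.
function effectiveConsent() {
  const state = {};
  for (const call of dataLayer) {
    if (call[0] === "consent") Object.assign(state, call[2]);
  }
  return state;
}

// Withdrawal is the same single call as granting: as easy to revoke as to give.
function withdrawAll(now = new Date()) {
  return applyUserChoice({ ads: false, analytics: false }, now);
}
```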
- Conduct a Data Protection Impact Assessment
While the processing activity (i.e., the transition to and subsequent use of GA4) may not necessarily meet the threshold of a legal requirement to carry out a DPIA, it may be a best-practice approach to ensure that privacy measures are built in to the use of GA4 and that, insofar as is possible, the data protection risk inherently associated with the implementation of Google Analytics is mitigated.
Carrying out a DPIA will highlight any areas that will need to be addressed in line with the six
Principles, data subject rights and international transfers, and the assessment will act as
documented evidence that consideration was given, and necessary adaptations were made to
mitigate risk to data subjects.
- Choose Minimum Retention Periods
Data retention within GA4 can be for a minimum of 2 months and a maximum of 14 months. Our
recommendation is to stick to the shortest retention periods possible.
- Review Google Agreements to Ensure all Data Protection Terms are Met
We recommend reviewing the GA4, or other Google agreements associated with the transition, to
ensure that any data protection terms/obligations placed on your organisation are sufficiently met.