Data privacy is a crucial issue in the digital age, especially for companies operating in the European Union (EU). With the introduction of Google Analytics 4 (GA4), the question arises whether this new version of Google’s analytics tool complies with the EU’s General Data Protection Regulation (GDPR).
This article explores the main aspects of GA4 in relation to the GDPR, assessing its compliance and current status, as well as compiling the legal issues of non-compliance that have arisen in various countries and the implications they have had for public and private organisations.
What aspects of Google Analytics 4 do we need to consider?
Google Analytics 4 is the latest version of Google’s popular web analytics tool. Unlike its predecessor, Universal Analytics, GA4 is designed to focus on event analytics and provide a more complete view of the user journey across multiple platforms and devices. This focus on event data allows businesses to gain more detailed insights into user behaviour.
In the past, there have been problems with Google Analytics in ensuring compliance with the EU’s General Data Protection Regulation (GDPR). Given this history, private companies and public administrations are wondering whether this new version of Google’s tool will repeat the same mistakes or whether it will finally comply with Europe’s GDPR.
What is GDPR?
Regulation 2016/679, also known as the GDPR, is EU legislation designed to protect the privacy and personal data of European citizens. This law came into force on 25 May 2018 and sets strict requirements for the collection, processing and storage of personal data.
The main areas of focus of the GDPR include user consent, the right of access and rectification, and the obligation to report data breaches.
GA4 features and GDPR compliance
GA4 introduces several new features that enhance the analytics capabilities of businesses, while seeking to comply with GDPR. These features include event-based analytics, integration with Google Ads, predictive modelling, and data privacy and control tools.
One of the most significant changes is the automatic anonymisation of users’ IP addresses, meaning that these are not stored in logs. In addition, GA4 allows companies to set customised data retention periods, making it easier to delete old data and thus comply with GDPR data retention regulations.
It also provides tools to manage user consent, ensuring that data is only collected from users who have given explicit consent. Google provides clear documentation on how data is used and processed in GA4, helping businesses comply with GDPR transparency requirements.
Some of these requirements are:
- Explicit consent: companies must obtain clear and explicit consent from users before collecting their personal data.
- Right to be forgotten: users have the right to request that their data be deleted.
- Transparency and access: companies should be transparent about how data is used and provide users with access to their own data.
- Data security: companies must implement adequate security measures to protect personal data.
GDPR: a strict legal framework
Google Analytics’ non-compliance problems began with the Schrems II ruling that invalidated Privacy Shield 1.0. At that time, the EU demanded that the privacy rights of its citizens be respected by the US government.
In response, several EU countries decided to ban the use of Google Analytics. Austria was the first in December 2021, followed by the Netherlands and France in January and February 2022, respectively. Italy joined months later, becoming the fourth country to implement such a ban. They also argued that the collection and transfer of user data to the US did not comply with EU data protection rules.
The data collected in question included the date and time of the visit, browser information, IP address, screen resolution, operating system and the user’s language preference. In addition, US law obliged Google to share this data with intelligence agencies upon request, further raising concerns about the handling of European citizens’ personal data.
Thus, in 2023 the CNIL, the French data protection authority, published updated guidance on the use of Google Analytics, reiterating that the practice is illegal. Together with the DSB (the Austrian data protection watchdog), it stated that the use of Google Analytics violates the GDPR and that EU companies that continue to use Google Analytics may be fined. Similarly, in Italy, the Garante per la Protezione dei Dati Personali recommended that companies switch tools and take additional data protection measures.
Is GA4 GDPR compliant in Europe?
Last year, the EU and the US announced a new agreement that would establish a new Privacy Shield, stressing that it is a political and not a legal agreement, and therefore its validity and continuity over time is doubtful.
In addition, question and answer sessions were held with the different EU bodies, such as the CNIL and the DSB, which reached the following conclusions and possible measures: encryption of data for export, the use of a proxy server, and requesting the explicit consent of users for data transfers. The last of these is unfeasible because consent would have to be obtained from all European users who use this tool.
From the beginning of 2024, Google’s digital ecosystem faces two major changes in terms of privacy:
- The first requires the use of cookie banners certified as Consent Management Platforms (CMP) by Google and the IAB Transparency and Consent Framework (TCF) version 2.2.
- The second is the introduction of Version 2 of the Consent Mode in Google Analytics 4.
These amendments seek to address the growing regulatory challenges and demands on user privacy, especially in the European Economic Area (EEA) and the UK.
Tech4access and a comprehensive GDPR compliance solution with Siteimprove Analytics
In summary, Google Analytics 4 includes several features designed to help businesses comply with GDPR, such as IP anonymisation, consent tools and data retention controls. However, despite the update, GDPR compliance relies on an agreement that lacks legal validity and whose continuity over time cannot be determined, so illegalities can always recur.
At Tech4access, as expert consultants in innovative digital usability and accessibility solutions and services, we always work with the solutions that offer the best guarantee of regulatory compliance to prevent our clients from having problems, both now and in the future. For this reason, we offer you Siteimprove Analytics, which offers a robust and complete alternative to Google Analytics 4.
It is an advanced digital analytics platform that not only provides detailed, real-time insight into user behaviour, but also ensures compliance with data privacy regulations such as GDPR. Siteimprove Analytics includes features such as secure data storage, advanced event and target tracking, and comprehensive marketing solutions.
If you would like to know more about how to integrate Siteimprove Analytics as your web analysis and optimisation tool, please do not hesitate to contact us.