Is Google Analytics 4 legal?

With the introduction of Google Analytics 4, Google wants to solve (among other things) the privacy issues of Universal Analytics, the predecessor of GA4.

Many companies are now wondering whether the use of Google Analytics 4 is actually legal in the EU and whether it can be used in a GDPR-compliant manner without risk. We want to answer the question in this article:

The previous version of Google Analytics (GA) collected users’ IP addresses by default. This was, of course, a violation of European data protection. The IP address is considered personally identifiable information (PII), which is protected by law. Google Analytics allowed the IP anonymization feature to be enabled, so GA anonymized the last three to four digits to protect user privacy. However, IP anonymization had to be manually enabled by users, required editing of the tracking code.

In GA4, IP anonymization is now enabled by default and cannot be disabled. This means that GA4 does not store users’ IP addresses and cannot track users. From a GDPR perspective, this is the most important change in GA4 that helps users comply with the GDPR.

On this basis, Google claims that it does not collect personal data. However, in the April 2022 partial decision, the Austrian DPA reconfirmed that Google Analytics’ IP anonymization is not sufficient. She reasoned, as follows:

IP anonymization only affects the IP address as such. Google transmits data such as online identifiers set via cookies or device data in plain text.
IP anonymization takes place only after the data has been transferred to Google.
This means that Google Analytics still collects personal data.

The Austrian DPO already emphasized in its first partial decision that “IP address (…) is only one of many ‘puzzle pieces’ of the digital footprint (…)”. Anonymization of IP addresses does not necessarily lead to the conclusion that the processed data are not personal. Cookie identification numbers, for example, are in themselves personal data.

The Austrian DPA confirmed that the use of these identification numbers allows Google Analytics to “distinguish website visitors and also to obtain the information whether it is a new or a returning website visitor (…).”

Google may link the information that Google Analytics 4 collects on a particular pseudonym with other data submitted by other users of this platform or other Google services. And there are tons of them. This would allow Google to determine the identity of individual website/app users and their behavior on the same website or app, or possibly on other websites and apps.

Another important feature of GA4 is the much shorter storage time of the data. In the previous GA version, you could save the collected data for up to 64 months.

In GA4, you have only two options for storing personal data: 2 months or 14 months, depending on your analytical activities.

This feature helps users comply with the DSGVO’s principle of storage limitation, as the law states that data can only be kept for as long as it is absolutely necessary. However, if your organization needs to store data for longer than 14 months, it is possible to store data for a longer period of time by using a data warehouse such as Google’s BigQuery.

President Biden issued a new executive order, known as an Executive Order, to implement the EU-U.S. Data Privacy Framework as a successor initiative to the Privacy Shield Framework.

Following the announcement of a political agreement on March 25, 2022, the U.S. government has now released further details on how it intends to put mass surveillance by intelligence agencies on a legally sound footing. To that end, President Biden signed the immediately effective Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities.

This is to take into account the objections of the European Court of Justice (ECJ) in its Schrems II ruling of July 16, 2020 (C-311/18). The ECJ had annulled the previous Privacy Shield Framework because the extensive monitoring by U.S. intelligence agencies did not meet the minimum legal requirements. The new Executive Order is intended to incorporate these minimum legal standards, thereby enabling the EU Commission’s planned new adequacy decision for Privacy Shield-certified companies.

Currently, the use of all U.S. services certified under the DPF is legally protected. U.S. firms must complete a self-certification process in order to rely on the adequacy decision.

For companies with many EU users or customers, such as Meta, Google, Microsoft, AWS, you can assume that they have the certification in place.

Google Consent Mode is a privacy feature that allows you to change the behavior of Google tags on your website based on users’ consent settings. With a new GA4 consent implementation, you can instruct GA4 to track user behavior according to user consent settings.

The Consent Mode is therefore not a simple “cookie banner”, but must actually stop the data flows before the user’s consent.

Most data protection laws, including the GDPR, give consumers the right to request that their data be deleted. In response, GA4 provides the ability to delete an individual user’s data within a specified period of time.

This feature also helps users comply with the GDPR.

To comply with most privacy laws, including the GDPR, Google does not allow users to collect personally identifiable information (PII) in GA4. Collecting PII through GA4 is considered a violation of Google’s Terms of Service, and Google has the right to delete all of a user’s data if PII is found.

GDPR Article 4 defines personal data: “Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Personal data also includes:

Religious views
Ethnic origin and identities
Genetic data
Biometric data
Philosophical beliefs
Health data
Sexual orientations
Political views
Memberships

Google encourages sharing your data with other Google products, such as Google Signals or Google Ads, as it provides certain benefits and improves your company’s tracking results.

However, data sharing increases the risk of violating data protection laws, especially the General Data Protection Regulation, if not properly managed.

Under the General Data Protection Regulation, you must obtain explicit consent from website users to share their data with other Google products, such as Google Signals or Google Ads. Consent must be given BEFORE the data sharing becomes effective. In addition, your website’s privacy policy must clearly state that users’ private data may be shared with other Google products.

You can also choose not to share data to be on the safe side in terms of compliance with data protection laws.

So, after implementing all the features of GA4 related to user privacy, GA4 is GDPR compliant?

The simple answer is: No!

On October 14, 2020, Google released Google Analytics 4 (GA4), which will replace Universal Analytics and help its users comply with the requirements of the GDPR.

GA4 introduced a number of privacy features, including default IP anonymization, shorter data retention period, server location, consent mode, user personal data deletion, and personal data rules.

The main privacy improvement is the default IP anonymization feature, which means that Google Analytics no longer stores IP addresses.

However, implementing all of GA4’s privacy features from 2022 unfortunately does not necessarily make your website GDPR compliant at this time.

If you want to use Google Analytics 4, then you should take the following actions:

1. Use GA4 only with the default anonymization;
2. Do not share GA4 data with Google products, such as Google Signals or Google Ads;
3. Sign a data processing agreement with Google regarding limited data transfer;
4. Disable the personalization feature for advertising in GA4;
5. to use the anonymized data only for aggregated statistical reports;
6. obtain the express consent of end users to the use of Google Analytics cookies.