Earlier this morning (April 22nd, 2022) Google published a support article describing the privacy changes being rolled out to Google Analytics 4. Checking GA4, I already see these features available, and so they are ready for use.
The support article centers around four primary concepts for how they wish to address the concerns of the various EU privacy authorities and move closer to being in alignment with Europe’s General Data Protection Regulation after some adverse rulings in Austria and France earlier this year.
IP Address Logging
Google has stated that unlike Universal Analytics (which is being phased out), GA4 does not log IP Addresses. In the European Union, when analytics collects measurement data, all IP Lookups (which populate the City, Continent, County, Region & Subcontinent fields) are done on EU-based servers before they forward traffic (presumably to the United States) for processing.
Data Processing Location
To enhance the privacy of EU based users, GA4 will receive and process data from EU users through domains and servers based in the EU. This applies regardless of where the property is based, if the user (as defined from a IP Address Geo Lookup) is identified to be in the EU, then that data is received and processed in the EU.
Notably, this has some changes which may required if you leverage Content Security Policies, you’ll need to make sure their permissive and allow connections to :
- *.google-analytics.com
- *.analytics.google.com
Google Signals Data
Google Signals will be able to be disabled on a per region basis, if disabled any historical data is kept, but no additional data is collected from that point forward.
Warnings
Google Signals modeling is a key feature of Google Analytics 4, and disabling it has the following effects:
- Loss of Cross-Platform reporting
- Loss of Remarketing Lists based on Analytics Data
- Loss of Advertising Reporting Features
- Loss of Demographics and Interests reports
- Remarketing is disabled for affected regions
- Cross-Device and Engaged-view conversions modeling volume is significantly reduced
- Downstream conversion modeling and reporting in linked Google Ads accounts is reduced.
Essentially, all the conversion data modeling in Google Analytics 4 is impacted to varying degrees for properties which disable Google Signals. This will impact for example the conversions modeling which occurs due to browser efforts like Intelligent Tracking Prevention, App Tracking Transparency and the use of consent mode for unconsented user.
Location and Device Data
Property owners also get the ability to limit device and location data on a per region basis. Disabling this collection removes the following items from reporting:
- City
- Latitude (of city)
- Longitude (of city)
- Browser minor version
- Browser User-Agent string
- Device brand
- Device model
- Device name
- Operating system minor version
- Platform minor version
- Screen resolution
Historical data is not affected, this is a forward only change.
What does this mean for compliance?
Ultimately, it’s a good first step. I am skeptical however that this would have changed the outcome of the decisions for either France or Austria as it does nothing to combat the use of client id and other personal data from being sent to the U.S.A. for processing by Google.
This means even if all the above features are enabled, you would still need consent, and a international data transfer would take place, and that it would contain personal data, so the General Data Protection Regulation would still apply.
Google is still holding out hope that the EU and the U.S.A. will reach an agreement over international data transfers, which per recent reporting would late this year, if this year at all. This leaves brands operating in the EU in a state legal limbo as it remains unclear if a Data Protection Authority would determine that a GA instance is compliant with GDPR if these features were used. Personally, I am skeptical that they would, but time will tell.
Notably, one thing not often talked about is that this is a lot of additional hoops to jump through for data collection in the EU, primarily because of the fact it is ultimately sent to the U.S.A. for storage (note that storage specifically wasn’t called out above in the EU processing section). I have to wonder if all the additional effort (which could, in theory, be avoided with a EU based provider) is worth it, given the loss of data collected across all the various reports. It certainly hurts GA4’s value proposition while at the same time raising legal risk, because even if used – some of the above has to be manually enabled, which puts the risk on the brand using the platform, rather than Google itself.