How privacy friendly is Google Analytics 4 (GA4) truly?

Google Analytics has been de facto prohibited by the EU supervisory authorities since December 2021. In response, Google has announced several data protection improvements for the new Google Analytics 4 (GA4), to be implemented by the end of May 2022. Google describes the adjustments under the heading “EU-focused data and privacy”. In summary, the following privacy-related changes have been announced:

GA4 will process all data from end devices within the EU on servers in the EU.
GA4 processes IP addresses for geo-location, but no longer stores IP addresses.
GA4 allows the deactivation of Google Signals to prevent linking with Google accounts.
GA4 allows the configuration of the granularity of collected geo and device data (e.g. screen resolution requiring consent).

These measures are a step in the right direction, but they do nothing to lift the EU ban or the general obligation to obtain consent. On closer inspection, both remain in place, for different reasons:

1. Ban EU-US Data Transfer.

Under the Patriot Act, the Foreign Intelligence Surveillance Act (FISA) and the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), US authorities have access to all data held by US companies, even if it is stored in the EU. Storing the data in the EU therefore does not solve the actual problem: guaranteeing EU citizens the protection of the EU General Data Protection Regulation.

2. Obligation of Consent under TTDSG: Cookies & Co.

GA4 still uses cookies by default and actively reads data from the end devices.

The Consent Mode parameter “analytics_storage” with the value “denied” can be used to prevent cookies from being set, but then no conversion tracking takes place. In addition, the evaluation of the screen resolution must be deactivated, since reading it is also considered an access to the end device that requires consent. However, it is uncertain whether this actually prevents the data from being recorded. Therefore, even with the corresponding Consent Mode setting, access to the user’s end device – which requires consent – cannot be ruled out.

A simple use of GA4 completely without cookies and thus without consent is still a long way off.
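The Consent Mode sequence described above, as an added example that is not part of the original article: the `gtag` function is the standard one-line shim that sites place before the gtag.js script tag, `dataLayer` is the queue that gtag.js later consumes, and the measurement ID is a constructed placeholder. The `allow_google_signals: false` config parameter is taken from Google’s gtag.js documentation as I recall it and should be verified against the current documentation. The real gtag.js is not loaded; `effectiveConsent` only models the documented rule that a later “update” overrides the “default”, and flags the configuration mistake of issuing `config` before any consent default has been set.

```javascript
// Added example (not from the article): a minimal model of how Google
// Consent Mode "default" / "update" commands resolve for GA4.

const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Constructed placeholder, not a real GA4 property.
const MEASUREMENT_ID = "G-XXXXXXXXXX";

// Privacy-preserving starting point: deny storage before the config call,
// so gtag.js sees the denial before it would set its first _ga cookie.
function initAnalyticsDeniedByDefault() {
  gtag("consent", "default", {
    analytics_storage: "denied",
    ad_storage: "denied",
  });
  gtag("js", new Date());
  gtag("config", MEASUREMENT_ID, {
    // Assumed gtag.js setting for disabling Google Signals; the article
    // notes it is unclear at which level the deactivation takes effect.
    allow_google_signals: false,
  });
}

// Called by the site's consent banner once the user has actively decided.
function onUserConsent(granted) {
  gtag("consent", "update", {
    analytics_storage: granted ? "granted" : "denied",
  });
}

// Replays the queued commands and returns the effective consent state.
// Later "update" commands override the "default"; a "config" issued before
// any consent default is reported as a misordering.
function effectiveConsent(queue) {
  const state = {};
  let defaultSeen = false;
  let configBeforeDefault = false;
  for (const cmd of queue) {
    const [name, arg, params] = Array.from(cmd);
    if (name === "consent" && (arg === "default" || arg === "update")) {
      if (arg === "default") defaultSeen = true;
      Object.assign(state, params);
    } else if (name === "config" && !defaultSeen) {
      configBeforeDefault = true;
    }
  }
  return { ...state, configBeforeDefault };
}

// Whether GA4 would be permitted to set its analytics cookies under this state.
function cookiesPermitted(state) {
  return state.analytics_storage === "granted";
}
```

In a real page, `initAnalyticsDeniedByDefault()` must run before the gtag.js script tag is loaded, and `onUserConsent(true)` is called only from the banner’s explicit opt-in handler; as the article stresses, even the denied state does not by itself rule out device access that requires consent.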

3. Obligation of Consent according to EU-GDPR

In order for the use of web analytics without consent to be justifiable by legitimate interest (EU GDPR Art. 6 Para. 1 lit. f), at least the following conditions must be met:

Conclusion of a Data Processing Agreement with full directive and control rights for the client
Shortening or anonymisation of the IP address before any actual processing
Exclusion of the possibility of identifying users
Limitation of recognition to a maximum of 24 hours
No use of data for own purposes by the processor
No linking with data of other customers
No disclosure of data to third parties

In their Guidance on the use of Google Analytics, the supervisory authorities clearly state their position with regard to commissioned processing:

“In the view of the data protection supervisory authorities, processing in connection with Google Analytics is not processing on behalf of third parties pursuant to Art. 28 GDPR.”
(Translated by the author)

This means that when GA4 is used, the balancing of interests must always come out in favour of the data subjects, and consent is therefore required.

4. Deactivation of Google Signals

The automatic anonymisation of the IP address – only after geo-localisation! – should not obscure the fact that GA4 may only collect data after consent, because online identifiers and device data are still transmitted unencrypted. It is completely unclear at which level the deactivation of Google Signals takes effect and whether linking with Google accounts and the creation of profiles across websites will actually be prevented.

In addition to the data protection issues, the considerable impairment of the functionality of GA4 through the deactivation of Google Signals should not be ignored.

Disabling Google Signals means:

No remarketing lists possible based on analytics data.
No advertising reporting features
No demographic and interest data
Only limited conversion modelling and reporting in Google Ads

Conclusion

Ultimately, the new measures are a step in the right direction from a data protection point of view. However, it is more than questionable whether they are sufficient to lift the ban in the EU. According to experts, that could happen at the end of this year at the earliest, and only if the new agreement on data transfers between the EU and the USA is in place; so far, no final draft has been worked out.

Furthermore, despite the functions described above, consent is still required to process data with GA4. Deactivating Google Signals not only means losing data, but also reduces the value of the remaining data, as many reporting functions are lost. At the same time, a considerable legal risk remains, as it is unclear at what level the deactivations take effect. Under the EU GDPR, all processing counts, not just the reporting.

Companies should therefore carefully consider whether it is worth switching from Universal Analytics to GA4, or whether it would be better to switch to an EU solution that depends neither on EU-US agreements nor on user consent.

You can download the whole paper here.


This document does not constitute legal advice and cannot replace individual legal advice. We work closely with lawyers specialised in data protection and are happy to arrange direct contact for individual advice.
