
How privacy-friendly is Google Analytics 4 (GA4) really?

Blog
Contents

1. Ban on EU-US data transfer
2. Consent obligation under the TTDSG: cookies & co.
3. Consent obligation under the EU GDPR
4. Google Signals
Conclusion

by Katrin Nebermann

Google Analytics has been de facto banned by the supervisory authorities in the EU since December 2021. In response, Google has announced several data protection improvements for the new Google Analytics 4, which are to be implemented by the end of May 2022. The adjustments are explained by Google under “EU-focused data and privacy“. In summary, this results in the following data protection-relevant changes:

  • GA4 processes all data from end devices within the EU on servers in the EU.
  • GA4 processes IP addresses for geo-localization, but no longer stores IP addresses.
  • GA4 allows you to deactivate Google Signals to prevent the link to Google accounts.
  • GA4 allows the granularity of the recorded geodata and device data to be configured (e.g. screen resolution, whose collection requires consent).

Although these measures are a step in the right direction, they do nothing to lift the de facto ban in the EU or the general obligation to obtain consent. On closer inspection this is clear for several reasons:

1. Ban on EU-US data transfer

Under the Patriot Act, the Foreign Intelligence Surveillance Act (FISA) and the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), US authorities can compel US companies to hand over data, even when it is stored in the EU. A storage location in the EU therefore does not solve the actual problem: guaranteeing the fundamental rights of EU citizens as the EU GDPR requires.

2. Consent obligation under the TTDSG: cookies & co.

GA4 still sets cookies by default and actively reads data from end devices.

Setting the consent mode signal "analytics_storage" to "denied" prevents the analytics cookies from being set, but conversion tracking then no longer takes place. Note that denied consent only stops the cookies: the tag itself still loads and, in consent mode, continues to send cookieless pings. In addition, the evaluation of the screen resolution must be switched off, since this too counts as access to the end device that requires consent. It is uncertain whether this actually stops the data from being recorded. Even with the corresponding consent mode, consent-requiring access to users' end devices therefore cannot be ruled out.
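To make the two switches discussed here concrete (the consent mode default described above and the Google Signals deactivation under point 4), here is an added example, not code from the original post or from Google, that queues the gtag.js calls in the documented order and audits the queue. The measurement ID `G-XXXXXXX` is a placeholder, and the audit helpers `effectiveConsent`, `consentDefaultPrecedesConfig` and `googleSignalsDisabled` are assumptions of this example, not gtag.js functions; the `gtag('consent', ...)`, `gtag('config', ...)` calls and the `allow_google_signals` / `wait_for_update` parameters are the real ones. Because Google's script is not loaded, the block only inspects the `dataLayer` queue, which is exactly where the real tag reads these commands from.

```javascript
// Added example (not from the original page): the standard gtag bootstrap
// pushes every gtag() call onto the dataLayer queue, which gtag.js later
// consumes. Here the queue is kept so the ordering can be audited offline.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// 1. Consent defaults must be queued BEFORE any 'config' call; otherwise the
//    first hit is sent with cookies before the denial is known.
//    Assumption for this example: no consent is known at page load.
gtag('consent', 'default', {
  analytics_storage: 'denied',
  ad_storage: 'denied',
  wait_for_update: 500, // ms to wait for the consent banner before sending hits
});

// 2. Tag configuration. 'G-XXXXXXX' is a placeholder measurement ID.
//    allow_google_signals: false is the Google Signals switch from point 4.
gtag('js', new Date());
gtag('config', 'G-XXXXXXX', {
  allow_google_signals: false,
  allow_ad_personalization_signals: false,
});

// 3. Called by the consent banner once the user has decided.
function onUserConsent(granted) {
  const value = granted ? 'granted' : 'denied';
  gtag('consent', 'update', { analytics_storage: value, ad_storage: value });
}

// Replay 'default' then 'update' commands to obtain the effective consent state.
function effectiveConsent(queue) {
  const state = {};
  for (const args of queue) {
    if (args[0] !== 'consent') continue;
    if (args[1] !== 'default' && args[1] !== 'update') continue;
    for (const [key, value] of Object.entries(args[2] || {})) {
      if (key !== 'wait_for_update') state[key] = value;
    }
  }
  return state;
}

// Audit: is a 'consent default' with analytics_storage denied queued before
// the first 'config' call? A misordered snippet silently sets cookies.
function consentDefaultPrecedesConfig(queue) {
  let firstConfig = -1;
  let firstDefaultDenied = -1;
  for (let i = 0; i < queue.length; i++) {
    const args = queue[i];
    if (args[0] === 'config' && firstConfig < 0) firstConfig = i;
    if (args[0] === 'consent' && args[1] === 'default' &&
        args[2] && args[2].analytics_storage === 'denied' && firstDefaultDenied < 0) {
      firstDefaultDenied = i;
    }
  }
  return firstDefaultDenied >= 0 && (firstConfig < 0 || firstDefaultDenied < firstConfig);
}

// Audit: does at least one 'config' call switch Google Signals off?
function googleSignalsDisabled(queue) {
  return Array.from(queue).some(
    (args) => args[0] === 'config' && !!args[2] && args[2].allow_google_signals === false
  );
}
```

The audit functions are the useful part for a reviewer: run them against the queue a page actually produces (before gtag.js has drained it) and you can catch the common mistake of placing the consent default after the config call. They cannot tell you what the tag still transmits once consent is denied, which is exactly the uncertainty the text points out.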

Simply using GA4 without cookies, and thus without consent, remains a thing of the future.

3. Consent obligation under the EU GDPR

To justify the use of web analytics without consent on the basis of an overriding legitimate interest (Art. 6(1)(f) EU GDPR) after a balancing of interests, at least the following conditions must be met:

  • Conclusion of a data processing agreement (Art. 28 GDPR) giving the controller full rights of instruction and control
  • Shortening or anonymization of the IP address before the actual processing
  • Exclusion of the possibility of user identification
  • Limitation of the recognition of returning users to a maximum of 24 hours
  • No use of the data for the processor’s own purposes
  • No linking with data from other customers
  • No disclosure of data to third parties

In their guidance on the use of Google Analytics, the supervisory authorities take a clear position on, among other things, processing on behalf of a controller ("order processing"). It states:

“In the opinion of the data protection supervisory authorities, processing in connection with Google Analytics is not order processing pursuant to Art. 28 GDPR.”

For this reason alone, the balancing of interests when using GA4 always comes out in favour of the data subject, so consent is required.

4. Google Signals

The automatic anonymization of the IP address, unfortunately only after geo-localization, should not obscure the fact that GA4 may only collect data once consent has been given. This is because online identifiers and device data are still transmitted in the clear, without pseudonymization. It is completely unclear at which level the deactivation of Google Signals takes effect and whether it actually prevents the link to Google accounts and cross-site profiling.

Beyond the data protection issues, the considerable loss of functionality caused by deactivating Google Signals must not be ignored.

The deactivation of Google Signals means:

  • No remarketing lists based on analytics data
  • No advertising report functions
  • No data on demographics and interests
  • Only limited conversion modeling and reporting in Google Ads

Conclusion

Ultimately, the new measures are a step in the right direction from a data protection perspective. It is more than questionable, however, whether they are sufficient to lift the ban on use in the EU. According to experts, that could happen at the end of this year at the earliest, and only if the EU and the USA have adopted the new agreement on data transfers by then; no final draft has yet been drawn up.

Furthermore, even with all of the above settings activated, consent is still required to process data with GA4. Deactivating Google Signals not only means a loss of data but also a loss of value in the remaining data, as many reporting functions are no longer available. At the same time, a considerable legal risk remains, because it is unclear at which level the deactivations take effect. Under the EU GDPR, what matters is all of the processing, not just the reporting.

Companies should therefore carefully consider whether it is worth switching from Universal Analytics to GA4 and whether it would be better to switch to an EU solution that is not dependent on EU-US agreements or user consent.



This document does not constitute legal advice and cannot replace individual legal advice. We work closely with lawyers specializing in data protection and are happy to establish direct contact for individual consultations.
