Data privacy: staying legal ahead of Google Analytics 4

Unless or until Google Analytics ensures compliance with regulations such as GDPR, here are some key considerations you need to factor in yourself.

Transparency is always the best policy, along with a fair exchange of data. Gavin Bowick, senior analyst, and Mike Fantis, managing partner at DAC Group, unpack how that works in practice…

A huge number of websites worldwide rely on Google Analytics (GA) as a vital tool for the measurement and tracking of online performance. But decisions in France, Austria and Italy to ban the platform over a perceived lack of compliance with GDPR legislation put many marketers in a difficult situation. The fact that the UK looks set to diverge from aspects of the GDPR in the wake of the Data Reform Bill consultation is likely to complicate matters further.

Google is moving swiftly to ensure that its analytics suite remains viable and is taking steps to address the concerns raised with the release of Google Analytics 4, which becomes the default in July 2023. 

Until then, marketers working across European markets would be wise to take stock and (re)consider how they can do the right thing when it comes to data, in order to keep both customers and legislators on-side. 

Why marketers need to act now

There is a little under a year to prepare for Google Analytics 4 becoming the only supported version. GA4 anonymises IP addresses by default; while this doesn’t automatically ensure compliance, it begins to address one of the main problems that has caused legal issues in Europe.

This alone means that it’s in the best interests of the majority of organisations to migrate to GA4 as quickly as is feasible. Doing so will allow them to gather as much historical data as possible to work with by the time GA3 is switched off, making the transition the smoothest it can realistically be.

However, adopting GA4 does not mean job done for marketers, and there are a couple of key areas that need ongoing attention.

Understanding regional nuances on data privacy

One of the core challenges associated with data compliance is abiding by legislation that spans multiple regions – notably GDPR – whilst also being aware of differences at the national level. This issue is highlighted in Italian data protection authority Garante’s recent ruling against Google. GA was found to have sent information including device IP addresses and browser information to US-based data centres without providing additional security measures. The body deemed this did not meet EU standards. 

The Italian DPA effectively found the USA to be a country without an adequate level of data protection, due to a lack of federal-level data privacy law following the 'Schrems II' decision from the Court of Justice of the European Union from 2020. This verdict invalidated earlier principles that formed part of the “Privacy Shield” framework.

So, what does this mean for Google Analytics users? Until Google introduces a system where data collected remains stored in its original locality and/or it sufficiently anonymises IP addresses to GDPR standards, website operators could theoretically be held responsible for the unlawful transfer of users’ data. 

GA4 has been developed to factor out concerns over IP address anonymity and Google is already taking steps in the right direction on the storage location for analytics data. There’s now a page in GA’s support section that references regional data collection and storing data at the nearest data centre to improve performance. 

It would seem logical that the next step would be for Google to make this a feature for data-transfer compliance. But until organisations have updated their storage set-ups, they should seek expert legal advice to ensure they remain data compliant across all of the regions that they operate in. 

The importance of transparency around customer data

Data privacy means different things to different stakeholders of course, and many consumers have their own expectations about how their personal information should be used and stored. This level of subjectivity makes it almost impossible to put blanket policies in place that will satisfy all of an organisation’s customers. 

However, transparency should always lie at the heart of a mutually beneficial data exchange, and the benefits to users should be made crystal clear at opt-in. Companies need to communicate to customers how their data will be stored and used. But most importantly, it should be clear what those opting in will receive in return. Modern consumers are increasingly data savvy: they know their data holds value – and many won’t part with it for nothing.

Again, the specific incentive that would make one user feel comfortable enough to share their data may not work for another. As such, it makes sense to only ask for the information that will be most useful and allow you to optimise the customer experience in ways that are demonstrably useful. 

This can translate to a better customer experience through improved website design and interaction, being shown fewer irrelevant ads, or receiving content that is tailored to their specific interests and needs. There is a balance, though: too much personalisation can overstep the mark and leave people feeling uncomfortable.

Ultimately, GA’s owner Alphabet is a company in possession of both the resources and incentive to address its data compliance issues, but this will take time. In the interim, it is sensible for GA users to liaise with legal teams and ensure they remain on the right side of the laws that govern each of the countries in which they operate.