Confused by Google Analytics’ identifiers? You are not the only one!
Google Analytics 4 uses a broad range of personal identifiers that look the same but work differently and perform different functions. It can get a little confusing, so let’s see what those identifiers are and what they are for.
- What are Google Analytics’ identifiers?
- What are identifiers for?
- Are there other identifiers in Google Analytics?
- Are identifiers personal data/personal information?
- Do I need consent for identifiers?
- Final Thoughts
What are Google Analytics’ identifiers?
- First-party cookies are one of the main tracking tools in Google Analytics 4. Each cookie, called the _ga cookie, contains a unique identifier.
- App-instance identifiers are generated by certain apps when they are installed. They identify a unique installation of the app.
- Advertising identifiers are tied to a specific device, typically a mobile phone.
- User-IDs are custom identifiers that help a Google Analytics customer track users across devices.
- DoubleClick cookies are used by Google Analytics to understand whether a certain ad was displayed to the user.
What are identifiers for?
Let's dive into the identifiers Google Analytics 4 uses and whether they are bad for privacy.
First-party cookies are the main tracking tool in Google Analytics 4. Google Analytics can work without them but performs quite poorly.
Google Analytics’ first-party cookies are the same for each website, which means that Google can effectively track users around the web but websites cannot. Privacy-wise, first-party cookies are a step up from the highly invasive third-party cookies that powered Universal Analytics, but they are still not ideal.
App-instance identifiers mostly come from SDKs. SDKs are bundles of code from which apps are built.
App-instance identifiers are crucial for tracking mobile traffic through Google Analytics for apps and for Firebase. They also play an important role in cross-device tracking.
App-instance identifiers are a privacy nightmare since SDKs are often shady and may elude user control. But the iOS environment does better than Android in this regard because of tracking controls.
User-IDs are custom identifiers that Google Analytics users can link to a different identifier in order to track users cross-device. For instance, User-IDs can be linked to user credentials in order to track users of an app or website across different devices.
Privacy-wise, User-IDs are not problematic in and of themselves but encourage invasive tracking techniques such as device fingerprinting and probabilistic tracking.
Advertising identifiers are built-in trackers on devices. In practice, the most important are AAID and IDFA:
- Android’s Advertising ID (AAID) is found in Android devices such as Android phones and Chromebooks.
- Apple’s Identifier for Advertisers (IDFA) is found in iPhones.
Advertising identifiers raise privacy issues, especially AAID. AAID trackers are set without user consent and the option to turn off tracking is buried deep in the device’s privacy options. This opt-out system is a glaring violation of the GDPR and the ePrivacy Directive of the EU, and we are quite surprised that regulators haven’t cracked down on AAID yet.
Apple is a little more privacy-friendly here because IDFA has explicitly asked for opt-in consent since 2020.
Are there other identifiers in Google Analytics?
Yes, there are. But the ones we listed are the main identifiers and the ones marketers work with all the time.
For instance, Google Analytics uses IP addresses, which are also identifiers. But Google Analytics 4 only uses IPs for communication. Unlike Universal Analytics, Google Analytics 4 does not store IP addresses or use them for analytics. Bottom line, marketers can ignore them.
Are identifiers personal data/personal information?
There is no general answer because different laws have different definitions of personal data.
Under EU law, the situation is pretty clear: identifiers are always personal data. This is true by definition: any data that can identify or single out an individual satisfies the GDPR’s definition of personal data.
Specifically, Google Analytics’ identifiers are considered to be pseudonymous data, which is a subtype of personal data and NOT to be confused with anonymous data. As a type of personal data, pseudonymous data are subject to all the rules and protections of the GDPR.
Do I need consent for identifiers?
It depends on the legal framework. You definitely need consent in the EU, but not every company is careful about compliance. For instance, many devs play fast and loose with trackers in their SDKs, and many websites write Google Analytics cookies before users give consent. Additionally, Google is breaching the law on a massive scale by not collecting opt-in consent for AAID.
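As an added example (not from the original article or from Google), the JavaScript below shows what the `_ga` identifier discussed earlier looks like inside a request's Cookie header, and flags Google Analytics cookies that are present before the user has consented. The `GA1.<n>.<random>.<timestamp>` layout, the `_ga_` prefix check, the function names and the sample header are assumptions constructed for illustration.

```javascript
// Added example: the header below is constructed, not captured from a real browser.
// Assumption: the commonly observed "_ga" layout GA1.<n>.<random>.<unix-seconds>.

// Split a Cookie header into name/value pairs, keeping any '=' inside values.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // skip malformed pairs
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Return one finding per Google Analytics identifier cookie in the header.
// consentGiven is the site's own record of whether the visitor opted in.
function auditGaCookies(header, consentGiven) {
  const findings = [];
  for (const [name, value] of parseCookieHeader(header)) {
    if (name !== '_ga' && !name.startsWith('_ga_')) continue;
    const finding = { name, clientId: null, firstSeen: null, preConsent: !consentGiven };
    const m = name === '_ga' && /^GA\d+\.\d+\.(\d+)\.(\d+)$/.exec(value);
    if (m) {
      // The last two fields together form the pseudonymous client identifier.
      finding.clientId = `${m[1]}.${m[2]}`;
      // The final field is the Unix time at which the identifier was created.
      finding.firstSeen = new Date(Number(m[2]) * 1000).toISOString();
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed sample: two unrelated cookies and two Google Analytics cookies.
const SAMPLE_HEADER =
  'theme=dark; _ga=GA1.1.1234567890.1700000000; _ga_ABC123XYZ=GS1.1.constructed; lang=en';

for (const f of auditGaCookies(SAMPLE_HEADER, false)) {
  const status = f.preConsent ? 'SET BEFORE CONSENT' : 'ok';
  console.log(status, f.name, f.clientId ?? '(no client ID parsed)');
}
```
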
Final Thoughts
We at Simple Analytics don’t like cookies at all, whether they are first-party or third-party. We believe in an open Web that is user- and privacy-friendly. This is why we developed a web analytics service that does not collect personal data, at all.
Simple Analytics is privacy-friendly, compliant out-of-the-box, and easy to set up and learn. New users get up to speed in no time thanks to its handy AI assistant and its clean, intuitive interface.
If this sounds good to you, feel free to give us a try!