Is Google Analytics 4 GDPR compliant?


Published on Oct 14, 2022 and edited on Dec 20, 2023 by Iron Brands

  1. Is Google Analytics 4 GDPR compliant?
  2. What is Google Analytics 4?
  3. When will Google Analytics replace Universal Analytics?
  4. What is new in Google Analytics 4?
  5. Why was Universal Analytics illegal?
  6. Did Google Analytics 4 fix the issues with data transfers?
  7. Is Google Analytics 4 more privacy-friendly?
  8. How do I delete my Google Analytics account?
  9. Conclusions

Is Google Analytics 4 GDPR compliant?

Google Analytics has come under fire from European authorities for non-compliance with the GDPR rules on data transfers in the past. Google promises that the latest version of its analytics tool is more privacy-focused. But is Google Analytics 4 any more privacy-friendly than its predecessor, and does it solve its long-standing legal issues?

Let’s dive in!

What is Google Analytics 4?

Google Analytics 4 is the latest version of Google Analytics. Google rolled out GA4 in 2020 and progressively started sunsetting Universal Analytics, the older and widespread version of the tool.

When will Google Analytics replace Universal Analytics?

It is already happening. As of December 2024, the free version of Universal Analytics is no longer available.

The timeline is a little more lenient for Universal Analytics 360, the paid version. Universal Analytics 360 is being phased out progressively, and features will become unavailable as Google cuts support. The service will be phased out entirely by July 2024.

What is new in Google Analytics 4?

Google Analytics 4 differs in many ways from Universal Analytics. The new version ditches third-party cookies and revolves around first-party cookies issued by Google itself. It also employs an event-based model: it tracks specific user actions such as clicking a link or viewing a page, and links them to a single user through their Client ID, a unique identifier found in Google Analytics’ cookies.

The switch from UA's session-based model to GA4's event-based model has important consequences. In order to power its new model, Google Analytics 4 collects different metrics from its predecessor, which makes the new tool difficult to learn even for users familiar with Universal Analytics. And because the old metrics do not fit within the new model, most data collected through Universal Analytics cannot be imported into Google Analytics 4.

There are many other differences between Universal Analytics and Google Analytics 4: for instance, the new version features enhanced cross-device tracking compared to its predecessor and handles IP addresses in a different way.

Why was Universal Analytics illegal?

The legal issues with data transfers under the GDPR are complex and lengthy to explain. If you have time to kill, we covered them extensively here.

In a nutshell, the Schrems II ruling of the EU Court of Justice made US data transfers tricky. Companies transferring data to the US are required to implement supplementary measures in order to protect personal data from State surveillance.

This is difficult for many US-based services and practically impossible for Google Analytics. This led privacy watchdogs from several European countries to take a stance against Google Analytics and ban companies from using it.

So, Google Analytics’ issues with data transfers are not about legal technicalities. The Internet has a very real problem with privacy and surveillance, and Google Analytics only makes it worse.

The list of decisions against Google Analytics is ever expanding. Right now there are such decisions for Austria, France, Italy, Sweden, and Finland, and the Danish privacy authority essentially embraced the same positions in a press release. The French and Italian decisions are especially important because those countries are key European markets and have well-respected privacy authorities that often set influential precedents at a European level.

Right now the long data transfers saga has come to a halt due to the new data transfer framework between the EU and the US. But this new framework is likely to be invalidated by the Court of Justice. This already happened for two other such frameworks, and we don't really think the EU and the US managed to fix the problems with the other ones.

Long story short, sooner or later we will get a Schrems III decision and be back at square one.

Did Google Analytics 4 fix the issues with data transfers?

Google claims that Google Analytics 4 is more privacy-friendly than its predecessor, and its user base hopes that Google’s legal issues with data transfers are now solved. However, the new version does not fix the crucial legal issues at play. Here’s why.

Google Analytics 4 ditched third-party cookies in favor of first-party cookies. First-party cookies are somewhat less invasive than third-party cookies, but in Google Analytics’ case, they still collect personal data because they contain a unique number called Client ID. The same goes for other unique identifiers used by Google Analytics 4 such as User-IDs. So, the move towards first-party cookies does not really help Google make its data transfers GDPR-compliant.

Data linkage is another important factor, and one that some authorities did consider in their decisions against Google Analytics.

Like Universal Analytics, Google Analytics 4 collects enormous amounts of data that may not be personal data in and of themselves under the GDPR but become personal data if Google puts them together. Which it does, because it is its entire business model.

Crucially, Google also collects personal data from users who are logged into their Google account. This data can be easily linked by Google with other data gathered by Google Analytics to identify a user.

Transferring personal data to the US is the problem at hand. Google Analytics 4 does not fix this. At the end of the day, a Google Analytics 4 setup still transfers personal data to the US.


Is Google Analytics 4 more privacy-friendly?

So far, we have taken a look at Google Analytics 4’s compliance with the GDPR. But what are its general privacy implications?

Let’s start with the good notes. Google Analytics 4 is more privacy-friendly than its predecessor in the way it handles IP addresses since they are neither logged nor stored. For comparison, Universal Analytics always stored IP addresses and only offered an optional (and ridiculously ineffective) anonymization protocol. Google Analytics 4 also stores user data for a shorter time.

On the other hand, Google Analytics’s new User-ID system encourages invasive cross-platform tracking practices. It is essentially a two-step system where the website itself collects certain data to identify a user cross-platform. Based on this data, the website generates a unique ID and provides it to Google. Google then generates a User-ID for each unique ID provided and tracks it across devices.


With GA4, websites have an incentive to track users and use every trick in the online surveillance book to provide GA with a unique ID. They are increasingly locking content behind a registration process in order to tie individual accounts to a unique ID. In the worst cases, they resort to device fingerprinting and use algorithms to estimate the probability that two devices belong to the same user (probabilistic tracking).

Bottom line, Google Analytics 4 encourages far worse practices than the third-party cookies it ditched.

It is worth noting that generating a unique ID is entirely the customer’s responsibility under GA’s Terms of Service, and Google will not be responsible for any violation. So, Google created a service that encourages highly invasive tracking while offloading the dirty work, and the compliance risks that come with it, to its customers.

How do I delete my Google Analytics account?

If you opt to put privacy first, it’s easy to delete your Google Analytics account. We have a more detailed explanation on how to do this, but in a nutshell:

  • log into your Google Analytics account
  • enter the Admin section via the icon at the bottom left of your screen
  • go to property settings
  • select the property for your website and move it to trash
  • remove the code for your website
  • optionally: delete your Google Analytics account afterwards. You can do this from the account section of your account.

Please note: you may want to save your Google Analytics data before you delete your account, because Simple Analytics and some other web analytics tools allow you to import your historic data.
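After removing the tracking code, it is worth confirming that nothing was left behind in templates or rendered pages. The following sketch is an added example, not code from Simple Analytics or Google: it scans HTML for the Google Analytics script loaders, measurement IDs, and inline configuration calls. The function name and the sample markup are constructed for illustration, and the patterns are heuristics.

```javascript
// Added example: find leftover Google Analytics tags in a page's HTML.
// Patterns are heuristics; a Tag Manager container (gtm.js) is reported
// separately because it can still load Google Analytics indirectly.
const PATTERNS = [
  { kind: "loader",
    re: /<script\b[^>]*\bsrc\s*=\s*["']([^"']*(?:googletagmanager\.com\/gtag\/js|google-analytics\.com\/(?:analytics|ga)\.js)[^"']*)["']/gi },
  { kind: "tag-manager",
    re: /<script\b[^>]*\bsrc\s*=\s*["']([^"']*googletagmanager\.com\/gtm\.js[^"']*)["']/gi },
  { kind: "measurement-id",
    re: /\b(G-[A-Z0-9]{6,12}|UA-\d{4,10}-\d{1,4})\b/g },
  { kind: "inline-call",
    re: /\b(gtag\s*\(\s*["']config["']|ga\s*\(\s*["']create["'])/g },
];

function findGoogleAnalyticsTraces(html) {
  const findings = [];
  const seen = new Set();
  for (const { kind, re } of PATTERNS) {
    for (const m of html.matchAll(re)) {
      const key = kind + "|" + m[1];
      if (seen.has(key)) continue; // report each distinct trace once
      seen.add(key);
      // 1-based line number of the first occurrence
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ kind, value: m[1], line });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: a page that still carries the GA4 snippet.
const SAMPLE_BEFORE = `<!doctype html>
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE123"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE123');
</script>
</head><body>Hello</body></html>`;

// Constructed sample: the same page after the snippet was removed.
const SAMPLE_AFTER = `<!doctype html>
<html><head></head><body>Hello</body></html>`;

console.log(findGoogleAnalyticsTraces(SAMPLE_BEFORE));
console.log(findGoogleAnalyticsTraces(SAMPLE_AFTER).length === 0 ? "clean" : "traces remain");
```

An empty result on the raw HTML does not cover tags injected at runtime by other scripts, so a check of the browser's network requests is still useful.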

Conclusions

While there is no case law on Google Analytics 4 yet, the use of Google Analytics 4 does not appear to be GDPR compliant based on existing case law and Google’s own documentation.

Not only does Google Analytics 4 not operate within the law, but we also believe it’s a very privacy-invasive model of analytics that encourages websites to track their users.

At Simple Analytics, we believe that you don’t need to track website visitors or collect personal data. We provide the insights you need without invading the privacy of your visitors, while being 100% GDPR compliant.

We believe in creating an independent web that is friendly to website visitors. If this resonates with you, feel free to give us a try.
