Google Analytics has recently come under fire from European authorities for non-compliance with the GDPR rules on data transfers. Google promises that the latest version of its analytics tool will be more privacy-focused. They will sunset Universal Analytics in favor of GA4 next year, and privacy has been the main driver of this change. But how "privacy-friendlier" will this version be?
Many companies look forward to Google Analytics 4 as a solution to the compliance puzzle. However, companies might be a little too optimistic. While there is no case law on GA4 yet, but it appears that GA4 suffers from the same legal issues as UA.
- What is new in Google Analytics 4?
- Will Google Analytics 4 solve Universal Analytics’s legal issues?
- Privacy is more than compliance
- How do I delete my Google Analytics data?
- Final Thougths
Let's dive in!
What is new in Google Analytics 4?
Universal Analytics was released in 2012 and is practically the default web analytics tool of the Internet by now. This will change soon: Google announced that they will phase out Universal Analytics by July 2023. So people and companies who still want to use Google Analytics will soon need to switch to Google Analytics 4.
The new version of Google’s tool was developed in 2020 and differs in many ways from Universal Analytics. Google Analytics 4 revolves around first party cookies issued by Google itself. It also employs an event-based model: it tracks specific user actions such as clicking a link or viewing a page, and links them to a single user. Universal Analytics instead revolves around third-party cookies and employs a session-based model that tracks user activity during a single visit to a website.
The switch from a session-based model to an event-based one is very important in practice. In order to power its new model, Google Analytics 4 collects different metrics from its predecessor, which can make the new tool difficult to learn for users familiar with Universal Analytics. And because the old metrics do not fit within the new model, most data collected through Universal Analytics cannot be imported into Google Analytics 4.
There are many other differences between Ultimate Analytics and Google Analytics 4: for instance, the new version features enhanced cross-device tracking compared to its predecessor and handles IP addresses in a different way.
Will Google Analytics 4 solve Universal Analytics’s legal issues?
Google claims that Google Analytics 4 will be more privacy-friendly than its predecessor, and their user base hopes that the new tool will solve Google’s legal issues with data transfers. However, the new version does not fix the crucial legal issues at play. Here’s why.
The core issues: personal data and supplementary measures
The legal issues with data transfers are complex and lengthy to explain. If you have time to kill, covered them extensively here.
In a nutshell, the Schrems II ruling of the EU Court of Justice invalidated a data transfer framework that allowed for easy data transfers to the US. European companies now need to rely on a mechanism called standard contractual clauses to transfer data overseas. In addition, they need to implement supplementary measures on top of these clauses to protect data from State surveillance.
Right after the Schrems II ruling, privacy NGO noyb filed 101 complaints before several European DPAs against websites using Google Analytics and Facebook Connect. The European Data Protection Board (the organization gathering all European DPAs) later formed a task force to coordinate the approach at a European level.
So far, this coordinated approach has led the Austrian, French, Italian, and Finnish data protection authorities to declare Google Analytics unlawful. Additionally, the Danish authority essentially said the same in a press release and the Norwegian authority provisionally ruled against Google Analytics in a still-pending case.
(And let's not forget that the legal issues at play are the same that cost Meta Ireland a €1.2 billion fine and an order to suspend data transfers for Facebook! We discussed this important case here)
The core of the complaints is the supplementary measures required by the Schrems II ruling. No effective measures to protect personal data from State surveillance are available for GA and any other cloud-based service that need to process data in the clear1. It follows that Google can only comply with the GDPR by not processing any personal data in the U.S. at all, and this is not the case. Also, not for Google Analytics 4.
Google Analytics 4 transfers personal data
Google advertised GA4 as a move toward a cookieless and privacy-friendly web analytics model, but their new analytics tool is not entirely cookieless. GA4 ditched third-party cookies but employs first-party cookies called Client ID. Much like the third-party cookies employed by Universal Analytics, Google Analytics 4's cookies include a unique identifier called Client-ID. For this reason, they are personal data under the GDPR2. So Google Analytics 4 still transfers personal data to the US.
GA4 also uses an identifier called User-ID. User IDs are not cookies, but a different tool GA uses to track users across devices. They are personal data because they allow individual users to be singled out3 among website traffic. The same goes for the unique ID4, a different parameter processed by Google Analytics to generate a User ID.
Data linkage is another crucial factor. GA4 processes many events and metrics that are not sensible data in and of itself but may be combined to single out a user. Crucially, Google also collects personal data from users who are logged into their Google account. These data can be linked with other data gathered by GA4 to easily make a user identifiable. As noted by European authorities in recent decisions, these data are also personal data.
Transferring personal data to the US is the problem at hand. Google Analytics 4 does not fix this. A Google Analytics 4 setup still transfers personal data to the US.
Privacy is more than compliance
So far, we have taken a look at GA4's compliance with the GDPR. But what about its general privacy implications?
Let's start with the good notes. GA4 is definitely more privacy-friendly in the way it handles IP addresses since they are neither logged nor stored. For comparison, UA always stores IP addresses and only offers an optional IP anonymization protocol (which European DPAs held to be ineffective). Ditching third-party cookies is also a step in the right direction.
On the other hand, the User-ID system encourages very invasive tracking practices. It is essentially a two-step system where the website itself collects certain data to identify a user cross-platform. Based on this data, the website generates a unique ID and provides it to Google. Google then generates a User ID for each unique ID provided and tracks the parameter across devices.
As soon as GA4 becomes the standard, websites will have an incentive to track users even more aggressively and will predictably look for any excuse to collect the data Google Analytics needs to track users across devices. They may start locking content behind a registration in order to collect credentials and generate a unique ID, in a similar fashion to how "cookie walls" essentially require data as payment for a "walled" article.
Compliance-wise, this can easily go wrong. We expect to see websites collecting login credentials with the user's consent without informing a user that the credentials will be used in order to track their behavior for analytics purposes, which is a violation of the GDPR5. Or they may inform the user but also force them to consent to being tracked in order to register - which is an instance of "bundled" consent and legally problematic6. Crucially, generating a unique ID is entirely the customer's responsibility under GA's Terms of Service, and Google will not be responsible for any violation.
Alternatively, websites might look for other "creative" ways to track their users. For example, they may employ probabilistic tracking - that is, gathering a bunch of data such as IP, device location, and browsing data and running it through algorithms to estimate the probability that two devices belong to the same user. It sounds invasive, and it is.
Bottom line: Google is creating a potential privacy nightmare and avoiding responsibility by outsourcing some of the tracking work to the customers.
How do I delete my Google Analytics data?
If you opt to put privacy first, you should delete your Google Analytics data. This is easy to do. Our blog includes a more detailed explanation on how to do this, but in a nutshell:
- log into your Google Analytics account
- enter the Admin section via the icon at the bottom left of your screen
- go to property settings
- select the property for your website and move it to trash
- remove the code for your website
- optionally: delete your Google Analytics account afterwards. You can do this from the account section of your account.
Please note: you may want to save a copy of your data before deleting them, because Simple Analytics and some other web analytics tools allow you to import historic data from Google Analytics.
Final Thougths
As we said, there is no case law on GA4's data transfers yet. We at Simple Analytics don't have a crystal ball, but based on existing case law and Google's own documentation, we have good reasons to believe that the use of Google Analytics 4 is not GDPR compliant.
Not only does Google Analytics 4 not operate within the law, but we also believe it's a very privacy-invasive model of analytics that encourages websites to track their users.
At Simple Analytics, we believe that you don't need to track website visitors or collect personal data. We provide the insights you need without invading the privacy of your visitors and being 100% GDPR compliant.
We believe in creating an independent web that is friendly to website visitors. If this resonates with you, feel free to give us a try.
- #1 Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, par. 94.
- #2 EDPB Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, par. 29.
- #3 Recital 26 GDPR.
- #4 Using personally identifiable information (PII) as a unique ID is against GA Terms of Service. But the notion of personal data under the GDPR is wider than that of PII as understood by Google. This is pointed out by Google themselves.
- #5 Art. 13(1) GDPR. If consent is collected, the requirements that consent be informed and specific under Art. 4(11) is also violated.
- #6 Art. 7(4) GDPR doesn’t forbid bundled consent outright but describes it as problematic.