
General Data Protection Regulation and Google Analytics 4

Larry G • January 23, 2023 • 4 minutes to read

Disclaimer

The EU General Data Protection Regulation (GDPR) is a complex and comprehensive component of EU privacy law and of human rights law. This document summarizes sources that are as official as possible, as guidance for companies looking at Google Analytics 4 and how it complies with GDPR.

This point of view is updated to the best of our knowledge, but should not be treated as legally binding or official.

Is Google Analytics 4 GDPR Compliant?

No. Google Analytics 4 is not fully compliant with GDPR. There are more safeguards in place and ways to control data/anonymize data in GA4 than any other version of Google Analytics, but Google has never declared GA4 GDPR compliant.

What is Google’s Official Stance?

As of October 2022, no official statement has been made. Several articles hosted and written by Google are listed below. They give insight into the wording and phrasing Google uses about its progress on safeguarding data and on giving its users tools to help comply with GDPR and other regulations like it.

  • Helping advertisers comply with the GDPR & AADC
  • Privacy controls in Google Analytics
  • Safeguarding your data
  • Data Processing Terms
  • Data retention
  • [GA4] Collect granular location and device data
  • IP Anonymization (or IP masking) in Universal Analytics (Defined: In Google Analytics 4, IP anonymization is not necessary since IP addresses are not logged or stored)

What Web Analytics Platforms are Compliant with GDPR?

Because of this lack of clear transparency, companies have created Web analytics tools that declare compliance with GDPR. A list of those tools and platforms is below.

  • Matomo
  • Hotjar
  • CYTRIO

What Settings Can Be Updated in Google Analytics 4 to More Closely Comply with GDPR Guidelines?

The article Privacy controls in Google Analytics has a more comprehensive list that covers both Web and apps, but the most important for the Web:

Data Retention

For Google Analytics 4 properties (non-Analytics 360 version), retention of user-level data, including conversions, can be set to a maximum of 14 months. For all other event data, you can choose a retention period of either 2 months or 14 months.

Where is this setting found? Admin → Data Settings → Data Retention

Recommendation: Set to 2 months

This will have a significant impact on historical reporting. For example, in the ‘Explore’ section of Google Analytics 4, custom reports will only be able to go back 2 months. This will severely hamper the ability to make data-informed decisions as they come up over time.

Collect Granular Location and Device Data

You have the option to enable/disable the collection of granular location and device data on a per-region basis.

Where is this setting found? Admin → Data Settings → Data Collection

Recommendation: Disable for specific countries that GDPR protects.

This does affect overall reporting and will cause numbers to appear lower than they actually are. Data is still aggregated, but reporting that uses location and device data will not include data from the specified locations.

Google signals for Google Analytics 4 properties

Google Signals enables cross-device tracking. The data is aggregated and no data for individual users is ever exposed.

Where is this setting found? Admin → Data Settings → Data Collection

Recommendation: To be 100% safe, disable, unless a comprehensive cookie management solution is in place.

Data Deletion Requests

If you need to delete data from the Analytics servers for any reason, then you can use a data-deletion request to issue a request for its removal.

Where is this setting found? Admin → Data Deletion Requests

Recommendation: To be used on an ad-hoc basis

What’s the Status and Outlook Surrounding GDPR Compliance for Google Analytics 4?

Google continues to make strides in protecting data and in giving analytics owners the ability to update rules relating to the location of visitors whose data is collected, how long that data is stored, and aggregation and anonymization. There is no single toggle or single way to be fully compliant with GDPR, however. Google has announced a feature called Consent Mode for websites and mobile apps, which allows for full integration with Consent Management Platforms (CMP) or a custom implementation for obtaining visitor consent, such as a cookie consent banner.

Best Practices

Regardless of using Google Analytics 4 or not, some common-sense best practices include:

  • Migrate to Google Analytics 4 as soon as possible in order to make updates to settings that are recommended to better comply with data privacy and protection regulations.
  • Ensure your privacy policy is up to date on the settings and rules you have enabled in Google Analytics regarding the collection and use of website visitor behavior. If countries with GDPR regulation in place are not an essential part of the company’s business, consider blocking or excluding the collection of data from visitors from any particular country.
  • Use a cookie management tool to give website visitors the option to decline or accept cookies. If a visitor declines cookie tracking, reported data will be lower than actual activity, but over time more regulation is requiring that this aspect of data collection be managed.
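
How the Consent Mode feature and cookie banner described above can be wired together, as an added example that is not code from this article or from Google. The region list, storage key and function names are assumptions; the `gtag('consent', ...)` calls and their `analytics_storage`, `ad_storage`, `region` and `wait_for_update` parameters are Consent Mode's own.

```javascript
// Added example: Consent Mode wiring for a cookie banner.
// In a page, this must run before the GA4 gtag.js snippet loads.
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];
function gtag() { root.dataLayer.push(arguments); }

// Constructed values for illustration (assumptions, not from the article).
const CONSENT_REGIONS = ['DE', 'FR', 'IE']; // ISO 3166 codes to default-deny
const STORAGE_KEY = 'consent_choice';       // hypothetical key for the saved choice

// Anything other than an explicit 'granted' is treated as denied.
function toConsentState(choice) {
  const value = choice === 'granted' ? 'granted' : 'denied';
  return { analytics_storage: value, ad_storage: value };
}

// Deny storage in the listed regions until the visitor answers the banner,
// then replay a returning visitor's saved choice.
function setDefaultConsent(store) {
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    region: CONSENT_REGIONS,
    wait_for_update: 500, // ms to wait for the banner before tags fire
  });
  const saved = store.getItem(STORAGE_KEY);
  if (saved !== null) gtag('consent', 'update', toConsentState(saved));
}

// Call from the banner's Accept / Decline buttons.
function onBannerChoice(store, accepted) {
  const choice = accepted ? 'granted' : 'denied';
  store.setItem(STORAGE_KEY, choice);
  gtag('consent', 'update', toConsentState(choice));
  return choice;
}

// Browser usage: setDefaultConsent(localStorage);
```

A malformed or tampered stored value falls back to denied, so the saved choice can never grant more than the visitor explicitly accepted.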

Change History

  • 10/24/22 - Clarification added to some recommendations
  • 10/19/22 - Creation of this document
