Enhance Your Data Privacy Strategy With Google Analytics 4 (GA4)
The only constant in the digital space is change, and we’re certainly seeing a number of bigger changes in the industry right now. Privacy policies across browsers, countries, and states are getting stricter in regard to user data and one of the oldest and biggest tools, Google Analytics, has a younger sibling clamoring for your attention: Google Analytics 4 (GA4). If you use Google Analytics and haven’t started to dual tag your sites with GA4 tags, you should start sooner rather than later to ensure GA4 starts building a healthy foundation of data for future use. This new GA4 implementation effort also gives you the perfect opportunity to pause and take stock of your Google Analytics data privacy strategy and compliance.
Google Analytics 4…Do I Really Need It?
Before talking about data privacy laws, I want to touch on Google Analytics 4. There may be some hesitancy out there about taking the time to implement GA4 when there is currently no sunsetting date for Google Universal Analytics on the horizon. However, we strongly recommend you start dual tagging your sites so they send data to both Universal Analytics and GA4. Google’s development efforts are now clearly focused on GA4, and you should start getting familiar with the tool and how its reporting interface and data model differ from Universal Analytics.
Google has an impressive roadmap of feature updates lined up, but for now, by all means, keep using Universal Analytics for your primary reporting and insights analysis. You’re going to want Google Analytics 4 to start collecting data to build that base of data to allow you to run historic comparisons in the future. We recommend you have at least enough data in GA4 to run year-over-year comparisons before starting to use GA4 as your primary reporting tool.
GA4’s user and event-based data model is also a big departure from Universal. Universal’s session-based data model feels pretty early 2000s at this point. Companies and brands get more value from understanding user interactions over time and across devices and Google Analytics 4’s data model supports that approach. Ironically, new data privacy laws are making user tracking harder and I’ve seen some commentators talk about a return of session and visit focused analytics and advertising, but that’s likely a topic for another day.
Google has specifically referred to the “data privacy by design” approach they’ve used in building out GA4. In practice, this means Google Analytics 4 has some updated features that allow for easier compliance with common data privacy laws. As you build out your fresh GA4 implementation, it’s the perfect opportunity to take stock of your current data privacy strategy, compliance, and how best to utilize the features of Google Analytics 4 to ensure you remain compliant in the future.
The Current State of Data Privacy
Broadly speaking, we can break data privacy out into two categories: country/state regulations and company/browser policies.
When we think about country/state regulations, we’re looking at the General Data Protection Regulation (GDPR), the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, and the recent regulation coming out of Colorado, the Colorado Privacy Act. The exact details differ between the policies, but effectively they require that you give users the ability to opt out of tracking via analytics tools, such as Universal Analytics and GA4. In the case of GDPR, you must ensure users proactively opt in to tracking. Users must also be given the ability to request that data you’ve previously captured from them be deleted.
When considering company- and browser-specific privacy regulations, the main player has, so far, been Apple. Apple’s Intelligent Tracking Prevention releases have limited the lifespan of cookies commonly used by analytics tools, and their iOS 15 updates grant users even greater abilities to limit app and website tracking. Some of these updates, and Google Chrome’s recently delayed removal of 3rd party cookies, primarily impact advertising technology rather than tools such as GA4, but they’re useful to keep in mind as you consider your Google Analytics data privacy strategy.
GA4 and Compliance With National and State Privacy Regulations
Below we consider features and functionality you should keep in mind when configuring GA4 in a privacy-compliant manner.
Anonymizing IP
By default, GA4 anonymizes the IP addresses of all users. This setting cannot be adjusted. This is a privacy-friendly update compared to Universal Analytics, which tracked IP addresses by default, violating GDPR rules which considered an IP address to be personally identifiable information (PII).
Server Location
Like Universal, Google Analytics 4 doesn’t give you the option to control where data is stored. Most GA4 servers are located in the U.S. so if you’re in the European Union and looking for GDPR compliance you should ensure, as part of your data privacy strategy, that your privacy policy notes that international data transfers will be happening.
Cookie Banner
This one is relatively straightforward. Similar to Universal Analytics, GA4 captures data about users as they interact with your website or app and many privacy policies, GDPR being the main one, require users to opt-in to this data collection. Your cookie banner should clearly state what tracking the user is opting in/out of and provide clear options to opt in or out to gather users’ consent.
Consent Mode
Announced late in 2020 and still officially in “beta,” the Consent Mode feature provided in Google Tag Manager allows you to configure your Google tags (Analytics and Ads) to respect users’ consent choices. Starting a new Google Analytics 4 implementation offers you the opportunity to configure your GA4 tags from the start using Consent Mode to ensure your tracking responds accurately to users’ opt-in/out decisions.
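The sketch below shows how the opt-in and opt-out models described earlier can be expressed with the Consent Mode `gtag('consent', ...)` commands. It is an added example, not code from the original article: the region list is a constructed, deliberately short sample, and the `choice` object passed in by the cookie banner is a hypothetical shape.

```javascript
// Added example. dataLayer and gtag are defined as in the standard Google tag snippet.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Constructed sample: regions treated as opt-in (GDPR-style). Not a complete list.
const OPT_IN_REGIONS = ['DE', 'FR', 'IE'];

// Must run before any 'config' command or tag fires on the page.
function setConsentDefaults() {
  // Opt-in regions: nothing is stored until the visitor accepts.
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    region: OPT_IN_REGIONS,
    wait_for_update: 500, // ms to wait for the banner before tags fire
  });
  // Everywhere else (assumed opt-out model): storage allowed until the visitor declines.
  gtag('consent', 'default', {
    analytics_storage: 'granted',
    ad_storage: 'granted',
  });
}

// Called by the cookie banner. `choice` is a hypothetical object such as
// { analytics: true, ads: false }; anything other than an explicit true
// is treated as a refusal.
function applyBannerChoice(choice) {
  const state = {
    analytics_storage: choice && choice.analytics === true ? 'granted' : 'denied',
    ad_storage: choice && choice.ads === true ? 'granted' : 'denied',
  };
  gtag('consent', 'update', state);
  return state;
}
```

Treating a missing or malformed choice as a refusal keeps a banner bug from silently turning into consent.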
Data Storage
In Universal Analytics you were able to configure data retention to a series of timeframes from 14 months minimum to a “do not automatically expire” maximum. GA4 simplifies this with only two aggressive options: two months or 14 months. These limited retention timeframes in effect force your GA4 setup to retain data for less time, pushing you toward compliance with GDPR and other data privacy policy laws focused on ensuring you only retain user data for as long as you are making use of it. If a 14-month data retention period is too limited for the types of long-term comparison analysis you run, you can always save the data for longer in tools such as BigQuery.
User Data Deletion
Similar to Universal Analytics’ User Explorer report, GA4 provides a User Explorer template you can load within the Exploration section of the tool. This report allows you to segment your users and delete individual user data if needed. This is an important feature as granting users the right to request their data be deleted is a common feature of the majority of privacy regulations being released. By default, these User Explorer reports only identify users by GA Client ID. Your ability to accurately track and delete user data will be enhanced if you’re able to configure the User ID dimension within GA4, utilizing a persistent identifier. This is one of the ironies of the ongoing privacy push. For us to be able to accurately delete a user’s data upon their request, we need to accurately track that user in the first place! As with Universal Analytics, the User Deletion API is available for programmatic data deletion of user data in Google Analytics 4.
Data Sharing Between Google Products
Google provides a number of options for you to share GA4 data with other tools in the Google ecosystem, specifically Google Signals and Ad Personalization. From a privacy perspective, we recommend you tread carefully here. If you are considering opting in to either Signals or Ad Personalization, you must consider which privacy regulations your company must adhere to. For example, if you comply with GDPR, then Signals and Ad Personalization support ad profile building and therefore require an explicit opt-in from users. In any case, if you’re looking to share GA4 data with other Google products, then you should ensure your privacy policy documents this.
Personally Identifiable Information (PII)
No big changes here, but we felt it worthwhile mentioning again that GA4 doesn’t allow the capture of PII and will flag data for deletion if it identifies any PII in your GA4 property. These data deletions involve deleting all data in your GA4 property within the timeframe the PII was captured — definitely not something you want to happen to your analytics data! If you plan to utilize the User ID dimension, then as part of your larger data privacy strategy, ensure an anonymous identifier is used.
Managing Intelligent Tracking Prevention
Apple and WebKit have led the way in terms of browser privacy features with their Intelligent Tracking Prevention (ITP) updates. ITP 2.2 and 2.3 dramatically limit the lifespan of cookies set via JavaScript, potentially impacting your analytics data, A/B tests, and personalization campaigns.
By default, the GA4 Client ID cookie is set client-side via JavaScript, exposing it to ITP restrictions and a reduced lifespan. As you configure Google Analytics 4 from scratch, it is worthwhile setting the Client ID cookie server-side with a two-year lifespan, thereby avoiding ITP restrictions. If you take this recommended approach, you’ll need to make sure your code also sets the cookie_update field to false, so that GA4 doesn’t also try to update the cookie via JavaScript, which would open the cookie up to ITP restrictions again.
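One way to implement the server-side renewal described above, as an added example that is not code from the original article. It assumes the Client ID lives in the `_ga` cookie with the commonly observed `GA1.<n>.<random>.<timestamp>` shape; the function names, the domain argument, and the measurement ID placeholder are hypothetical.

```javascript
// Added example. Two years expressed in seconds for the Max-Age attribute.
const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60;

// Assumed shape of a Client ID cookie value: GA1.<n>.<random>.<timestamp>.
// Validating before echoing the value back keeps CR/LF, ';' and other
// header-breaking characters out of the Set-Cookie response header.
const GA_VALUE = /^GA1\.\d+\.\d+\.\d+$/;

// Parse a raw Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    out.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return out;
}

// Build the Set-Cookie header value that re-issues _ga from the server with
// a two-year lifespan. Returns null when the request carries no well-formed
// _ga cookie. `domain` comes from server configuration, never from the request.
function renewGaCookie(cookieHeader, domain) {
  const value = parseCookies(cookieHeader).get('_ga');
  if (!value || !GA_VALUE.test(value)) return null;
  return [
    `_ga=${value}`,
    `Domain=${domain}`,
    'Path=/',
    `Max-Age=${TWO_YEARS_SECONDS}`,
    'Secure',
    'SameSite=Lax', // no HttpOnly: the Google tag still has to read the cookie
  ].join('; ');
}

// Client-side counterpart: stop the tag from rewriting the cookie in JavaScript.
// 'G-XXXXXXXXXX' is a placeholder measurement ID.
const GTAG_CONFIG = { cookie_update: false };
// gtag('config', 'G-XXXXXXXXXX', GTAG_CONFIG);
```

If the cookie banner records a refusal, skip the renewal so the server does not extend an identifier the visitor declined.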
Ensure GA4 Respects Data Privacy
By focusing on a proactively compliant Google Analytics 4 implementation now, you’ll set yourself up for success in the future. You’ll build trust with your user base, showing that you care about their data and how it’s handled while also reducing the risk of any enforced data deletions, data inaccuracy, and fines. It may seem like both GA4 and truly engaging with privacy compliance can wait, but given Google’s focus on GA4 and the constantly shifting privacy landscape, we recommend you come to grips with both GA4 and other related privacy regulations now so you don’t find yourself behind or at risk of breaching privacy rules in the coming years. We expect that privacy regulations are only going to increase and likely become more restrictive in the future, so now is the time to ensure that the foundations of your Google Analytics data privacy strategy are in place. If you have any questions about Google Analytics 4 or privacy compliance, let us know. We’d be happy to help!