Is Google Analytics 4 GDPR-compliant?

Google Analytics is a powerful tool for understanding website performance, user behavior, and traffic patterns. However, its compliance with the General Data Protection Regulation (GDPR) has been a subject of concern and controversy, particularly in the European Union (EU). The data protection authorities of several European Union (EU) countries have weighed in on privacy compliance issues with Google Analytics, with similar complaints that focus on its insufficient protections and data transfer practices.

In this article, we’ll examine the timeline of EU-US data transfers and the law, the relationship between Google Analytics and data privacy, and whether Google’s popular service is — or can be — GDPR-compliant.

One of the key compliance issues with Google Analytics is its storage of user data, including EU residents’ personal information, on US-based servers. Because Google is a US-owned company, the data it collects is subject to US surveillance laws, potentially creating conflicts with EU privacy rights.

At the time of the EU countries’ rulings, there was no privacy adequacy agreement in place. The July 2020 Schrems II ruling invalidated the EU-US Privacy Shield that enabled data transfers between the EU and the US, on the basis that the US did not provide adequate protection for data.

As a result, from mid-2020 to September 2021, data transfers from the EU to the US could not be made based on the Privacy Shield or pre-approved model data contract clauses known as Standard Contractual Clauses (SCCs).

New SCCs were released in September 2021, which were viewed as a somewhat adequate safeguard if there were additional measures like encryption or anonymization, to make data inaccessible by US authorities.

The Schrems II ruling sparked a series of legal issues and decisions by European Data Protection Authorities (DPAs) across Austria, France, Italy, and other countries, declaring the use of Google Analytics as noncompliant with the GDPR.

On Jan 12, 2022, Austrian DPA Datenschutzbehörde (DSB) ruled Google Analytics violated the Schrems II ruling. Even though the company tried to anonymize IP addresses, the effort was deemed inadequate because anonymization likely occurred only after the data reached US servers. Encryption was also deemed insufficient, as US authorities could legally access the encryption keys.

In February 2022, the Commission Nationale de l’Informatique et des Libertés (CNIL) found that the use of Google Analytics was not compliant with Article 44 of the GDPR, as users’ personal data was being transferred to a country without adequate data privacy protection. In June 2022, the CNIL issued updated guidance (in French) regarding the use of Google Analytics, giving organizations a month to update their usage of the service or risk regulatory enforcement.

In June 2022, Garante ruled that the transfer of data to the US via Google Analytics violated the GDPR. They emphasized that even shortened IP addresses are considered personal data and thus need proper legal bases and protections, and Google’s measures did not provide a sufficient level of protection for personal data collection.

In January 2022, the Dutch data protection authority AP announced investigations into two complaints against Google Analytics. These complaints echo similar issues raised in Austria, France, and Italy.

Despite Brexit, the UK continues to maintain data protection laws similar to the EU’s GDPR. In January 2022, following the Austrian ruling, the UK data protection authority removed Google Analytics from its website.

In January 2022, Datatilsynet stated it would align with Austria’s decision against Google Analytics and publicly advised Norwegian companies to seek alternatives to the service.

In September 2022, Datatilsynet stated that lawful use of Google Analytics “requires the implementation of supplementary measures in addition to the settings provided by Google.” It further stated that companies should stop using Google Analytics if they were unable to implement these additional measures.

On July 3rd 2023, IMY ordered four companies to stop using Google Analytics on the grounds that these companies’ additional security measures were insufficient for protecting personal data. It also stated that this decision should provide guidance for other companies using the service.

A week before the Austrian ruling, the European Data Protection Supervisor (EDPS) sanctioned the European Parliament for using Google Analytics on its COVID testing sites due to insufficient data protections. This is viewed as one of the earliest post-Schrems II rulings and set the tone for additional legal complaints.

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, which covers data transfers among the EU, European Economic Area (EEA) and the US in compliance with the GDPR.

This new framework addresses some concerns raised by Schrems II, introducing new conditions for data collection and restricting how US agencies can gather intelligence.

However, the new framework has received some criticism from experts and stakeholders. Some privacy watchdogs, including the European Data Protection Board (EDPB), have pointed out striking similarities between the new and the previous agreements, raising doubts about its efficacy in protecting EU residents’ data.

There are also concerns with the Civil Liberties Protection Officer (CLPO) and Data Protection Review Court (DPRC), the redressal mechanisms under the Framework:

• The complainant will have to make a complaint to an EU Data Protection Authority and therefore won’t be heard by these authorities directly.
• The CLPO and DPRC are not required to inform the complainant whether or not their data was subject to US signals intelligence activities.
• The DPRC is not a court at all but a “partly independent executive body”.

Privacy rights activists have declared their intent to file challenges against the Framework. Meanwhile, French Member of the European Parliament, Philippe Latombe, took legal action in September 2023 by filing two lawsuits in the EU Court of Justice to overturn the Data Privacy Framework.

The Data Privacy Framework is facing legal challenges, but it is in effect today and data transfers between the EU and US are considered valid if they comply with its requirements.

That the various EU rulings that Google Analytics — which is used on tens of millions of websites — could be grounds for noncompliance penalties have understandably been of concern to many website operators in the EU. But these rulings were made before two key developments in July 2023:

• the adoption of the EU-U.S. Data Privacy Framework
• Universal Analytics — the third iteration of Google Analytics — stopped collecting new data, and Google Analytics 4 became Google’s primary analytics platform

Google Analytics 4 introduces several new features and privacy controls, including cookieless measurement and conversion modeling, which Google claims make it more privacy-friendly.

However, the question remains: is Google Analytics 4 GDPR-compliant?

Google Analytics 4 has several significant changes compared to Universal Analytics. The new version adopts an event-based measurement model, contrasting the session-based data model of Universal Analytics. This shift enables Google Analytics 4 to capture more granular user interactions, better capturing the customer journey across devices and platforms. Website owners can turn this off to stop it from collecting data such as city or latitude or longitude, among others. Website owners also have the option to delete user data upon request.

Another notable feature is that Google Analytics 4 does not log or store IP addresses from EU-based users. According to Google, this is part of Google Analytics 4’s EU-focused data and privacy measures. This potentially addresses one of the key privacy concerns raised by the Data Protection Authorities, which found that anonymizing IP addresses was not an adequate level of protection.

The EU-U.S. Data Privacy Framework alone doesn’t make Google Analytics 4 GDPR-compliant. The framework can make data transfers to the US compliant, if they are with a certified US company, but the onus is on website owners to ensure that the data was collected in compliance with the legal requirements of the GDPR in the first place.

All Google Analytics cookies should be set up and controlled so they only activate after users have granted explicit consent. Users should also have granular control so that they can choose to allow cookies for one purpose while rejecting cookies for another.

A consent management platform (CMP) like Usercentrics can enable blocking of the activation of services until user consent has been obtained. Google Analytics couldn’t transfer user data because it would never have collected it.

Google Consent Mode allows websites to dynamically adjust the behavior of Google tags based on the user’s consent choices regarding cookies. This feature ensures that measurement tools, such as Google Analytics, are only used for specific purposes if the user has given their consent, even though the tags are loaded onto the webpage before the cookie consent banner appears. By implementing Google Consent Mode, websites can modify the behavior of Google tags after the user allows or rejects cookies so that it doesn’t collect data without consent.

Website operators must provide clear, transparent data processing information for users on the website. This information is included in the privacy policy. Information related specifically to cookies should be provided in the cookie policy, with details of the Google Analytics cookies and other tracking technologies that are used on the site, including the data collected by these cookies, provider, duration and purpose. The cookie policy is often a separate document, but can be a section within the broader privacy policy.

The GDPR requires user consent to be informed, which is what the privacy policy is intended to enable. To help craft a GDPR-compliant privacy policy, extensive information on the requirements can be found in Articles 12, 13 and 14 GDPR.

A data processing agreement (DPA) is a legally binding contract and a crucial component of GDPR compliance. The DPA covers important aspects such as confidentiality, security measures and compliance, data subjects’ rights, and the security of processing. It helps to ensure that both parties understand their responsibilities and take appropriate measures to protect personal data. Google has laid down step-by-step instructions on how to accept its DPA.

The implementation of the Digital Markets Act (DMA) is likely to have an impact on Google Analytics 4, affecting its functions, data collection practices, and privacy policies. Website owners who use the platform are encouraged to take the following steps to prepare:

• Audit your privacy policy, cookies policy and data practices.
• Conduct a data privacy audit to check compliance with GDPR, and take any corrective steps if necessary.
• Install a ​​ CMP that enables GDPR compliance to obtain valid user consent per the regulation’s requirements.
• Seek advice from qualified legal counsel and/or a privacy expert, like a Data Protection Officer, on measures required specific to your business.

Learn more about DMA compliance.

Taking steps to meet the conditions of Article 7 GDPR for valid user consent, website operators must obtain explicit end-user consent for all Google Analytics cookies set by the website. Consent must be obtained before these cookies are activated and in operation. Using Usercentrics’ DPS Scanner helps identify and communicate to users all cookies and tracking services in use on websites to ensure full consent coverage options.

Many organizations use Google Analytics on their websites because it provides extensive data and powerful tools to help lower bounce rates, visualize data, optimize web rankings, learn about and segment visitors, and more. It also integrates well with other Google tools.

Google Analytics helps companies pursue growth and revenue goals, so understandably, businesses are caught between not wanting to give that up, but also not wanting to risk GDPR violation penalties or the ire of their users over lax privacy or data protection.

Day to day, it is up to website operators to keep up with current regulations and privacy requirements, and do what is necessary to achieve and maintain privacy compliance to protect users. Aside from legal necessity, taking these steps also helps build trust and long-term relationships with users.

The Usercentrics team closely monitors regulatory changes and legal rulings, makes updates to our services and posts recommendations and guidance as appropriate. However, website operators should always get relevant legal advice from qualified counsel regarding data privacy, particularly in jurisdictions relevant to them. This includes circumstances where there could be data transfers outside of the EU to countries without adequacy agreements for data privacy protection.

As the regulatory landscape and privacy compliance requirements for companies are complex and ever-changing, we’re here to help.

Book a demo and see how the Usercentrics CMP can help with your company’s data privacy goals.

Or contact one of our experts today. We’re happy to answer all your questions.