This article shares my experience working with Google Analytics 4 and Universal Analytics for the last 8 years and aims to show why Google Analytics 4 and GDPR fit together.
Although the information presented in this article will help you to understand why proper GA4 setup meets GDPR, it would be best if you didn’t use it as the standalone guide or as the primary source of information.
How Google made GA4 GDPR compliant?
First, Google is a company that spends millions or billions of dollars to make its products and meet all regulations. There are not so many companies worldwide that can spend so much money on all regulations aspects.
Therefore, when we heard that Universal Analytics or Google Analytics is not GDPR complaint because it stores data not in Europe but in the USA. Google reacted instantly and changed their data gathering procedure, and now Google Analytics 4 collects all data from EU-based devices on servers based in the EU.
Second, Google Analytics 4 was created to meet privacy regulation policies. This means that at the core of Google Analytics 4 is privacy. Therefore, Google has already made a few implementations that allow GA4 to be a GDPR complaint. Let’s look at each of them.
Personally Identifiable Information (PII)
If you were using Universal Analytics, you should be familiar with Personally Identifiable Information (PII). PII includes, but is not limited to, information such as email addresses, personal mobile numbers, and social security numbers.
To protect user privacy, Google policies mandate you not to send this information to Google Analytics. Google team can also delete your GA4 property if they find any PII in your account. Therefore, the proper GA4 setup is so necessary. If you set up GA4 right, you don’t send this PII to GA4.
It’s also worth mentioning that there is a situation when you don’t send such data, but your users put it into some places (search box) that GA4 can gather. In this case, you should enhance your GA4 setup or use Data Deletion requests (further in this article).
Google Analytics 4 anonymises IPs
Yes, it’s true. If Universal Analytics stored IP addresses and we needed to use Google Tag Manager to overcome it, Google Analytics 4 does not log or store individual IP addresses.
IP data is used to detect geo-location by deriving the following metadata from IP addresses: City (and the derived latitude, and longitude of the city), Continent, Country, Region, Subcontinent (and ID-based counterparts).
And using this data to detect geo-location doesn’t mean storing it. GA4 doesn’t store your visitors’ IP addresses.
Event Data Retention (2 and 14 months)
One of the GDPR rules is that you should store users’ information not more than you need it. It means you shouldn’t store personal data just for storing it but for purposes according to GDPR.
Apart from that, you should also store users’ data that is crucial to you. It would be best if you didn’t store everything. I also recommend you not to store everything because with less data, a better focus comes.
Thus, GA4 allows you to select data retention. There are two options 2 months and 14 months. When you create a GA4 property, it has 2 months by default. The data retention automatically resets whenever a user visits your website or product.
If you need more than this, you can store the data in BigQuery for unlimited time, but again, there are better approaches than unlimited time. Please always store the data for the time that makes sense.
US and EU Server Locations
As I mentioned above, Google Analytics 4 stores data collected from the EU on EU servers. The data collected from other regions are stored in those regions.
You can also select the server in BigQuery to decide where your website data will be stored.
Data Deletion Requests
Apart from all of that I mentioned above, there is a nice feature in Google Analytics 4. It’s called “data deletion requests”. You can request to delete almost any data you weren’t collected according to GDPR or other regulations. Here are the deletion types you can do.
|Delete all parameters on all events||This option deletes all registered and automatically collected parameters across all collected events.|
|Delete all registered parameters on selected events||This option deletes all registered parameters collected across a list of events you select in the next step.|
|Delete selected parameters on all events||This option deletes registered parameters that you select in the next step across all collected events.|
|Delete selected parameters on selected events||This option deletes registered parameters that you select in the next step across a list of events that you also select in the next step.|
|Delete selected user properties||This option deletes user properties that you select in the next step|
Though you can find here a type that deletes data assigned to the specific user_id (user), you can also do it in Google Analytics 4.
Delete Users in one click | User Explorer report
As I mentioned above, you can delete the entire user profile. Google didn’t add it to the data deletion requests because it didn’t require them to proceed with such requests manually.
You can delete the profile with one click in the User Explorer report. Once you click on the delete button, this user will stop displaying in the exploration reports within 24 hours and will be permanently deleted within the next 63 days.
So if you have users concerned about the data you store about them, you can delete their data by clicking one button. It’s so easy and so valuable.
GTM Consent Configuration
And last, many companies add Google Analytics 4 to their websites through Google Tag Manager. GTM has a specific consent configuration that allows you to control whether a user gave you access to record the data about them or not.
Many companies show cookies pop-up when you visit their websites for the first time, where you can select “essential cookies” or “all cookies”. If you implement GTM consent right, GA4 won’t collect data about users who didn’t consent.
It’s precisely what GDPR requires you to do.
To summarise, Google spends much effort making Google Analytics 4 GDPR-complaint. This article presents many features you can use to make your usage of GA4 as safe as possible.
If you have more questions about Google Analytics 4, please comment below.
Frequently Asked Questions
Yes, Google spends enormous effort to make Google Analytics 4 fully GDPR compliant, including storing your website users’ data in the EU.
Yes, Google Analytics 4 anonymizes IP addresses by default.
No, Google Analytics 4 doesn’t collect users’ IP addresses.