Is Google Analytics 4 illegal? No, it isn't – and here's why

There has been a long-standing uncertainty about the legality of Google Analytics, but the issue was resolved this July by the European Commission: Google Analytics 4 is fundamentally legal in the EU. But how did we get here, and more importantly; how to ensure that you also use the tool in compliance with the law?

The use of Google Analytics has long sparked discussion in Finland, both by the Data Protection Ombudsman and the markets. The root of the problem has been the storage of data outside the EU, which has caused grey hairs regarding user privacy.

In July of this year, the European Commission announced that the new, improved EU-US Data Privacy Framework is sufficient to protect the rights of EU citizens.

Is Google Analytics itself then fully GDPR compliant, and is it safe to use?

As a product, Google Analytics 4 is fundamentally GDPR compliant. However, Google Universal Analytics is not, which is partly why its use was phased out.

What’s important to remember is that using a tool that’s compliant with GDPR does not guarantee that the data collection is automatically legal. Even with Matomo, PiwikPro, or any other tool, it is possible to collect data in violation of GDPR. The most important thing is to take care of the legality of your own operations and that whatever tool is in use, it is used taking care of user privacy.

It is essential to ensure that you do not act contrary to the data protection legislation. The transfer of personal data discussed in this article is just one part of complying with data protection laws.

Therefore, keep in mind the key rule when collecting and managing data: identifiable personal data must not be sent to Google Analytics. This includes names, email addresses, phone numbers, IP addresses, CRM IDs, etc.

So, how do you ensure that identifiable information does not get transferred to Google Analytics?

1. Clarify internal data collection policy

Clarify within the organization what data is collected, why, and how it is managed securely.

Initially, it is advisable to take a holistic view: e.g. what CRM system and other tools you are using. It is important to have a list of the tools in use: what data is fed into them, which of this data is classified as personal data, and how long the data is stored. It is also good to review the company’s data collection policy in terms of digital channels: at least from the website and hosting side.

Once the basics are in order, it is easier to plan the analytics setup.

2. Modify URL parameters that may contain personal data

It’s possible to retrospectively check if personal data is found among the data gathered in the analytics. Tools can be used to search for possible personal data among URL parameters, and if found, they can be removed or modified to be unidentifiable. Google Analytics 4 itself has a built-in Data redaction functionality, which allows defining event- or URL-level modifications for this purpose.

3. Anonymize collected personal data

Common possible places where a site user’s individual personal data may appear:

• In URLs, e.g., URL parameters during form submission or logging in
  • example.fi/loggedin?firstname=jaska&lastname=jokunen
  • Solution: The parameters should be removed by developers or at least made unidentifiable.
• In the event data, such as order details, the orderer’s email might appear
  • example: email:jaska.jokunen@example.fi
  • Solution: Such information should not be sent to Google Analytics or other analytics tools. Some marketing platforms like Google Ads, Meta (Facebook), or Pinterest may want a hashed, i.e., encrypted version of an identifier like an email address.

4. IP-address anonymization

Google Analytics 4 offers more control over anonymization than its predecessor, Universal Analytics. Google Analytics 4 automatically anonymizes IP addresses, and this anonymization occurs within the EU area before the data is transferred anywhere outside of it.

5. Server-side tag management

Server-side tagging helps control the amount of data sent to analytics and advertising systems. If the transfer of users’ IP addresses or other data is a concern, this transfer of data can be blocked with server-side tagging.

It also supports the anonymization or pseudonymization of tracking data on the server before they are stored and sent to, for example, Google Analytics.

The code is executed on the server (server), improving website loading time.

When code is run in the user’s browser (client-side), the control is much smaller in terms of what data is taken to analytics or advertising systems.

6. Ensuring cookie management functionality

Although cookies are not directly related to the agreement between the EU and the USA, it is good to go through their functions, as personal data may be transferred outside the EU to these cookie service providers, especially in the case of third-party cookies. It’s advisable to read Traficom’s guide on cookies carefully.

Ensure the following regarding cookies:

• Before setting cookies (or the like), ask the user for voluntary and clear consent. The exception, of course, are cookies necessary for the operation of the site, such as remembering login. Note that cookies related to analytics do not fall into the necessary or mandatory cookies category.
• Ensure that you can subsequently demonstrate that you have received the consent from the user. Usually, this requires that the site visitor submits a cookie consent ID.

In summary

Whether you are a public or private operator, with the new EU-US Data Privacy Framework data transfer arrangement, you no longer have to worry about whether the transfer of personal data to the United States as part of Google Analytics 4 is illegal. The DPF ensures the legality of data transfer, although organizations must remember to take care of other obligations under data protection legislation when handling personal data.

No matter what analytics tool you have in use, you need to know, for example, what personal data it stores and for how long, and to what parties data may be transferred. The processing of personal data must also be disclosed to registered individuals, for example, in a privacy policy visible on the website.

If you are concerned about the current state of your site’s analytics or data protection, send us a message – let’s sort things out together!

Experts:

Panu Ervamaa, CTO, Hion
Niko Karppinen, Web Analytics Lead, Hion
Ville Vainio, Partner and Lawyer, Applex: As the head of Applex’s Technology & Data Protection practice, Ville assists domestic and international clients from SMEs to listed companies, particularly in data protection and technology law. Ville is a certified data protection expert (CIPP/E).