Google Analytics: GA4 vs Universal Analytics – What will change?
Will GA4 improve compliance?
For any users of Google Analytics, you will have started to see some messaging warning that the Universal Analytics tools will be retired in 2023 and that now is the time to migrate across to Google Analytics 4.
What is Google Analytics 4 (GA4)?
GA4 is a new property that helps analyse the performance of your website and app traffic and will replace Universal Google Analytics. It was first released in October 2020 although it’s only now that the campaign to migrate across has started in earnest.
Key components include:
- Event-based tracking: Universal Analytics is session-based, while GA4 is event–based. In other words, the ability to track events like button clicks, video plays, and more is built in with GA4, while this requires advanced setups in UA. This comes from the premise that page views aren’t the sole important metric.
- Cross-device tracking: UA was built around desktop web traffic, while GA4 gives businesses visibility into the customer journeys across all of their website and apps.
- Machine learning: GA4 uses machine learning technology to share insights and make predictions.
- Privacy-friendly: UA data relies heavily on cookies, GA 4 does not.
Crucially, on July 1, 2023, standard Universal Analytics properties (the previous version of Google analytics) will no longer process data. You’ll be able to see your Universal Analytics reports for a period of time after July 1, 2023. This means that to have a continuous history of activity, it makes sense to move across to the new GA4 platform sooner rather than later.
What privacy improvements have been made?
GA4 came with a set of new privacy-focused features for ticking GDPR boxes including:
- Data deletion mechanism. Users can now request to surgically extract certain data from the Analytics servers via a new interface.
- Shorter data retention period. You can now shorten the default retention period to 2 months (instead of 14 months) or add a custom limit.
- IP Anonymisation. GA4 doesn’t log or store IP addresses by default. They allocate an anonymous and unique user id to each record
- First-party data cookies. Google uses first-party cookies which means they’ll still be supported by browsers
- More data sampling. Google is doing more data sampling using AI to gain more granular analytics insights – this is more privacy friendly and uses models to investigate deeper insights
- Consent mode. The behaviour of Google tags is managed based on user consent choices.
- Collecting PII. Google does not allow the collection of PII in GA4 – this is considered a violation of Googles terms of service
- Data sharing with other Google Products. Any linking to Google advertising products requires explicit opt-in consent and a prominent section on the privacy notice
Is Google now compliant?
Possibly in limited circumstances. If Google anonymises the data by allocating a user id that is never referenced with any other data then we can argue the data is anonymous and therefore not subject to GDPR regulation.
In some instances, this may be the case if you are doing simple tracking and effectively treat your digital platforms as an ivory tower. In most instances, it is not!
If you are advertising and can then link the id to other data, there is the potential to identify individuals and therefore the information becomes personal data and subject to GDPR.
This means that all the usual user consent rules apply and opt-in consent is required to analyse activity.
The major difficulty for Google is that data is exported to the US where it is deemed, by the EU, that Google does not adequately protect EU personal data from US surveillance rules.
Previously, Google relied on the Privacy Shield framework to ensure that it remained compliant. Since that has been invalidated in 2020, Google has struggled to achieve compliance and has faced a number of fines.
In particular, Google Analytics does not have a way for:
· Ensuring data storage within the EU
· Choosing a preferred regional storage site
· Notifying users of the location of their data storage and any data transfers outside of the EU
Ideally, Privacy Shield 2.0 will be introduced soon! Talks have started but they’re unlikely to be swift! The US government has been talking about making its surveillance standards “proportional” to those in place in the EU. This may not be good enough for CJEU.
In the meantime, implement GA4 as it is more privacy-focused than Google Universal Analytics and hope that US and EU come to an agreement soon. There is a risk in using GA4 and you might want to consider using other solutions.