Therefore, if your website is based in the EU or targets EU residents, you must take additional measures to adapt your data privacy strategy to fit the data transfer requirements of the GDPR. Even if accepted, the new framework(s) may once again be invalidated by local data regulators as has already happened in the past. The specific result depends on the strength of the clustering algorithm that FLoC uses and the type of audience being reached. The world of digital marketing is always changing but it really feels like we're entering a new era with things like cookieless Google Analytics, iOS 14, and ever-increasing concerns about privacy. In GA4 you only have two options: This move is arguably more GDPR friendly because you will be able to apply the data minimisation principle with ease. Practically speaking, this means GA4 is equipped with several updated privacy features and functionality which are intended to help users comply more easily with most data privacy laws. That obviously has a lot of value for marketing but also potential for abuse, which leads us to an age-old question. However, if a 14-month data retention period is too short for the types of processing activities your business undertakes, you can always store the data for an extended period using a data warehouse like BigQuery. Not just because you're unable to track users across different websites but also because you can't track them between devices. The most recent of these has been regarding the unlawful transfer of personal data across EU-U.S. borders through the use of Google Analytics.
Simply put, some EU countries require websites to obtain explicit consent from users through cookie notice banners before placing analytics cookies on their devices, while others are more lenient with this requirement. SCCs are a set of contracts signed by both the data exporter and data importer which include standard clauses set by the EU or UK data protection authorities. In March 2018, a group of publishers admonished Google for not providing them with enough tools for GDPR compliance: [Y]ou refuse to provide publishers with any specific information about how you will collect, share and use the data. In practice, it's possible that none of your GA4 data (or Device IDs) will be considered personal data under the GDPR if you do the following: However, if you modify GA4 properties by cross-linking data with Google Signals or activating the ad personalization feature, then it is likely that the Device ID will be classified as personal data under the GDPR. For one, the US isn't eager to modify its surveillance laws and is mostly willing to make them proportional to those in place in the EU. That said, the ICO states that it is unlikely that formal action will be taken against violators for implementing low-risk cookies (e.g., first-party cookies) without obtaining consent. Though Google addressed some of the issues, they missed others. This was problematic from a GDPR perspective, because an IP address is considered as an item of personally identifiable data. Changes like Apple's iOS14 confirm that the future is likely cookieless and folks need to get on board. Another prominent feature provided by GA4 is the stringent data storage duration specified in its terms.
As a user travels throughout the internet, their browser (more specifically Chrome) will use the FLoC algorithm to assign them to an interest cohort along with many other users who have a similar history. Importantly, your website's Privacy Policy must also prominently disclose that international data transfers will be occurring. Article 14. f of the GDPR explicitly states: The controller (the company) that intends to carry out a transfer of personal data to a recipient (Analytics solution) in a third country or an international organisation must provide its users with information on the place of processing and storage of its data. We won't go into much detail about this privacy feature in this article, but for an in-depth understanding of how consent mode works, check out our article, Google Consent Mode. But it's very difficult to figure out where to draw the line with cookies. Now that we've covered the privacy features embedded in GA4, let's answer some common questions about Google Analytics and the GDPR. After the invalidation of the Privacy Shield framework in 2020, Google is yet to regulate EU-US data protection. This is a direct breach of GDPR. In a world where users are increasingly expecting better protection and control over their data, GA4 offers a variety of privacy controls (among other features) to meet these expectations and comply with common privacy laws, particularly the GDPR.
GA4 was primarily developed to replace and improve the privacy controls of Google's previous analytics product, Universal Analytics. Though Google made some progress, Google Analytics 4 still has many limitations and isn't GDPR compliant. Google Analytics 4 (GA4) is Google's latest analytics property and attempt at providing a more privacy-friendly experience for users. In the previous GA you could choose a data retention period up to 64 months. If you want to minimise your risk of non-compliance, you should consider suspending your use of Google Analytics and seeking a more privacy friendly alternative with data stored within the UK or EU. In 2018, the EU adopted the General Data Protection Regulation (GDPR), a set of privacy and data security laws, covering all member states. And that's where things can get a little dicey. As such, a Device ID can (in certain instances) constitute personal data under the GDPR. In any case, keep in mind that exceptions for consent regarding Google Analytics cookies will only apply if you only use GA4 in an anonymized version and do not share data with other Google platforms or activate the ad personalization feature. In fact, this is already happening. To help users remain compliant with modern privacy laws, Google doesn't allow users to collect personally identifiable information (PII) in GA4. This setup used to require you to edit your tagging code. Most privacy laws (like the GDPR, for example) give consumers the right to request that their data be deleted from a website's server, and with GA4, this has been made easier. We're also getting a taste of Google's privacy-centric by design approach to web analytics.
Note that this will make historical comparisons more difficult, however it is still possible to export data to a data warehouse like BigQuery, or for more simple analysis to export to Google Sheets. To put things in context, take the cookie consent requirement of Germany and the United Kingdom for example. Cookies can save all kinds of different information, depending on what the website wants to track. The ability to delete an individual user's data. Moreover, your website's Privacy Policy must prominently disclose that user data may be shared with other Google products. You can simply visit your account settings and then sign the documents. Swedish, Dutch and Norwegian authorities also claim it's in breach of GDPR. Remember, you should also disclose your use of international data transfers within your privacy policy. "We're in the midst of a measurement evolution, and global ecosystem changes are challenging marketers to be forward thinking and privacy focused," Philip McDonnell, Director, Product Management at Google. Google Analytics in particular was under a heavy cease-fire. Essentially, you can either choose to retain data for 2 months or 14 months, depending on your processing activities. In practice this will likely be Standard Contractual Clauses (SCCs). For example, the interest-based cohorts are defined by Google and not the advertiser. Since the regulations involving cookies are still evolving, it can be tricky thinking about how to best collect your user data. You can help Analytics out by using a script in a tag management system. Improved cross-device tracking: using Google signals to help piece together user journeys across multiple devices.
Do I Need a Cookie Consent/Notice Banner if I Use Google Analytics 4 (GA4)? With GA4, this means you may need to enter into a data processing agreement with Google, making sure to keep a copy of the signed agreement. No, but despite its flaws, it's still a good start as we enter a cookieless world. Switching to Google Analytics 4 gives marketers & site managers a wide range of benefits: Many of these benefits are possible because of the more powerful tracking capabilities of Google Analytics' latest tracking code. Notably, this feature is a deliberate attempt to help users comply with the GDPR's storage limitation principle, which states that data must only be kept for as long as it is absolutely necessary for the purpose(s) agreed upon during its collection. Thinking of switching to the new Google Analytics 4? More specifically, it is considered a violation of Google's Terms of Service to capture PII in GA4, and Google may delete all the data in any GA4 property where PII is found. Keep in mind that the GDPR defines personal data as any information that can be used to identify a natural person. From an EU privacy perspective, this is considered the most impactful feature in GA4 to promote data privacy and help users comply with the GDPR. So when you set up your account, you'll be asked to review choices relating to sharing data with Google's tech support teams, account managers and other products. That means you have to fit your product or service into Google's pre-made buckets so you're immediately losing a lot of specificity, but it doesn't end there. After 2020, GDPR litigation against Google followed. They call this blended data and in the Google blog they explain: Because the technology landscape continues to evolve, the new Analytics is designed to adapt to a future with or without cookies or identifiers.
Below we'll highlight some of the key areas where changes to GA4 will have an impact on how you apply GDPR and E-Privacy regulations (PECR). They added a more visible consent mechanism for online tracking and provided extra compliance tips for users to follow. Now that we have a basic understanding of Google Analytics 4 and why it was developed, let's go over the main privacy features and functionality it provides. The ruling puts thousands of digital companies at risk of non-compliance. Google's updated user explorer tool brings a much needed feature for GDPR compliance. This data sharing would require opt-in consent under PECR (e-privacy). But in July 2020, the EU Court of Justice ruled that this framework doesn't provide adequate data protection to digitally transmitted data against US surveillance laws. The relationship between Google and EU regulators got more heated after the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, a leeway Google used for EU-US data transfers. FLoC stands for Federated Learning of Cohorts and it's a work in progress but it's a big part of the cookieless future. In contrast with Universal Analytics, GA4 offers just two rigid options from which users may select. Cookies aren't inherently bad, and in a lot of ways, they're quite useful. The invalidation of the Privacy Shield framework put Google in a tough position. There are so many changes that come along with Google Analytics 4. But in practice, this wasn't always the case. That's ample time to get compliant, especially for an organisation as big and innovative as Google. When cookies track users across multiple domains, they're called third-party cookies. Google wants you to share your data with them.
GA4 came with a set of new privacy-focused features for ticking GDPR boxes such as: Google Analytics also updated its data processing terms and made changes to its privacy policy. This greatly reduces the usefulness of this tool. With this approach, Google simulates user data rather than using third-party cookies. This is necessary because such data may be used to build advertising profiles to track users. Recent decisions by supervisory authorities in Austria, Italy & France have ruled that data transfers to Google Analytics should stop. Importantly, GA4 will build upon the foundation set by Universal Analytics and will adopt a "data privacy by design" approach to address recent privacy challenges, among other developments. According to the cookie guide released by the UK Information Commissioner's Office (ICO), websites must obtain consent from users through cookie notice banners before placing analytics cookies on a user's device. Over time, they can learn a lot about you and piece together your personal data. To keep things simple you can opt out of data sharing. The matter is far from being settled and contentious issues remain as we discussed on Twitter (come say hi!). This concept can also be applied to cookie consent requirements when implementing GA4 properties, but ultimately, the deciding factor regarding cookie consent for GA4 boils down to country-specific cookie laws. European regulators have scrutinised Google since GDPR came into effect in 2018. No. Tip: If you are setting up a new Google Analytics account, it is currently possible to create both an old UA Google Analytics view and a new Google Analytics 4 property. Finally, FLoC puts a lot of the power into Google's hands.
This post summarises the main milestones in this story and explains the consequences for Google Analytics users. A cookie is a file that stores a small piece of data about a user and they can trace their origins all the way back to 1994 when they were first used to make shopping carts on e-commerce websites possible. They can help create a personalized experience for you and make things easier. By launching the default out-of-the-box implementation of GA4, standard tracking cookies are placed on your users' devices. Until 2020, such cross-border data transfers were considered legal thanks to the Privacy Shield framework. It's not clear whether Google will be updating this reporting tool in the future to provide more information about user events in the user explorer report out of the box, so I'd advise you to consider whether this is important to you before making the switch. While the company took steps to prepare for GDPR provisions, it didn't fully comply with important regulations around user data storage, transfer and security. First-party cookies are generally considered more acceptable and these are what help keep your password stored or your cart contents active; they're also what allows Google Analytics 4 to track data. To get a better grasp of whether you need to comply with the GDPR outside of Google Analytics, check out our article, Do I Need to Comply With the GDPR? While a Device ID cannot identify a natural person on its own, it can potentially identify an individual when combined with user data from other sources. New privacy controls in Google Analytics 4 do not resolve the underlying issue: unregulated, non-consensual EU-US data transfer. The Dutch Data Protection Authority and Norwegian Data Protection Authority also found Google Analytics guilty of a GDPR breach and seek to limit Google Analytics usage.
Improved custom reporting: giving you more power to create more in-depth reports about how users are interacting with your digital properties. But Google Analytics (like many other products) had no mechanism for: And these factors made Google Analytics in direct breach of GDPR, a territory where they remain as of 2022. In such a case, your website may well fall under the GDPR's scope. As before, Google provides no choices regarding the location of the server that will be processing the data it collects from its website. We recommend you seek additional legal advice if you are uncertain about how to interpret each country's cookie laws. Google Analytics 4 makes dramatic changes to how long data can be stored for. Practically, however, EEA consumers' data was still primarily transferred and processed in the US where most Google data centres are located. By leveraging machine learning and statistical modeling, GA4 can fill in data gaps as the world becomes less and less dependent on cookies. However, in GA4, IP Anonymisation is enabled by default and cannot be switched off. As more and more websites cookie users, they can begin to paint a more detailed picture of who you are, what you like, and what you're likely to do. Simply put, if your GA4 implementation collects personal data from the EU, then the GDPR will apply, but if not, then you will likely not fall under the GDPR's scope. However, it's just the beginning of a lengthy negotiation process. But what's all this about cookieless tracking in Google Analytics 4? Placing the full burden of obtaining new consent on the publisher is untenable without providing the publisher with the specific information needed to provide sufficient transparency or to obtain the requisite specific, granular and informed consent under the GDPR.
When you launch the standard out-of-the-box Google Analytics 4 properties, several relevant parameters are created, the most significant of which is the Device ID. Article 5 of the GDPR lays out seven main GDPR principles for personal data and privacy protection: Google claimed to have taken steps to make all of their products GDPR compliant ahead of the deadline. Since even hashed IP addresses are considered personal data under GDPR. This is considered yet another privacy-friendly upgrade from Universal Analytics which only allowed data to be erased within a fixed time range. It is, therefore, imperative for you (as a website owner or operator) to begin transitioning from Universal Analytics properties to GA4 if you haven't already done so. While these matters are getting hashed out, Google Analytics users, collecting data about EU citizens and/or residents, remain on slippery grounds. Better data accuracy: less reliance on data sampling than previous versions of Google Analytics, allowing for a more complete and accurate picture of your users' interactions with your website. It's unlikely that we'll have a good understanding of exactly what goes into these interest cohorts which not only reduces transparency, but by extension, further reduces precision. With that said, the regulations regarding cookie consent requirements differ from country to country, even within the EU.