Google Analytics 4 embraces an improved data privacy policy that primarily focuses on:
- Not logging IP addresses so individuals don’t get identified through report data.
- Dropping any sensitive data collected from EU users before logging that data via EU domains and servers to keep the privacy of EU users.
It also features an option to disable the collection of Google Signals data on a per-region basis, and derivation and storage of region and device dimensions.
Is Google Analytics 4 GDPR compliant?
GA4 is not fully GDPR-compliant for EU citizens and residents, even though it has updated privacy features like IP anonymization by default, shorter data storage times, the location of servers, a consent mode, and the ability for users to delete their personal data. Even within the EU, each country has different rules about privacy.
Here are the current facts about GDPR compliance of GA4 :
- By default, GA4 won't keep track of users' IP addresses.
- You can decide whether to keep data for 2 or 14 months.
- GA4 doesn't let users choose where their data will be stored. This means that you need to take extra steps to meet the requirements of the GDPR for data transfer if your website is based in the EU or has users from the EU.
So, if you want to give Google limited access to your data, you need to sign a data processing agreement with Google. Also, your website needs a Privacy Policy that explains how international data transfers work.
On 10 July 2023, the EU-US Data Privacy Framework , which was recently made public, may assist with the legal issues that arise when Google Analytics transfers data.
What Does EU-Focused Data Privacy Offer?
The new policy of not logging IP addresses provides a multi-layered privacy system for EU users. GA4 now performs a geo-location lookup on an IP address to monitor:
- City (and the derived latitude, and longitude of the city),
- Continent,
- Country,
- Region,
- Subcontinent (and ID-based counterparts).
All this data is collected and processed in the EU, executing a higher-level geo-location on EU-based servers before sending the data to the Google Analytics servers.
In addition, once you activate Google signals, you can enable or disable collection of those signals on a per-region basis.
If you opt not to, you may miss granular location and device data such as:
- Browser minor version
- Browser User-Agent string
- Device brand
- Device model
- Device name
- Operating system minor version
- Platform minor version
- Screen resolution