Is Google Analytics 4 GDPR-compliant?

We explain the recent European legal rulings about Google Analytics and GDPR compliance, what Google is doing about it, and how companies can protect data.
by Usercentrics
Nov 9, 2023

Google Analytics is a powerful tool for understanding website performance, user behavior, and traffic patterns. However, its compliance with the General Data Protection Regulation (GDPR) has been a subject of concern and controversy, particularly in the European Union (EU). The data protection authorities of several EU countries have weighed in on privacy compliance issues with Google Analytics, with similar complaints that focus on its insufficient protections and data transfer practices.

In this article, we’ll examine the timeline of EU-US data transfers and the law, the relationship between Google Analytics and data privacy, and whether Google’s popular service is — or can be — GDPR-compliant.

Google Analytics and data transfers between the EU and US

One of the key compliance issues with Google Analytics is its storage of user data, including EU residents’ personal information, on US-based servers. Because Google is a US-owned company, the data it collects is subject to US surveillance laws, potentially creating conflicts with EU privacy rights.
 
At the time of the EU countries’ rulings, there was no privacy adequacy agreement in place. The July 2020 Schrems II ruling invalidated the EU-US Privacy Shield that enabled data transfers between the EU and the US, on the basis that the US did not provide adequate protection for data.
 
As a result, from mid-2020 to September 2021, data transfers from the EU to the US could not be made based on the Privacy Shield or pre-approved model data contract clauses known as Standard Contractual Clauses (SCCs).
 
New SCCs were released in September 2021, which were viewed as a somewhat adequate safeguard if there were additional measures like encryption or anonymization, to make data inaccessible by US authorities.

A wave of rulings against Google Analytics after the Privacy Shield

 
The Schrems II ruling sparked a series of legal issues and decisions by European Data Protection Authorities (DPAs) across Austria, France, Italy, and other countries, declaring the use of Google Analytics as noncompliant with the GDPR.

Austria

On Jan 12, 2022, the Austrian DPA Datenschutzbehörde (DSB) ruled that the use of Google Analytics violated the Schrems II ruling. Even though the company tried to anonymize IP addresses, the effort was deemed inadequate because anonymization likely occurred only after the data reached US servers. Encryption was also deemed insufficient, as US authorities could legally access the encryption keys.

France

In February 2022, the Commission Nationale de l’Informatique et des Libertés (CNIL) found that the use of Google Analytics was not compliant with Article 44 of the GDPR, as users’ personal data was being transferred to a country without adequate data privacy protection. In June 2022, the CNIL issued updated guidance (in French) regarding the use of Google Analytics, giving organizations a month to update their usage of the service or risk regulatory enforcement.

Italy

In June 2022, Garante ruled that the transfer of data to the US via Google Analytics violated the GDPR. It emphasized that even shortened IP addresses are considered personal data and thus need a proper legal basis and protections, and that Google’s measures did not provide a sufficient level of protection for personal data collection.

Netherlands

In January 2022, the Dutch data protection authority AP announced investigations into two complaints against Google Analytics. These complaints echo similar issues raised in Austria, France, and Italy.

United Kingdom

Despite Brexit, the UK continues to maintain data protection laws similar to the EU’s GDPR. In January 2022, following the Austrian ruling, the UK data protection authority removed Google Analytics from its website.

Norway

In January 2022, Datatilsynet stated it would align with Austria’s decision against Google Analytics and publicly advised Norwegian companies to seek alternatives to the service.

Denmark

In September 2022, Datatilsynet stated that lawful use of Google Analytics “requires the implementation of supplementary measures in addition to the settings provided by Google.” It further stated that companies should stop using Google Analytics if they were unable to implement these additional measures.

Sweden

On July 3, 2023, IMY ordered four companies to stop using Google Analytics on the grounds that these companies’ additional security measures were insufficient for protecting personal data. It also stated that this decision should provide guidance for other companies using the service.

European Parliament

A week before the Austrian ruling, the European Data Protection Supervisor (EDPS) sanctioned the European Parliament for using Google Analytics on its COVID testing sites due to insufficient data protections. This is viewed as one of the earliest post-Schrems II rulings and set the tone for additional legal complaints.

The EU-U.S. Data Privacy Framework: A game changer?

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, which covers data transfers among the EU, European Economic Area (EEA) and the US in compliance with the GDPR.
 
This new framework addresses some concerns raised by Schrems II, introducing new conditions for data collection and restricting how US agencies can gather intelligence.
 
However, the new framework has received some criticism from experts and stakeholders. Some privacy watchdogs, including the European Data Protection Board (EDPB), have pointed out striking similarities between the new and the previous agreements, raising doubts about its efficacy in protecting EU residents’ data.
 
There are also concerns with the Civil Liberties Protection Officer (CLPO) and Data Protection Review Court (DPRC), the redress mechanisms under the Framework:

  • The complainant will have to make a complaint to an EU Data Protection Authority and therefore won’t be heard by these authorities directly.
  • The CLPO and DPRC are not required to inform the complainant whether or not their data was subject to US signals intelligence activities.
  • The DPRC is not a court at all but a “partly independent executive body”.

Privacy rights activists have declared their intent to file challenges against the Framework. Meanwhile, French Member of the European Parliament, Philippe Latombe, took legal action in September 2023 by filing two lawsuits in the EU Court of Justice to overturn the Data Privacy Framework.

Does the EU-U.S. Data Privacy Framework make Google Analytics GDPR-compliant?

The Data Privacy Framework is facing legal challenges, but it is in effect today and data transfers between the EU and US are considered valid if they comply with its requirements.
 
The various EU rulings that use of Google Analytics, which runs on tens of millions of websites, could be grounds for noncompliance penalties have understandably concerned many website operators in the EU. But these rulings were made before two key developments in July 2023:

  • the adoption of the EU-U.S. Data Privacy Framework
  • Universal Analytics — the third iteration of Google Analytics — stopped collecting new data, and Google Analytics 4 became Google’s primary analytics platform

Google Analytics 4 introduces several new features and privacy controls, including cookieless measurement and conversion modeling, which Google claims make it more privacy-friendly.
 
However, the question remains: is Google Analytics 4 GDPR-compliant?
 
Google Analytics 4 has several significant changes compared to Universal Analytics. The new version adopts an event-based measurement model, contrasting with the session-based data model of Universal Analytics. This shift enables Google Analytics 4 to capture more granular user interactions, better capturing the customer journey across devices and platforms. Website owners can disable the collection of granular data such as city, latitude and longitude. Website owners also have the option to delete user data upon request.
 
Another notable feature is that Google Analytics 4 does not log or store IP addresses from EU-based users. According to Google, this is part of Google Analytics 4’s EU-focused data and privacy measures. This potentially addresses one of the key privacy concerns raised by the Data Protection Authorities, which found that anonymizing IP addresses was not an adequate level of protection.
 
The EU-U.S. Data Privacy Framework alone doesn’t make Google Analytics 4 GDPR-compliant. The framework can make data transfers to the US compliant, if they are with a certified US company, but the onus is on website owners to ensure that the data was collected in compliance with the legal requirements of the GDPR in the first place.

Recommendations for companies to become GDPR-compliant with Google Analytics 4

1. Obtain explicit user consent before activating cookies

All Google Analytics cookies should be set up and controlled so they only activate after users have granted explicit consent. Users should also have granular control so that they can choose to allow cookies for one purpose while rejecting cookies for another.

A consent management platform (CMP) like Usercentrics can block services from activating until user consent has been obtained. If consent is withheld, Google Analytics has nothing to transfer, because it never collected the data in the first place.

2. Use Google Consent Mode

Google Consent Mode allows websites to dynamically adjust the behavior of Google tags based on the user’s consent choices regarding cookies. This feature ensures that measurement tools, such as Google Analytics, are only used for specific purposes if the user has given their consent, even though the tags are loaded onto the webpage before the cookie consent banner appears. By implementing Google Consent Mode, websites can modify the behavior of Google tags after the user allows or rejects cookies, so that they don’t collect data without consent.
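The two points above (activating cookies only after consent, and adjusting tag behavior through Consent Mode) can be combined in a small consent gate. The following is an added example written for this article; it is not Usercentrics CMP code and not Google’s library. The `dataLayer` array, the `gtag()` shim, and the consent signal names (`analytics_storage`, `ad_storage`, `ad_user_data`, `ad_personalization`) are the documented gtag.js conventions; the `choice` object shape, the `inject` hook, and the `G-XXXXXXXXXX` measurement ID are assumptions and placeholders for illustration.

```javascript
// Added example: consent-gated loading of Google Analytics 4 with Consent Mode.
// Runs in a browser or under Node (a DOM is only needed to actually inject the tag).
const root = typeof window !== "undefined" ? window : globalThis;
root.dataLayer = root.dataLayer || [];
function gtag() { root.dataLayer.push(arguments); } // gtag.js convention

// Step 1: declare a "denied" default BEFORE any Google tag script is loaded.
// Tags loaded later honour this state until an update arrives.
function setDefaultConsent() {
  gtag("consent", "default", {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
    wait_for_update: 500, // ms to wait for the banner before firing hits
  });
}

// Step 2: granular update from the banner. `choice` is an assumed shape:
// { analytics: bool, marketing: bool }. Each purpose maps to its own signals,
// so a user can allow analytics while rejecting advertising cookies.
function applyConsentChoice(choice) {
  const update = {
    analytics_storage: choice.analytics ? "granted" : "denied",
    ad_storage: choice.marketing ? "granted" : "denied",
    ad_user_data: choice.marketing ? "granted" : "denied",
    ad_personalization: choice.marketing ? "granted" : "denied",
  };
  gtag("consent", "update", update);
  return update;
}

// Default tag loader; replaced by a spy in tests. No-op without a DOM.
function injectScript(src) {
  if (typeof document === "undefined") return;
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}

// Step 3: only inject the GA4 tag once analytics consent exists, and only once.
const loadedTags = new Set();
function loadAnalyticsIfConsented(choice, measurementId, inject = injectScript) {
  if (!choice.analytics) return false;           // nothing loaded, nothing collected
  if (loadedTags.has(measurementId)) return true; // idempotent on repeated banner events
  inject(`https://www.googletagmanager.com/gtag/js?id=${measurementId}`);
  gtag("js", new Date());
  gtag("config", measurementId);
  loadedTags.add(measurementId);
  return true;
}

// Check helper: the effective consent state is the merge of all consent
// commands pushed so far (default first, then updates).
function currentConsentState() {
  const state = {};
  for (const entry of root.dataLayer) {
    if (entry[0] === "consent") Object.assign(state, entry[2]);
  }
  return state;
}

// Usage with a placeholder measurement ID (not a real property):
setDefaultConsent();
const MEASUREMENT_ID = "G-XXXXXXXXXX";
const userChoice = { analytics: false, marketing: false }; // constructed banner result
applyConsentChoice(userChoice);
loadAnalyticsIfConsented(userChoice, MEASUREMENT_ID);
```

The ordering matters: `setDefaultConsent()` must run before any tag script is on the page, and the tag itself is only injected when the analytics purpose has been granted, so a rejection leaves neither cookies nor hits behind.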

3. Provide a detailed privacy policy and cookie policy

Website operators must provide clear, transparent data processing information for users on the website. This information is included in the privacy policy. Information related specifically to cookies should be provided in the cookie policy, with details of the Google Analytics cookies and other tracking technologies that are used on the site, including the data collected by these cookies, the provider, duration and purpose. The cookie policy is often a separate document, but can be a section within the broader privacy policy.
 
The GDPR requires user consent to be informed, which is what the privacy policy is intended to enable. To help craft a GDPR-compliant privacy policy, extensive information on the requirements can be found in Articles 12, 13 and 14 GDPR.

4. Enter into a Data Processing Agreement with Google

 
A data processing agreement (DPA) is a legally binding contract and a crucial component of GDPR compliance. The DPA covers important aspects such as confidentiality, security measures and compliance, data subjects’ rights, and the security of processing. It helps to ensure that both parties understand their responsibilities and take appropriate measures to protect personal data. Google has laid down step-by-step instructions on how to accept its DPA.

The impact of the Digital Markets Act on Google Analytics 4

The implementation of the Digital Markets Act (DMA) is likely to have an impact on Google Analytics 4, affecting its functions, data collection practices, and privacy policies. Website owners who use the platform are encouraged to take the following steps to prepare:

  • Audit your privacy policy, cookies policy and data practices.
  • Conduct a data privacy audit to check compliance with GDPR, and take any corrective steps if necessary.
  • Install a CMP that enables GDPR compliance, to obtain valid user consent per the regulation’s requirements.
  • Seek advice from qualified legal counsel and/or a privacy expert, like a Data Protection Officer, on measures required specific to your business.

Learn more about DMA compliance.

How to use Google Analytics 4 and achieve GDPR compliance with Usercentrics CMP

To meet the conditions of Article 7 GDPR for valid user consent, website operators must obtain explicit end-user consent for all Google Analytics cookies set by the website. Consent must be obtained before these cookies are activated and in operation. Usercentrics’ DPS Scanner helps identify all cookies and tracking services in use on a website and communicate them to users, so that the consent options presented cover every service.

Conclusion and next steps with Google Analytics

Many organizations use Google Analytics on their websites because it provides extensive data and powerful tools to help lower bounce rates, visualize data, optimize web rankings, learn about and segment visitors, and more. It also integrates well with other Google tools.
 
Google Analytics helps companies pursue growth and revenue goals, so understandably, businesses are caught between not wanting to give that up, but also not wanting to risk GDPR violation penalties or the ire of their users over lax privacy or data protection.
 
Day to day, it is up to website operators to keep up with current regulations and privacy requirements, and do what is necessary to achieve and maintain privacy compliance to protect users. Aside from legal necessity, taking these steps also helps build trust and long-term relationships with users.
 
The Usercentrics team closely monitors regulatory changes and legal rulings, makes updates to our services and posts recommendations and guidance as appropriate. However, website operators should always get relevant legal advice from qualified counsel regarding data privacy, particularly in jurisdictions relevant to them. This includes circumstances where there could be data transfers outside of the EU to countries without adequacy agreements for data privacy protection.
 
As the regulatory landscape and privacy compliance requirements for companies are complex and ever-changing, we’re here to help.
 
Book a demo and see how the Usercentrics CMP can help with your company’s data privacy goals.
 
Or contact one of our experts today. We’re happy to answer all your questions.

FAQs

Is Google Analytics 4 GDPR-compliant?

Google Analytics 4 has introduced new features and privacy controls that are a step towards GDPR compliance. However, GDPR compliance is a multi-step process, and it is the responsibility of website owners to ensure that the data Google Analytics 4 collects is collected in compliance with the GDPR.

How can I make Google Analytics 4 GDPR-compliant?

You can make collection of data by Google Analytics 4 GDPR-compliant by taking several steps, including:

  • obtaining explicit user consent through opt-in cookie consent banners
  • using Google Consent Mode
  • having a detailed privacy and cookie policy
  • entering into a Data Processing Agreement with Google
  • consulting with legal counsel and/or a privacy expert

Do I need a privacy policy for Google Analytics?

Yes, if you use Google Analytics, you must include information in the privacy policy on your website that discloses the use of cookies and details how data is collected, processed and shared.

Is Google Analytics 4 illegal in the EU?

Google Analytics has been deemed noncompliant by several data protection authorities in the EU. However, these rulings were made before the adequacy decision in the EU-U.S. Data Privacy Framework and the adoption of Google Analytics 4 as the primary analytics platform, so recommendations may have changed. Although there are criticisms of this framework and legal challenges, there are currently no rulings deeming it illegal in light of these developments.

Does Google Analytics collect personal data?

Yes, Google Analytics does collect personal data. Some examples include IP addresses, Unique User Identifiers, browser and device information, geolocation data, and interactions with the website (such as page views, clicks, and conversions). These data points are used to analyze website traffic and user behavior, providing insights for website owners to improve their online presence.

Does Google Analytics 4 share the same GDPR compliance issues as Universal Analytics?

Google Analytics 4 has made changes compared to Universal Analytics that address some of the GDPR compliance issues. Website owners can disable data collection on granular details like city, latitude, and longitude, and they can delete user data on request. Additionally, GA4 does not log or store IP addresses of EU-based users, which addresses a key privacy concern raised by data protection authorities. However, website owners still need to ensure compliance with the GDPR by obtaining explicit consent and implementing privacy measures.

Can server-side tracking make Google Analytics more privacy-friendly?

Server-side tracking allows personally identifiable information (PII) to be removed or anonymized before it reaches Google’s servers. This approach can improve data accuracy by circumventing client-side blockers, and it offers a way to better align with data protection regulations like the GDPR. By routing data through your own server first, you gain more control over what eventually gets sent to Google Analytics.
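To make “removal or anonymization of PII before it reaches Google’s servers” concrete, here is an added example of a minimisation filter that a self-hosted collection endpoint could apply to each event before forwarding it. It is not Usercentrics’ or Google’s code and does not reproduce the schema of Google’s server-side tagging product: the event shape (`name`, `params`, `client_ip`), the parameter denylist, the query-string keys treated as sensitive, the IP truncation widths (/24 and /48) and the sample event are all constructed assumptions for illustration.

```javascript
// Added example: strip or coarsen PII in an analytics event before forwarding.
// Assumed event shape: { name, params: {...}, client_ip }.

// Parameter names that never leave the server (assumed denylist).
const PII_PARAM_NAMES = new Set(["email", "phone", "name", "address", "user_id"]);
// Query-string keys that commonly carry identifiers (assumed).
const PII_QUERY_KEYS = new Set(["email", "token", "session", "uid"]);
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Coarsen an IP so it no longer identifies a single host:
// IPv4 keeps the first three octets (/24), IPv6 the first three hextets (/48).
function truncateIp(ip) {
  if (ip.includes(":")) {
    const left = ip.split("::")[0];              // hextets before any "::"
    return left.split(":").filter(Boolean).slice(0, 3).join(":") + "::";
  }
  const octets = ip.split(".");
  if (octets.length !== 4) return null;           // unparseable: drop rather than forward
  return octets.slice(0, 3).join(".") + ".0";
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Remove sensitive query parameters from a page URL; null if not a valid URL.
function stripPiiFromUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  for (const key of [...url.searchParams.keys()]) {
    if (PII_QUERY_KEYS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  return url.toString();
}

// Returns a new event with PII removed plus the list of dropped parameter names,
// so the endpoint can log what was filtered without logging the values.
function sanitizeEvent(event) {
  const params = {};
  const dropped = [];
  for (const [key, value] of Object.entries(event.params || {})) {
    if (PII_PARAM_NAMES.has(key.toLowerCase())) { dropped.push(key); continue; }
    if (key === "page_location" && typeof value === "string") {
      const cleaned = stripPiiFromUrl(value);
      // Drop the URL entirely if it is malformed or still carries an e-mail address.
      if (cleaned === null || EMAIL_RE.test(safeDecode(cleaned))) { dropped.push(key); continue; }
      params[key] = cleaned;
      continue;
    }
    // Free-text values that look like an e-mail address are dropped too.
    if (typeof value === "string" && EMAIL_RE.test(safeDecode(value))) { dropped.push(key); continue; }
    params[key] = value;
  }
  return {
    name: event.name,
    params,
    client_ip: event.client_ip ? truncateIp(event.client_ip) : null,
    dropped,
  };
}

// Constructed sample event (documentation-range IP, example.com URL).
const SAMPLE_EVENT = {
  name: "page_view",
  client_ip: "203.0.113.77",
  params: {
    page_location: "https://example.com/account?email=a%40example.com&page=2",
    engagement_time_msec: 120,
    email: "a@example.com",
    note: "contact me at b@example.org",
  },
};

console.log(JSON.stringify(sanitizeEvent(SAMPLE_EVENT), null, 2));
```

The filter is deliberately conservative: anything it cannot parse (a malformed IP or URL) is dropped rather than forwarded, and the `dropped` list lets you monitor how often PII is arriving from the client, which is itself a signal that a form or URL scheme on the site needs attention.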

How does Google Analytics tracking apply to the GDPR?

Google Analytics 4 uses cookies and collects user data like location, device, and behavior, which falls under the purview of the GDPR when dealing with EU citizens. Under the GDPR, companies using Google Analytics must gain explicit user consent for data collection and must provide a clear explanation of what the data will be used for. Non-compliance can result in significant fines and legal repercussions.

How do you allow a user to delete their data from Google Analytics 4?

Users can request website owners to delete their data from Google Analytics. Website owners can follow the steps outlined here to delete a user’s data from Google Analytics 4.

What is the Digital Markets Act (DMA)?

The Digital Markets Act is a regulation that applies to large tech companies operating in the European Union and/or European Economic Area. It aims to improve fairness, innovation, and foster competition. It requires increased transparency, data sharing, and platform interoperability. It also increases user choice and data privacy.

Six companies have been designated as gatekeepers, with specific obligations under the law: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. Third-party companies that use the gatekeepers’ platforms and services will likely be required to meet certain compliance requirements, too, to be able to retain access to the gatekeepers’ digital ecosystem for business operations.

What is the scope of the Digital Markets Act?

The Digital Markets Act largely focuses on fostering fairer, more transparent, and more competitive digital markets, in addition to enhancing consumers’ data privacy. The primary goal is to enable smaller third-party businesses relying on the gatekeepers’ core platform services to grow and innovate by better competing with the big tech companies, and to prevent the gatekeepers from using their power and reach to stifle the operations and growth of smaller companies.

What are core platform services (CPS)?

The European Commission has identified 22 core platform services (CPS) that are owned and operated by the gatekeepers and are integral to digital business operations. Selection criteria included number of monthly active users, revenues, and other considerations. The CPS include online search engines, operating systems, web browsers, voice assistants, online social networks, video sharing platforms, and more. The 22 CPS identified to date under the DMA are:

  • 6 intermediary platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
  • 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
  • 3 online advertising services (Amazon, Google, and Meta)
  • 3 most popular operating systems (Google Android, iOS, Windows PC OS)
  • 2 large communication services (Facebook Messenger and WhatsApp)
  • 2 web browsers (Chrome and Safari)
  • 1 search engine (Google)
  • 1 video sharing platform (YouTube)

What are the regulatory obligations of the Digital Markets Act?

The main obligations of the Digital Markets Act on gatekeepers are to:

  • eliminate unfair or anti-competitive practices
  • provide access to data gathered or generated on their platforms
  • ensure interoperability
  • prevent favoring their own or specific partners’ functionality or services
