Google Analytics 4: New clothes, but legally nothing changes?

Key Facts

Google will discontinue support for Universal Analytics on July 1, 2023 and introduce Google Analytics 4 (GA4).
GA4 raises similar data protection issues to Universal Analytics, particularly with regard to the GDPR and user consent.
Data protection authorities in Austria, France and Italy have already taken action against the use of Universal Analytics without consent.
Companies must ensure a lawful basis for processing personal data under the GDPR.
Data transfer to third countries requires special attention in order to comply with GDPR regulations.
Alternatives to GA4, such as Matomo, should be carefully considered in order to meet data protection challenges.
Companies must update data protection guidelines and provide transparent information about the use of GA4.

The introduction of Google Analytics 4 and data protection challenges

Content Hide

1. The introduction of Google Analytics 4 and data protection challenges

2. Data protection requirements and GA4

3. Third-country transfers and alternatives to Google Analytics 4

3.1. Author: Marian Härtel

Google recently announced that as of July 1, 2023, it will only operate Google Analytics 4 (GA4), discontinuing support for the previous version, Universal Analytics. Although the announcement was expected, it represents a significant step in the evolution of Google Analytics. The new GA4 was initially touted as more user-friendly and DSGVO-compliant. However, a closer look reveals similar legal problems to the previous version.

Data protection requirements and GA4

GA4, the new version of Google Analytics that will go live on July 1, 2023, raises several privacy issues. As with its predecessor, Universal Analytics, GA4 uses cookies. This raises concerns about compliance with the General Data Protection Regulation (GDPR), particularly with regard to the need for users to consent to the setting of cookies.

Data protection authorities in several European countries, including Austria, France, and Italy, have already taken action to stop companies from using the previous version, Universal Analytics, without users’ explicit consent. It is likely that similar concerns, and possibly regulatory action, will arise regarding GA4.

Another problem under data protection law is the processing of personal data. Companies using GA4 must ensure that they have a lawful basis for processing personal data, as required by the GDPR. This could include obtaining explicit consent from users.

In addition, companies using GA4 are required to ensure that data transfers to third countries are in compliance with the GDPR regulations. This is particularly relevant because Google Analytics often processes data in data centers outside the European Union.

Given these privacy challenges, it is critical for organizations using or planning to use GA4 to be aware of the legal requirements and take appropriate steps to ensure compliance with privacy laws. This includes companies updating their privacy policies and providing transparent information about the use of GA4 and the processing of personal data.

Third-country transfers and alternatives to Google Analytics 4

Beyond the use of cookies, companies using GA4 face the additional challenge of transferring data to countries that may not have the same data protection standards as the European Union. The possibility of data transfer to a third country that is considered insecure adds complexity to the decision to use GA4. Data protection authorities may raise concerns due to the uncertainties associated with transferring data to countries without sufficient data protection standards, especially if there is no valid adequacy decision justifying such transfers.

Given this layered nature of privacy concerns, companies must carefully consider which analytics tools to use. Alternatives such as Matomo, which is based within the European Union, could be considered as more secure options. However, some companies may prefer to use GA4, but must consider the potential business risk of a dispute with data protection authorities.

It is critical that companies, regardless of their choice, carefully consider all data protection requirements and, where appropriate, obtain users’ consent for the processing of their data.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Privacy