The introduction of Google Analytics 4 and data protection challenges
Google recently announced that from July 1, 2023, only Google Analytics 4 (GA4) will be operated, with support for the previous Universal Analytics version being discontinued. Although the announcement was expected, it represents a significant step in the evolution of Google Analytics. The new GA4 was initially touted as more user-friendly and DSGVO-compliant. On closer inspection, however, similar legal problems arise as with the previous version.
Data protection requirements and GA4
GA4, the new version of Google Analytics, which will go live on July 1, 2023, raises several data protection issues. As with its predecessor, Universal Analytics, GA4 uses cookies. This raises concerns about compliance with the General Data Protection Regulation (GDPR), particularly with regard to the need for users to consent to the setting of cookies. Data protection authorities in several European countries, including Austria, France, and Italy, have already taken action to stop companies from using the previous version, Universal Analytics, without users’ explicit consent. It is likely that similar concerns, and possibly regulatory action, will arise regarding GA4. Another problem under data protection law is the processing of personal data. Companies using GA4 must ensure that they have a lawful basis for processing personal data, as required by the GDPR. This could include obtaining explicit consent from users. In addition, companies using GA4 are required to ensure that data transfers to third countries are in compliance with the GDPR regulations. This is particularly relevant because Google Analytics often processes data in data centers outside the European Union. Given these privacy challenges, it is critical for organizations using or planning to use GA4 to be aware of the legal requirements and take appropriate steps to ensure compliance with privacy laws. This also includes companies updating their data protection guidelines and providing transparent information about the use of GA4 and the processing of personal data.
Third-country transfers and alternatives to Google Analytics 4
Beyond the use of cookies, companies using GA4 face the additional challenge of transferring data to countries that may not have the same data protection standards as the European Union. The possibility of data transfer to a third country that is considered insecure adds complexity to the decision to use GA4. Data protection authorities may raise concerns due to the uncertainties associated with transferring data to countries without sufficient data protection standards, especially if there is no valid adequacy decision justifying such transfers. Given this layered nature of privacy concerns, companies must carefully consider which analytics tools to use. Alternatives such as Matomo, which is based within the European Union, could be considered as more secure options. However, some companies may prefer to use GA4, but must consider the potential business risk of a dispute with data protection authorities. It is critical that companies, regardless of their choice, carefully consider all data protection requirements and, where appropriate, obtain users’ consent for the processing of their data.
