The introduction of Google Analytics 4 and data protection challenges

Google recently announced that as of July 1, 2023, it will only operate Google Analytics 4 (GA4), discontinuing support for the previous version, Universal Analytics. Although the announcement was expected, it represents a significant step in the evolution of Google Analytics. The new GA4 was initially touted as more user-friendly and DSGVO-compliant. However, a closer look reveals similar legal problems to the previous version.

Data protection requirements and GA4

GA4, the new version of Google Analytics that will go live on July 1, 2023, raises several privacy issues. As with its predecessor, Universal Analytics, GA4 uses cookies. This raises concerns about compliance with the General Data Protection Regulation (GDPR), particularly with regard to the need for users to consent to the setting of cookies.

Data protection authorities in several European countries, including Austria, France, and Italy, have already taken action to stop companies from using the previous version, Universal Analytics, without users’ explicit consent. It is likely that similar concerns, and possibly regulatory action, will arise regarding GA4.

Another problem under data protection law is the processing of personal data. Companies using GA4 must ensure that they have a lawful basis for processing personal data, as required by the GDPR. This could include obtaining explicit consent from users.

In addition, companies using GA4 are required to ensure that data transfers to third countries are in compliance with the GDPR regulations. This is particularly relevant because Google Analytics often processes data in data centers outside the European Union.

Given these privacy challenges, it is critical for organizations using or planning to use GA4 to be aware of the legal requirements and take appropriate steps to ensure compliance with privacy laws. This includes companies updating their privacy policies and providing transparent information about the use of GA4 and the processing of personal data.

Third-country transfers and alternatives to Google Analytics 4

Beyond the use of cookies, companies using GA4 face the additional challenge of transferring data to countries that may not have the same data protection standards as the European Union. The possibility of data transfer to a third country that is considered insecure adds complexity to the decision to use GA4. Data protection authorities may raise concerns due to the uncertainties associated with transferring data to countries without sufficient data protection standards, especially if there is no valid adequacy decision justifying such transfers.

Given this layered nature of privacy concerns, companies must carefully consider which analytics tools to use. Alternatives such as Matomo, which is based within the European Union, could be considered as more secure options. However, some companies may prefer to use GA4, but must consider the potential business risk of a dispute with data protection authorities.

It is critical that companies, regardless of their choice, carefully consider all data protection requirements and, where appropriate, obtain users’ consent for the processing of their data.