The introduction of Google Analytics 4 and data protection challenges
Google recently announced that as of July 1, 2023, it will only operate Google Analytics 4 (GA4), discontinuing support for the previous version, Universal Analytics. Although the announcement was expected, it represents a significant step in the evolution of Google Analytics. The new GA4 was initially touted as more user-friendly and DSGVO-compliant. However, a closer look reveals similar legal problems to the previous version.
Data protection requirements and GA4
Data protection authorities in several European countries, including Austria, France, and Italy, have already taken action to stop companies from using the previous version, Universal Analytics, without users’ explicit consent. It is likely that similar concerns, and possibly regulatory action, will arise regarding GA4.
Another problem under data protection law is the processing of personal data. Companies using GA4 must ensure that they have a lawful basis for processing personal data, as required by the GDPR. This could include obtaining explicit consent from users.
In addition, companies using GA4 are required to ensure that data transfers to third countries are in compliance with the GDPR regulations. This is particularly relevant because Google Analytics often processes data in data centers outside the European Union.
Given these privacy challenges, it is critical for organizations using or planning to use GA4 to be aware of the legal requirements and take appropriate steps to ensure compliance with privacy laws. This includes companies updating their privacy policies and providing transparent information about the use of GA4 and the processing of personal data.
Third-country transfers and alternatives to Google Analytics 4
Given this layered nature of privacy concerns, companies must carefully consider which analytics tools to use. Alternatives such as Matomo, which is based within the European Union, could be considered as more secure options. However, some companies may prefer to use GA4, but must consider the potential business risk of a dispute with data protection authorities.
It is critical that companies, regardless of their choice, carefully consider all data protection requirements and, where appropriate, obtain users’ consent for the processing of their data.