Data is power. The more valuable data we have, the better we can analyze the future of our business. That’s why it’s important to gain valuable insights about your target audience in order to develop an effective strategy. Companies gather this information using a variety of tools and methods, and Google offers some of the most powerful tools on the market for this purpose. But countries may have concerns about the privacy of their citizens, and these concerns, in turn, can lead to new discussions between policymakers and companies.
The GDPR is a European Union (EU) law that ensures fair and transparent handling of personal data by organizations and businesses. The law contains many rules for the collection, use, and storage of data. In addition, we all already know that Universal Analytics (UA) will be replaced by Google Analytics 4 (GA4) in 2023. The new features show that it’s not simply a new version of UA: GA4 places more emphasis on privacy and is built on machine learning and artificial intelligence. Users can now expect many innovations in terms of security and privacy.
A short summary of Schrems II
Maximilian Schrems, who’s used Facebook since 2008 and lives in Austria, made a complaint to the Irish Data Protection Commissioner (DPC) on June 25, 2013. He requested that personal data collected by Facebook Ireland not be shared with Facebook Inc. on the grounds that laws and practices in the United States don’t provide sufficient protection against the surveillance activities of public entities. The Commissioner rejected this request, citing the Safe Harbour Decision. Schrems subsequently appealed to the High Court.
The High Court referred the matter to the Court of Justice of the European Union (CJEU) for a preliminary ruling on the interpretation and validity of the Safe Harbour Decision. The CJEU declared the Safe Harbour Decision invalid on October 6, 2015. Afterwards, the High Court annulled the decision rejecting Schrems’ complaint and returned it to the Commissioner.
During the investigation, Facebook Ireland disclosed that most of its data transfers to the US were based on the Standard Contractual Clauses (SCC) decision. The Commissioner then asked Schrems to reconsider his complaint. In response, Schrems explained that Facebook Inc. might be required under US law to share the transferred personal data with US government agencies such as the FBI and NSA. Therefore, he argued that the SCC decision cannot be a justification for the data transfer to the US because personal data is used in surveillance programs that violate the European Union’s Declaration of Fundamental Rights.
This time, the validity of the SCC decision itself came into question. The Commissioner applied to the High Court to seek a preliminary ruling from the CJEU, and the High Court referred the questions to the CJEU on May 4, 2018. In its decision of July 16, 2020, also called “Schrems II”, the CJEU declared the Privacy Shield, which allowed the transfer of data from the EU to the US, invalid. This means that the Privacy Shield is no longer a valid basis for the transfer of personal data from the EU to the US.
Any company outside the EU must take GDPR rules into account if it wants to transfer data out of the EU. The Schrems II Decision shows how the GDPR rules apply to companies that process the data of EU citizens. That is to say, all companies must properly store the data and transfer it securely.
Google Analytics and GDPR
Companies like Google can share users’ personal data with US authorities if necessary. This is a violation of the General Data Protection Regulation (GDPR). Accordingly, as the Schrems II ruling became a precedent, the Austrian Data Protection Authority (DPA) and the French Data Protection Authority (CNIL) have determined that Google Analytics is in violation of the GDPR. The European Data Protection Supervisor has sanctioned the EU Parliament for unauthorized data transfers between the EU and the US.
It’s been shown that processing of personal data may occur when cookies are used together with other elements, such as an IP address, to derive identification numbers. When a US-based company sets a cookie on a website managed by an EU organization, this action is considered a transfer of personal data.
In this situation, companies using Google Analytics need to go beyond the SCCs if there’s an international data transfer between the EU and the US based on the SCCs.
Security measures other than SCCs must also be in place to secure the transfer of data to the US. In addition, elements such as IP addresses must be anonymized, and personal data mustn’t be transferred to the US, so that no processing of personal data occurs there.
After all of these decisions, Google said on February 4, 2022, “We’re committed to providing our customers with controls to determine what data is collected and how it’s used, so they can meet their unique business and compliance needs.”
Recommendations to get closer to compliance
Under these circumstances, the following recommendations can bring a company closer to compliance:
- Companies can consider switching to alternative tools after analyzing their situation.
- The companies can use the IP anonymization feature of Google Analytics.
- The companies can consider implementing the enhanced privacy controls that Google also offers.
- The companies can obtain users’ consent to use Google Analytics.
- The companies can obtain explicit consent for the transfer to the US.
EU companies must ensure that data transfers to the US via Google Analytics are secure by adding security requirements outside the SCC or maximizing anonymization and limiting personal data. Or they can use another alternative tool.
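The consent and IP-anonymization recommendations above, as an added example that is not code from the original article or from Google: a consent-gated GA4 bootstrap built on Google Consent Mode (`gtag('consent', ...)`) and the gtag config flags, with Google Signals switched off per region as the GA4 regional controls allow. The measurement ID and the region list are constructed placeholders.

```javascript
// Added example, not from the original article: consent-gated GA4 bootstrap using
// Google Consent Mode and gtag config flags. Measurement ID and region list are
// constructed placeholders; the dataLayer/gtag shim mirrors the standard snippet.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }
// Constructed: regions where the privacy team keeps Google Signals (Ads cookie,
// cross-device data) switched off for visitors.
const SIGNALS_DISABLED_REGIONS = new Set(['AT', 'FR']);
// Step 1: before any tag fires, deny storage by default; wait_for_update (ms) gives
// the consent banner a window to answer before tags run with these defaults.
function setDefaultConsent() {
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    wait_for_update: 500,
  });
}
// Step 2: configure the property. anonymize_ip is the UA-era flag (GA4 no longer
// logs IPs regardless); allow_google_signals is the per-region Signals switch.
function configureAnalytics(measurementId, countryCode) {
  const signalsAllowed = !SIGNALS_DISABLED_REGIONS.has(countryCode);
  gtag('config', measurementId, {
    anonymize_ip: true,
    allow_google_signals: signalsAllowed,
    allow_ad_personalization_signals: signalsAllowed,
  });
  return signalsAllowed;
}
// Step 3: called by the consent banner; analytics and ads are separate decisions
// and only an explicit 'granted' unlocks each storage type.
function recordConsent(analyticsGranted, adsGranted) {
  gtag('consent', 'update', {
    analytics_storage: analyticsGranted ? 'granted' : 'denied',
    ad_storage: adsGranted ? 'granted' : 'denied',
  });
}
// Replays the dataLayer as a tag would (last 'consent' command per key wins), so a
// compliance review can see the state tags will actually act on.
function effectiveConsent() {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] !== 'consent') continue;
    for (const [key, value] of Object.entries(entry[2])) {
      if (key.endsWith('_storage')) state[key] = value;
    }
  }
  return state;
}
```

In a real page, the three calls run in that order: defaults first, then the `config` for the property, and `recordConsent` only when the visitor makes a choice; the consent records themselves still need to be stored separately as evidence for the assessment report.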
The EU Commission and the US agreed in March 2022 to work toward a new data protection framework. Predictions, data extrapolations, and estimates derived from anonymized users can reduce data quality, which in turn requires a lot of machine learning work to compensate.
Google Analytics 4 Privacy Updates
After all this, Google has announced that GA4 will replace Universal Analytics in 2023. Businesses have already begun transitioning their properties to GA4. It now offers more comprehensive privacy controls and also includes some privacy-related changes. It’s unclear whether these changes will influence the decisions of European regulators.
GA4 doesn’t log IP addresses
Google already offered the option to anonymize IP addresses, but as part of GA4’s privacy updates it will no longer log individual users’ IP addresses at all. IP addresses will still be collected and used for the initial top-level location lookup, but only this location metadata, not the IP address, will be stored for reporting purposes. For users in the EU, these operations will also take place on EU servers, which means the IP address is never transferred to or stored outside of Europe.
EU data is received and processed in the EU
Prior to this update, EU data was transferred to US servers and could be processed there. With this update, EU users’ data can only be processed in the EU.
Regional controls for Google Signals
Google Ads data is included in GA reports via Google Signals. When Signals is enabled, a Google Ads cookie is activated, which allows data about users who are signed in to a Google service in their browser to be stored. With the latest GA4 upgrade, regional control is now possible, allowing Signals to be turned off for all visitors from a particular region. Of course, remarketing is then no longer available in disabled regions, and downstream conversion modeling and reporting in Google Ads accounts are affected. Any business can still enable Signals in the EU, and doing so has significant business benefits, such as audience building, additional user analytics, and cross-device reporting. On the other hand, you need to carefully weigh the compliance risks against the business benefits.
Regional controls for the granular site and device data collection
With this update, some previously automatically collected location and device parameters can be disabled. If you disable this collection in certain regions, the following data is no longer gathered: city, latitude, longitude, browser minor version, browser user agent string, device brand, device model, device name, operating system minor version, platform minor version, and screen resolution.
The additional privacy controls are a significant improvement to mitigate the compliance risk associated with using GA3. Companies using the tool now have more privacy controls which allow them to make decisions to best comply with privacy principles. It’s important to have privacy and compliance teams review your use of GA4 and provide an assessment report. This document is essential in defending your business if you receive a complaint. Furthermore, it’s always a good idea to be prepared for alternative solutions. If you’re prepared in advance, the transition process will be less painful for your company.