Back to Blog

Should you use Google Analytics 4 when Universal Analytics shuts down?

Published on: 2022-5-23 Should you use Google Analytics 4 when Universal Analytics shuts down?

With the end of Universal Analytics, is Google Analytics 4 your best choice?

Marketers today have unprecedented access to data. This data is mined, and analysed to create sophisticated customer models that separate companies who do it well from the rest of the pack.

By using an advanced web analytics package, marketers can make sense of the vast amounts of data gathered from customer interactions with the company’s online presence.

So which analytical tool are you using to track your website and measure your metrics? Have you ever thought about its data privacy and security features?

W3tech survey estimates that 85.9% of websites use Google Analytics for analysis. A further 53% of web owners track their visitors using Google analytics. So what do these figures tell us?

There’s no doubt that Google is one of the most popular analytical tools. Google Analytics provides the basic statistics and tools to track website performance and bounce rates. It also helps marketers analyze their conversion rates and marketing effectiveness. Besides, it helps marketers understand the behaviour pattern of their site users.

What makes it popular? Is it because it’s free? What about its data privacy and security? Is it trustworthy?

Times are changing. And regulations worldwide are increasingly challenging the use of analytical tools. The concern hasn’t been about how the analytical tools work. Instead, it’s the privacy practices of the companies offering these services.

Did you know that if your country is bound by GDPR, using Google analytics may now be illegal? Did you also know that you now need more measures to transfer data with Google?

According to the “Schrems II” ruling, any data transfer to the US under the Foreign Intelligence Surveillance Act (FISA) Section 702 violates the GDPR. The EU Court of Justice also annulled the ‘privacy shield’ agreement on data transfer. The court considered the deal insufficient.

So What Does This Mean?

That even the Standard Contractual Clause that Google relied on to transfer data is no longer enough. Being GDPR compliant now means that the company needs to add more supplementary measures to the SCC.

How Has This Ruling Affected The Use Of Google Analytics?

The demand for consumer privacy is increasingly piling pressure on Google to comply. Why? For the longest time, Google has faced criticism for its tracking and unlawful data collection of EU Internet users. There are also concerns about its exposure of EU citizens’ sensitive information to US intelligence.

The latest to find the use of Google Analytics to violate the GDPR is the French Privacy data watchdog (CNIL). The decision comes after a similar one by its Austrian counterpart on 13th January 2022.

The CNIL’s and Austrian decisions come after investigating 101 complaints filed by NOYB in August 2020. The complaints were against EU/EEA-based companies. These were companies that breached GDPR by using Google Analytics on their websites.

According to NOYB, Google is an electronic communication service provider under US law. Thus, it is subject to complying with US intelligence’s surveillance requests. Hence, any data on EU citizens that Google retrieved was bound to leak to the US agencies.

Sharing citizens’ data between Google and US intelligence violates article 44. Why? The transaction lacks standard contractual clauses that guarantee the protection of this data.

What Were The Privacy Issues Raised In These Complaints?

Let’s start with the first decision, the Austrian ruling of 13th January 2022. The complaint came from visitors to an Austrian Website that uses Google analytics. The issue at hand was an IP address anomaly. According to DSB, the website’s IP anonymization function had not been appropriately implemented.

The authorities believe Google may have retrieved the site’s visitors’ data because of the IP anomaly. They may have also shared these personal details with the US authorities.

The website operator said they had an SCC agreement with Google in their defence. So the transfer was GDPR compliant. They also implemented measures, including encryption, to ensure adequate data protection.

But, the DSB said that wasn’t enough to address the risk. The authorities’ argument was Google was still a US company. And they would still hand over the decryption key to the US surveillance upon request.

Nonetheless, the board found no wrongdoing on Google’s side. They Instead found the website guilty; the controller was responsible for its users’ data.

Even though Goole seemed exonerated, the DSB opened the door to discourse. A discussion that would affect various analytical tools transferring data outside the EEA.

The French authorities also found the transfer of personal data between Google and a French website unlawful.

How was the usage of Google Analytics unlawful?

The authorities said the data these websites collected was too sensitive. So even the ‘Privacy shield’ the Websites used in this transfer was insufficient, as per the ‘Schrems II’ ruling.

Google said it used measures like anonymization and Pseudonymization to protect data during the transfer. Yet the French data authorities still watered down the said measure. French authorities said the Unique Universal identifiers used did not meet article 4 (5) of GDPR Pseudonymization. Eventually, the authorities ordered the website to put in adequate supplementary measures.

Decisions are now flowing. And they’ll continue to roll out throughout the EU and even beyond.

There’s also no denying that Google is feeling the heat from the customer demands and the EU privacy bodies. The company has been under scrutiny since the implementation of the GDPR. Its questionable data privacy and security practices have been the centre of attention. On 16th March 2022, Google finally announced its phasing out of Universal Analytics. The company is replacing the UA with a more privacy-focused Google Analytics 4 GA4 on 1st July 2023.

The new analytical tool is the default for digital analytics measurements in Google. The move aims to show their EU consumers that they care about their data privacy and are GDPR compliant.

Is The New Generation The Ultimate Solution To Data Privacy And Security?

Only time will tell. Some of the upgraded security and privacy features in GA4 include:

  • IP Masking/Anonymization
  • Doesn’t Use Third-Party Cookies
  • Server Sidetracking

IP Masking/Anonymization

IP masking involves protecting your user’s privacy by hiding their identity. You replace their original IP address with one nobody can associate with or trackback to your users. IP anonymization must occur before the processing and data storage. GA4 property enables the IP address anonymization by default. This differs from the UA property, where IP anonymization was disabled by default. The GA4 properties also allow websites to request their user’s IP addresses masking. They can, after that, send the hits to Google Analytics.

Why is it important?

The GDPR considers IP addresses as Personally Identifiable Information. Therefore, websites are not to store their user IP address information. The goal is to make connecting an IP address with a specific user almost impossible.

GA4 Doesn’t Use Third-Party Cookies

Universal Analytics uses third-party cookies to track internet users’ online activities. This is a breach of GDPR. The regulation considers cookies ID personal data that individuals can use to identify you without your consent. Google Analytics uses the cookies without asking for users’ consent, something the regulation considers unlawful.

Google thus announced that it will stop its use of third-party cookies in its browser chrome in late 2023. The new GA4 property is GDPR cookie compliant as it won’t be relying on third-party cookies. Sandbox, which improves users’ privacy, is Google Analytics’ new cross-tracking technology.

There’s Also Server Sidetracking For The GA4

Google’s GA4 property also has a sidetracking server default for the new tool. The tracker allows you to send and receive data from your user’s browser to your Web server first. After that, you can transfer it to an additional data collection platform Google.

The new feature lets you decide where to store your data with many EU data centres. It, therefore, puts you in control as you determine what data to track. Besides, you can decide where to send your data to ensure your visitor’s data is better protected and secure.

How Is Google Analytics 4 EU Privacy-Focused?

Google is on the verge of ensuring that it gets in the EU citizens’ good books. Some of the EU privacy-focused measures it has implemented in GA4 include:

  • No log-in or storing of IP addresses collected from EU users before logging in data through the EU domains and servers.
  • It also disables the collection of Google signals data on a per-region basis.
  • Disables the collection of the granular location of devices data per–region.
  • It also collects the EU data from EU–based devices through domains and servers based in the EU. The website owners can forward this data to Google Analytics servers for processing.

Google has worked hard to assure the EU citizens of their data’s safety. However, is it enough to guarantee you some peace of mind? Why are users still sitting on the fence? Why are they reluctant to switch to GA4? One thing is clear; brands don’t feel ready for the change.

Nobody’s sure of what the future holds for Google. The only sure thing is that consumers still want personalization. Businesses must also collect relative metrics but with their consumer privacy in mind.

Don’t you think it’s time to think about more privacy-friendly alternative analytical tools? An EU-based analytical tool that’s GDPR compliant? One that will protect your user data, offer secure hosting, and guarantee to work in line with the GDPR?

Google Analytics 4 offers IP anonymization, etc. The mechanism aims to address GDPR and privacy regulations. We also understand that the EU processes and anonymizes its citizens’ data. However, based on the Schrems II ruling, this is questionable assurance.

Why? Google still owns servers processing data in the EU and is subject to US Surveillance laws. Additional rulings regarding GA4 by European Data Protection Authorities will probably follow.

Why not future-proof your solution? Skip GA4 adoption, and choose GDPR Compliant EU-based web analytics by Wide Angle Analytics.