29 August 2022

4 tips for using Google Analytics 4 in compliance with the GDPR

The General Data Protection Regulation (GDPR) has been a hot topic among marketers lately. With Google Analytics 4, Google has already taken a big step in the right direction in the field of privacy and compliance, but even now there are a number of things that you should pay close attention to. In this blog you’ll learn how you can use Google Analytics 4 and comply with the GDPR at the same time.

Two important developments within GA4 with regard to privacy:

  • Google Analytics 4 does not log or store individual IP addresses. However, it does use IP addresses to link a city name, continent, country, region and subcontinent to a user.
  • Google Analytics 4 collects all data from devices in the EU (based on the IP address) via European domains and servers, after which the data is shared with other servers for processing.

In this blog I will help you to better comply with the GDPR through the following four steps:

  1. Check data sharing settings
  2. Set up data settings properly
  3. Check User ID function
  4. Correct notification on the website

Of course I cannot give you legal advice and it is important that you find out for yourself whether you fully comply with the privacy laws and regulations that apply to you.

Step 1: Configure Data Sharing settings

Go to Account Settings and make sure all checkboxes under ‘Data sharing settings’ are empty (not checked).

If you have not already done so, also accept the data processing terms on the account settings page. In principle, you should already have done this when creating a new account.

Step 2: Configure Data Collection settings

In step 2 I explain how to properly set the Data Collection options for your GA4 property.

2.1. Google signals

Turn on Data collection by Google signals only when you really need this feature. You can activate it under Admin > Data Settings > Data Collection.

Activating Google signals does not mean that you can simply enable it for all visitors. Based on a visitor’s preferences, you can disable this function using ‘allow_google_signals’.

You can do this as follows:

  • In Google Tag Manager you can read which cookie preferences have been accepted (if you don’t use a cookie plugin and have no idea how cookie preferences are stored, ask your developer).
  • Based on these preferences, you should create a variable with a value of true or false for allow_google_signals.
  • In the configuration tag you can then send the allow_google_signals parameter with the value of the created variable.

You must inform visitors about the use of Google signals and may not activate them until visitors have specified their preferences and agreed to them.

When you disable Google signals for certain regions, Google will keep the historical data in accordance with the set retention period, but will no longer collect new data.

2.2. Ad personalization signals

Turn on Advanced settings to allow ad personalization only when you really need this feature. You can activate it under Admin > Data Settings > Data Collection. You can manage your preferences per country.

When you activate ad personalization signals, this does not mean that you can just enable this for all visitors. Based on a visitor’s preferences, you can disable this feature using ‘allow_ad_personalization_signals’.

You can turn off / turn on ad personalization signals as follows (same way as the allow_google_signals):

  • In Google Tag Manager you can read which cookie preferences have been accepted (if you don’t use a cookie plugin and have no idea how cookie preferences are stored, ask your developer).
  • Based on these preferences, you should create a variable with a value of true or false for allow_ad_personalization_signals.
  • In the configuration tag you can then send the allow_ad_personalization_signals parameter with the value of the created variable.
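
The steps in 2.1 and 2.2 amount to deriving both parameters from the stored consent and defaulting to false when no valid choice exists. The sketch below is an added example, not code from this blog or from Google; the cookie name `cookie_consent`, its `category:0|1` format, the mapping of both signals to a "marketing" category and the measurement ID are assumptions to adapt to your own cookie plugin.

```javascript
// Added example: consent-gated GA4 configuration parameters.
// ASSUMPTIONS (hypothetical): cookie name, "category:0|1" value format,
// and that both signals belong to the "marketing" consent category.
const CONSENT_COOKIE = 'cookie_consent';
const MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder

// Parse the consent cookie out of a document.cookie-style string.
// Missing or malformed input means "no consent" (opt-in, never opt-out).
function readConsent(cookieString) {
  const consent = { analytics: false, marketing: false };
  for (const pair of String(cookieString || '').split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1 || pair.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    let value;
    try { value = decodeURIComponent(pair.slice(idx + 1).trim()); }
    catch (e) { return consent; } // broken encoding: deny everything
    for (const item of value.split('|')) {
      const [category, flag] = item.split(':');
      // Only known categories, and only the exact value "1", grant consent.
      if (Object.prototype.hasOwnProperty.call(consent, category)) {
        consent[category] = flag === '1';
      }
    }
  }
  return consent;
}

// Build the parameters sent with the GA4 configuration tag.
function buildGa4Config(cookieString) {
  const consent = readConsent(cookieString);
  return {
    allow_google_signals: consent.marketing,
    allow_ad_personalization_signals: consent.marketing,
  };
}

// Constructed sample cookie strings (not real visitor data).
const samples = {
  noChoiceYet: '_ga=GA1.1.111.222',
  analyticsOnly: '_ga=GA1.1.111.222; cookie_consent=analytics:1|marketing:0',
  everything: 'cookie_consent=analytics%3A1%7Cmarketing%3A1',
};
for (const [name, cookie] of Object.entries(samples)) {
  console.log(name, buildGa4Config(cookie));
}

// In the browser, pass the result to the configuration call.
if (typeof gtag === 'function' && typeof document !== 'undefined') {
  gtag('config', MEASUREMENT_ID, buildGa4Config(document.cookie));
}
```

In Google Tag Manager the same logic would sit in a Custom JavaScript variable whose value is used for the two fields of the configuration tag.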

2.3. Collection of granular location and device data

If you disable this feature, Google Analytics will not collect this data:

  • City
  • Latitude (of city)
  • Longitude (of city)
  • Browser minor version
  • Browser User-Agent string
  • Device brand
  • Device model
  • Device name
  • Operating system minor version
  • Platform minor version
  • Screen resolution

2.4. User Data Collection Acknowledgement

It is important to agree to this. You hereby agree to the following:

“I acknowledge that I have the necessary privacy disclosures and rights from my end users for the collection and processing of their data, including the association of such data with the visitation information Google Analytics collects from my site and/or app property.”

Step 3: Check the User ID function

You may not just enable the User ID function without permission. Therefore, check whether it is on and disable it if necessary, or ensure that this function is only enabled when a visitor agrees to analytical cookies.

Step 4: Correct notification on the website

Google Analytics 4 places first-party cookies to identify unique visitors and sessions. For this they use the following cookies:

| Cookie name | Default expiration time | Description |
|---|---|---|
| _ga | 2 years | Used to distinguish users. |
| _gid | 24 hours | Used to distinguish users. |
| _ga_<container-id> | 2 years | Used to persist session state. |
| _gac_gb_<container-id> | 90 days | Contains campaign related information. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. |

Because every website is different and the privacy and cookie statements are about more than just Google Analytics, in this step I will only discuss at a global level what needs to be done to comply with the GDPR. If you want to have this legally in order, please contact someone who can also give you real legal advice about this.

4.1. Inform visitors about the use of Google Analytics.

When you use Google Analytics, it is necessary to inform visitors about this. Update your privacy and/or cookie policy and indicate, among other things, which data you collect, how this data is collected, how long the data is kept and what you collect the data for.

Also inform visitors about any product links you have set up. For example, about the link between Google Analytics and Google Ads.

For more information on the policy requirements for advertising features in Google Analytics, see Google’s official documentation: https://support.google.com/analytics/answer/2700409?hl=nl&ref_topic=9303474

4.2. Ask visitors for permission to use Google Analytics.

If you don’t have your visitor’s permission, you may not simply load Google Analytics without taking measures. If you only use the basics and disable all extra advertising functions and signals, a mention alone is sufficient (provided you do not place any other cookies that require consent).

Want to enable more features? Then make sure that you ask permission from visitors by means of a cookie bar. It is important here that you give visitors the option to refuse and change the cookies and to accept or not accept specific cookies. An opt-in method must be used, not an opt-out method.

If you do not yet have permission, you can already load the ‘stripped down version’ of Google Analytics 4. In any case, it is important to inform visitors well about this.
