An Overview of GA4’s New Privacy Features (And Their Impact On Testing)

By Dionysia Kontotasiou · March 7, 2023

It’s shaping up to be a rocky road for Google users this year, with Google Optimize sunsetting and GA4 replacing Universal Analytics. And let’s be real, it’s no surprise that more and more testers are jumping ship to alternative tools.

But, before you follow suit and kiss GA4 goodbye, let me tell you it isn’t all bad, at least as far as user privacy is concerned. GA4 is taking privacy to the next level, supporting Google’s ‘Privacy by Design’ initiative.

So if you’re a privacy-conscious, die-hard Google user and planning to stick to GA4 to analyze your A/B tests, then this post is for you!

Read on as we’re taking a deep dive into what GA4 offers when it comes to privacy features.

Can Google Analytics Be Trusted When It Comes To Privacy?

It was a big year for user privacy in 2022. The Austrian DPA ruled that the use of GA on an Austrian website violated GDPR. Soon after, the CNIL in France, the Swedish, Italian, Belgian, Danish, Norwegian, and Dutch DPAs took a similar stance on the legitimacy of the platform. Data transfers from EU users to the US, as well as inadequate security measures for such transfers, were at the heart of all these concerns.

This sowed confusion among businesses operating in the European Union about whether GA was still legal and how to reduce compliance risks. Our support team has received its fair share of questions about it in the past year. And since GA4 was introduced, we’ve been receiving lots of questions about GA4 and its implications.

What Does ‘Privacy by Design’ Mean?

For Google Analytics 4 (GA4), Google has added further privacy controls and implemented a “data privacy by design” approach, making sure that user privacy is prioritized and data is collected ethically.

Let’s look at how each of GA4’s new privacy features supports this new approach.

IP Anonymization

IP anonymization, also known as IP masking, is the process of removing or masking the last octet of a visitor’s IPv4 address when it is passed to Google Analytics servers.

In earlier versions of Google Analytics, this required you to configure your tracking script and was opt-in only.

Until Universal Analytics, GA recorded IP addresses for every hit you sent to Google’s services (think every time your page loaded). Your tags generated Google Analytics hits with an associated IP address.

Not very GDPR/CCPA/ePrivacy friendly, right?

It’s important to note, however, that Google trims IP addresses before they appear in analytics reports. So you cannot access IPs through the reporting interface.

You might wonder why IPs were a privacy issue with Universal Analytics since you couldn’t see them.

Because Google could.

That’s why GA4 introduced IP anonymization.

Now let’s dive into the building blocks of GA to understand the IP anonymization feature better.

Google gathers IP addresses throughout the collection phase. The JavaScript in your Google Analytics tracking code detects the addresses. The IPs that visit your website can be anonymized at the point of this collection phase.

And this can be achieved by including a function in your tracking code that instructs Google not to track IP information on your site:

// analytics.js (Universal Analytics)
ga('set', 'anonymizeIp', true);

OR

// gtag.js
gtag('config', '<GA_MEASUREMENT_ID>', { 'anonymize_ip': true });

After IP addresses are collected, they go through a configuration phase. Here is where you can implement IP filters, such as excluding your internal IP addresses from reports.

Google then uploads data to a reporting database during the processing phase, stripping IP addresses. At this point, any IP information that hasn’t previously been anonymized or filtered is scrubbed.

You can see the information provided by each user’s Internet service provider (ISP) in your reporting, but not their IP addresses.

You cannot view IP addresses in your Google Analytics reports because Google collects them, but does not disclose them.

Still, this method isn’t very privacy-compliant. This is the main reason GA4 comes with default IP anonymization at the collection stage.

Does this impact Convert experiences and deployments?

No. Convert does not store IPs by default, so even if you integrate with GA4 you will remain compliant.

Server Location

The Schrems II ruling prohibits transatlantic transfers of personal data if businesses cannot guarantee the security of the data.

Since GA stores user data, including information about EU residents, on US-based cloud servers, it is subject to this ruling.

Google Analytics data is sent to the nearest server center, but may be kept in a country with inadequate privacy protections for EU citizens. This lack of transparency is problematic for EU-based businesses that use GA.

As a technological corporation with U.S. headquarters, Google is also subject to U.S. laws governing monitoring, such as the Cloud Act. Under this law, even if the requested data is stored outside of the United States, Google must provide it upon request.

This is essentially incompatible with EU legislation because the GDPR stipulates that no third party may access a user’s data without that user’s authorization.

GA4’s new capabilities for collecting data (and anonymizing it) on European servers greatly ease these concerns. When a user visits a page, Google detects the approximate location and adds that location or market to the page.

As a result of this localized IP address, data cannot leave the country and, therefore, cannot be provided to the US. As a result of these new national regulations, data collection can be tailored to comply with EU law.

Does this impact Convert experiences and deployments?

No. Convert assesses what data is being transferred outside the EU and on what basis by conducting a Data Mapping exercise. We look for data transfers:

  1. To organizations that participate in the Privacy Shield,
  2. That rely on Standard Contractual Clauses (SCCs),
  3. That rely on Binding Corporate Rules and involve data transfers to the US.

Data Retention

Another privacy feature that comes with GA4 is its new Data Retention Policy. Why is this so important?

Because the GDPR stipulates that personal data may only be processed for as long as necessary to carry out the purpose for which it was obtained. This requirement should be taken into consideration when determining how long to keep GA4 data.

Here is a summary of what is currently available with UA and what options will be available with GA4:

| Universal Analytics | GA4 properties | GA4 properties under Analytics 360 |
|---|---|---|
| No limit (but UA will stop processing new hits on 1 July 2023) | Limit: up to 14 months | Limit: up to 50 months |
| Options: 14, 26 (default), 38 or 50 months, or “do not automatically expire” | Options: 2 (default) or 14 months | Options: 2 (default), 14, 26, 38 or 50 months |

And here’s where to find these options in GA4:

[Image: Data Retention GA4]

The data retention setting in GA4 does not affect the default reports in the Reports Workspace (for example, Traffic acquisition, Pages, or E-commerce purchases).

These reports are built using pre-calculated tables. Since daily users, sessions, and events are supported by aggregated tables, you won’t lose access to these common reports. In addition, you’ll still be able to access that data going back to when your property was created.


However, sampling comes into play and data retention settings might have a greater influence when you use features like segments or secondary dimensions in Universal Analytics or when you create custom reports, tables, or visualizations.

All Exploration reports will be affected by the new data retention policy since unaggregated data will no longer be available.


Does this impact Convert experiences and deployments?

Having short retention periods effectively forces your Convert-GA4 configuration to keep data for a shorter period of time, helping you comply with data privacy regulations.

You always have the option to store the data for longer in tools like BigQuery if a 14-month data retention period is too short for the types of long-term comparison analyses you conduct.

No Personally Identifiable Information (PII)

There aren’t any major changes here, but we think it is important to reiterate that GA4 does not permit the acquisition of Personally Identifiable Information (PII) and will flag data for deletion if it finds any in your GA4 property.

Unintentionally collected PII may enter the GA4 process in a variety of ways. Examples include situations when users enter PII in search boxes and/or form fields on your website, emails are included as URL parameters as a result of website functionality, and PII is included in JavaScript error messaging as a result of integration problems.

Whatever the case, gathering and keeping this data in GA4 is still illegal.

Collecting PII in GA4 is also against Google’s Terms of Service. In order to prevent sending PII to GA, Google offers some tips. Plenty of articles online explain how to locate and modify PII before GA4 receives it.

Whatever approach you choose, ensure that no PII is transferred to GA4. Any GA property found to be storing PII may be erased by Google!
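One way to scrub the leak paths listed above (search terms, emails in URL parameters, error messages) before anything reaches GA4. This is an added example, not Google's or Convert's code; the email pattern, the key list, the `REDACTED` placeholder and the function names are assumptions to adapt to your own site.

```javascript
// Added example: redact PII client-side before values are handed to the GA4 tag.
const EMAIL_RE = /[A-Z0-9._%+-]+(?:@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Assumed list of parameter names that should never be forwarded as-is.
const PII_KEYS = new Set(['email', 'mail', 'phone', 'tel', 'name',
  'firstname', 'lastname', 'address']);
const PLACEHOLDER = 'REDACTED';

// Free text: search-box input, form values, JavaScript error messages.
function redactText(value) {
  return String(value).replace(EMAIL_RE, PLACEHOLDER);
}

// URLs: blank out values of sensitive keys, and redact emails found in any
// other query value, in the path, or in the fragment.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  const cleaned = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const sensitiveKey = PII_KEYS.has(key.toLowerCase());
    cleaned.append(key, sensitiveKey ? PLACEHOLDER : redactText(value));
  }
  url.search = cleaned.toString();
  url.pathname = redactText(url.pathname);
  url.hash = redactText(url.hash);
  return url.toString();
}

// Event parameters: drop sensitive keys entirely, redact string values.
function redactParams(params) {
  const out = {};
  for (const [key, value] of Object.entries(params)) {
    if (PII_KEYS.has(key.toLowerCase())) continue;
    out[key] = typeof value === 'string' ? redactText(value) : value;
  }
  return out;
}

// Constructed sample input: an email leaks through a search term and a parameter.
const sampleUrl =
  'https://shop.example/search?q=jane.doe%40example.com&email=jane.doe@example.com&page=2#welcome';
console.log(redactUrl(sampleUrl));

// In the page, the cleaned values are what the tag receives, for example:
// gtag('event', 'page_view', { page_location: redactUrl(location.href) });
```

Rebuilding the query string re-encodes every parameter, so compare reports before and after rollout if you filter on exact URLs.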

Does this impact Convert experiences and deployments?

No. PII data isn’t used or stored in Convert.

Location and Device Data

Location data and device data are two distinct categories of data that you can activate or suppress in GA4 on a per-country basis.


Location data can tell us where a user is physically located. The operating system, device model, device brand, and browser are usually included in device data, along with the type of device.

Google collects location data based on IP addresses, while device information is monitored using a User-Agent Header, a string used to identify device information.

Does this impact Convert experiences and deployments?

No, if you use the default Convert settings. However, if audiences with personal or segmentation data are used, disabling their collection can lower compliance risks associated with the collection of multiple data points that, when combined, can identify users.


Data Processing Agreement (DPA)

Depending on where your business is located and where your users are located, your legal team might ask you to sign a data processing agreement with Google. For more information on this subject, refer to this section of the Google Analytics support documentation.

You can find the GA DPA under your account settings. Uncheck the checkboxes to prevent data exchange with other Google Products and unauthorized users from seeing your dashboard.

[Image: GA4 Data Processing Agreement (DPA)]

Does this impact Convert experiences and deployments?

No. You can sign an independent DPA with Convert.

Cookies and User Consent

Consent requirements are not eliminated by Privacy by Design. GDPR, CCPA, and ePrivacy obligations remain in effect.

To ensure compliance with cookies, let’s examine how Analytics uses them.

Those unfamiliar with Google Analytics may wonder how the platform distinguishes between two different visits. A client ID is assigned to a browser-device pair when a user visits your website for the first time. In addition to distinguishing website users, it is also used to link their on-site behaviors, not just during a single website visit, but also during several visits.

The cookie “_ga” contains the GA Client ID.

Client ID is used in the same manner by both Universal Analytics and GA4.

However, within the GA4 Property Settings → Reporting identity setup, you may also find Client ID used as a synonym for “Device ID”.

[Image: GA4 Reporting identity setup]

Yes, GA4 still uses cookies.

First-party cookies are used (with machine learning to generate event-based insights), so all privacy laws still apply.

If you thought that using GA4 exempted you from displaying a cookie consent banner, think again!

  1. ePrivacy Directive: Generally, European nations require express authorization before placing or accessing analytics cookies. The GA4 tags should not fire unless a user has specifically consented to tracking because the default cookies will be set whenever the GA4 tags run. As a result, no data will be collected from users who do not consent, nor from those who do consent until they indicate their consent in writing.
  2. GDPR: Depending on how you use the data, the Device ID can qualify as “personal data”. In isolation, it cannot identify people, but it can if it is combined with more information about the users from other sources. This is especially true if you use GA4 audiences for targeting and have them connected to other ad platforms.
  3. CCPA: Users who reside in California are given additional rights under the CCPA regarding their “personal information”. The CCPA defines personal information as any piece of information that can be used to identify an individual or household. In GA4, the client ID is sent with each hit. Because of this, GA4 will always be covered by the CCPA.

When using GA4, a cookie consent banner should specify what tracking the user is opting in/out of and provide clear options for opting in or out.

[Image: Convert cookie consent banner]

How can you set up cookie consent functionality on your website?

Option 1: Google Consent Mode

This article describes Google Consent Mode in detail.

Essentially, when you start a new GA4 implementation, you can configure your GA4 tags in Consent Mode from the beginning, ensuring appropriate tracking according to user preferences.

| Consent Type | Description |
|---|---|
| ad_storage | Enables storage (such as cookies) related to advertising |
| analytics_storage | Enables storage (such as cookies) related to analytics e.g. visit duration |
| functionality_storage | Enables storage that supports the functionality of the website or app e.g. language settings |
| personalization_storage | Enables storage related to personalization e.g. video recommendations |
| security_storage | Enables storage related to security such as authentication functionality, fraud prevention, and other user protection |
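A sketch of wiring a consent banner to the consent types above, as an added example that is not Convert's or Google's code. The `gtag('consent', 'default' | 'update', ...)` commands are the Consent Mode API; the banner categories, the mapping and the choice to deny every type by default are assumptions.

```javascript
// Added example: deny-by-default Consent Mode, updated from a banner choice.
// Standard Google tag stub: commands are queued on dataLayer.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

const CONSENT_TYPES = ['ad_storage', 'analytics_storage', 'functionality_storage',
  'personalization_storage', 'security_storage'];

// Hypothetical banner categories mapped onto the consent types they control.
const CATEGORY_MAP = {
  marketing: ['ad_storage'],
  statistics: ['analytics_storage'],
  preferences: ['functionality_storage', 'personalization_storage'],
  necessary: ['security_storage'],
};

// Build a full consent state: anything not explicitly accepted stays denied.
function consentState(choices) {
  const state = {};
  for (const type of CONSENT_TYPES) state[type] = 'denied';
  for (const [category, types] of Object.entries(CATEGORY_MAP)) {
    if (choices[category] === true) {
      for (const type of types) state[type] = 'granted';
    }
  }
  return state;
}

// Must run before any gtag('config', ...) or event command on the page.
function setDefaultConsent() {
  gtag('consent', 'default', consentState({}));
}

// Call from the banner's accept/save handler with the visitor's choices.
function onBannerChoice(choices) {
  const state = consentState(choices);
  gtag('consent', 'update', state);
  return state;
}

setDefaultConsent();
// Constructed example: the visitor accepts statistics only.
// onBannerChoice({ statistics: true });
```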

Option 2: GTM Custom Consent Triggers

You can build triggers to manage when GA4 tags fire using Google Tag Manager (GTM).

There are various types of triggers that can be used, depending on your consent management platform. Your CMP consent actions should contain the name of the custom event trigger that you created in GTM.

[Image: GTM Custom Consent Triggers]

Option 3: Custom JavaScript with Consent Actions

GitHub has plenty of options to get inspired by. Check out this example of a cookie consent plugin for cross-browser use.

Does this impact Convert experiences and deployments?

No. The GA4 tag will not be applied when any of the techniques above is used and no consent has been obtained from the user (or when the user has opted out).

As GA4 tags don’t fire, these users won’t appear in your GA reporting.

NOTE: If this kind of consent method is implemented, we often observe a 40%–60% decrease in the number of users tracked between Convert and GA4.

User Rights

A number of laws, such as the CCPA and GDPR, protect users’ rights to access and erase their personal data. In the past year, GA has added tools to make this possible.

User Access

The GA UI and BigQuery both provide access to GA4 event information.

Access Event Information via the UI

GA4 User Explorer tool adds a crucial privacy compliance feature: the ability to access user-specific data.

You can use the User Explorer report in GA4 to retrieve event data for any given user identifier via the UI. With this functionality, you can export event-level data for a specific user ID. In most cases, this user identification is either the Device ID or the User ID.


Access Event Information via BigQuery

Another new GA4 feature is that you can integrate your GA4 Properties with BigQuery to make full exports of all event data associated with all of your users in a single queryable repository.

Using this method, you can access and manipulate data more quickly and programmatically.

Does this impact Convert experiences and deployments?

No.

User Data Deletion

The same way you can access event information via the UI and BigQuery above, you can also delete it via the UI, an API, or the Data Deletion Requests feature.

User Explorer Report

You can delete a user from the User Explorer report by selecting the user ID and clicking Delete user:


All user-related information will be removed from the report within 24 hours and from GA’s systems within 63 days.


User Deletion API

Using the User Deletion API, a GA4 Property owner can programmatically request GA to remove all information associated with a certain user ID.

Suppose you want to delete data associated with this user ID:


Using the User Deletion API, you can remove all data for the user using an HTTP request with the following request body:

{
  "kind": "analytics#userDeletionRequest",
  "id": {
    "type": "USER_ID",
    "userId": "xxxx"
  },
  "propertyId": "xxxxxxx"
}

Data Deletion Requests Admin Feature

If you are collecting any kind of PII, typically as a parameter across some or all events, you can use the data deletion request mechanism, which is available here:

[Image: GA4 Data Deletion Requests Admin Feature]

In GA4, you can delete parameter data associated with events and/or people using five distinct deletion methods:


Does this impact Convert experiences and deployments?

No.

Privacy Policy

Both Google and privacy regulations require that you provide a privacy policy on your website if you use GA.

Data Sharing Between Google Products

The use of GA4 data with other Google ecosystem products, such as Google Signals and Ad Personalization, should be handled with caution due to privacy concerns. Research the privacy laws that are applicable to your business before opting in to Ad Personalization or Signals.

Make sure your privacy policy specifies if you intend to share GA4 data with other Google products.

Does this impact Convert experiences and deployments?

No.

Do GA4’s New Privacy Features Live Up To Their Promise?

GA4’s new privacy features are a much-needed improvement in the world of data collection and analysis. With the “privacy by design” strategy, GA4 offers several ways to enhance data collection while also addressing privacy concerns. The new features offer greater transparency and control for users, as well as a more secure environment for collecting and storing data.

At Convert, we are here to help you ensure that your testing data collection is both accurate and compliant with all privacy regulations. Whether you need assistance with GA4 configurations or have questions about privacy, we are here to help.

Originally published March 07, 2023 - Updated May 26, 2023
Written By
Dionysia Kontotasiou
Convert's Head of Integration and Privacy, helping customers with technical queries.
Edited By
Carmen Apostu
Head of Content at Convert
