Privacy Features in Google Analytics 4 Properties

September 29, 2021 | Sean Power
Blog image for Privacy Features in Google Analytics 4 Properties

During a recent Google Tag Manager training, an attendee asked whether there were any "gotchas" to watch for in Google Analytics 4 (GA4) from a privacy perspective. Bounteous has been getting this question from many people as well: Google says that GA4 takes a privacy-centric approach; what does that really mean?

To begin, all of the privacy features available in Universal Analytics (UA) are also available in GA4, so the upgrade should be regarded as nothing but a step forward for respecting user privacy.

Google knows that a privacy-first analytics platform that puts the control in the hands of the user is mission-critical to them, and has therefore upgraded and introduced other net-new functionality that empowers the user to take charge of their data, aligning with privacy-first industry updates like ITP2 (Safari), ETP (Firefox), iOS14 (Apple), CCPA (California), GDPR (EU), and Google Chrome's privacy updates. When organizations put users in charge of their data, they build trust with their audience. GA4’s user privacy features can help you give control to users over how their data is used.

This article walks you through GA4's user privacy features.

Google Signals Puts Control of User Data in the Hands of the User

Google Signals provides data from websites and apps that Google associates with users who have signed in to their Google accounts and have turned on Ads Personalization, consenting to the data collection and usage.

Using Google Signals data alongside Google Analytics data represents a win from a user privacy perspective: users who do not want their Google Signals data used can turn off Ads Personalization by going to adssettings.google.com and toggling Ad Personalization off.

settings for Google Ad Personalization showing where you can toggle the setting to off

 

This is also a win for companies—when Google Signals is enabled, data from users who are signed in to their Google accounts and have turned on ad personalization will be used by additional Google Analytics features:

  • Cross-platform Reporting: Connect data about devices and activities from different sessions to get an in-depth understanding of user behavior from multiple browsers and multiple devices.
  • Remarketing with Google Analytics: Create remarketing audiences and share those audiences with linked advertising accounts.
  • Advertising Reporting Features: Collect information about your users from the Google advertising cookies when they are present, along with the information that Google Analytics normally collects.
  • Demographics and Interests: Collect additional information about demographics and interests from Device Advertising IDs and from users who are signed in to their Google accounts and who have turned on Ads Personalization.

Data from Google Signals, anonymous to everyone except Google, is not used or shared for any purpose other than to provide the Google Analytics features described above unless you enable Data Sharing settings or opt-in to link Google Analytics with other Google products.

Google Signals data collection can be disabled at the country level, too. These settings will impact remarketing and conversion modeling, but provide additional control over how your property is configured to respect user privacy and pertinent regulations.

EU-Focused Data Privacy Controls Help to Ensure Data Privacy in Europe

Data protection authorities in some countries in Europe have shone a spotlight on Google Analytics. In response, Google has enhanced and expanded on its data control features, including a number of EU-specific privacy features in Google Analytics 4. 

For example, GA4 properties do not log IP addresses. Sensitive data collected from EU servers is dropped before being logged via EU domains and servers; IP addresses, including anonymized IP addresses, are discarded without logging them.

When GA4 collects data, IP geo lookup is done on EU-based servers before forwarding traffic. Any EU data, as determined by IP geo lookup, is received and processed in the EU regardless of where a property is based. It is recommended that you update your Content Security Policy (CSP) to allow the following domains used by GA4:

*.google-analytics.com

*.analytics.google.com

Note that EU-based data collection policies apply to data collected via the Firebase SDK and calls to app-measurement.com.

Consent Mode Makes It Easier to Respect Users' Expressed Privacy and Cookie Preferences

Consent Mode puts the user in control of their data by allowing website and mobile app owners to adjust how Google tags behave based on the user's expressed consent.

This represents another win for user privacy: when a cookie banner pops up, the user can control which cookies to enable. Google tags can then be configured to respect those preferences using Consent Mode.

The Consent Mode integration with Google Tag Manager makes Consent Mode even more useful for respecting user privacy. In addition to adjusting the behavior of Google tags, Consent Mode can be used for non-Google tags managed in Google Tag Manager, as well. The integration works with popular consent management tools like Cookiebot, OneTrust, and others.

Platform Upgrades Provide Deeper Anonymization of User Data by Default

IP addresses are used by Google Analytics to derive geographic dimensions and populate geolocation reports using a field called Anonymize IP.

When Anonymize IP is enabled, an IP address, such as 12.345.67.890, is masked at the point of collection before any processing or storage. It is passed to Google Analytics as 12.345.67.0. In other words, the last octet is dropped, making it impossible to connect the IP address with a specific user.

In UA properties, by default Anonymize IP was disabled and a company had to enable it manually. In GA4 properties, it is enabled by default and there is no way for a company to disable it.

This represents a win for user privacy with only a small tradeoff for companies: the City dimension is slightly less accurate and a visitor in one town might appear to Google Analytics as coming from the next town over. If city-level data is important to your business, consider collecting first-party data through another method whereby a user has knowingly and voluntarily shared that information with you, such as via a lead generation form submission. Businesses that rely on city-level data could mitigate this tradeoff by ensuring that Google My Business profiles are up to date.

Google Analytics 4 Enforces Stricter Data Retention Policies

Data retention period refers to how long unaggregated data is kept by Google Analytics. It applies to user- and event-level data associated with cookies, User ID, and advertising features such as device identifiers.

In UA, you could choose intervals ranging between 14 months and "do not automatically expire."

In GA4, you can choose to retain data for either 2 months or 14 months. 2 months or 14 months. GA4 360 properties get additional options to retain data for 26, 38, or 50 months.

When data reaches the end of the retention period, it is deleted automatically monthly. You do not lose the aggregated tables that support the standard reports—you will continue to be able to access those insights—but the unaggregated data will no longer be available.

If you think about this change through a lens of use case parity, shorter retention periods are not actually a big sacrifice. The aggregated reports are important for benchmarking your current performance against past performance. From a prediction and activation perspective, data from the most recent months, which are kept unaggregated, is most useful. We can accomplish the same use cases while doing more to respect user data privacy.

These stricter retention settings impact how far back you can go in the Explorations reports, which use the unaggregated data to generate custom reports on the fly; but all of your standard reports will still work for as far back as the creation date of your property.

In other words, you will still be able to run standard reports with timeframes that exceed 14 months—you would just be doing so in a more privacy-centric way while sacrificing some functionality for custom reports in the Explorations reports.

Privacy Features in Universal Analytics Properties Are Also Available in Google Analytics 4

When we talk about privacy features in Google Analytics, it can be helpful to think about them in terms of respecting privacy at the account-, property-, and user-level.

Account Privacy Features

Any settings that you configure at the account level apply to both your UA and GA4 properties.

For example, you can choose whether to share information with Google for benchmarking, for technical support, and for getting help from account specialists.

The Account Settings are also where you would accept the Data Processing Amendment.

(If you have a business established in the territory of a member state of the European Economic Area, Switzerland, or the United Kingdom or you are otherwise subject to the territorial scope of the General Data Protection Regulation (GDPR) or if you are a business subject to the California Consumer Privacy Act, and if you have entered into a direct customer contract or the Google Analytics 360 Terms of Use with Google to use Google Analytics, then you are eligible to accept the Google Ads Data Processing Terms. When you accept the Data Processing Amendment, the amendment applies to all properties in the account, including GA4 properties.)

Property Privacy Features

GA4 offers the same property-level privacy features as what was available in Universal Analytics, meaning that you can control how data is used by each property in your Google Analytics account. In addition to the data retention settings noted above, property-level privacy features give you more granular control over how you collect data.

Enable Google Signals Data Collection

With Google Signals activated, Google Analytics will associate the data it collects from your website and mobile apps with information from accounts of signed-in users who have allowed Ads Personalization. We’ve already remarked on how Google Signals puts control of user data in the hands of the user.

If your privacy policy requires even more stringency, you can choose to leave Google Signals turned off. Doing so means that even if a user is signed in to a Google account and has opted into ads personalization, your website and apps will not use any of that data.

Advanced Settings to Allow for Ads Personalization

When ads personalization is allowed at the property level, by default it will be allowed in 306 out of 306 regions.

You can control this permission on a region-by-region basis. By "region" in this instance, Google generally refers to setting country-level permissions; for the United States, you also can toggle ad personalization settings by state.

Put another way, GA4 offers the features you need to remain compliant with privacy and cookie legislation on a region-by-region basis.

Data Deletion Requests

To protect user privacy, Google's policies prohibit Personally Identifiable Information (PII) to be sent to their systems.

If PII is found by Google, they will generate a Data Deletion Request to allow you to review the PII that was found and make changes to your property, or to object if you believe the request was invalid.

If PII is found by you, you can also create a Data Deletion Request to rectify any incidents.

Furthermore, the GA4 Admin API's integration with the User Deletion API will allow you to delete data for only a particular user based on the Client ID, App Instance ID, or User ID. 

User Privacy Features

Even if you have enabled advertising features through your property settings, there may be cases where you need to disable them programmatically based on the user's expressed privacy preferences.

There are two fields in particular that provide this degree of control to the user: allow_google_signals and allow_ad_personalization_signals.

These fields can be set to either true or false. Your property settings determine their default values, however, you can also configure this value to dynamically override your property settings in order to respect user privacy preferences.

For example, suppose your website features a cookie consent banner. A user might consent to your use of their data for performance purposes, such as improving the user experience of your website, but they might not consent to your use of their data for targeting purposes.

In that instance, you would continue to trigger your Google Analytics tags to collect data since the user has opted into setting performance cookies, and you would dynamically set allow_google_signals and allow_ad_personalization_signals fields false based on the user's expressed non-consent to targeting cookies.

When you combine these features with a cookie consent management tool like Cookiebot, OneTrust, and others, you put users in control of how their data is collected and used.

Final Thoughts: Developing Modern Strategies for Data Privacy

Consumers are increasingly demanding more respect for their privacy.

While this article provides an overview of the settings available in GA4, it does not provide direction on how to configure them.

Your strategy—business strategy, sales strategy, marketing strategy, technology strategy, and data strategy—dictates your GA4 configuration choices.

If you need help thinking about your data strategy, or if you do not yet have a data strategy, read our article on strategies for data privacy, in which we take you through defining your organization's stance on data privacy, evaluating your digital footprint, enabling consent management through technology, and ensuring compliance.