Did you know...
Talk about the GDPR (General Data Protection Regulation) begin in 2018. The GDPR is the general regulation on data protection that dictates how businesses and organizations handle the personal data of European citizens and allows for greater control over such processing. Public administrations, organizations with more than 250 employees, and businesses that handle sensitive personal data must appoint a data protection officer (or DPO) to ensure compliance with the GDPR throughout the organization.
The GDPR defines personal data as "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
In a nutshell, personal data refers to all information that allows identifying an individual.
Until 2020, data transfer through US servers was regulated by the Privacy Shield. The European Court of Justice then annulled it because it no longer met the new data protection requirements. An agreement was reached on the new EU-US Data Privacy Framework (DPF) through negotiations between the European Commission and the US Department of Commerce.
Recently, Biden has signed the new "
Executive Order" which aims to extend protections for European citizens regarding the intelligence activities of US government agencies. The EU Commission has published the first draft
adequacy decision on data transfers to the US, indicating the adequacy level based on European standards. In this document United States ensures the protection of personal data transferred from the EU to the US. You can find a detailed analysis in this
article.
As a result of these regulations and issues related to data protection, Google Analytics 4 has implemented new measures to uphold user privacy.
What does Google Analytics 4 do for users’ data management?
- It anonymizes IP addresses. During data collection, Google Analytics 4 doesn’t record or store IPs. For greater security, it anonymizes IPs of European users on servers located in the EU. Google Analytics 4 enables anonymization as a default setting that can’t be turned off!
- It doesn’t collect Personal Identification Information (PII). According to Google this is a breach of the Terms of Service, so it deletes all users’ data if detected.
- It limits user data storage to 2 or 14 months for the free version. Google Analytics 360 version (paid) allows to set unlimited data storage.
- It doesn’t allow users to choose where to store their data. It processes them on multiple servers located worldwide and it suggests adopting all the regulations of the EU country where the website resides.
From July 1st 2023 it is necessary to switch to Google Analytics 4.
Time is ticking, and it's necessary to get in compliance before July 1st, 2023. Not only to be compliant but also because Google Analytics has updated and enhanced its resources:
- Better cross-device tracking: It is more accurate in the setting of users navigation across multiple devices (e.g., desktop and mobile) when users are logged into a Google account.
- Better cross-app monitoring: It gathers data from websites, apps and interactions occurring within them when they are intrinsically interdependent.
- Data tracking is more flexible and powerful because it is based on "events and parameters", compared to the Universal Google Analytics model based on "sessions and page views
- More accurate and comprehensive monitoring of user interactions.
- Direct integrations with media platforms, such as tracking actions on YouTube videos.
- Development of “Machine learning”: this allows automatic insights and mid-term predictive capabilities.
- Data flows from various sources (e.g., web, Android, iOS) in a single property. These flows, known as data streams, replace the views found in UA.
- A minimalistic interface that simplifies the tool's use.
- Focus on user engagement: The engaged session metric indicates the percentage of sessions lasting more than 10 seconds, those that generated one or more conversion events, or those that had at least two-page views.
- Focus on user privacy through a new data collection methodology using Signals
Can we use Google Analytics 4?
The Italian Privacy Guarantor hasn’t made any decisions regarding the compliance of Google Analytics 4 with the GDPR up to now. However, some legal consultants suggest that you take into consideration alternative tools (e.g., Matomo).
According to some European states, untill today Google Analytics 4 doesn’t sufficiently protect EU citizens and residents’ data from US surveillance laws.
It is still necessary to obtain prior consent from users who visit your website. You are obliged to inform the visitor about the scope and purposes of such processing, using clear and accessible language. This information has to be always accessible in a privacy statement (Privacy Policy and/or Cookie Policy) that indicates the international data transfer, specifying to which countries they are transmitted. We advise you to update the statement periodically. Users should be able to change or withdraw their consent easily.
If you want to use Google Ads e Google Signals, we recommend asking users for additional consent to share their data through other Google services. Of course, all these indications should be in the Privacy Policy of your website, you need a support of a legal consultant to draft this document.
We still suggest switching to Google Analytics 4 before July 1st to continue analyzing data with an updated version of the tool. In the meantime, we are waiting to see how the situation evolves to not be caught off guard.