The GA4 features that are bad for privacy
Google Analytics 4 (GA4) brings numerous benefits to businesses, especially in terms of data analysis and consumer insights. While GA4 is powerful, it is essential to understand what the privacy implications are for certain features of Google Analytics. Utilizing GA4's privacy settings wisely can not only help you stay compliant but also fortify your data strategy.
Data sharing settings
In Google Analytics there are multiple ways you can share data with Google. Under “Account settings” there is a section called “Data Sharing Settings”. Here you can choose to share data with Google for the following purposes:
- Google products & services
- Modeling contributions & business insights
- Technical support
- Account specialists
Of these sharing mechanisms you should be particularly careful with sharing data for the “Google products & services” purpose. This option shares all your Google Analytics data with Google under new terms, so called controller-controller terms. This means that data shared under these terms becomes Google's data. Read the section “Potential problems with sharing Google Analytics data with Google” below to understand more. Some features are only available if you share data with Google. For example, enhanced demographics and interests reporting from Google Signals is only available if you also enable data sharing with Google. If that is not useful to you, you should not share data with Google.
Google Signals
Google Analytics will associate the data it collects from your site and/or apps with Google information from signed-in Google account users. This means that Google knows that person X did action Y on your site and/or apps. The benefit you get from this is insights into how your users interact with your content across multiple devices. This feature also enables more advanced advertising features such as Remarketing Audiences based on cross-device behavior and demographics.
Google Ads linking
Linking your Google Analytics property to Google Ads makes it easier to work and succeed with Google Ads. You can easily import Audiences and conversions from Google Analytics to Google Ads. And the data sharing goes both ways, so data in Google Analytics also gets enriched with data from Google Ads. This is practical because it makes analyzing ther results from your Google Ads campaigns easier.
Potential problems with sharing Google Analytics data with Google
Google makes it very easy to share data to Google and link with other Google products. For you as a marketer or business owner, it also has many benefits. But it also comes with a cost. You pay with your data. Because most product linking and data sharing shares data with Google under new data protection terms: the controller-controller terms.
Your data becomes Google's data
In practice this means that you are giving Google all your data for Google to own. Once you give it away it means that Google “will individually determine the purposes and means of its processing of Controller Personal Data” (as stated in the terms), i.e. Google can do whatever they want with the data. This obviously impacts the privacy of your visitors, because you are giving Google data on what they did on your website.
Is using Google Analytics synonymous with data sharing with Google?
“But what’s new, I’m already sharing data with Google because I’m using Google Analytics”, you might think. No you are not sharing data with Google when you use Google Analytics. When you use Google Analytics you are using a service where Google is your processor, and you as the website/app owner are the controller. This means that you own the data, and Google is just processing it for you. Google cannot use this data for anything other than the service of Google Analytics. Google cannot use this data for its own purposes, for example for its advertising business. This is explained and defined in the data protection terms of Google Analytics.
But when you share data or link with other products, the data is shared with Google under new data protection terms. These terms are very different and state that once you share the data Google becomes controller of the data and you cannot control in any way how Google can use this data.
What if I still want to share data with Google?
If you decide to activate linking or sharing you are required to inform visitors about the data sharing and how visitors can opt out of Google personalized ads. And you are also required to get a consent from the visitor for this sharing. But getting consent is not necessarily enough. An important part of GDPR is the principle of “data minimisation”. It means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. If the purpose of linking Google Analytics with Google Ads is to run advertising and conversion optimization, that is fine because you got consent from your users. But you don't need to share all your Google Analytics data to achieve that. The legal risk here increases with the amount of data you collect in Google Analytics.
Don't help your competitors campaigns
Sharing your GA4 data with Google gives them free rein to use your data for various purposes, including advertising. Given that Google's primary revenue source is advertising, there's a significant likelihood that your data may be used to fine-tune advertising campaigns for your competitors. For instance, if you run an online fashion store, Google could potentially use the data to help competing stores target audiences more effectively, thereby undermining your market position.
Other GDPR challenges with Google Analytics 4
Data Minimization
One of the GDPR principles is that only the data which is strictly necessary for the intended purpose should be collected. Given the myriad of data that GA4 can collect, ensuring that you're only gathering what you need for your specific use-case becomes a significant challenge.
Linking other Google services
In this article we have only covered linking with Google Ads, because that's probably the most commonly used service. We haven't looked in detail at the other services that also can be linked to a Google Analytics 4 property, but list them here with some comments on the services we have experience from:
- Google AdSense links
- Ad Manager links
- BigQuery links: Data will be shared under a new agreement, but this will be the data processing agreement relating to the connected BigQuery instance. This means it's a controller to processor agreement so you are not sharing data with anyone (assuming you are the owner of the BigQuery instance and related Google Cloud Platform account).
- Display & Video 360 links
- Floodlight links
- Merchant Center links
- Google Play links
- Search Ads 360 links
- Search Console links: This has potential risk in our view, simply because its unclear if data is shared with Google and if so what the data processing terms are.