
Is Google Analytics 4 GDPR compliant?

Find out if Google Analytics 4 is GDPR compliant and what steps you can take to ensure that your website analytics are in line with data protection regulations.

Updated April 5, 2024.

With a market share of 44% in 2023, Google Analytics continues to be the most popular online solution for gaining insight into how a website performs with its visitors.

But does using Google Analytics comply with the data privacy requirements of the European Union’s (EU) General Data Protection Regulation (GDPR)? How do you balance Google Analytics, cookie use, and end-user consent on your website?

We break down Google Analytics, cookies, and the EU GDPR requirements for your domain(s). We also look at how you can use Google Consent Mode to run Google Analytics entirely according to your end users’ consent states, so that you keep as much analytics data as possible while meeting GDPR requirements.

What is Google Analytics?

Google Analytics is Google’s popular and powerful traffic analytics tool that enables deep, real-time insights into how your website is being used, how much, and by whom.

Using Google Analytics is like having access to a live map of your website in real time, enabling you to see how your users are moving around. Where are they traveling to and from, and what are they doing while they’re on your domain? What catches their attention, and what makes them shy away?

Data like this provides valuable insights into how your domain is performing, e.g. for articles, ecommerce, etc., highlighting strong and weak spots so that you can optimize it on the fly, or with rich data and analysis over time.

Being able to see all of this data in context, presented neatly into graphs and statistics, can be an eye-opener for website operators.

How does Google Analytics work?

On a technical level, Google Analytics works through JavaScript tags (the gtag.js library) loaded in your website’s pages, often deployed through Google Tag Manager. When a user’s browser executes these tags, they collect data about the user and their interactions on your site and send it to Google’s servers.

To recognize the same browser across page views and return visits, the tags set first-party cookies that store a pseudonymous identifier (the client ID). Each request to Google carries this identifier together with details such as the page URL, the referrer, and the browser’s user agent and IP address. Because the identifier singles out an individual browser over time, it is personal data under the GDPR.

What is the difference between Google Analytics 4 and Universal Analytics?

Universal Analytics was Google’s primary analytics tool until July 2023, when it was deprecated in favor of Google Analytics 4, which was launched in October 2020. Google Analytics 4 introduced several key differences in its approach to data measurement and user privacy.

  • Google Analytics 4 uses an event-based measurement model to capture more granular user interactions, in contrast to Universal Analytics’ session-based data model.
  • Website owners can disable collection of granular location data, such as city, latitude and longitude, and collection of device data such as screen resolution and device brand, among others.
  • Website owners can delete user data on request.
  • By default, Google Analytics 4 does not log or store IP addresses from EU users.
  • Website owners can set how long data is retained by Google Analytics 4 prior to deletion.
  • Website owners can disable the collection of Google Signals data on a per-region basis, which includes data used for certain advertising features.

Since Universal Analytics no longer collects new data, this article will focus on Google Analytics 4.

Google Analytics 4 and GDPR compliance

Let’s go into a bit more detail on the EU’s GDPR, what implications it has for your website, and what kind of cookies Google Analytics uses.

The GDPR is a data privacy regulation that covers the European Union and European Economic Area. It protects the personal data of individuals in those regions, regardless of where the company collecting the data is located. It sets strict requirements for how websites, companies, and organizations anywhere in the world may collect and process such data, including data collected through cookies.

The GDPR therefore applies to any website, anywhere in the world, that processes personal data of people in the EU. Setting non-essential cookies additionally falls under the EU’s ePrivacy rules, which require prior consent. For analytics cookies, consent is in practice the legal basis you will rely on, and it must be obtained before any processing of the personal data begins.

The GDPR allows for six legal bases for data processing, of which consent is one. It’s among the most commonly used where consumers’ data and privacy are concerned.

Personal data under the GDPR is any kind of data that could identify an individual either directly or indirectly, alone or combined with other data points. Included in this definition are common online identifiers such as:

  • unique IDs
  • client IDs
  • IP addresses
  • search and browser history

Cookies serve a range of purposes, including functionality, performance, statistics and targeted advertisement. Some cookies are necessary for your website to work, and some are not, but are valuable for business operations. Some enhance user experience, some serve for monitoring and user profiling, and some do both. This is where Google Analytics and the GDPR overlap, because Google Analytics uses cookies to track your website’s users and their behavior.

Does Google Analytics 4 use cookies?

Google Analytics 4’s gtag.js JavaScript library uses first-party cookies to distinguish between users and unique sessions from users.

Only necessary or essential cookies are allowed to function on your website without user consent, because they are strictly necessary for the basic functions and user experience on your domain.

Google Analytics 4 sets the following cookies when in use on your website:

  • _ga (distinguishes individual users on your domain; expires after 2 years)
  • _ga_<container-id> (persists session state for a specific Google Analytics 4 property; expires after 2 years)

Google Analytics 4 cookies are stored in your users’ browsers when they arrive on your website. This is how Google Analytics 4 can distinguish among and remember each individual user and present you with a detailed map of their journey to and from your domain, as well as their activities while there.

These cookies serve tracking and analytics purposes rather than being essential for website functionality, so they do not fall into the “necessary cookies” category. If you use Google Analytics 4, you must obtain explicit user consent before these cookies are set in order to comply with the GDPR.
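A practical check that follows from the above is to verify, before the visitor has consented to statistics cookies, that no Google Analytics 4 cookie is present in the browser. The following JavaScript is an added example, not code from the original article or from Google. It audits a cookie string of the kind document.cookie returns. The _ga_<container-id> name pattern is taken from the list above; the _ga value layout (“GA1.<n>.<client_id>”) and the fact that the container ID is the measurement ID without its “G-” prefix are the commonly observed formats and are treated here as assumptions.

```javascript
// Added example (not the article's, Cookiebot's or Google's code).
// Audits a cookie header string for Google Analytics 4 cookies so you can verify
// that none exist before the visitor has consented to statistics cookies.
// Assumptions: _ga values look like "GA1.<n>.<client_id>" and the suffix of
// _ga_<container-id> is the measurement ID without its "G-" prefix.

const GA_CLIENT_COOKIE = '_ga';
const GA_SESSION_COOKIE = /^_ga_([A-Z0-9]+)$/; // _ga_<container-id>, e.g. _ga_ABC123XYZ

// Split "a=1; b=2" into [{ name, value }], tolerating '=' inside values.
function parseCookieString(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1
        ? { name: part, value: '' }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Report which GA4 cookies are present and the identifiers they carry.
function auditGa4Cookies(cookieString) {
  const result = { found: [], clientId: null, containerIds: [] };
  for (const { name, value } of parseCookieString(cookieString)) {
    if (name === GA_CLIENT_COOKIE) {
      result.found.push(name);
      // "GA1.1.1234567890.1700000000": the last two segments form the client ID,
      // a pseudonymous identifier and therefore personal data under the GDPR.
      const segments = value.split('.');
      result.clientId = segments.length >= 4 ? segments.slice(2).join('.') : null;
    } else {
      const match = GA_SESSION_COOKIE.exec(name);
      if (match) {
        result.found.push(name);
        result.containerIds.push(match[1]);
      }
    }
  }
  return result;
}

// Compliance check: without statistics consent, no GA4 cookie may be present.
// Returns true when the observed cookies are consistent with the consent state.
function cookiesMatchConsent(cookieString, statisticsConsent) {
  const audit = auditGa4Cookies(cookieString);
  return statisticsConsent || audit.found.length === 0;
}
```

Run cookiesMatchConsent(document.cookie, false) in the browser console on a fresh session before interacting with the banner; a false result means a tag fired ahead of consent and the tag configuration needs fixing. The 2-year lifetime mentioned above is a cookie attribute that document.cookie does not expose, so check it in the browser’s developer tools instead.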

What are the categories of data that Google Analytics 4 collects?

Google Analytics 4’s data collection categories from cookies include:

  • User data, including information about the user’s device, browser, and operating system to understand your audience’s technical demographics
  • Session data, such as session duration, pages visited, and the sequence of pages viewed
  • Traffic source data, how users arrived at your site
  • Event data on specific actions or events triggered by users, such as page views, button clicks, product views, additions to cart, purchases, file downloads, and custom events defined by the site owner

Is Google Analytics 4 GDPR compliant?

Google Analytics 4 has some features that are part of Google’s EU-focused data and privacy approach. These include:

  • not storing or logging IP addresses of EU users
  • enabling data deletion
  • optional disabling of granular location data
  • optional setting of custom data retention periods
  • optional disabling of collection of Google Signals data for a specific region

However, GDPR compliance is complex, and Google Analytics 4 on its own is neither compliant nor noncompliant with the GDPR; compliance depends on how you deploy and use it. So how can you make sure your website’s use of Google Analytics 4 is GDPR compliant? And how do you balance Google Analytics 4, cookies, and end-user consent on your website so that you still get valuable statistics and insights without breaking European data protection law or the trust of your users? Let’s do a quick breakdown of Google Analytics 4 GDPR compliance on your website.

Steps for GDPR-compliant Google Analytics 4 data collection

Here’s a step-by-step guide on how to get valid GDPR consent for Google Analytics 4 and cookie use on your website.

Step 1: Obtain valid user consent

You must ask for and obtain the explicit and informed consent from your users in order to use Google Analytics in compliance with the GDPR on your website.

Valid consent under the GDPR looks like this:

  • must be obtained before any activation of cookies or other trackers (apart from strictly necessary cookies)
  • consents must be granular, i.e. users must be able to consent to all data processing purposes (for the data collected via cookie use), some purposes, or none
  • must be freely given, so it is not valid to use pre-checked boxes or manipulative design elements to trick or force people into consenting
  • must be as easy to change or withdraw consent as it is to give it
  • must be securely stored as legal documentation and can be requested by data protection authorities or users via data access requests
  • must be renewed if the purposes for use or types of data collected change, or at a required interval (check regulations relevant to your company), often once per year, though some data protection guidelines recommend more frequent renewal, e.g. every 6 months

Using a GDPR-compliant cookie banner via Cookiebot consent management platform (CMP) enables you to obtain user consents that meet GDPR consent requirements.

Step 2: Publish a privacy policy and a cookie policy

Your privacy policy must provide detailed information about the data processing on your site, including the purposes for which you collect data, the kinds of data you collect, and who you share it with.

Your cookie policy can be a separate document, or it may be a part of your privacy policy. It must include detailed information about all cookies and other tracking technologies in use on your website, including Google Analytics 4 cookies, what purposes they serve, and how users can consent to or deny their use.

Step 3: Implement Google Consent Mode

With Google Consent Mode, you can manage Google Analytics, cookies, and GDPR user consent together to obtain privacy-compliant analytics and insights for your website. Google Consent Mode launched on September 3, 2020 and was updated in November 2023. It is designed to signal users’ consent choices to Google tags and other Google services, so that tag behavior follows the consent state rather than firing unconditionally.

The “analytics_storage” consent type controls how Google Analytics tags behave: while it is denied, the tags do not read or write analytics (statistics) cookies, and they only do so once the user gives explicit consent and the consent state is updated to granted.

If users don’t give their consent to statistics cookies, tags running in the advanced Consent Mode implementation still send cookieless pings that carry no user identifiers, so you still get aggregate and non-identifying insights into your website’s performance, such as:

  • timestamps
  • user agents
  • referrers
  • other basic measurements for modeling

Google Consent Mode helps enable compliance with the GDPR and requirements Google has levied on its customers, while also contributing to optimized analytics data, respecting both end-user privacy and your need for data and user insights to drive marketing operations.
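The following JavaScript is an added example, not code from the original article, from Cookiebot or from Google. It shows the two Consent Mode commands Step 3 describes: a restrictive default sent before any Google tag fires, and an update once the visitor has made a choice, using the gtag consent API (gtag('consent', 'default', …) and gtag('consent', 'update', …)). The mapping from consent-banner categories (statistics, marketing, preferences) to Google’s consent types, the createGtag helper that takes an explicit dataLayer so the code also runs under Node, and the effectiveConsent helper are assumptions made for the example.

```javascript
// Added example (not the article's, Cookiebot's or Google's code).
// Demonstrates Google Consent Mode: deny everything non-essential by default,
// then update the consent state from the visitor's banner choice.
// Assumptions: banner categories named statistics/marketing/preferences, and an
// explicit dataLayer parameter instead of window.dataLayer so this runs in Node.

// In a real page this is the standard stub placed before gtag.js / Tag Manager loads:
//   window.dataLayer = window.dataLayer || [];
//   function gtag(){ dataLayer.push(arguments); }
function createGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Consent Mode defaults, sent before any tag fires. wait_for_update holds the tags
// for up to 500 ms so a CMP can replay a consent choice stored from an earlier visit.
function setConsentDefaults(gtag) {
  const defaults = {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    functionality_storage: 'denied',
    personalization_storage: 'denied',
    security_storage: 'granted', // strictly necessary: no consent required
    wait_for_update: 500,
  };
  gtag('consent', 'default', defaults);
  // Redact identifiers from ad pings while ad_storage is denied, and carry click IDs
  // in URL parameters rather than cookies.
  gtag('set', 'ads_data_redaction', true);
  gtag('set', 'url_passthrough', true);
  return defaults;
}

// Translate the banner decision into a Consent Mode update. Only analytics_storage
// matters for Google Analytics 4 itself; the ad_* types cover Google Ads features.
function applyCmpDecision(gtag, decision) {
  const grant = (ok) => (ok ? 'granted' : 'denied');
  const update = {
    analytics_storage: grant(decision.statistics),
    ad_storage: grant(decision.marketing),
    ad_user_data: grant(decision.marketing),
    ad_personalization: grant(decision.marketing),
    functionality_storage: grant(decision.preferences),
    personalization_storage: grant(decision.preferences),
  };
  gtag('consent', 'update', update);
  return update;
}

// Replay the consent commands already in the dataLayer to compute the effective
// state, so your own first-party code can gate on the same signal the Google tags see.
function effectiveConsent(dataLayer) {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] !== 'consent') continue;
    if (entry[1] !== 'default' && entry[1] !== 'update') continue;
    for (const [key, value] of Object.entries(entry[2])) {
      if (key === 'region' || key === 'wait_for_update') continue;
      state[key] = value;
    }
  }
  return state;
}
```

Wire setConsentDefaults into the page head before the Tag Manager or gtag.js snippet, and call applyCmpDecision from the consent banner’s accept/decline callback. Because the default is “denied” everywhere, a tag that fires before the banner is answered sends only cookieless pings; the cookie audit from the previous section should therefore find no _ga cookies until analytics_storage has been granted.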


Step 4: Enter into a Data Processing Agreement with Google

A Data Processing Agreement (DPA) is a legally binding contract required under the GDPR whenever a data processor handles personal data on a controller’s behalf. It sets out the rights and obligations of the data controller — in this case, your company — and the data processor — in this case, Google — regarding the processing and protection of personal data.

The GDPR mandates that a DPA must include certain provisions, such as:

  • information about the data collected and processed
  • duration of processing
  • nature and purpose(s) of the processing
  • types of personal data and categories of data subjects
  • the obligations and rights of the data controller and data processor
  • requirements for security for the data and processing operations

The DPA can be a critical element in the GDPR framework, helping to ensure that when a data controller outsources data processing activities to a data processor, the latter handles personal data in compliance with the regulation. While processors do have responsibilities for security and compliant processing, ultimate responsibility for GDPR-compliant processing and data protection lies with the data controller.

You can accept Google’s DPA (its data processing terms) from the account settings in your Google Analytics account.

Google Analytics 4 and GDPR-compliant advertising practices

Google Analytics is a statistics and marketing tool that digital advertisers often use to measure the effectiveness of their online advertising campaigns, segment audiences, track conversions and create remarketing campaigns.

There are also requirements from Google for advertisers, including those that use Google Analytics 4, that collect data from or serve ads to users in the EU and EEA in compliance with the GDPR.

The Interactive Advertising Bureau (IAB) Europe’s Transparency and Consent Framework (TCF) enables standardized user consent collection and management in accordance with GDPR requirements.

From January 2024, advertisers that want to serve ads to users in the EU, EEA, and the United Kingdom using Google’s advertising services are required to use a CMP that integrates with the IAB TCF v2.2. Cookiebot CMP integrates with the IAB TCF v2.2 and is a Google-certified CMP. Google has started requiring customers to use a certified CMP that integrates with Consent Mode and the TCF v2.2 to continue to access all functions of various services, including the personalization features of Google Ads.


Google EU user consent policy

Google’s EU user consent policy applies to data collected from end users located in the EU, EEA and/or the UK, if the business collecting the data:

  • has an agreement with Google that includes the policy
  • uses Google products that incorporate the policy

Businesses using Google Analytics advertising features must comply with the EU user consent policy, which mandates explicit and informed user consent for collecting and using personal data, clear communication regarding the purposes of data processing, and providing options for users to grant or revoke consent.

Google Analytics 4 data transfers and the EU-U.S. Data Privacy Framework

One of the significant compliance issues with Universal Analytics involved the storage of EU residents’ personal data on servers based in the United States. This storage practice raised concerns regarding GDPR compliance, especially given the GDPR mandates that international data transfers must only occur to countries or entities that provide an adequate level of protection in line with EU standards.

The invalidation of the EU-US Privacy Shield framework by the Court of Justice of the European Union in July 2020 (the Schrems II ruling) further complicated data transfers between the EU and the US. After the ruling, European Data Protection Authorities (DPAs) in Austria, France, Italy, the Netherlands, Norway, Denmark and Sweden declared that the use of Universal Analytics was noncompliant with the GDPR.

These decisions emphasized the need for additional safeguards when transferring personal data to the U.S., as the country’s surveillance laws were found to be incompatible with EU privacy rights.

Organizations using Universal Analytics had to reassess their data transfer and storage practices to achieve and maintain compliance with the GDPR, often involving the use of additional contractual safeguards, such as Standard Contractual Clauses (SCCs), or seeking alternative solutions that offered data storage within the EU.

In July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework to govern data transfers between the EU, EEA, and U.S., enabling alignment with the GDPR.

There are formal challenges pending against the Framework, but it is in effect, and EU-US data transfers under Google Analytics 4 can be valid. Organizations using Google Analytics 4 should remain vigilant and seek legal advice to ensure ongoing compliance with the GDPR and any future changes in data protection regulations or adequacy decisions.

The Digital Markets Act and its impact on Google Analytics

The Digital Markets Act (DMA) introduced new rules for large digital platforms operating in the EU, which could influence how Google Analytics 4 operates, especially in terms of data handling and user privacy.

As a user of Google Analytics 4, you may need to adjust your approach to data handling to align with the regulation’s requirements. Here’s a straightforward plan to help you prepare:

  1. Review your existing privacy policy and cookie policy to ensure these documents accurately reflect your data collection and processing activities.
  2. Assess your current practices against GDPR requirements to identify any gaps or areas for improvement. This may include changing how you collect, store, or process data.
  3. Implement a Google-certified consent management platform that enables you to obtain valid user consent for data collection and processing and can signal user consent information to Google.
  4. Seek advice from a qualified legal professional or a privacy expert, such as a Data Protection Officer, who can provide tailored guidance on what the DMA means for your business.
  5. Keep up to date with the latest information on DMA compliance and its implications for analytics tools like Google Analytics 4 so you can adapt more swiftly to regulatory changes, to ensure your analytics practices remain effective and compliant.

Learn more about the Digital Markets Act.

Cookiebot CMP: Your partner for Google Analytics GDPR Compliance

Cookiebot CMP is a cookie consent solution that streamlines the process of using Google Analytics in a GDPR-compliant manner by focusing on user consent and data transparency.

  • Cookiebot CMP enables you to obtain explicit user consent for all cookies and other tracking technologies in use on your website, including Google Analytics cookies.
  • Cookiebot CMP’s integration with Google Tag Manager and Google Consent Mode helps ensure that no Google Analytics (or other) tags are fired before obtaining explicit user consent.
  • The cookie checker tool can identify all cookies and trackers your website uses, making it easy for you to provide transparent information in your website’s cookie policy about the details of all Google Analytics cookies in operation, including their provider, technical details, duration and purpose.
  • Cookiebot CMP’s integration with the IAB TCF v2.2 meets Google’s standards for serving ads to users in the EU, EEA, and UK, so you can collect data and protect your advertising revenue.

Want to use Google Analytics cookies in GDPR compliance? Get started in 3 simple steps with Cookiebot CMP.


FAQ

Is Google Analytics GDPR compliant?

Google Analytics on its own is not GDPR compliant or noncompliant. Rather, you must ensure you follow all the relevant GDPR requirements to use Google Analytics in a compliant manner. This includes obtaining explicit consent from end users before activating Google Analytics cookies, as well as describing all personal data processing in your website’s privacy policy. Using a consent management platform can help to automate the Google Analytics GDPR compliance process.

Does Google Analytics use cookies?

Google Analytics uses first-party cookies, which are stored in users’ browsers when they visit websites. These are used for analytics and, where advertising features such as Google Signals are enabled, for ad measurement; they are not essential for the website to function.

Do I need cookie consent for Google Analytics?

If you have users from inside the European Union or European Economic Area, you need GDPR cookie consent from users for Google Analytics cookies and other tracking technologies on your website — no matter where in the world your company (and website) are located. Any processing of personal data from individuals inside the EU, with consent as the legal basis, requires their explicit consent before doing so.

How do I make Google Analytics GDPR compliant?

Using Google Analytics in GDPR compliance on your website is all about getting informed and explicit consent from your end users. Google Analytics cookies collect data classified under the EU’s GDPR as personal data, requiring end-user consent before the cookies can be activated and collect data. Use a consent management platform like Cookiebot CMP with Google Consent Mode to automate that part of the Google Analytics GDPR compliance process. You also need to create a detailed cookie policy that transparently outlines your Google Analytics cookie usage, and you need to enter into a Data Processing Agreement with Google.

Does Google Analytics collect personal data?

Yes, various data that Google Analytics cookies can collect from your end users via your website can directly or in combination with other data identify an individual. This includes unique user identifiers (like Client ID or User ID), device information, and location data. It also tracks interactions with websites, such as page views and events, which can be tied to an identifiable user through identifiers or combined data points. If this individual is located inside the EU, the GDPR protects their data privacy.

Does Google Analytics collect IP addresses?

Yes, Google Analytics 4 receives users’ IP addresses, because every request a browser sends to Google carries one. However, for the purposes of the GDPR and Google Analytics compliance, it’s important to know that Google Analytics 4 does not log or store the IP addresses of EU users: it derives coarse geolocation data from the IP address and then discards it. Google Analytics 4 offers no option to store the IP address itself, even with consent. You can also disable the collection of granular location data derived from it.

What cookies does Google Analytics use?

Google Analytics 4 uses first-party cookies. The _ga cookie distinguishes among users, and the _ga_<container-id> cookie is used to persist session state. Both cookies expire after 2 years. You need explicit consent from users inside the EU before Google Analytics cookies are set.

What is Google Analytics data?

Google Analytics can be used as a statistics tool on your website to measure performance and gain insights into how users interact with your website. Data that Google Analytics can offer about your website includes visitor measurements, performance insights of landing and subpages, number of times and time of day of previous visits to your website, and information about how users found your website.

Can Google Analytics work without cookies?

Yes, using Google Consent Mode can make your website run Google Analytics based on the consent state of your end users. If end users choose not to consent to cookies, Google Consent Mode enables Google Analytics to collect basic measurements without the use of cookies, respecting user privacy while at the same time enabling valuable insights into your website’s performance.

Do I need a privacy policy?

If you are processing personal data of EU residents, including via the use of Google Analytics 4, then yes, you need to fulfill GDPR requirements, which includes information for users about data processing activities. This is best done via a comprehensive privacy policy. This policy should detail, among other things, the use of Google Analytics, and any other services that collect user data, including how the data is collected, processed, and stored. The inclusion of a privacy policy also adheres to Google’s terms of service and informs users about their data rights and how they can exercise them.

What type of Google Analytics 4 data violates the GDPR?

Any data collected by Google Analytics 4 that could directly or indirectly identify an individual without their consent could potentially violate the GDPR. This includes IP addresses, unique identifiers, location data, and detailed browsing behavior if collected without clear, affirmative prior consent from EU users.

Are the GDPR compliance challenges for Google Analytics 4 the same as those for Universal Analytics?

Google Analytics 4 shares some of the same GDPR compliance issues as its predecessor, Universal Analytics. While Google Analytics 4 has introduced several privacy-focused improvements, such as default IP anonymization and enhanced data retention settings, it still processes personal data that may fall under the scope of the GDPR, and any use of Google Analytics 4 requires careful consideration of GDPR requirements. This includes obtaining explicit consent from EU users, ensuring legal data transfer mechanisms are in place, and providing clear information about data collection practices in a privacy policy. The key to GDPR compliance with Google Analytics 4 is how the data is collected, processed, and potentially transferred outside the EU.

What are the Google Analytics GDPR compliance features?

As part of its EU-focused data and privacy measures, Google Analytics 4 offers several features designed to help you align data processing with the GDPR’s requirements. By default, Google Analytics 4 does not log or store the IP addresses of users in the EU. It enables you to choose data retention periods as short as 2 months, aligning with the GDPR’s data minimization and storage limitation principles. It enables you to delete user data on request, supporting the GDPR’s right to erasure. You can disable the collection of Google Signals data, which includes data used for advertising features such as remarketing, and the collection of detailed location and device data on a per-region basis.

How do you enable a user to delete their data from Google Analytics 4?

Under the GDPR, individuals have the right to request the deletion of their personal data. To enable a user to have their data deleted from Google Analytics, you should set up a method by which users can request data deletion and share this publicly in your privacy policy. This contact information must be easily accessible and the contact method must be a commonly used one. Upon receiving a data deletion request from a user, you can create a data deletion request from your Google Analytics 4 account. The GDPR also requires companies to respond to and/or comply with user requests in a timely manner.
