without consent?
Google Analytics (latest version 4) is a tracking tool for analyzing reach and user behavior.
- Headquarters: Mountain View, California, United States
- Category: Marketing Service
- Legal Basis: Consent required via Consent Management Platform (CMP)
What is Google Analytics 4?
Google Analytics 4 (GA4) is the successor of Google Universal Analytics (UA) and therefore a web analytics tool that can now also analyze data from iOS or Android apps. But this is far from the only innovation GA4 has to offer. In fact, the innovations are so far-reaching that one could practically speak of a new tool.
Why is Google Analytics 4 used?
Google Analytics is by far the European market leader when it comes to web analytics. With the free tool, the American tech giant has opened up the world of web analytics to everyone, albeit not entirely altruistically.
The analysis options are diverse and have been improved even further with GA4. The only limits are those set by the customer or by the legislator. And this is where it gets exciting, because GA4 has also improved on the subject of data protection. Why this is not enough, and why GA4 still cannot be used without hesitation, is explained below.
Legal foundation for the processing
The basis for the processing of the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should there ever be a collision.
The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.
When is there a requirement for consent?
Personal Data
The processing of personal data is only permitted if at least one of the letters of Art. 6 (1) GDPR is fulfilled. The two important letters are the following:
- The data subject has given their consent (lit. a)
- The processing is necessary to protect your legitimate interest (lit. f)
Cookies
According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.
It should be noted that this covers not only the well-known small text files and pixels, but all technologies that make it possible to identify, link or infer a user, a user agent or a device.
Thus, all information elements that enable the identification of a person are subject to consent.
The requirements for exemption from consent
To ensure consent-free use, the following conditions would need to be met:
1. Conclusion of a processing contract with the processor
2. No use of cookies or similar profiling techniques
3. Processing of personal data exclusively in Europe
4. The processor does not use the obtained data for its own purposes
5. The processor does not link or enrich the data across different websites
6. Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
7. IP anonymization (“Privacy by Default”)
8. Automatic opt-out for Do-Not-Track settings in the browser
9. Proof of points 1-8 carried out by the website operator
IP address
Note that the IP address is generally personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is masked.
Server location
As long as it is not clear whether data is collected from a secure server location, compatibility with the GDPR is difficult to establish.
Company headquarters
In the case of American companies or their subsidiaries, the fact that it is an American company must also be taken into account. Since the ruling on the Privacy Shield, American companies belong to an insecure third country.
Why is Google Analytics 4 subject to consent?
- It will be difficult to establish a legitimate interest for a marketing tool like Google Analytics 4, especially since Google Signals tries to link the sent data to Google accounts. The service can be deactivated, but it is not clear whether Google will still try to link the data.
- The IP address of the users is personal data. Although the IP address is now anonymized by default in GA4, it can be assumed that Google logs the server accesses and thus still obtains the IP address of the users.
- Furthermore, there is the problem that Google is a U.S. company and the U.S. is considered an unsafe third country since the termination of the Privacy Shield. As a result, there is currently no legal basis for the transfer of data to the USA.
Thus, there are violations of the above points (2, 3, 4, 5, 7 and 9). Exemption from consent cannot be established.
However, the combination with Google Tag Manager can, with the right configuration, lead to GA4 being used without consent.
Conclusion on the privacy-compliant use of Google Analytics 4
Google has improved significantly with Google Analytics 4 compared to UA in terms of functions and benefits for users. Google has also made an effort to meet the European requirements in terms of data protection. It wasn’t quite enough, but it’s definitely a step in the right direction.
In summary, we can still identify the following problems:
- It must be ensured that no personal data is forwarded to Google
- Google may not use the data for its own purposes and link it to existing data
- Google is not allowed to get the IP address of the user by logging
- If cookieless tracking is used, care must be taken that the user can nevertheless not be identified and, above all, that Google cannot identify the user
If you add Google Tag Manager and run the whole thing as server-side tagging, you have the option of tracking without consent thanks to the increased data protection and improved data sovereignty. This is clearly at the expense of data quality, but at least there is a possibility.