Marketers worldwide have known Google’s Universal Analytics would eventually disappear and be replaced with GA4 Analytics. Many of us set up GA4 accounts and then forgot about it. We hadn’t started to prepare for the future with Google Analytics 4.
Learn how to update Google Analytics 4 on your own with this helpful GA4 walkthrough.
Google is Sunsetting UA, Time to Switch to GA4
Now is the time to get ready. Google has officially announced that Universal Analytics will stop collecting data in 2023. All standard Universal Analytics properties will stop processing new hits on July 1, 2023. “Universal Analytics 360 properties will receive an additional three months of new hit processing, ending on October 1, 2023,” said Google. Update: The last day to switch from Universal Analytics 360 to GA4 is changing from October 1, 2023, to July 1, 2024, per Google’s latest announcement.
The new Google Analytics 4 will change how businesses think about online marketing to their customers. If you haven’t started playing around with Google Analytics 4 yet, now is the time. The next generation of Google Analytics still feels limited compared to the original version of Universal Analytics, but GA4 is the future.
Google Analytics 4 doesn’t have to be confusing. We can help you get started by implementing GA4 on your business website for you. Ready to get started?
Here’s how to get started on your own:
Start Collecting Data Today
When you create a new Google Analytics 4 property, you’ll notice that it’s empty of data. The historical data you have in Universal Analytics, the original analytics you already know, won’t be transferred to the new property.
To retain that historical perspective of what’s happening on your website, start collecting new data as soon as possible. The new setup also restructures that data into the life cycle of your website visitors. Now businesses can better focus on improving their relationship with their customers.
Simplify Your Tracking Strategy
Regarding tracking, the new version of Analytics does a lot of the heavy lifting for you. Fear no more if you ever found your head spinning while adding a category, actions, or labels to custom conversion tracking. Everything is now considered an event, and the “Enhanced Measurement” automatically creates the most common event tracking for you.
The most exciting feature of the new GA4 tool is the ability to create insights and predictions about your website or audience built on artificial intelligence. Google is betting that predictive AI can fill in the gaps in the data left by removing browser cookies.
Lean on Predictive AI Intelligence
One shining feature of the new Google Analytics 4 properties is their use of AI learning to create predictive audiences to help your business grow. For example, there is now the ability to create Purchase Probability audiences, users likely to purchase within the next seven days, and Churn Probability audiences, users most likely to churn within the next seven days.
This new ability to create audiences based on customer behavior enables your team to look ahead and make careful predictions that can influence your campaign strategy. It also gives you a handy insights tool to provide easy-to-read summaries of your data based on your campaigns. Integrate your Google Ads campaigns, for example, and use Analytics insights to inform you on the next steps to improve the effective use of your budget or ad targeting.
Manipulate Your Website, Not Your Audience
Google’s recent release of FLoC, which stands for Federated Learning of Cohorts, changes how advertisers target their customers. Instead of stalking individual users around the internet, Google will sort crowds of users into groups of similar behavior, interests, or intent.
Update: As of 2022, Google has abandoned its strategy of FLoC. They’ve recently switched to their Topics API to replace tracking cookies, which match advertisers to audiences based on interest-based advertising. See an introduction to the Topics API from Google down below.
As the internet shifts to protect individual data privacy, marketers are forced to improve their websites, messaging, or even products and services rather than improving their targeting. This is a good thing. Audiences should expect to see better websites focused on helping them, and businesses should be rewarded for that increase in trust online.
Where Universal Analytics built its foundational data on cookies and IP addresses, Google Analytics works across platforms using its event-based data modeling. “Google Analytics 4 will also no longer store IP addresses,” said Google. “Google Analytics 4 is designed with privacy at its core to provide a better experience for our customers and their users.”
GDPR and Google Analytics 4
Disclaimer: We’re not lawyers. This article is based on our research and interpretation of the General Data Protection Regulation (GDPR) and other “e-privacy” regulations. PLEASE talk to legal counsel that specializes in privacy laws!
Are you confused about GDPR and Google Analytics? This article will help. You’ll probably have to make a few small changes to your website and your Google Analytics tracking. Let’s dive in.
This article needs to identify two groups: data controller and data processor.
- Data Controller: This is you (or your organization). You control which data is sent to Google Analytics.
- Data Processor: This is Google Analytics, or more broadly, Google, because they process the data.
Technically, the Data Processor is bound by new legal obligations to conform to the EU GDPR. But there’s still plenty that you need to know and maybe do.
Google is well aware of this development and has set up its Privacy Compliance website. They say they’re “working hard to prepare for the EU’s General Data Protection Regulation.”
It’s a pretty safe bet that, given how important Google Analytics is to—like—the entire internet, it will be fully compliant by May 25, 2018. And as part of that, Google will have to provide its users with a data processing agreement—you’ll need to accept the agreement.
TO DO: How to Make Your Google Analytics GDPR Compliant
First and foremost, you need to know what data you are not sending to Google Analytics servers.
Ultimately the data will be handled by Google on their servers, but they have policies—and GDPR has regulations—about which information you can send them in the first place.
#1) Personally Identifiable Information (PII)
Collecting any Personally Identifiable Information (PII) is—and has always been—against the Google Analytics Terms of Service. (This is true for the standard/free GA and the paid Google Analytics 360 solution.)
Here’s how to check your website and GA data for PII:
Page URLs, Page Titles, etc
A common example of PII data collection is when you capture a Page URL that contains an “email= query string” parameter. If this is the case, you are likely leaking PII to other marketing technologies on your site!
Forms
Ensure that any data entered into forms by users does not contain PII. Most often, this comes in the form of Event Tracking. If your ga(send) or _gaq.push() functions send an event label containing the user’s email address (for example), that’s bad news.
For purposes of this article—about Google Analytics and GDPR—this applies to form data that GA also collects. If you store this PII yourself or submit it to other trackers, be aware that GDPR also has implications for those services/servers.
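One way to handle the URL and form cases above at the code level, before anything reaches the tracker. This is an added example, not code from the original article; the list of PII parameter names and the helper names are assumptions, and `ga` is passed in so the wrappers work with the real analytics.js queue or a stub.

```javascript
// Added example (not from the original article): remove PII before a hit is built.
// Assumption: the parameter names below are the ones your site uses for PII.
const PII_PARAMS = new Set(['email', 'e-mail', 'mail', 'username', 'phone']);
const EMAIL = /[^\s@\/?&=#]+@[^\s@\/?&=#]+\.[^\s@\/?&=#]+/;
const EMAIL_ALL = new RegExp(EMAIL.source, 'g');

// Redact email-shaped substrings in free text (event labels, page titles).
function scrubText(text) {
  return String(text).replace(EMAIL_ALL, '[redacted]');
}

// Return "path?query" with PII parameters removed, for use as the reported page.
// The fragment is never included in the result.
function scrubPageUrl(rawUrl) {
  // The base only lets relative URLs parse; it never appears in the result.
  const url = new URL(rawUrl, 'https://placeholder.invalid');
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (PII_PARAMS.has(name.toLowerCase())) continue; // dropped by name
    if (EMAIL.test(value)) continue;                  // dropped by value
    kept.append(name, value);
  }
  // "@" may arrive percent-encoded in the path, so decode it before scrubbing.
  const path = scrubText(url.pathname.replace(/%40/gi, '@'));
  const query = kept.toString();
  return query ? `${path}?${query}` : path;
}

// Wrappers around the analytics.js command queue; `ga` is passed in so the
// same code runs against the real queue or a stub.
function sendPageview(ga, rawUrl, title) {
  ga('send', 'pageview', { page: scrubPageUrl(rawUrl), title: scrubText(title) });
}

function sendEvent(ga, category, action, label) {
  ga('send', 'event', category, action, scrubText(label));
}
```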
Note: It’s important to note that filtering out PII via Google Analytics filters is not good enough. It would be best to address this at the code level to prevent the data from being sent to Google Analytics.
#2) Anonymize IP Addresses
The GDPR legislation considers IP addresses to be personally identifiable. I disagree with that, but they didn’t ask my opinion.
Google doesn’t reveal users’ IP addresses in its reporting by default, but they do use them to provide geolocation data, which is reported.
So, to be safe, we recommend enabling Analytics’ standard IP Anonymization feature.
If you use Google Tag Manager
If you use Google Tag Manager, you can make this change in the GTM interface. No code change is required.
Adjust your tag or Google Analytics Settings variable:
- Go to More Settings -> Fields to Set
- Add a new field called ‘anonymizeIp’ and give it a value of ‘true’.
If you use Google Analytics Snippet
If you don’t use GTM, you may need to edit the code directly, but how to edit the code depends on which version of GA you use.
(Don’t you love this stuff?)
Analytics.js “Universal Analytics” version
This is the GDPR anonymous IP address command line for the newest version of the Google Analytics snippet.
GA.js
Google deprecated this version in 2016, but many websites still use it. (Don’t worry; it still works just fine. But you do miss out on some new features.)
If you use the ga.js version, here’s how to add the _gat._anonymizeIp code.
What does this code do?
This code tells Google to anonymize the IP address. But what does that mean?
It means they’ll remove the last octet of the IP address (your IP becomes 123.123.123.0 — where the last portion/octet is replaced with a ‘0’).
Here’s what Google’s documentation says—
…the last octet of the user IP address is set to zero while still in memory.
For example, an IP address of 12.214.31.144 would be changed to 12.214.31.0.
If the IP address is an IPv6 address, the last 80 of the 128 bits are set to zero.
(I added the emphasis and pretty colors!)
The documentation goes on to explain that anonymization happens as early as possible in the data collection process:
Only after this anonymization process is the request written to disk for processing.
If the IP anonymization method is used, then at no time is the full IP address written to disk.
These two lines are the important parts. This is why anonymization is GDPR-compliant.
They even provide this handy dandy graphic to illustrate how it works:
Are there any downsides?
Unfortunately yes. Well… kind of.
This will have a small impact on your data. It’s up to you whether or not that’s a downside.
IP addresses are location-specific, like zip codes, area codes, and bank routing numbers. That means that for Analytics purposes, they’re used in geo-locating your users.
When you remove the last octet (set the last few digits to zero), you remove the most specific part of that data. The result is that the accuracy of your geographic reporting is slightly reduced.
Just how reduced?
Well, according to ConversionWorks, not bad.
81% of the visits have less than 50 km [~31 miles] discrepancy (or no discrepancy at all).
There are some statistical outliers, of course. But for the most part, your anonymized, GDPR-compliant IP address data can narrow down to the city but not to the city block.
#3) Pseudonymous Identifiers
Your implementation of Google Analytics could already be using pseudonymous identifiers.
What the fluff does that mean?
IAPP to the rescue. IAPP is a not-for-profit “global information privacy community and resource” that educates and advocates for the privacy profession globally.
Here’s what they say about pseudonymization:
The GDPR introduces a new concept in European data protection law – “pseudonymization” – for a process rendering data neither anonymous nor directly identifying.
Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
So it’s not directly identifiable. But it’s not-not identifiable, either.
Pseudonyms are good.
The whole point of GDPR is to allow users to be more private. Using pseudonyms improves their privacy.
In Article 5, the GDPR defines pseudonymization as
“the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”
They go on to talk about storing that information securely. But the point is the same: one step below anonymous is pseudo-anonymous.
Pseudonyms are good but not good enough.
Pseudonymization alone is not enough to save you from GDPR requirements. Still, the GDPR does recognize that it “can reduce risks to the data subjects concerned and help controllers and processors meet their data-protection obligations.”
So that’s something.
It also created strong incentives for Data Controllers (that’s you, remember?).
Under the GDPR, pseudonymization can help you:
- Fulfill your data security obligations
- Safeguard personal data for scientific, historical, and statistical purposes
- Mitigate your breach notification obligations
Examples of Pseudonymous Identifiers
This information could identify individuals if you have enough data to connect the dots. Here are some common examples:
User ID
Probably an alphanumeric database ID. You don’t want this to be plain-text PII such as email, username, etc.
Hashed/Encrypted Data (email, e.g.)
Hashing and encrypting are different, but both count as pseudonyms. If you store emails, etc., and you plan to use hashing, Google has some criteria:
“Google has a minimum hashing requirement of SHA256 and strongly recommends the use of a salt, minimum 8 characters.”
Transaction IDs
Technically, this is a pseudonymous identifier since it can identify an individual customer or user when linked with another data source. If you store these IDs, they should probably be alphanumeric IDs.
A note on disclosure: pseudonymous user data is still user data. You’ll need explicit consent (via opt-in) from your users, and you should ensure that your Privacy Policy explains this data collection and purpose.
In both cases, the language used needs to be clear (no technical or legal terms) and answer these questions:
- What data is collected?
- How will it be used?
According to Blast Analytics and Marketing, Google announced at their Analytics Superweek Summit that they’d soon allow for User ID/Client ID data deletion.
#4) Update your Privacy Policy
Everybody has a Privacy Policy on their website by now. You have one on your site.
Right?
Frankly, lots of websites probably never had one at all. That has to change.
The most important update to your Privacy Policy under GDPR is that it has to exist and has to be clear, concise, and easy to understand.
Econsultancy put together a great list of questions to consider when writing a Privacy Policy:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
#5) Build an Opt-In/Out Capability
Here’s where the rubber meets the road for GDPR. The big takeaway from the whole legislative initiative is this:
If EU citizens don’t want to be tracked online, they don’t have to be.
As the Data Controllers, this means that we are now legally obligated to let them decide.
And “we’re gonna track you unless you say no” is not good enough. It has to be “can we track you? Please click yes or no.”
Remember: ask a lawyer. We’re just marketing nerds.
What to ask your lawyer
If you are collecting User ID or other pseudonymous identifiers, you may need to gain consent from the user.
If so, this consent needs to be explicit (opt-in). All those cookie notices stating that if you proceed to use the site, you consent? Yea, not anymore. That’s not considered consent anymore.
So that’s the question: do I need to gain consent from my users?
Delay Google Analytics loading
Depending on what your lawyer says, you’ll need to ask users for their permission clearly and, most importantly, before Google Analytics executes.
This looks like an overlay modal/popup that asks the user for permission. If the user clicks “yes” or “opt-in,” either the page reloads, or the Google Analytics (and other martech scripts) start to run.
Audit Trail
GDPR requires that you keep a record of users’ opt-ins to prove that consent has been given.
Typically this comes in the form of some application or security log that provides an audit trail of the actions taken against data from the time of its creation to its erasure.
Our solution to this (so far) is to track this “yes” consent in Google Analytics as an event and record it in our database, attached to the Google Analytics Client and User ID.
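A sketch of the delayed loading and audit trail described above, as an added example rather than the article's own implementation. `loadAnalytics`, `sendEvent` and `saveRecord` are hypothetical callbacks the site supplies (script injection, the tracker call, and the database write); the event names are also assumptions.

```javascript
// Added example, not the article's implementation. loadAnalytics, sendEvent and
// saveRecord are hypothetical callbacks the site supplies (script injection,
// the ga() call, and the database write).
function createConsentGate({ loadAnalytics, sendEvent, saveRecord, now = () => new Date() }) {
  let state = 'unknown';   // 'unknown' | 'granted' | 'denied'
  let loaded = false;
  const queued = [];       // hits held while the user has not decided

  function track(...hit) {
    if (state === 'granted') sendEvent(...hit);
    else if (state === 'unknown') queued.push(hit);
    // 'denied': the hit is dropped and nothing leaves the browser
  }

  // Call from the modal's buttons. ids carries the GA Client ID / User ID
  // when the site has them; both are optional.
  function decide(granted, ids = {}) {
    const record = {
      decision: granted ? 'opt-in' : 'opt-out',
      at: now().toISOString(),
      clientId: ids.clientId ?? null,
      userId: ids.userId ?? null,
    };
    saveRecord(record);    // audit trail: every decision, including withdrawals
    if (!granted) {
      state = 'denied';
      queued.length = 0;   // discard hits collected before the refusal
      return record;
    }
    if (state !== 'granted') {
      state = 'granted';
      if (!loaded) { loadAnalytics(); loaded = true; }
      sendEvent('consent', 'opt-in');          // the "yes" recorded as a GA event
      queued.splice(0).forEach((hit) => sendEvent(...hit));
    }
    return record;
  }

  return { track, decide, getState: () => state };
}
```

Nothing is loaded or sent while the state is unknown, and a later opt-out stops further hits while still leaving a timestamped record.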
Get Comfortable With The Future of Analytics
Any new advancements or upgrades to Google’s Analytics tool will happen on GA4 properties. To be exact, Universal Analytics is slated to get phased out on July 1, 2023; there will be no further investments in the tool.
Start tracking data (again, set that up today) so that by the time Google shuts down Universal Analytics, you’ll be comfortable with the new perspective of analyzing cohorts of customers throughout their life cycle with your business. Then, you can properly let the power of predictive AI insights help you grow traffic as you grow your business.