2 posts tagged with "Analytics Provider"

The European Data Protection Organization NOYB's complaints have prompted various European data protection authorities to express concerns about the use of Google Analytics. These complaints have led to a unified stance among authorities, questioning the legality of data transfers to the USA. European data protection authorities have started issuing warnings to website operators and, in some cases, imposing fines, such as a recent penalty of 1 million euros. This has sparked an examination of the privacy challenges associated with using Google Analytics, considering the statements of supervisory authorities in the context of the new EU-U.S. Data Privacy Framework (DPF).

Google Analytics Overview​

Google Analytics is a website and app usage analysis tool offered for the European market by Google Ireland Ltd. The legal assessment differentiates between Google Universal Analytics and Google Analytics 4 (GA4). Since July 1, 2023, data processing through Google Universal Analytics has ceased, making GA4 the standard version to consider.

The key differences between Google Analytics 4 and Google Universal Analytics can be summarized as the following:

• Anonymize-IP: IP address truncation is now mandatory and limited to EU servers.
• Tracking without Cookies: GA4 is designed to function without cookies in the future, aligning with Google's plan to phase out support for third-party cookies in the Chrome browser.
• AI Analytics: GA4 introduces AI-driven predictions and customer segmentation based on both historical behavior and AI models.
• Multi-Stage User Identification: GA4 attempts to identify users through Google Signals, even without a User ID. This involves manual matching, potentially using customer lists with assigned IDs.
• Cross-Domain Tracking: GA4 retains the capability for cross-domain tracking via cookies.

While GA4 aims to move away from cookie-dependent tracking, current integrations still largely rely on cookies, making GA4 and Google Universal Analytics similar in this regard.

Cookie Tracking in Google Analytics​

User consent for Google Analytics results in the storage of various Google cookies with unique IDs on the user's device. This enables device recognition, facilitating the transmission of various data to Google servers for behavioral analysis.

European data protection authorities have criticized multiple aspects of Google Analytics over the years. Key concerns include data transfers to the USA, compliance with Schrems II rulings, the feasibility of obtaining consent for such transfers, and doubts about Google Analytics' legal classification as a data processor.

Several European data protection authorities have taken action against the use of Google Analytics, citing concerns and issuing warnings. Recent decisions include fines, with each decision generally based on the 101 complaints submitted by NOYB across EU member states.

Impact of the EU-U.S. Data Privacy Framework​

The adequacy decision on the Data Privacy Framework for the USA, effective July 10, 2023, facilitates data transfers to certified recipients in the USA, including Google. Using GA4 instead of Google Universal Analytics may mitigate previous concerns about data transfers to the USA, thanks to this framework. However, full GDPR compliance for Google Analytics remains uncertain, with potential data transfers to other third countries.

While Google positions itself as a data processor for Google Analytics, suspicions persist about Google using the data for its own purposes, potentially leading to a joint responsibility scenario with website operators. Despite the Data Privacy Framework, risks and penalties remain for website operators if Google is found to benefit from data processing.

Regardless of data privacy adequacy and responsibility issues, Google Analytics data processing must be justified. Consent is often required, and obtaining it involves challenges related to cookie consent, GDPR compliance, and potential revocation implications. The intricate interplay between GDPR and the Telemedia Act (TTDSG) highlights the need for careful consideration in implementing and managing consent for Google Analytics.

In conclusion, despite the EU-U.S. Data Privacy Framework, Google Analytics users face ongoing challenges related to data privacy, adequacy, roles, and consent. Navigating these complexities requires a thorough understanding of the legal landscape and careful implementation of consent mechanisms.

Google Analytics 4 (GA4) is upon us. For most organizations, the switch to GA4 is most likely accompanied by the introduction of the GA4 Measurement Protocol. It is a feature designed for developers to directly transmit user interaction data to Google Analytics servers. This is particularly useful for tracking user engagement outside traditional websites, such as in mobile apps or other digital platforms. Users can send various types of data, including pageviews, events, and user properties, by making HTTP requests to the GA4 Measurement Protocol endpoint.

Events, representing user interactions like clicks or views, are a fundamental aspect of GA4, and the Measurement Protocol facilitates their tracking. Moreover, developers can set user properties to provide additional information about users, and user identification is supported to track user behavior across sessions and devices. Furthermore, the GA4 Measurement Protocol offers security features, allowing users to authenticate requests using API keys or OAuth tokens to ensure the integrity and confidentiality of the transmitted data.

In order to understand the compliance (or lack thereof) of GA4 regarding EU privacy regulations and data protection laws, we have to look into the GA4 Measurment Protocol:

• How is it architected
• Which events can be tracked
• What personal data its transmitted

GA4 Measurement Protocol Architecture​

The GA4 Measurement Protocol is architected as a simple HTTP-based system that allows developers to send raw data directly to Google Analytics servers. The architecture involves making HTTP requests to the Measurement Protocol endpoint. Here are key components and steps in the architecture:

Endpoint and Requests​

• Data is sent to the GA4 Measurement Protocol through HTTP requests. The endpoint URL is where the requests are sent, and it usually looks like https://www.google-analytics.com/mp/collect.

Parameters​

• Data is sent in the form of parameters in the URL or as payload data in the body of the HTTP request. Parameters include information like the Measurement Protocol version, tracking ID (associated with your GA4 property), user ID, events, and user properties.

Data Types​

• The protocol supports various data types, including pageviews, events, user properties, and user identification data.
• Events are a central concept, representing user interactions like button clicks, video views, or other custom events.

User Identification​

• The protocol allows for user identification by associating hits with a specific user. This can be achieved by providing a user ID.

Authentication​

• Security features are implemented through authentication mechanisms. Requests can be authenticated using API keys or OAuth tokens to ensure the integrity and security of the transmitted data.

Response​

• Google Analytics servers respond to the HTTP requests with appropriate status codes indicating the success or failure of the data transmission.

A typical request for tracking a pageview might look like this:

https://www.google-analytics.com/collect?v=1&_v=j87&aip=1&a=223002784&t=pageview&_s=1&dl=https%3A%2F%example.org%2F&ul=en-us&de=UTF-8&dt=Example&sd=24-bit&sr=1920x1080&vp=977x937&je=0&_u=QACAAEAB~&jid=&gjid=&cid=1025531235.1534212283&tid=1111111&_gid=279826990.1607867870&gtm=2wgbu0NQP78LZ&z=254312532

The request contains a lot of information:

GA4 Measurement Protocol Event Types​

Google Analytics 4 events are the basis for understanding user interactions on a website or app. Events measure specific occurrences, such as page loads, link clicks, purchases, or system behaviors like app crashes. There are three main types of events:

• Automatically Collected Events: These events are gathered by default when you set up Google Analytics on your platform.

• Enhanced Measurement Events: Collected when you enable enhanced measurement during the Google Analytics setup.

• Custom Events: Predefined events you implement for enhanced reporting capabilities (Recommended Events) or events you define for specific use cases (Custom Events). These won't appear in standard reports, so custom reports or explorations are needed for in-depth analysis.

How events are captured​

Here is an example workflow of how an external link click event is being tracked in GA4:

1. A visitor comes to your website and clicks on a link leading to an external site.
2. Analytics captures the click event, displaying the event details and parameters in the Realtime report.
3. The click event undergoes complete processing by Analytics.
4. The data from the click event is then presented in various dimensions and metrics, ready to be utilized in reports, audiences, and more.

Enhanced Measurement Events​

The Enhanced Measurement option can be toggled in the GA interface, allowing for a seamless integration with your website. Prior to activation, it's imperative to comprehend the specifics of each option and the data they will collect. The ability to turn off specific measurement options provides an additional layer of control.

Let's dive into the events and parameters:

Page Views: This event triggers each time a page loads or the browser history undergoes changes. It automatically collects data on page location and referrer, without capturing any PII.

Scrolls: Triggered when a user reaches the bottom of a page, the scroll event doesn't collect any parameters. It simply measures the percentage scrolled.

Outbound Clicks: Click events occur when users navigate away from the current domain. Parameters collected include link classes, link domain, link ID, and link URL. Importantly, no PII is involved in this data collection.

Site Search: The view_search_results event activates when a user encounters a search results page. It captures the search term parameter, ensuring that only non-identifiable information is logged.

Video Engagement: For YouTube embedded videos, GA4 tracks video_start, video_progress, and video_complete events. Parameters include video provider, title, URL, and visibility. No personal information is recorded.

File Downloads: The file_download event is triggered when a user downloads a file. Parameters collected encompass file extension, name, link classes, ID, text, and URL. There is no inclusion of personal data.

Form Interactions: GA4 tracks form_start and form_submit events when users engage with forms. Parameters include form ID, name, destination, and submit text. As with other events, no PII is captured.

As you can see, turning on enhanced measurement events does not mean that GA4 collects personally identifiable information (PII). However, you might incorporate personally identifiable information in the tracked data yourself such as a URL parameter for outbound clicks. You therefore have to make sure that you do not cause GA4 to collect PII More information about this can be found here: https://support.google.com/analytics/answer/7686480.

GA4 Measurment Protocol Privacy Aspects​

Google has promoted GA4 as a move towards a cookie-free and privacy-friendly web analytics model, but it still raises privacy concerns. Unlike its predecessor, GA4 eliminates third-party cookies and relies on first-party cookies known as Client ID. Similar to the third-party cookies used by Universal Analytics, GA4's cookies contain a unique identifier called Client-ID, making it personally identifiable information under GDPR. Consequently, GA4 continues to transmit personal data to the United States.

GA4 introduces the use of User-ID, which is not a cookie but another tool for cross-device user tracking. User-IDs are considered personal data as they facilitate the identification of individual users within website traffic. The same applies to the unique ID, another parameter processed by Google Analytics to generate a user ID.

Data linkage is a crucial aspect. GA4 processes numerous events and metrics that may not be meaningful on their own but can be combined to identify a user. Google also collects personal data from users signed into their Google accounts, which can be linked to other data collected by GA4, enabling easy user identification. European authorities have recently affirmed that this data is also considered personal.

The fundamental issue lies in the transmission of personal data to the United States, and GA4 does not address this concern. When setting up Google Analytics 4, personal data is still transferred to the USA, posing potential privacy risks.