Google Analytics 4 (GA4) is upon us. For most organizations, the switch to GA4 is most likely accompanied by the introduction of the GA4 Measurement Protocol. It is a feature designed for developers to directly transmit user interaction data to Google Analytics servers. This is particularly useful for tracking user engagement outside traditional websites, such as in mobile apps or other digital platforms. Users can send various types of data, including pageviews, events, and user properties, by making HTTP requests to the GA4 Measurement Protocol endpoint.
Events, representing user interactions like clicks or views, are a fundamental aspect of GA4, and the Measurement Protocol facilitates their tracking. Moreover, developers can set user properties to provide additional information about users, and user identification is supported to track user behavior across sessions and devices. Furthermore, the GA4 Measurement Protocol offers security features, allowing users to authenticate requests using API keys or OAuth tokens to ensure the integrity and confidentiality of the transmitted data.
In order to understand the compliance (or lack thereof) of GA4 regarding EU privacy regulations and data protection laws, we have to look into the GA4 Measurment Protocol:
- How is it architected
- Which events can be tracked
- What personal data its transmitted
GA4 Measurement Protocol Architecture
The GA4 Measurement Protocol is architected as a simple HTTP-based system that allows developers to send raw data directly to Google Analytics servers. The architecture involves making HTTP requests to the Measurement Protocol endpoint. Here are key components and steps in the architecture:
Endpoint and Requests
- Data is sent to the GA4 Measurement Protocol through HTTP requests.
The endpoint URL is where the requests are sent, and it usually looks like
https://www.google-analytics.com/mp/collect.
Parameters
- Data is sent in the form of parameters in the URL or as payload data in the body of the HTTP request. Parameters include information like the Measurement Protocol version, tracking ID (associated with your GA4 property), user ID, events, and user properties.
Data Types
- The protocol supports various data types, including pageviews, events, user properties, and user identification data.
- Events are a central concept, representing user interactions like button clicks, video views, or other custom events.
User Identification
- The protocol allows for user identification by associating hits with a specific user. This can be achieved by providing a user ID.
Authentication
- Security features are implemented through authentication mechanisms. Requests can be authenticated using API keys or OAuth tokens to ensure the integrity and security of the transmitted data.
Response
- Google Analytics servers respond to the HTTP requests with appropriate status codes indicating the success or failure of the data transmission.
A typical request for tracking a pageview might look like this:
https://www.google-analytics.com/collect?v=1&_v=j87&aip=1&a=223002784&t=pageview&_s=1&dl=https%3A%2F%example.org%2F&ul=en-us&de=UTF-8&dt=Example&sd=24-bit&sr=1920x1080&vp=977x937&je=0&_u=QACAAEAB~&jid=&gjid=&cid=1025531235.1534212283&tid=1111111&_gid=279826990.1607867870>m=2wgbu0NQP78LZ&z=254312532
The request contains a lot of information:
| Parameter | Description |
|---|---|
https://www.google-analytics.com/collect? | Google Analytics server |
v=1 | Universal Analytics format |
aip=1 | Whether to anonymize IP addresses |
t=pageview | Event type (pageview) |
dl=https%3A%2F%example.org%2F | Location (URL) |
ul=en-us | User language |
dt=Example | Document title |
sd=24-bit | Monitor color depth |
sr=1920×1080 | Monitor resolution |
vp=977×937 | Viewport size |
cid=1025531235.1534212283 | User's client ID used to associate different hits with a user |
tid=1111111 | Universal Analytics property |
z=254312532 | Cache buster |
GA4 Measurement Protocol Event Types
Google Analytics 4 events are the basis for understanding user interactions on a website or app. Events measure specific occurrences, such as page loads, link clicks, purchases, or system behaviors like app crashes. There are three main types of events:
-
Automatically Collected Events: These events are gathered by default when you set up Google Analytics on your platform.
-
Enhanced Measurement Events: Collected when you enable enhanced measurement during the Google Analytics setup.
-
Custom Events: Predefined events you implement for enhanced reporting capabilities (Recommended Events) or events you define for specific use cases (Custom Events). These won't appear in standard reports, so custom reports or explorations are needed for in-depth analysis.
How events are captured
Here is an example workflow of how an external link click event is being tracked in GA4:
- A visitor comes to your website and clicks on a link leading to an external site.
- Analytics captures the click event, displaying the event details and parameters in the Realtime report.
- The click event undergoes complete processing by Analytics.
- The data from the click event is then presented in various dimensions and metrics, ready to be utilized in reports, audiences, and more.
Enhanced Measurement Events
The Enhanced Measurement option can be toggled in the GA interface, allowing for a seamless integration with your website. Prior to activation, it's imperative to comprehend the specifics of each option and the data they will collect. The ability to turn off specific measurement options provides an additional layer of control.
Let's dive into the events and parameters:
Page Views: This event triggers each time a page loads or the browser history undergoes changes. It automatically collects data on page location and referrer, without capturing any PII.
Scrolls: Triggered when a user reaches the bottom of a page, the scroll event doesn't collect any parameters. It simply measures the percentage scrolled.
Outbound Clicks: Click events occur when users navigate away from the current domain. Parameters collected include link classes, link domain, link ID, and link URL. Importantly, no PII is involved in this data collection.
Site Search: The view_search_results event activates when a user encounters a search results page. It captures the search term parameter, ensuring that only non-identifiable information is logged.
Video Engagement: For YouTube embedded videos, GA4 tracks video_start, video_progress, and video_complete events. Parameters include video provider, title, URL, and visibility. No personal information is recorded.
File Downloads: The file_download event is triggered when a user downloads a file. Parameters collected encompass file extension, name, link classes, ID, text, and URL. There is no inclusion of personal data.
Form Interactions: GA4 tracks form_start and form_submit events when users engage with forms. Parameters include form ID, name, destination, and submit text. As with other events, no PII is captured.
As you can see, turning on enhanced measurement events does not mean that GA4 collects personally identifiable information (PII). However, you might incorporate personally identifiable information in the tracked data yourself such as a URL parameter for outbound clicks. You therefore have to make sure that you do not cause GA4 to collect PII More information about this can be found here: https://support.google.com/analytics/answer/7686480.
GA4 Measurment Protocol Privacy Aspects
Google has promoted GA4 as a move towards a cookie-free and privacy-friendly web analytics model, but it still raises privacy concerns. Unlike its predecessor, GA4 eliminates third-party cookies and relies on first-party cookies known as Client ID. Similar to the third-party cookies used by Universal Analytics, GA4's cookies contain a unique identifier called Client-ID, making it personally identifiable information under GDPR. Consequently, GA4 continues to transmit personal data to the United States.
GA4 introduces the use of User-ID, which is not a cookie but another tool for cross-device user tracking. User-IDs are considered personal data as they facilitate the identification of individual users within website traffic. The same applies to the unique ID, another parameter processed by Google Analytics to generate a user ID.
Data linkage is a crucial aspect. GA4 processes numerous events and metrics that may not be meaningful on their own but can be combined to identify a user. Google also collects personal data from users signed into their Google accounts, which can be linked to other data collected by GA4, enabling easy user identification. European authorities have recently affirmed that this data is also considered personal.
The fundamental issue lies in the transmission of personal data to the United States, and GA4 does not address this concern. When setting up Google Analytics 4, personal data is still transferred to the USA, posing potential privacy risks.