Google just launched its new Google Analytics 4 privacy settings, as it said it would in its recent webinar (which we wrote about previously). Here’s an overview of what was announced, plus some of our thoughts. You can read the Google Support page here.
What will change?
Google says it doesn’t log IP addresses in GA4. Additionally, it claims to drop any sensitive data that it collects from “EU users” before logging that data via (Google-owned) EU domains and servers.
This means that Google has to figure out who is an EU user, in order to decide whether they will process the data on these newly created designated EU-based processing servers.
They do this by performing a geo-location lookup on your IP address. Yes, the IP address which they promise they don’t log. This allows them to get geolocation data, all the way down to the granularity of “city”. However, Google claims this geo-lookup is performed on EU-based servers, before the data is forwarded (without the IP, but with the geo data) to the Google Analytics servers that surface it to you in Google Analytics reports.
Regardless of where a Google Analytics property is based: if an EU user (somebody browsing from an IP address based within the EU) interacts with your analytics, Google will process that data in the EU.
This also means you get a new setting to configure in GA4 (see screenshot below).
But it’s not just geolocation: it’s also metadata
If you disable this for a specific region, it won’t just impact the geo data though! It will also impact the following additional metadata:
– Browser minor version
– Browser User-Agent string
– Device brand
– Device model
– Device name
– Operating system minor version
– Platform minor version
– Screen resolution
So Google seems to be trying to tackle two (potential) problems at once: many would argue that with enough metadata you could still fingerprint unique users. Dropping these fields would make that even harder to do!
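To make the fingerprinting argument concrete, here is an added example (not from Google or from the original post) that measures how many visitors remain uniquely identifiable by their metadata before and after the eight listed fields are dropped. The field names and the six sample hits are constructed for illustration and are not GA4 parameter names or real analytics data.

```python
from collections import Counter

# The eight fields the page lists as dropped when the setting is disabled
# (key names are this example's own, not GA4 parameter names).
GRANULAR_FIELDS = {
    "browser_minor_version", "user_agent", "device_brand", "device_model",
    "device_name", "os_minor_version", "platform_minor_version",
    "screen_resolution",
}

def strip_granular(hit):
    """Return a copy of the hit without the granular metadata fields."""
    return {k: v for k, v in hit.items() if k not in GRANULAR_FIELDS}

def anonymity_sets(hits):
    """Group hits by their full attribute combination; return group sizes."""
    return Counter(tuple(sorted(h.items())) for h in hits)

def unique_fraction(hits):
    """Share of hits whose attribute combination no other hit shares."""
    sets = anonymity_sets(hits)
    return sum(1 for size in sets.values() if size == 1) / len(hits)

def make_hit(browser, os_name, minor, brand, model, res):
    # Constructed sample data, not real analytics output.
    return {
        "browser": browser, "os": os_name, "country": "NL",
        "browser_minor_version": minor,
        "user_agent": f"{browser}/{minor} ({os_name}; {model})",
        "device_brand": brand, "device_model": model, "device_name": model,
        "os_minor_version": minor, "platform_minor_version": minor,
        "screen_resolution": res,
    }

SAMPLE_HITS = [
    make_hit("Chrome", "Android", "1.2", "BrandA", "A-10", "1080x2400"),
    make_hit("Chrome", "Android", "1.3", "BrandA", "A-11", "1080x2340"),
    make_hit("Chrome", "Android", "1.2", "BrandB", "B-5", "720x1600"),
    make_hit("Safari", "iOS", "4.1", "BrandC", "C-2", "1170x2532"),
    make_hit("Safari", "iOS", "4.2", "BrandC", "C-3", "1170x2532"),
    make_hit("Firefox", "Windows", "7.0", "BrandD", "D-1", "1920x1080"),
]

if __name__ == "__main__":
    coarse = [strip_granular(h) for h in SAMPLE_HITS]
    print("unique with granular fields:   ", unique_fraction(SAMPLE_HITS))
    print("unique without granular fields:", unique_fraction(coarse))
    print("anonymity set sizes:", sorted(anonymity_sets(coarse).values()))
```

In this sample every visitor is unique while the granular fields are present, but one visitor (the only Firefox/Windows hit) stays unique even after they are removed, so coarse fields can still single out rare configurations.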
Some thoughts
I think it’s a smart move by Google, because it will spark another discussion. Most privacy advocates will probably argue that the data is still processed on a server owned by Google (a US company) and thus it’s not enough to protect EU users. (Because US companies could in theory be forced to hand over data to government agencies, regardless of whether the data is stored on an EU server owned by the company.)
However, I don’t see any other option for a company like Google.
Their products serve people worldwide. If they want to serve a different version of their software to different regions, the only way to solve that is by performing an IP geo-lookup. They have now done this, and they offer this service… What else can they do? Hire some third-party EU-based data processor company to handle the data obfuscation part for all EU visitors?