Google Analytics 4:
Privacy Settings & Data Control Configuration

Notice
If you want to know more about Google’s stance on using Google Analytics within the EU and under GDPR, and the most recent rulings by European Data Protection Authorities about Google Analytics, visit this page: Google Analytics 4 – Privacy & GDPR Status

Google Analytics 4 has a lot of settings you can configure in the tool itself and when collecting the data. On this page we will try to keep you up-to-date about all these features and how you can customize them to configure Google Analytics 4 in the “Most Privacy Preserving Way”. 

Table of Contents

Configure Google Analytics 4 in the “Most Privacy Preserving Way”

(Latest update: March 22nd 2022)

Integrate with Your Consent Management Platform

Although it’s not a Google Analytics setting by itself, it is important that you connect your consent management platform (“cookie banner”) to your tag management solution and your analytics configuration. If somebody decides to opt-out, your configuration should actually respect that choice.

There are many ways to configure this. If you are using Google Tag Manager, then a low-cost option to explore could be CookieBot. They have a guide outlining integration with Google Tag Manager which you can find here.

Deciding how to exactly implement this on a detailed level is something your company should evaluate with legal counsel. However, building the infrastructure and ability will be required to move forward, regardless of what option you choose. 

consent management platform
consent management platform

Settings to configure within Google Analytics 4

Account Level: Data sharing settings

On the highest level in your Google Analytics 4 admin settings, you can disable the “Data sharing settings” under the “Account settings”.

Property Level: Data Settings: Data Collection

This is where you can activate or deactivate Google Analytics Advertising Features.

If you want to play it safe, simply never click “Enable Google signals data collection”. To be safe, disable Ads Personalisation in all regions.

User Data Collection Acknowledgement

This setting is generating a lot of attention, because it’s very unclear for most people what Google means here. As far as we can see, this is Google’s way of making you responsible for collecting personal data and connecting that to the Google Analytics data, by stating that you have informed your website visitor and collected their rights to do so. However it does not seem to have any technical impact to Google Analytics as far as we know.


Property Level: Data Settings: Data Retention

Data Retention is a tricky one. From a usability point of view, you want as much data as possible in your analytics tool because it makes it more usable. 2 Months of data will only let you compare today with 60 days ago, which is very limited.

One thing that you could do, is configure the Google BigQuery export to export all GA4 data into your own Google Cloud Platform account (where you are the full owner and there is no data processing by Google Analytics happening anymore.) This would require you to do any analysis on data spanning more than 2 months outside of Google Analytics.

We recommend our client to go with the 14 months option and specify that in their privacy policy. But going forward, the 2-month + BigQuery route might become more popular.

Google Analytics 4 Property Settings on Data Retention

Google Analytics 4 Property Settings on Data Retention

Property level: Product Links

One of the interesting features of Google Analytics is that it deeply integrates with other Google Products. Although this is extremely powerful and convenient, it does create some challenges when looking at it from a privacy perspective.

If you want to play it safe, only the BigQuery export (as long as you mention in your privacy policy that you have Google Cloud Platform as a data processor) and the Google Search Console (organic search data, not on user level) can be integrated without changing how we classify Google Analytics.

Once you enable the advertising integrations, the data sharing settings we disabled in earlier settings will get enabled and we’re turning Google Analytics into an advertising tool.

Google Analytics 4 Property Settings on Product Links

Google Analytics 4 Property Settings on Product Links

Settings to Configure in Google Tag Manager

Within Google Tag Manager you can also take several steps to optimize for privacy.

Add “fields to set” to Google Analytics 4 Configuration Tag

There are 2 fields to set when firing the Google Analytics 4 script which determine how Google Analytics processes the data. They correspond with what you’ve configured earlier on in this post under the Data Collection Settings.

The settings are documented here.

Set “allow_google_signals” and “allow_ad_personalization_signals” to “false” to ensure that what we’ve just configured in Google Analytics is also integrated with the data we send towards Google Analytics. (An added benefit is that it’s auditable from the outside by anybody evaluating your setup.)

Please note: anonymize IP and ForceSSL used to be used in Universal Analytics but are default settings for Google Analytics 4.

Google Analytics 4 Fields to Set in Google Tag Manager for Privacy

Google Analytics 4 Fields to Set in Google Tag Manager for Privacy

Use Server-Side GTM to Deploy Google Tag Manager and Google Analytics

This step takes a lot more work but does open up way more possibilities to configure Google Analytics to your exact needs. By running Server-Side Google Tag Manager on your own Google Cloud Platform instance, you now own the data collection endpoint.

If you want to learn more on this topic, please read our blogpost on why Server-Side GTM is essential to preserve Privacy and read Simo Ahava’s extensive guide to setting up Server-Side GTM.