Isaline 16/05/2024 No Comments

Data Privacy: focus on GA4 & nLPD/GDPR

Is Google Analytics Data nLPD/RGPD compliant? What are the risks associated with its use? Get an understanding of the situation to be able to make an educated decision on how you want to track your clients on your website. This article is suitable for people without extended knowledge of Google Analytics or the nLPD.

I’m an SEO consultant specialising in optimising French content for Romandie. Tracking results is key to efficient search engine optimisation. I used to not care about data privacy until summer 2023. Last year, the switch between Universal Analytics and Google Analytics 4 was a turning point where I encouraged my client to think about why they use Google Analytics, what they expect of it and how the data pulled impact their work. Many asked: Isaline, should we quit Google Analytics?
Reading the article 1000 traceurs en 20 minutes: une société sous surveillance from the Fédération Romande des consommateurs was my second prompt to deep dive into the data privacy topic. Innocent actions like buying a train ticket with the national train company (SBB-CFF-FFS) tracks me. As a user, I was shocked ????

What you can expect in this article about Data Privacy, nLPD and GA4

In this article , I share my latest findings on data privacy and Google Analytics 4. Takeaways include tools to check a website’s legal requirements, opportunities and limitations within the Google Analytics 4 setup and perspectives on paid marketing. In the first part of this article, I aim at making a difficult legal discourse understandable. Then, I inform you about the privacy management measures provided by Google.

Analytics. Finally, I discuss the influence of the marketing mix and paid advertising on user’s privacy.

Ultimately I hope you to will:

understand what’s up with GA4 and what you can do about it relatively to data privacy,
foster educated discussions about data privacy in your company.

Legal disclaimer: This article is not legal advice. This article is not legally exhaustive and/or complete.

If you’re not 100% sure about your Google Analytics 4 implementation, request an audit from me. I will lay out in simple terms the technical challenges and options of your implementation. Send me a mail isaline@pilea.ch or call me 079 329 10 82. I will offer you a 30 mn Discovery call free of charge to see if I am a good fit for your project.

What should you do about advertising and tracking relative to data protection?

There is not one single answer I am afraid. You need to

audit your marketing mix and your tool: list the tools that you are using and their potential threats.
make a decision based on your results expectation, your desire to follow the law or stay in a grey zone, and the relationship you want to have with your customers
Update your tools and privacy policy accordingly.

According to the PDF of the PFPDT, companies must audit and modify their programs to create programs respectful of user’s privacy.

Sources and material for this article about Data Privacy, nLPD and GA4

La nouvelle loi fédérale sur la protection des données du point de vue du PFPDT Confédération Suisse, Préposé Fédéral à la protection des données et à la transparence (EDÖB for the Swiss Germans), in the article I refer to this document as ‘the PDF of the PFPDT’.

Le nouveau droit de la protection des données entre en vigueur aujourd’hui Confédération Suisse

1000 traceurs en 20 minutes: une société sous surveillance from the Fédération Romande des consommateurs

On the Swiss Confederation’s website, there is a comprehensive FAQ about data protection. The content is different in French, English and German. I read the French one.

Please note that I freely translate to English sections of documents provided by the Swiss Federal Government and quote their source. The French version is my reference.

Glossary

I use acronyms from the Swiss Confederation in their Swiss French variation:

LPD= Loi sur la Protection des Données, Federal Act on Data Protection

nLPD = New Federal Act on Data Protection (nFADP) = Neues Datenschutzgesetz (revDSG)

GDPR=General Data Protection Regulation

What do you need to know about GDPR and nLPD?

This section explores whet the GDPR is and its differences with the nLPD which is the Swiss adaptation of the European GDPR.

What is the GDPR?

GDPR is a regulation that establishes rules regarding the protection of individuals (not companies) concerning the processing of their personal data and rules regarding the movement of personal data.

This regulation serves to protect us (the users) our freedoms and fundamental rights, including our right to have our personal data protected.

Is the nLPD similar to the European GDPR?

The LPD/FADP is a regulation concerning data protection. Since Switzerland is not part of the European Union, it creates its own law to protect people residing within its territory. According to the PDF of the PFPDT, the LPD is the Swiss equivalent of the GDPR. It’s essentially the same thing, and Switzerland and the EU should “mutually recognize the equivalence of their data protection levels”.

From the perspective of the PFPDT, the LPD is written in the Swiss manner; it is more abstract, uses different terminology, and is shorter. From a technical implementation and documentation standpoint, one can treat the Swiss and European audiences similarly.

What is the purpose of the nLPD in brief?

The nLPD serves to provide a framework of rights and duties to Swiss companies to protect the anonymity of their users. It also provides a legal framework for increased compliance control.

Why does an SEO specialist care about data protection (GDPR)?

I use Google Analytics daily and appreciate its features. For my clients, I audit Google Analytics implementation and build performance tracking dashboards that enable data-led marketing decisions (i.e. decisions based on concrete data). When I started reading about privacy, I wasn’t sure about the legal framework. The information I found online only added to my confusion. For this reason, I decided to write everything down: that’s how I learn best.

What has changed in data protection law in Switzerland?

The revision of the data protection law aims to strengthen the self-determination and privacy of citizens and to ensure these for as long as possible. This provides a framework of obligation and duty for businesses and strengthens the supervisory power of authorities (PFPDT). The PDF of the PFPDT mentions 19 differences between the LPD and the nLPD, I mention a selection in this article.

According to the LPD, what are the duties of website owners towards users?

Website owners must:

Identify privacy and informational self-determination risks in a timely manner.
Implement technical and organisational protection measures from the outset of their digital projects in accordance with data protection requirements (Privacy by Design).
Document high risks and the technical and organisational measures aimed at eliminating or mitigating them must be documented.
“For any intended collection of personal data, the data controller must inform the data subject adequately in advance, whether the data collection is directly from them or not.” (PFPDT).

More concretely, website owners need to:

Inform the user and create a correct Privacy Policy
Obtain the consent from users to collect, store, share and use their data to personnalise ads.
Only collect what’s necessary.
Be able to show written proof of consent.
Provide clear instruction on how to revoke the consent.

What must the Privacy Policy contain?

According to the PDF of the PFPDT, the identity and contact details of the data controller must be provided, as well as the purpose of the processing and, where applicable, the recipients of the personal data. Information must also be provided about the destination state and any guarantees of an appropriate level of data protection.

What data collection about users is allowed according to the nLPD?

By default, the settings should “only process data that is absolutely necessary for the purpose pursued as long as users do not become active and must not allow for further processing.” Data must be systematically anonymized or erased. (PFPDT).

In other words, website owners must define their KPIs, why and how they are using it. They should not collect data for the purpose of collecting data. If asked for it, website owners should be able to explain their data collection and its limitations.

What is legally okay to track on a website?

It is legally okay to track how user’s navigate on your website: page views, time on page scrolling. It is not okay to track anything that is related to the user like their IP address, localisation, their use of other website, application or services. Anything that identifies a user is not okay. In other words, any profiling and remarketing is not okay. Example: it is not okay to retargert a user that viewed a product page on another website that has placeholders for ads (display).

What is the EU-US Data Privacy Framework?

The EU-U.S. Data Privacy Framework is a legal framework concerning the secure and reliable transfer of data between the European Union and the United States.

The EU-U.S. data protection framework is designed to ensure the overall protection of EU citizens’ data when their data is transferred to the United States. It provides guarantees and establishes the Data Protection Oversight Board (DPOB).

The EU Commission has determined that the safeguards offered by the United States are sufficient to authorise the transfer of data between the EU and the USA.

In Switzerland when writing this article (April 2024), the EU-US Data privacy Framework is not in force. We can expect that it will be, usually Switzerland picks up what is created for EU concerning data privacy.

Why is data transfer important?

Talking about data isn’t very concrete; we don’t really realize the information we share and scatter in our daily lives. To give you an idea, check out the survey conducted by the Romande consumer protection agency about trackers.

Imagine, information about you identifying you by your name, age, transportation habits, political opinions, religion, what you read, what you eat. All this information can be accessed and used by whom and for what purpose? That’s the crux of the matter. Does a health insurance company have the right to access it to offer you insurance? Does the government have the right to access it to verify your identity when you fill out a visa application form?

What is Google Analytics 4 and why do website owners use it?

Google Analytics 4 is a tool provided free of charge by Google (to some extent). This tool collects data about your users and their actions on a website or app.

Why do we use a tool that collects data about users?

Understanding what people do and why allows:

Improving a website for the people who use it
Optimising a website to achieve its goal, whatever the goal may be.

The goal of a website can be donation collection, signature gathering, information sharing, product or service sales. Analysing user behaviour helps improve a website and train web professionals.

Is it a good thing or a bad thing to collect data for analysis?

It’s a matter of perspective. Data collection and analysis enable understanding and improvement. For example, let’s consider the website of the La Branche association. The website showcases activities, raises awareness, collects donations, and sells products created in workshops. Web professionals have created the website. If we can train web professionals, it’s because, at some point, data was collected and analysed. Then these web professionals created a useful website for the association.

Let’s take the example of a public service: the subsidy for health insurance in the canton of Vaud. As a public service, the canton of Vaud has a duty to inform its taxpayers and to make information simple and accessible to everyone. It’s because web professionals have been trained that it’s possible to create functioning pages.

Overall, without data collection, we cannot understand or improve a web service. There are many great projects and excellent companies that deserve to be seen and found. That’s what my work is for. That being said, I believe it’s possible to do so with respect for individuals while maintaining financial balance for the company.

Why do website owners use Google Analytics 4?

In my experience, businesses primarily use Google Analytics 4 for reasons of human and financial resources, in other words, it’s simple, convenient, and cheap. Obviously, it’s possible to do things differently, but that requires more thought and potentially more investment.

By using Google Analytics 4:

It’s free, there’s no monthly subscription to pay.
It’s easy to find an external provider or someone internally who knows how to use it.
The setup is quick, simple, and many usable data points are visible.
It’s easy to connect to other tools like GoogleAds: many companies pay for GoogleAds, and obviously, they want results for their money (beware of paid advertising!).
At the start of using the tool, there’s no need to spend a lot of time thinking: many companies collect data without using it.
Switching tools requires (a lot of) time, especially if it’s connected to other tools like GoogleAds or a CRM.

Differences between UA and GA4 regarding data privacy

Between Universal Analytics and Google Anatlyics 4, Google advertised some changes regarding collection (anonymization), storage, duration and settings to disable some collections in its article EU-focused data and privacy. Google mentions that:

“Analytics drops any IP addresses that it collects from EU users before logging that data via EU domains and servers.”
Google Analytics 4 collects all data from EU-based devices (based on IP-geo lookup) through domains and on servers based in the EU before forwarding traffic to Analytics servers for processing,

→ This is okay for Europe thanks to the EU-US Data Privacy Framework. In Switzerland when writing this article, the EU-US Data privacy Framework is not in force.

you have the option to enable or disable collection of those signals on a per-region basis (this is Google Signals)
you have the option to enable/disable the collection of granular location-and-device data on a per-region basis
Default duration of the storage of some data changed.

Caveats about duration of storage

The data of the standard report is stored forever. The data of the exploration reports is available for only 14 months.

How to keep Google Signals off and Granular location and device data collection off?

Go to your Admin Panel by clicking on the bottom left of your menu
Click Data collection and modification
Click Data Collection

If you keep the Google Signal Data Collection off the button looks like blue and it says ‘Turn on’.

If you keep the Granular location and device data collection off, it looks like a check on the left and it stays grey (see image below).

There won’t be any demographic data visible in your Google Analytics when those are checked off. But if you use GoogleAds you might want to use GoogleSignals.

If you use paid advertising you will want to turn on those features

“If you disable collection of Google-signals data, you will not have access to remarketing lists based on Analytics data, advertising reporting features, or demographics and interests.” explains Google. In other words, if you want to use advertising features, you will receive notification and push from Google to turn those signals on. “By enabling the Advertising Features, you enable Google Analytics to collect data about your traffic via Google advertising cookies and identifiers, in addition to data collected through a standard Google Analytics implementation.” says the Policy requirements for Google Analytics Advertising Features.

Website owners are entirely legally responsible

Google takes no responsibility towards you turning those signals on. It is entirely your responsibility as a website owner. Google is clear on this point:

“Because laws across countries and territories vary, and because Google Analytics can be used in many ways, Google is unable to provide the exact language you need to include in your privacy policy. Only you understand the unique aspects and special considerations of your business, and your privacy policy should account for this information that only you can provide.” says the Policy requirements for Google Analytics Advertising Features.

The day I gave my talk at the Pan.Talk meetup in Zurich, Google sent an email warning website owner/advertisers in Switzerland of their legal duty:

“From July 31, 2024, advertisers will be required to obtain Swiss users’ consent to the use of cookies or local storage, where legally required; and for the collection, sharing and use of personal data used for ads personalization.” says Google’s email.

Let’s discuss the Consent Banner

Website owners have to ask for the consent of their user. There are 3 types of consent banners used.

1: Consent banner – Default opt-in, no option

The consent banner informs the user of data being collected. There are no option to opt-out or define preferences. The consent banner includes only an ‘OK’ button to click, sometimes it includes an internal link to a Privacy Policy page.

The data is collected the moment the user lands on the page: GA tracker is fired and that creates a page view in Analytics.

In the example above, we can see a single button named ‘ok’ : the user has no choice and no options.

2. Default opt-in with options to define preferences

The consent banner informs the user of data being collected. There are options to opt-out or define preferences.

In the example above, we can see 2 buttons: the user is encouraged to click ‘ok’ with the default settings as the button is in a bolder color. The second button allows the user to adapt the privacy setting, however the user has no option to completely opt-out.

The data is collected the moment the user lands on the page: GA tracker is fired and that creates a page view in Analytics. From the moment the user opts out the user’s data is no longer collected.

In the video below, we can see the GA4 tracker being fired and a long list of tools. For example, DoubleClick is used for paid advertisement, it is part of Google Marketing Platform. There is a long list of advertising/marketing tools mentioned on the CSS Privacy Policy.

3. Default opt-out

The consent banner informs the user of data being collected. There are options to opt-out or define preferences. User’s data is not collected until the user accepts the collection.

In the example, the user has the option to ‘Accept everything’ or ‘Refuse everything’ or ‘Customise’ which mean choosing preference. The user can click on a link to have further details about the tracking. In this example, the copywriting is what I would call ‘default’ meaning that it has no effort to customise to encourage the user to accept the tracking. I would qualify this example ‘best practice without optimisation’.

The data is collected after the user opts in: GA tracker is fired and that creates a page view in Analytics.

The Consent banner plugin needs to be correctly set up on WordPress

WordPress website owners need to correctly set up the Consent plugin on their website. If not correctly set up, it will fire GA4 before the consent of the user and it will fire even if the user rejects the consent.

In the video below, we can see GA4 being fired before the user accepts data to be collected and even after consent being rejected.

4. No consent banner – I don’t track data because I won’t use it

We rarely talk about it, however it is an option to not install any tracking tool. On the website below, the website owner informs in his privacy policy not using any tracking tools. The website owner is consistent with their use of their website and planning for optimisation: they do not invest in paid advertising and they do not plan to use the data to optimise the website therefore, they don’t track user’s activity.

I used to systematically set up tracking tools on a website. Today, I support my clients to define their KPI to understand why they track their user’s activity and how they will use this knowledge to optimise their website. It is like ‘Marie Kondo-ing’ data: if you don’t use, don’t track and don’t store. Why participate in a system that tracks their users? Google will be using GA4 data no matter if you take data-led informed decisions or not.

In the video below, we can see that there is no remarketing, advertising cookies or GA4 being fired when navigating the website.

What is a correct Consent banner according to GDPR?

The consent banner should:

inform users of the use of cookies and similar tracking technologies on the site,
link to a cookie policy with detailed information about the technology used, the duration of the storage and how to revoke consent,
give users the option to deny or grant consent.

What is a correct user’s tracking according to GDPR?

It tracks the user’s activity on the website after the user gives explicit consent. It does not collect personal information, it does not allow profiling and remarketing.

Data loss and inaccuracy caused by the consent banner

The UK’s Information Commissioner’s Office (ICO) shared that their website traffic dropped by 90.8% after showing their visitors a cookie consent banner. Data loss and data inaccuracy are commonly discussed in the SEO and Analytics community. It turns out that when you ask for users’ consent, they decline. It turns out that if you respect the user’s decision and collect data only after their explicit consent, you see your traffic and activity drop. There is no way around this.

To me, saying ‘data inaccuracy’ is misleading because the data allowed to be tracked is correct. Data loss means that because user’s declining to be tracked, you won’t know of their activity. Is it a loss really or was the data you collected a theft? Taking something from someone without their explicit consent seems wrong in the first place.

Focus on directionality and trends instead of absolute numbers

Dana DiTomaso suggests “to stop focusing on exact numbers and instead focus on directionality because the numbers aren’t exact (they never were exact) and trying to make them so won’t help.”

I like the idea of directionality. When discussing KPIs with my clients, I want them to focus on the trends of their KPI and not the absolute numbers. Looking at a trend and comparing it to another time period is more informative than looking at a total number. Does the trend represent the resources and effort invested? If not, why and what can be changed in terms of process or tasks?

Precision can be a trap, adds Dana. Let’s consider these four potential conversion rates: 5.71%, 5.7%, 6%. Does the additional precision actually change what decision you’re going to make based on this data?

Think copywriting – More people will give consent.

Make the banner more visible and with a good copywriting rather than having a small banner on the bottom of the page. It influences how much data a website collects or loses.

In the example below, the consent banner customises the text to make it friendly. It is a Consent Banner opt out per default.

When clicking on “Customise my preferences’” it provides a list of the tools used that the user can separately accept and a link to the Privacy Policy.

What is Google Consent v2

According to the GDPR, website owners have to ask for their user’s consent and later to provide the consent if asked for it. You can use a Consent Management Platform (CMP) or maintain your own consent solution. Google consent mode is a Google certified CMP. It makes dealing with consent easier for companies using Google Advertising products and Analytics tools. It allows you to adjust how your Google tags behave based on the user’s interaction with the consent banner on your website.

Basic versus Advanced Google Consent mode

In it’s basic set up, Google Consent v2 seems GPRS compliant. In its Advanced set up, Google consent V2 is more of a grey area (not 100% compliant).

Basic

“When you implement consent mode in its basic version, you prevent Google tags from loading until a user interacts with a consent banner.” says Google. In other words, it is default opt-out. It tracks only after the user opted in.

Advanced

“When you implement consent mode in its advanced version, Google tags load when a user opens the website or app.” says Google. In other words it is default opt-in, it tracks before the user has accepted the tracking.

Google provides a useful overview of the two options:

Let’s discuss the marketing mix

Third party cookies have a bad reputation for being intrusive as they track people’s online behaviour without their knowledge or consent.

Why you need to audit your marketing mix

If the marketing mix includes paid advertising and/or remarketing it can cause privacy issues. The more a company relies on paid ads (not SEO) for their traffic the more they might share data with third parties and/or use profiling service and/or data broker.

If you use Google’s Advertising Products : “Google Analytics Advertising Features let you enable features in Analytics that aren’t available through standard implementations.” source.

If you enable the Google Signal Collection, The responsibility is completely yours. “By enabling the Advertising Features, you enable Google Analytics to collect data about your traffic via Google advertising cookies and identifiers, in addition to data collected through a standard Google Analytics implementation.” source.

Wrap up: marketing, consent and all

Data privacy is not only about GA4, it is about the marketing mix and the third party tools. To me, it’s not about GA4 or not GA4, rather how website owners want to play the game and meet their audience.

Website owners need to question their marketing mix, their expectations and their relationship with their users. Using advertising features reduces the privacy of the users. Data sharing increases the risk of breaching privacy laws. To me, companies are responsible towards their users of the tools and methods they are using. Quoting the FRC, “Swiss actors who include these trackers in their applications absolve themselves of responsibility regarding the issues raised, or even demonstrate a lax attitude towards their legal obligations.” Deferring the responsibility to a tool is not good enough. Hopefully this article will help a larger audience understand the issue and options.

It is about an evaluation of risk vs opportunities and personal decisions: How does the company want to meet their users? How compliant does the company want the website to be? What kind of resources does it want to invest? What risks can it afford? How does the company grow? What type of results does the company expect? None of these questions have a simple and straightforward answer and each company/website is different.