With great data comes great responsibility

15th December 2022

By Federico Taboadela

Shifting from Universal Analytics to Google Analytics 4 & how your brand can balance changes to privacy & analytics

With great data comes great responsibility

So said Spiderman’s Uncle Ben. And in our quest to find the right time, right person and right place we’ve become obsessed with data – which is great for business, but it comes at a price. As this year’s Optus breach showed, customers expect brands to be faultless with their data. If we get it wrong, or fall on the wrong side of the law, it can be disastrous for consumer confidence, and your bottom lines.

Plus, the world of privacy is always evolving – the laws are getting stricter all the time. So how do we keep up? More importantly, how do we as marketers act ethically, responsibly and legally?

The answer: it starts with understanding why you’re using the data, and how that’s being affected by the changes in regulation and our software. Today, we’re going to hone-in on the software. Because if you’re not across the implications as it transitions from one version to another, you could be at risk of losing an incredibly powerful business asset – your customers’ trust. Especially if it comes to light that you’re not collecting and using their data ethically or lawfully.

The biggest and most important upcoming software transition is with Google Analytics. In July next year they’re switching off Universal Analytics. Its replacement, Google Analytics 4 (GA4), left behind some old school practices, put privacy first, and was designed to work with the privacy regulations brought in by governments worldwide. In Europe that’s the General Data Protection Regulation (GDPR), and here it’s The Australian Privacy Principles.

That means Universal Analytics, an industry standard of the past decade, will be gone from next July. And if you don’t export your historical records, some of the data you’ve collected with it is scheduled to go six months after.

In this blog we’ll be looking at some updated features in GA4, the regulations that have been introduced and influenced their design, along with how you can ensure your organisation is set up to keep pace with the changes.

So, how did we get here?

It started with Google and the GDPR, published by the European Union way back in 2016.

You’d think by being one of the most advanced tech companies in the world, Google would be pretty well across the regulations.

You’d think that. But even they can get it wrong.

In August 2020, the Austrian Data Protection Authority picked up on a medical news website using Google Analytics in a way that violated the GDPR. Cue a wave of complaints from European regulators. Their issue was that GA’s systems were sending enough information to ID people directly into US servers.

Despite all of Google’s security nous, US surveillance companies could still, in theory, get anyone’s data that ended up in the US.

To fight back against the bad press (some went as far to suggest that Google were behaving illegally), GA4 brought in new features to make privacy controls even stricter.

They toughened up on European users’ IP addresses. Sure, they continued masking IPs by replacing their final digits with zeroes (a feature known as IP Anonymisation) for users around the world. But they stopped logging and storing them altogether in the EU.

In addition to this, Google also enabled the option to stop tracking particular data about a person’s device. This included the device’s brand, model, browser, operating system, screen resolution, latitude and longitude – all information that could be combined with other data to identify a person and where they are with 99% accuracy (a practice known as digital fingerprinting).

Google also had to make sure that analytics data was collected and processed in a local region. So EU-based servers began being the only place to process EU-based data in compliance with the GDPR regulations.

If all of this sounds like a bit of a legal minefield, just know that it is. It’s up to digital marketers to track and keep data ethically and responsibly.

Some thoughts on tracking your customers the right way.

This is by no means the full list. But here some of the major things to keep in mind.

Firstly, those cookie consent prompts that pop up on our websites are a must. Let the people who come to your website decide if they’ll be tracked. Be clear on what consent you’re asking for and why you’re asking for it. And don’t practice bundled consent – that’s where you group lots of different consent options behind one checkbox.

Next, I’d recommend Server-side tagging over the Client-side alternative. It’s a 100% effective way to make a visitor’s IP address anonymous. It takes a little investment, but it will give you more control over who you share your website visitors’ data with.

Be mindful of how you share data across Google’s products, especially when creating and sharing rule-based audiences. To do this in GA4, either leave Google Signals disabled, or set it up so that personalised ads are disabled when a visitor opts out. Never have them enabled by default.

Adopt the Privacy by Design principle. That is, build privacy-law compliance into your company’s infrastructure, processes and tech. For example, have a process in place that handles an individual’s request to access or correct their personal information. Or establish a Data Breach Response Plan so you’re ready if the worst occurs.

And never forget that where your users are based is important. You have to understand what the regulations are across regions, not just in your own.

Of course, there’s a lot more that changed between Universal Analytics to GA4 than we could get across in this piece. We’ll be sharing a booklet soon in which we’ll explore the features that have changed in GA4. This primer was more to help you understand not only the ethics of the issue, but also its recent history – especially with the coming end of Universal Analytics.

That said, privacy laws are progressively getting stricter in every country, including here in Australia. So be ready for the inevitable. The time will come when privacy laws force you to upgrade your infrastructure and practices. To reduce your risk of non-compliance, make sure you upgrade before that time comes. You’ll save yourself a lot of stress, and you might even win more trust from your end users.

If you’re not sure about where to start with Google Analytics, check out the Google Analytics Academy. If you’d like professional help operating in a privacy compliant way, or you simply believe you should invest more in technology and processes to be up to date, we can help. Just get in touch via hello@affinity.ad

Explore more articles

Potential Realised

Are you ready to realise your potential? Whether you want to put your brand, or your career, on the path to growth we should chat.
Call AFFINITY’s CEO, Luke Brown, on + 61 2 8354 4400.