GDPR-Compliant Analytics: Google Analytics Alternatives in the Google Tech Stack
Vlad Flaks, CEO @ OWOX
Olga Mirgorodskaya, Creative writer @ OWOX
Navigating the complexities of GDPR compliance has led many companies to reconsider their reliance on traditional Google Analytics solutions. The shift towards stricter data privacy laws, including GDPR, consent mode, and cookie restrictions, has sparked a search for analytics alternatives that ensure data is stored exclusively within the EU.
Collecting data in compliance with GDPR has become a significant challenge, particularly regarding the usage of tools like Google Analytics, and the necessity for privacy-friendly alternatives in light of recent legal developments.
Yet, transitioning away from a familiar tech stack presents challenges, from steep learning curves to resource-intensive site redevelopment. Explicit user consent is required when handling personal data for marketing purposes, especially before repurposing data for advertising and remarketing efforts.
Fortunately, there’s a viable path forward without abandoning the Google tech stack. This article outlines practical strategies for remaining GDPR-compliant while continuing to leverage Google’s powerful analytical tools.
Discover how to adjust your configurations and practices to meet compliance requirements effectively, ensuring your marketing analytics remain both powerful and lawful. With OWOX BI, you can ensure compliance with the GDPR while working with sensitive data. Don’t waste time and resources on reprocessing data or learning and adopting a new tech stack.
Note: This post was originally published in November 2022 and was completely updated in October 2024 for accuracy and comprehensiveness on Data analytics.
What is Web Analytics?
Web analytics is the process of collecting, analyzing, and reporting data about website usage patterns. It helps website owners and marketers understand how users interact with their websites, including which pages they visit, how long they stay, and what actions they take.
Web analytics provides valuable insights that can be used to improve website design, user experience, and marketing strategies. With the increasing importance of online presence, web analytics has become a crucial tool for businesses to measure their online performance and make data-driven decisions.
Good Old Days of Digital Analytics
A few years ago, everyone who worked in data analytics imagined the coming years as a beautiful world where data and personalization were everywhere, with the ad tech stack developing rapidly.
What do we know about those good old days?
Data Collection
- 99.5% of specialists used Google Tag Manager to send data wherever they wanted.
- 85.7% of specialists used Google Analytics for website data collection, ensuring compliance with GDPR regulations by properly handling analytics data.
Data Processing
- Almost everyone used ETL and DWH for data processing.
- It was really easy to define keys and use them to join data and build any reports you wanted.
Data Reporting
- Various data visualization tools, including Looker Studio and Google Sheets, were seamlessly connected to data storage.
- In short, it was much easier to deal with data without today’s external requirements.
Digital Analytics in 2024
Today, we have to put extra effort into working with users’ data. We don’t have flying cars, and data personalization is not everywhere. In addition, we have requirements and limitations that create additional concerns.
Browsers Limit the Use of Third-Party Cookies
Browsers and platforms limit the lifetime of third-party cookies set by a third-party domain. This affects the display of important identifiers for analytics systems, such as Client ID in Google Analytics 4. Because of this, a significant amount of information on the effectiveness of advertising channels will no longer be available:
- The share of conversions for new visitors will grow. These will not actually be “new” visitors, however, but rather former “returning” visitors who have been assigned a new cookie.
- The share of direct / none conversions will grow.
- The ROI of paid ads in reports will have a 10% to 20% margin of error. Most often, it will be on the lower side.
What is General Data Protection Regulation (GDPR) in Data Analytics?
The General Data Protection Regulation (GDPR) establishes rigorous standards for safeguarding data privacy within the European Union. GDPR impacts how data is collected, stored, processed, and shared in data analytics.
Analysts must ensure that personal data is used ethically, with clear consent from individuals, and for explicitly stated purposes. Data subjects have rights such as accessing their data, requesting corrections, and objecting to processing.
Firms must implement measures to protect data from breaches and ensure transparency in their data practices. Non-compliance can lead to significant fines, making GDPR compliance crucial for businesses handling EU residents' data.
Google Analytics 4 is not GDPR-compliant
After the EU’s General Data Protection Regulation (GDPR) went into effect, Google Analytics users in Europe faced a problem. Google Analytics has become illegal for website operators to use in several countries due to decisions by European data protection authorities, as it does not comply with the GDPR. Ensuring Google Analytics is GDPR-compliant is crucial for businesses to navigate the complexities of data privacy laws and avoid legal pitfalls.
In addition, to comply with GDPR requirements, websites must use consent mode. Google Consent Mode is a vital tool for balancing user privacy and data collection in compliance with GDPR and other data protection laws. A website must not identify users who do not want to share cookies.
Updated Google Analytics 4 (GA4) is designed with privacy considerations in mind and offers features intended to help users manage data collection and compliance with regulations such as GDPR. However, whether GA4 is GDPR-compliant depends on how website owners configure and use it.
The compliance of GA4 with GDPR is not just about the features it offers, but also about the practices adopted by businesses that use it.
Following are some aspects to consider regarding GA4’s compliance with GDPR.
Data Collection and Consent
- User Consent: GDPR requires clear and affirmative consent from users before any personal data is collected. Website owners must obtain explicit user consent to process personal data before activating GA4 tracking on their site. GA4 includes features that can be configured not to collect data until consent is obtained, but it is up to the website owner to implement these mechanisms properly.
- Anonymizing IP Addresses: GA4 has settings to anonymize IP addresses, which is crucial for enhancing Google Analytics privacy and complying with GDPR. Again, implementing this feature correctly is the responsibility of the website owner.
Data Processing and Storage
- Data Processing Agreement (DPA): Businesses using GA4 should ensure they have a Data Processing Agreement in place with Google. This is a key requirement under GDPR, outlining the responsibilities of each party in the processing of personal data.
- Data Storage and Transfer: Concerns have been raised about the transfer of data to the United States, where Google’s servers are located. The EU has stringent requirements for the transfer of personal data outside the EU. Recent legal developments have highlighted the complexities and challenges associated with data transfers, emphasizing the need for organizations to ensure compliance with GDPR regulations. Google offers options such as data localization for GA4, but it’s essential to configure these options in compliance with GDPR.
User Rights
- Access, Rectification, and Erasure: GDPR grants individuals rights over their data, including the right to access, correct, and delete their personal data. GA4 users must ensure they can fulfill these rights when requested.
- Data Minimization and Purpose Limitation: GA4 collects a wide range of data by default. GDPR requires that only data necessary for the specified purposes be collected. Thus, configuring GA4 to limit data collection to what is strictly necessary is crucial.
Security Measures
- Data Security: GDPR mandates that personal data be processed securely. GA4 provides several security features and recommendations, but it's up to the website owner to implement adequate security measures to protect the data.
While GA4 includes features that can help with GDPR compliance, simply using GA4 does not automatically make a website GDPR-compliant. Compliance is determined by how the website owner configures and uses the tool, including obtaining user consent, managing data collection and processing, ensuring data security, and respecting user rights.
Given the dynamic nature of Google Analytics privacy laws and technology, it's also advisable to stay informed about any updates from Google regarding GA4 and any changes in GDPR interpretations or enforcement. Consulting with a legal professional specializing in data protection laws is recommended for specific legal advice and to ensure compliance.
Consent Mode Reduces the Number of Conversions for Which a Traffic Source Can Be Identified
Advertisers will continue to collect user activity data, but they won’t be able to determine which interactions with ads lead to conversions. The average share of users who reject cookies on websites with consent mode implemented is 30%.
Depending on the type of website, this share can reach 40%. Ensuring Google Analytics' compliance with GDPR is crucial in this context, as it involves implementing measures like cookie consent banners and integrating features that align usage with GDPR requirements.
The volume of online conversions in marketing reports will remain the same, but the conversions will not be connected with the source of clicks and completed orders from the CRM. As a result, you won’t be able to attribute most conversions to advertising campaigns and will get a low ROI.
To understand how to make Google Analytics GDPR-compliant, it is essential to outline the necessary steps and considerations for ensuring that the use of Google Analytics 4 adheres to GDPR regulations in all aspects of data handling.
Today, when an analyst begins to think about collecting, processing, and transforming data, they have to answer the following tricky questions.
Data Collection
- What shall I do about the lack of data due to the GDPR, consent mode, and restrictions on the use of cookies?
- What shall I do with consenting users and non-consenting users? How can I distinguish them and get data in my reports that can be trusted?
- What kind of consent do I have to ask for to track UTM parameters? (It’s essential to track UTM parameters to match sessions/website conversions with your campaigns.)
- To which endpoints can I send users’ data? (Double-check what kinds of services you use before you send data there.)
- What kind of data can I track for non-consenting users?
Data Processing
- How can I make sure that European customers’ data is processed and stored in an EU location?
- How does PII data flow through all my data pipelines and transformations?
Those who have already had conversations with their legal teams know how frustrating it can be to provide a clear answer to what’s going on with PII data on its journey to the final report.
Data Reporting
- How can you build roll-up reports for all regions if all those regions have different laws and regulations and also different servers?
- Why are direct traffic and the share of new users unexpectedly increasing?
Let’s do our best to cover all the questions above to make analysts’ lives easier in the coming weeks, months, and probably years.
Google Analytics Alternatives for Businesses
Google Analytics is a popular web analytics tool, but it may not be the best choice for every business, especially those concerned about data privacy and GDPR compliance. Fortunately, several Google Analytics alternatives offer similar features and functionalities while prioritizing user privacy and data security. Some popular alternatives include:
- Fathom: A privacy-friendly analytics tool that tracks website usage patterns without collecting personally identifiable information. Fathom is designed to be simple and easy to use, making it a great choice for businesses looking to comply with GDPR while still gaining valuable insights into user behavior.
- Matomo: An open-source analytics platform that offers a range of features, including custom alerts and tag managers. Matomo allows businesses to host their data on their own servers, ensuring complete control over data privacy and security. This makes it an excellent alternative for those looking to maintain GDPR compliance.
- Plausible: A lightweight analytics tool that focuses on simplicity and privacy, making it an excellent choice for small businesses and individuals. Plausible does not use cookies and does not collect any personally identifiable information, ensuring full compliance with GDPR.
- Umami: An open-source analytics tool that collects no personal information, making it easy to comply with GDPR regulations. Umami is designed to be easy to set up and use, providing essential insights without compromising user privacy.
By considering these alternatives, businesses can continue to leverage powerful web analytics tools while ensuring they remain compliant with GDPR and other data privacy regulations.
What Makes GA4 a Valuable Tool for Optimizing Digital Performance?
Google Analytics, a premier tool from the top search engine company, is crucial for tracking visitor origins, analyzing site interactions, and assessing engagement metrics like bounce rates.
It also evaluates the duration of visits and calculates the proportion of visitors completing key actions, such as making a purchase or subscribing to a newsletter. Despite its strengths, Google Analytics presents both advantages and challenges, making it a powerful but complex tool for web analytics.
Here are a few reasons why we should use it:
- Cost-effective: Google Analytics is available at no cost.
- Centralized data: Integrates with other Google services like Search Console and Google Ads to consolidate marketing data.
- Enhanced B2B marketing: Provides insights into visitor behaviors, such as clicks and scrolling activities.
- Detailed traffic reports: The traffic acquisition report identifies the sources of both new and returning visitors, including direct, organic, and paid channels.
- Resource optimization: Helps prioritize marketing efforts on channels that generate the most traffic and conversions.
How to Keep Using the Google Tech Stack and Be GDPR-Compliant
Almost every marketing team has a formed Google tech stack that everyone is used to, which has worked flawlessly for years. However, the limitations and innovations described above are forcing companies to look for other tools for working with data. The good news is that you can continue using the familiar Google tech stack if you follow these guidelines.
Data Collection
1. Check out geo reports in Google Analytics 4
You have to understand which regions website visitors are from. How many are from the US vs the EU? You definitely have to start working with countries where visitors most commonly come from. We believe everybody knows where to find their geo reports. Check them out and define the list of countries where the majority of your visitors come from.
2. Learn about data protection laws in visitors’ regions
What laws are applicable to visitors from these countries? Thank god, there’s a great website that combines all the laws and regulations around the world and makes it easy to define which you have to follow to be compliant.
3. Deduplicate and prioritize requirements
Once you’ve completed steps one and two, you have to deduplicate all those requirements from different countries. Consult with lawyers to translate from legal English to data analysts’ English.
At the end of this stage, you will have figured out all the privacy restrictions no matter which platform you’re going to send data to. It’s not only about Google.
4. Implement consent mode correctly
Finally, you have to implement consent mode to ensure explicit user consent is obtained. It’s really easy to implement those rules with the help of third-party tags or third-party products that are integrated with GTM. Follow these links to find GTM templates in order to ask your visitors for consent to send their data to analytics services.
Data Processing
Finally, we are getting to the data processing stage. While at the previous stage, you realized what kind of data you could collect with what kind of consent, you can now start capturing and processing this data.
Everybody knows that we can no longer just send PII data to GA4 as we did before — not even if the data from GA4 is then exported to GBQ and the location of GBQ is set to EU. This is because EU laws say you cannot send PII directly to GA4 without a proper setup.
1. Configure Google Analytics 4 and Google Tag Manager
This is not the hardest task. All you need to do is go over this checklist, accept the new Google DPA, and disable the Data sharing settings. Most importantly, ghost hits and Google signals have to be disabled as well.
With the above done, you can make GA4 compliant in terms of privacy and all regulations by preventing the collection of PII without consent.
However, as soon as you adjust all these settings in GA, you will find that the really important data is nowhere to be found in GA4 or, consequently, in Google BigQuery Export.
We are talking about granular location data, some PII data that you need for certain reports, and some custom dimensions that are used as a key to join it, for instance, with CRM data.
Obviously, this state of affairs won't work for you because, at the end of the day, as an analyst, you want to build an actionable report, and you want to deal with SQL-accessible data. Luckily, there is another solution you can implement: server-side tracking.
2. Set up cookieless server-side tracking
You can use the OWOX solution or build your own.
The Dutch Data Protection Authority has been actively investigating complaints against Google Analytics, highlighting its role in addressing data protection issues similar to those raised in other European countries.
Either way, the most important thing about the server is that it must be located in the EU. This is how you can be sure that all PII data is filtered before you send it to any other service.
Based on our experience, server-side tracking increases the accuracy of acquisition campaign tracking by 20%. So, there is a business reason, not just a legal reason, for migrating to server-side tracking.
3. Set up a server-side tag manager
The third part is setting up a server-side tag manager. Why is it important? Because you’d like to have control over all the data you send not just to your analytics service but to all third-party ad services as well (Facebook, Bing).
At this point, you can host your server-side tag manager in an EU location and filter out all PII fields, such as IP address. You can send just the data required for each ad service.
This is how you can export data in a way that complies with GDPR requirements.
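The per-destination filtering described above can be sketched as a fail-closed allowlist. This is an added example, not OWOX or Google Tag Manager code; the field names, the `ALWAYS_DROP` set and the per-destination field lists are assumptions, and only the destination names and the IP-address example come from the article.

```python
# Added example: fail-closed field filtering before events leave an EU-hosted
# server-side tag manager. All field names below are assumed for illustration.

# Fields that never leave the server, even if a destination list names them.
ALWAYS_DROP = {"ip", "email", "phone"}

# Each destination receives only the fields it needs (assumed requirements).
DESTINATION_FIELDS = {
    "analytics": {"event", "page", "timestamp", "campaign", "order_value"},
    "facebook": {"event", "timestamp", "order_value"},
    # "ip" is listed here on purpose to show that a config mistake is contained.
    "bing": {"event", "timestamp", "campaign", "ip"},
}

# Constructed sample event (documentation IP range, example.com address).
SAMPLE_EVENT = {
    "event": "purchase",
    "page": "/checkout/done",
    "timestamp": "2024-10-01T12:00:00Z",
    "campaign": "autumn_sale",
    "order_value": 49.9,
    "ip": "203.0.113.7",
    "email": "visitor@example.com",
}


def build_payload(event, destination):
    """Return (payload, withheld_fields) for one destination.

    Unknown destinations get no payload at all, and every field that is
    not explicitly allowed is reported so the decision can be audited.
    """
    allowed = DESTINATION_FIELDS.get(destination)
    if allowed is None:
        return None, sorted(event)
    allowed = allowed - ALWAYS_DROP
    payload = {name: value for name, value in event.items() if name in allowed}
    withheld = sorted(name for name in event if name not in payload)
    return payload, withheld


def fan_out(event):
    """Build the filtered payload for every configured destination."""
    return {dest: build_payload(event, dest) for dest in DESTINATION_FIELDS}


if __name__ == "__main__":
    for dest, (payload, withheld) in fan_out(SAMPLE_EVENT).items():
        print(dest, payload, "withheld:", withheld)
```

The list of withheld fields per destination is the kind of record a legal team can review alongside the pipeline description.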
If you still face objections from the legal team, say: Hey, how do we make sure that nobody can access our visitors’ PII data in Google BigQuery?
At this point, there is also a solution. You can turn on customer-managed cloud KMS keys and encrypt your data in order to prevent anyone, and I mean anyone, from getting access to it.
To be honest, we haven’t encountered any organization that would still have doubts about using GCP once they have followed all of these recommendations.
User Data Deletion and GDPR Compliance
User data deletion is an essential aspect of GDPR compliance. The regulation requires businesses to delete personal data when it is no longer necessary for the purpose it was collected. Google Analytics 4 (GA4) provides a User Explorer report that allows website owners to differentiate users and erase a user’s data from GA4 if required. However, it is crucial to note that GA4 does not automatically delete user data, and website owners must take proactive steps to ensure compliance.
To ensure GDPR compliance, businesses should implement a data deletion policy that includes:
- Regularly reviewing and deleting unnecessary data: Periodically audit your data to identify and remove any information that is no longer needed for your business purposes.
- Providing users with the option to delete their data: Make it easy for users to request the deletion of their personal data. This can be done through a simple form or a dedicated section on your website.
- Ensuring that data is deleted securely and irreversibly: When deleting data, ensure that it is done in a way that prevents it from being recovered. This may involve using specialized software or services that guarantee secure data deletion.
- Documenting data deletion processes and procedures: Keep detailed records of your data deletion practices, including the methods used and the dates on which data was deleted. This documentation can be crucial in demonstrating your compliance with GDPR requirements.
By prioritizing user data deletion and GDPR compliance, businesses can build trust with their users and avoid potential fines and reputational damage. Ensuring that your data practices align with GDPR not only protects your business but also fosters a positive relationship with your audience.
Google BigQuery Data Schema with Consent Mode
Now, let’s jump to some more practical recommendations. What does consent mode look like?
As soon as you start sending data with consent (for example, using OWOX BI), you will get a dedicated parameter that contains this consent mode.
Here is a session table. As you can see, it has a dedicated ConsentMode field that contains the value of consent granted on the website.
How Consent Mode Works
In order to collect data for analytics purposes, you have to get consent, and you can figure out the consent options with the value of this ConsentMode parameter. If the gsc parameter has one of these values, you may collect your data for analytics purposes.
However, if your website visitors haven’t given their consent, you still can store their data but without any personally identifiable information — just like how your web server logs contain IP addresses and user agents but don’t have unique user IDs.
Unlike Universal Analytics, the newer Google Analytics 4 (GA4) offers privacy-centric upgrades such as user data deletion capabilities and automatic IP anonymization, addressing limitations in Universal Analytics. Transitioning from Universal Analytics to GA4 is essential for compliance with evolving privacy laws like GDPR.
Let’s take a look at how it works.
Example scenario with no consent granted
Imagine you have not been granted consent. Now, each hit will have a new client ID and OWOX user ID.
On top of that, granular location data will be unavailable. The idea behind this is the following:
- You cannot collect any kind of data that can directly or indirectly identify the individual. What kind of data is that? City, latitude, longitude, browser (meaning minor version number and user agent), anything that can be used for fingerprinting, including device brand/model, and so on.
- However, you can store non-PII data, such as page views, without any PII that can be used to identify individuals. Below, you will find out why you need this data.
The most obvious idea is to get the totals, right? We believe that everyone would like to have accurate totals in terms of page views and number of conversions, and it doesn’t matter which particular users these metrics come from.
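The no-consent scenario above, worked through as an added example (not OWOX code): identifying fields are removed, every hit gets fresh IDs, and totals stay accurate. The field names and the boolean `consent_granted` flag are assumptions, since the article does not list the ConsentMode values.

```python
import uuid

# Added example. Field names are assumed; the article names the categories
# (city, latitude, longitude, user agent, device brand/model) and, in the
# server-side tag manager section, the IP address.
IDENTIFYING_FIELDS = {
    "city", "latitude", "longitude", "user_agent",
    "device_brand", "device_model", "ip",
}


def make_hit(event, consent, client_id):
    """Build one constructed raw hit as it arrives at the collection server."""
    return {
        "event": event, "consent_granted": consent,
        "client_id": client_id, "user_id": "u-" + client_id,
        "country": "DE", "city": "Berlin",
        "latitude": 52.52, "longitude": 13.40,
        "browser": "Chrome", "browser_version": "126.0.6478.127",
        "user_agent": "Mozilla/5.0 (constructed)",
        "device_brand": "Google", "device_model": "Pixel 8",
        "ip": "203.0.113.7",
    }


# Constructed sample: one consenting and one non-consenting visitor.
SAMPLE_HITS = [
    make_hit("page_view", True, "cid-A"),
    make_hit("page_view", True, "cid-A"),
    make_hit("purchase", True, "cid-A"),
    make_hit("page_view", False, "cid-B"),
    make_hit("page_view", False, "cid-B"),
    make_hit("purchase", False, "cid-B"),
]


def scrub_hit(hit):
    """Return the version of a hit that may be stored for its consent state."""
    # Fail closed: a missing or non-boolean flag is treated as no consent.
    if hit.get("consent_granted") is True:
        return dict(hit)
    clean = {k: v for k, v in hit.items() if k not in IDENTIFYING_FIELDS}
    # A fresh random ID on every hit, so hits cannot be linked to one visitor.
    clean["client_id"] = str(uuid.uuid4())
    clean["user_id"] = str(uuid.uuid4())
    # Keep the major browser version only; the minor version aids fingerprinting.
    if "browser_version" in clean:
        clean["browser_version"] = str(clean["browser_version"]).split(".")[0]
    clean["consent_granted"] = False
    return clean


def process(raw_hits):
    """Scrub every raw hit before it is written to storage."""
    return [scrub_hit(hit) for hit in raw_hits]


def totals(stored_hits):
    """Totals cover all hits; users are countable only where consent exists."""
    consenting = {h["client_id"] for h in stored_hits if h["consent_granted"]}
    return {
        "page_views": sum(1 for h in stored_hits if h["event"] == "page_view"),
        "conversions": sum(1 for h in stored_hits if h["event"] == "purchase"),
        "identified_users": len(consenting),
    }


if __name__ == "__main__":
    print(totals(process(SAMPLE_HITS)))
```

Counting distinct client IDs across all stored hits would inflate the user count, because each non-consenting hit carries its own ID; this is the same effect that raises the share of new visitors in reports.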
Data Reporting Starts with Data Lineage
Now, let’s move to data reporting, which starts with data lineage. As soon as you collect all your data, you probably cannot avoid answering how your PII data flows, and how to set and control all your data transformations, joining, and cleaning.
It would be great to have a dedicated tool that shows all those transformations and how you arrived at the final report in the clearest and the most auditable way — a tool that would help you understand if your PII flows correctly.
For instance, as soon as you collect data from different regions, you’ll need to join it to build a roll-up. Or say that data on which users give consent and don't give consent is stored separately, and the overall metric needs to be calculated in one report. To do this, you need knowledge of the data schema.
You will need to keep dozens of transformations in your head. And if suddenly an error appears in the calculations, without a clear and understandable data lineage, you will spend a lot of time searching for and eliminating it. These are just a few of hundreds of use cases when you need data lineage.
To solve this problem, which our clients have often faced, we have created a clear transformation graph in OWOX BI that clearly shows how, where, and why your data is moving.
With it, you can easily see the calculation logic and influence it:
- Track how data moves and changes from connectors to dashboards.
- Set and control data transformations and metrics calculation logic in each report.
- Manage SQL transformations in a few clicks.
- Schedule data updates to keep data fresh.
- Immediately see any error or delay in updating data.
1. Create a data catalog
First, a data catalog is a way to organize your inventory of data assets, especially those that contain PII data. You have to have a clear mark of what type of PII data it is. For instance, you might encrypt your data, hash it, or decrypt it. It depends on how you are going to use it.
2. Assign an owner for each data asset
Secondly, you have to assign an owner for each data asset. For instance, you can set yourself as the owner for Visitors in order to easily understand who owns the data and what kinds of fields are related to PII data.
3. Define PII security on a column basis
Last but not least, you can even define PII data security on a column basis to determine if you’d like to encrypt the data or hash it.
The great news is that GC offers a simple way to use column key encryption without any need to rewrite all SQL queries from scratch.
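The three steps above (catalog, owner, column-level treatment) can be combined into one small policy, shown here as an added example that is not OWOX or Google Cloud code. The catalog layout, column names and demo key are assumptions, and a keyed hash (HMAC-SHA-256) stands in for the "hash it" option; encryption itself is left to the warehouse.

```python
import hashlib
import hmac

# Added example. Constructed catalog: every table has an owner, and every
# column carries a PII flag and a treatment ("keep", "hash" or "drop").
CATALOG = {
    "visitors": {
        "owner": "analytics-team@example.com",
        "columns": {
            "crm_customer_id": {"pii": True, "treatment": "hash"},
            "email": {"pii": True, "treatment": "drop"},
            "country": {"pii": False, "treatment": "keep"},
            "page_views": {"pii": False, "treatment": "keep"},
        },
    },
}

# Constructed demo key; a real key would come from a key management service.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample row.
SAMPLE_ROW = {
    "crm_customer_id": "C-1001",
    "email": "visitor@example.com",
    "country": "DE",
    "page_views": 7,
}


def pseudonymize(value, key):
    """Keyed hash: the same value and key always give the same token,
    so the column can still be used as a join key against CRM data."""
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()


def apply_column_policy(table, row, key):
    """Apply the catalogued treatment to every column of one row."""
    columns = CATALOG[table]["columns"]
    # Fail closed: a column nobody has classified must not pass through.
    unknown = sorted(set(row) - set(columns))
    if unknown:
        raise ValueError(f"uncatalogued columns in {table}: {unknown}")
    out = {}
    for name, value in row.items():
        treatment = columns[name]["treatment"]
        if treatment == "keep":
            out[name] = value
        elif treatment == "hash":
            out[name] = pseudonymize(value, key)
        # "drop": the column is left out of the result.
    return out


def pii_columns(table):
    """List the PII columns of a table, e.g. for a legal review."""
    return sorted(n for n, c in CATALOG[table]["columns"].items() if c["pii"])


if __name__ == "__main__":
    print(CATALOG["visitors"]["owner"], pii_columns("visitors"))
    print(apply_column_policy("visitors", SAMPLE_ROW, DEMO_KEY))
```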
Key Takeaways
By following the recommendations in this article, you will be able to:
- Get all of your data in Google BigQuery
- Filter all PII data for non-consenting users
- Avoid losing non-consent PII data to get totals and build roll-up reports
- Tell your legal team how your data flows through all pipelines
FAQ
- What are some popular alternatives to Google Analytics?
Some popular alternatives to Google Analytics include Matomo (formerly Piwik), Adobe Analytics, and Clicky. These tools offer similar functionalities and features for website tracking and analysis.
- Are these Google Analytics alternatives free to use?
While there are free versions available for some alternatives like Matomo and Clicky, most comprehensive analytics solutions come with paid plans that offer additional features, enhanced support, and higher data limits. Adobe Analytics, for example, is typically a paid tool with various pricing options based on specific business needs.
- Can I easily migrate from Google Analytics to one of these alternatives?
Yes, most Google Analytics alternatives provide ways to facilitate the migration process. They often offer data import tools or integrations that enable you to transfer your existing Google Analytics data to their platform. It's important to note that there may be some variations in terms of which data and insights can be transferred, so it's recommended to review the migration process specific to each alternative before making a switch.
- Is Google Analytics GDPR-compliant?
Google Analytics can be made GDPR-compliant with the proper implementation. Businesses must configure it to respect user privacy by ensuring anonymization of IP addresses, obtaining user consent before tracking, and ensuring data is transferred securely.
- Will Google Analytics 4 be GDPR-compliant?
Google Analytics 4 is crafted with a stronger emphasis on privacy, potentially simplifying GDPR compliance. It offers improved data deletion capabilities and does not store IP addresses, which helps in aligning with GDPR requirements.
- How can I ensure that Google Analytics aligns with GDPR regulations?
To make Google Analytics GDPR-compliant, you should configure data collection settings to anonymize IP addresses, obtain explicit consent from users before data collection, limit data retention settings, and ensure data is processed in a manner compliant with GDPR.
- What is GDPR in Data Analytics?
GDPR in data analytics refers to the application of GDPR principles ensuring data privacy and protection in the processing and analysis of personal data. Compliance involves adhering to lawful processing, maintaining transparency, and securing consent from data subjects.
- What is Google Analytics 4 privacy policy?
Google Analytics 4 (GA4) emphasizes user privacy by not storing IP addresses and focusing on event-based data collection. It supports data deletion requests and anonymizes user identifiers. GA4 provides enhanced privacy controls, including data retention settings and consent mode, for compliance with regulations like GDPR. This approach helps businesses adapt to a privacy-focused digital environment.