Description
We've recently introduced GA4. We use it to learn how our website is used.
We'll keep track of measures we're taking or still have to take to make tracking compliant.
Note that we have no intention of tracking any personally identifiable information.
From this guide I understand the following:
ePrivacy Directive (EU “Cookie Laws”)
- Don't store any cookie without consent.
General Data Protection Regulation (GDPR)
- Don't track any personal information without
  - providing the purpose
  - having consent
It is possible to not track personally identifiable information (PII) at all.
Some features need to be configured for that:
- disable Google signals data collection (get started button means it's disabled)
- disable Ads Personalisation
- disable collection of user IP addresses (configured in Google Tag Manager)
Quoting a piece that summarises GDPR compliance:
Generally, if you do not have Google Signals data collection enabled within GA4, are not linking your Google Analytics 4 properties with Google Ads, and are only using the data in analytics for aggregate statistical reporting purposes, then it’s possible that no GA4 data will be classified as “personal data” and therefore the principles of GDPR will not apply. This also assumes you are not collecting any “personal data” in custom parameters associated with events, either.
California Consumer Privacy Act (CCPA)
It has a different (stricter) rule for what "personal information" is. This makes the anonymous client ID fall under "personal information" under the CCPA, meaning GA4 is always affected.
However, you're free to collect personal information as long as you don't sell it.
- Do not enable Google Ads as that may mark it as "selling" personal information.
Quote from that article regarding CCPA:
Generally, if you are only using GA data for reporting purposes within Google Analytics, then you wouldn’t be “selling” any of this data.