Google Analytics IP Anonymization and GDPR Compliance

The GDPR caused significant changes in how we use Google Analytics and how the tool itself has changed. In the new version, GA4, IP addresses from visitors of the EEA zone are automatically removed. Yet, there is still a heavy discussion going on about whether these measures are sufficient to comply with the GDPR.

Key takeaways

  • Google Analytics 4 doesn’t log or store IP addresses from the EU.
  • That is a big step towards GDPR compliance.
  • IP addresses can namely be used to reveal the identity of users. 
  • Yet, not all EU countries agree that these measures are sufficient to protect the privacy of its residents
  • A study from 2018 showed that IP anonymization has a low impact on geo location data.

Does Google Analytics 4 collect IP addresses?

No, it doesn’t log or store IP addresses for traffic in the EU. As an additional measure towards GDPR compliance, GA4 sends the data from EU users to servers based in the EU.

That may sound logical to you, but let’s not forget that Google is a US company that thrives on collecting data of people. And that has been a sensitive matter for quite some time. 

How do I know? 

Long before the GDPR went into effect, the Data Driven U team was investigating how these changes would affect your Analytics data. And we've delved deep into some of the potential GDPR compliance problems with your analytics data collection. 

We found and shared solutions with our blog and newsletter readers and the data-driven members of our thriving community

At this very moment, things are still changing. You need to be aware of the following fact:

I am not a lawyer and it is your sole responsibility and duty to consult your legal department or a lawyer for all matters related to privacy and local regulations.  

So, what was all this fuss about IP addresses actually about?

Under GDPR, IP addresses are considered personal data. The famous EU privacy law forbids businesses to collect and store personal data of users located in the EEA without explicit consent of the owner of the data. 

Now, you may think that IP addresses are only some digits with dots in between. But that unique number allows technology to track the whereabouts of devices. Add surfing history to the mix and you can quickly understand the concerns about privacy. 

Is GA4 IP anonymization enough to comply with GDPR?

In 2020, an Austrian privacy activist campaigned against Facebook. It led to the end of the EU-US Privacy Shield framework. If you are interested in the legal details, you can read them here

What still matters today is that Google Analytics and GDPR compliance has become a foggy landscape and it’s unlikely that the clouds will clear up soon. 

Some countries are still in doubt, others are taking measures, like Italy did in 2022 and Austria banned it in December 2021. 

Is Google Analytics 4 GDPR compliant out of the box?

The answer is, No. It's my understanding that the standard Google Analytics 4 setup does not comply with GDPR. For some EU countries, such as Austria, even the built-in IP anonymization is considered as a violation of the EU privacy rules. Others, like France and The Netherlands are figuring it. 

The logic and reasoning behind the objections against GA is simply put as follows: Google sends data to US based servers and there is not any guarantee that the government won’t get access to this data. 

Advanced Google Analytics installs and personal data

Advanced Google Analytics installations can track many forms of personal and third-party data. These installations can track demographics, display features, user IDs, custom dimensions, etc.

We will not spend too much time talking about advanced GA installs in this article, because if you want to track this data, you should be strongly considering asking for consent from users instead of trying to circumvent the system.

A lot of analytics geeks utilize advanced Google Analytics tracking code installations. In these cases, there's not one setting you can change to become GDPR compliant. It's going to take more work than that, like gathering user consent. The alternative is to stop collecting user data.

What reports does IP data enable? 

IP data fuels your Geo reports, custom service provider dimensions, and also allows you to filter specific users from reports by entering their IP address which can allow you to do several things including filtering internal traffic.

But as you know from the above, GA4 anonymizes IP addresses That raises the following question… 

What was the impact of IP anonymization on your Google Analytics data?

You might be wondering if losing IP data compromised the accuracy of your reports. Let's look at how the loss of IP data affects our measurement accuracy.

Spoiler alert: IP addresses report the wrong city all the time!

IP addresses commonly misreport your location. I know this because every time I log on to this blog, my dashboard tells me I am in a city 20 miles away from where I am currently located.

That said, Google Analytics seems to have a more accurate IP reporting database than most other platforms. And with anonymized IPs, your Google Analytics data will be about 30% less accurate at the city level.

In 2018, Huiyan at Conversion Works did an excellent study about the impact of anonymizing IPs on Google Analytics data. 

Huiyan found that IP anonymization only affects city-level data in Google Analytics.

Her study found that losing IP data had almost no impact on the accuracy of your continent or country-level data.

Huiyan's study showed us that you will lose some accuracy from your city-level reporting data. Your city-level reporting accuracy may even decrease by about 30% for users on desktop or tablet devices.

So what's my reaction to this? I'll let the late, great Chris Farley answer that question.

Lad-dee Friggin' Daa!

The loss of IP address data is not a significant loss (for me).

I don't see losing some city-level reporting accuracy as a big deal. Keep in mind your city-level data won't be entirely inaccurate, it will just be less accurate. So, you'll still have a good idea of the general city area of your users. But your reports might not be able to identify your user’s specific locations or neighborhoods.

Essentially, the city dots on your Google Analytics reporting map might have gotten a little bigger since GA started anonymizing user IP data.

I suppose if you're doing highly targeted, local market analysis, this data loss could be a cause for concern. And in that case, it’s likely that you are tracking enough data that you will want to consider obtaining tracking consent anyway.

Final note

In a GDPR world, the automatic GA4 IP anonymization makes it easier to respect the privacy of users. 

Yet, IP addresses are only one aspect of this unsettled complex matter.

The more data you track and the more tools you connect and use in your business, the more complex it becomes to untangle the web of regulations and comply with every single one of them. 
But don’t you ever dare to use that as an excuse to ignore data. Instead, collect only the data you need to run and grow your business while respecting the privacy of your users. If Google Analytics is not an option for you, there are always alternatives.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top