Google Analytics 4 New Privacy Controls Help Banks Stay Compliant

By Andrew Miller

TThere’s no doubt that the world of digital marketing is more measurable these days, thanks to advancements in technology and an emphasis on analytics. The latest version of Google Analytics, named Google Analytics 4 or GA4, is rolling out now and will change the way banking marketers measure their website and campaign performance when it becomes the only option in July 2023.

The holy grail for banking marketers is tracking website visitors through their journey to opening accounts or applying for loans and beyond. This typically requires working with personally identifiable information (PII) and can create challenges in staying compliant with privacy regulations such as the California Consumer Privacy Act and Virginia’s upcoming Consumer Data Protection Act. Other states are considering similar measures.


And let’s not ignore customer perceptions of privacy and convenience. A 2021 survey by Statista reveals that 48% of American Internet users think it’s impossible to protect their privacy online and 69% are willing to accept some risk to their online privacy to make their lives more convenient.

Marketers must juggle competing priorities of providing convenient and personalized services while maintaining user privacy. Fortunately, Google Analytics 4 has robust built-in privacy controls to help banks stay compliant with regulations and help their users feel more in control. Marketers are advised to check with their local regulatory bodies and consider these controls when planning their GA4 migration.

Google Analytics 4 does not collect personally identifiable information by default

Google prohibits marketers from sending or storing any information in Google Analytics that could be used to directly identify an individual. This includes names, usernames, email addresses, mailing addresses, phone numbers and GPS coordinates. GA4 goes a step further by not collecting or storing IP addresses, which may also be considered personal information in some jurisdictions.

Now that we know that GA4 does not allow PII by default, here are the steps marketers should consider in response to additional privacy features when transitioning from Universal Analytics to GA4.

Adjust data retention periods at the user level

The previous generation of Google Analytics allowed marketers to choose “not to automatically expire” for user-level data. But this poses privacy concerns in some jurisdictions. GA4 only retains user-level data for two months by default. That’s not long enough if you plan to measure the effectiveness of campaigns that can take months to turn visitors into customers. The retention period can be extended up to 14 months in the administration settings.

This setting only affects user-level identifiers and cookies. Aggregated and anonymized reporting data is available for long-term reporting purposes.

thousand 1

Respond to data deletion requests in GA4

Many current and planned privacy regulations allow individuals to request that their personal data be removed from a system. This may extend to web analytics platforms that store user IDs or other identifying information. GA4 allows marketers to request deletion of all data associated with an anonymous ID or logged in user.

Integration with consent management platforms

Many privacy regulations allow individuals to opt-in or opt-out of being tracked online. Websites and apps should respect their preferences. Specialized consent management platforms exist to manage user choices and integrate with GA4 to enable only authorized tracking mechanisms.

LES GA4 Consent Mode dynamically adjusts the cookies and tracking methods enabled based on the preferences indicated by the user.

Limit data collection by geographic area

Limitations on user data collection vary by country or state. GA4 has granular and localized controls built in to allow bank marketers to comply with regulations in a particular jurisdiction without sacrificing the ability to measure performance in other regions.

The Admin Settings area of ​​GA4 provides country and US state level tracking options in case your bank operates in areas with tighter geo data and device level restrictions.

Miller 2

Update your site’s privacy policy to build user trust

It’s easy to forget that users have a right to know how they are being tracked, what options they have to limit their tracking, and in some cases, how to request that their data be removed from a system. Your website’s privacy policy is the first place users will look for this information.

With so many analytics configurations available to marketers, it’s important to review and update your privacy policy regularly to ensure your visitors understand how their data is being used. This often involves compliance and legal reviews, so plan accordingly.

Planning a privacy-centric migration to GA4

The balance between privacy and user convenience is full of trade-offs, but GA4 makes it easier than ever to find the right mix based on your customers’ desires and local regulations. With just under a year until GA4 becomes the only option available to Google Analytics users, marketers should start planning their migration now. Knowing your privacy options ahead of time will help you prepare for a successful migration.

Andrew Miller is co-founder and vice president of strategy at Atelier Numérique, a digital marketing agency in Richmond, Virginia.

Leave a Comment