Fight, Flight or Freeze: Will you (continue) to use Google Analytics 4?

We are not lawyers. We don’t give any legal advice. This post should not be taken as legal advice. Please consult with a lawyer and a privacy legislation professional before taking any decisions.

The main thing I’ve been discussing with clients over the last few months is:

Should we move away from Google Analytics? If yes, to what and why?

The reason clients ask this question is two-fold: because of privacy regulations and because of the switch to Google Analytics 4. There is now a new implied risk to using any third party analytics tool, and the switch from Universal Analytics to Google Analytics 4 requires an investment which will always trigger the evaluation of why.

To answer this question, there are a couple of questions you should ask yourself first.

  1. How valuable is your data to you?
  2. How much risk does your data pose to you?

Once you’ve figured these 2 questions out, you are able to plot out your next move.

Valuableness of Data and Riskiness of Data

How do you define Value?

A well know quote is that value is in the eye of the beholder. But when we’re talking about business value, we should be able to somehow tie our outcomes to achieving business objectives. So when we talk about “the value” in this post, we’re looking at the value the data can add to the business. Some examples could be:

  • Data that is collected and used within the core product you are offering
  • Data that is collected to evaluate advertising spend on return on investment
  • Data that is collected to inform the company on strategic decisions

How do you define Risk?

The risk of data is what has been changing recently. The end users need for privacy, and the privacy regulations that spawned from that, mean that the era of “just collect it and we’ll see what to do with it later” is over. Now, every piece of data you collect inherently has some risk tied to it from a privacy and security perspective.

Some things to consider when classifying risk:

  • The potential fine(s) you might get if you are not taking into account privacy regulations
  • The potential bad PR you might experience
  • The ramifications you might experience when the collected data is exposed in a security breach

The rule of thumb is, the more you are able to anonymize, pseudonymize, hash, encrypt and aggregate (and dispose of the raw dataset under the aggregate), the better off you’ll likely be. However do take into account that a lot of these techniques will directly impact your “value from data”also.

Low value, low risk

Low Value, Low Risk

If your data is not that valuable, or if you’re unable to extract much value from your data because of organizational restraints, you probably want to ask yourself:

  • Is your data inherently low value, or could you improve upon it somehow?

The low risk factor is great. However likely, if you’re going to try to add value, you might also be adding additional risk, so be aware of that.

Low value, high risk

Low value, high risk

This is the worst place to be in. If you’re collecting loads of personal data (high risk) and not getting any value from it, you’re basically wasting money on collecting it and creating potential exposure from a risk perspective.

Questions to ask yourself here (in this order):

  • Can we get more value from our data? And if the answer is yes:
  • Can we minimize the risk of the data we’re collecting?

If you can’t get more value from the data you’re collecting, you probably want to look into limiting the collection to downscale the risk.

High value, low risk

High Value, Low Risk

This is the sweetspot. Apparently, you’ve found a way to get a lot of value from data that is not posing a lot of risk to you to collect. Keep at it!

High value, high risk

High Value, High Risk

This area is where a lot of larger advertisers will find themselves. They are deriving a lot of value from the data they collect, but the data is also very likely bringing a risk to the company.

Questions to ask yourself are quite straightforward: what can we do to minimize the risk involved with the data we collect, while still maintaining (as much as possible) of the value it generates.

The Fight, Flight or Freeze Framework

So this is where my “Fight, Flight or Freeze” framework comes into play with regards to evaluating the usage of Google Analytics.

Low Risk, Low Value: Freeze!

This is the easiest one. If the data you collect is not that valuable and not that risky. You could freeze, which is this context means you would stick with Google Analytics 4. Please keep in mind that even something as simple as a “Client ID” (cookie) from Google Analytics could be classified as personal data under the GDPR. So you still want to make sure you ask for consent, and probably want to enable as many privacy features as possible.

(Again, reminder, not legal advice here.)

Low Value, High Risk: Flight by Downgrading

If what you are collecting is of higher risk, but you still want to collect it. But you don’t recon you’ll be able to (easily) extract more value from the data, then I would probably recommend a “flight” towards another solution. In this case, I’m calling it a downgrade, which might not be fair, but I’m using the framework of the Google Marketing Platform as a reference. Solutions that you could “downgrade” towards are listed by the French Data Protection Authority here.

High Value, Low Risk: Fight!

If you are extracting a lot of value from your data in GA4, probably as an advertiser by integrating with the rest of the Google ecosystem, and consider the data you collect of low risk, you could decide to fight. By fighting, I mean taking all steps necessary to:

  • Document your entire data collection process
  • Hash and encrypt as much as possible
  • Use a proxy (server-side GTM) to obfuscate / anonymize data before sending it to Google Analytics
  • Strictly integrate with your consent management platform
  • Strictly implement Google Analytics 4 privacy features tied to consent given
  • etc

Now lets be clear: does this ‘solve’ the issue? No. However, solving the issue is out of your hands regardless. But by taking every aspect of your implementation into your own hands and creating the ability to manipulate all data before it reaches Google Analytics, you at least are in the driver seat.

Once a DPA reaches out to you about your implementation, you can share your tracking documentation and the steps you’ve taken to take privacy seriously, and hopefully start a dialogue to figure out what is possible.

Remember, the reason you’re doing this is because you are getting a lot of value as a business and your estimate is that the risk is relatively low. This should free up your organization to invest a bit in these measures.

High Value, High Risk: Flight by Upgrading

Now let’s say you’re a company that is getting great value from your data, but it’s basically all personal data, and it has to be for this value to be generated.

If that’s the case, my advice would be to migrate away from any third-party analytics vendor and invest in setting up your in-house data engineering team to manage your own data collection pipelines and data warehouse infrastructure. You can then build in the essential privacy principles from the ground up, limit what data you share with any third parties, and make sure that your competitive advantage is owned by your company and not in the hands of a third party like Google and at the grace of lawmakers of privacy regulations.

Currently, our advice is to look at using Snowplow in combination with Server-Side Google Tag Manager to collect all data into the Google Cloud Platform and leverage Google Datastudio on top of BigQuery to visualize your data. However, be aware that if current issues persist, using a cloud owned by a US-headquartered company might end up not being sufficient as well. That’s a discussion for another post, or an episode of our podcast Life after GDPR where we discuss this topic at length with experts.

Closing thoughts

Hopefully this post has given you a framework to classify the decision you’ll have to make. I recognize that the “value” and “risk” classifications given are very arbitrary, which will skew the outcomes quite a bit. Most work should probably be invested in quantifying the Risk with outside counsel, and the Value with your internal teams.

If you’d like to discuss this topic any further, please reach out to me on Twitter or LinkedIn so we can elaborate a bit more. Would love to hear your thoughts!

We are not lawyers. We don’t give any legal advice. This post should not be taken as legal advice. Please consult with a lawyer and a privacy legislation professional before taking any decisions.