Google Analytics 4 new privacy controls help banks stay compliant

Written by Andrew Miller

TThere is no doubt that the world of digital marketing is becoming more measurable these days, thanks to advances in technology and focus on analytics. The latest version of Google Analytics, called Google Analytics 4 or GA4, is now rolling out, and it will change the way bank marketers measure the performance of their websites and campaigns when it becomes the only option in July 2023.

The sacred goal of bank marketers is to track website visitors through their journey of opening accounts or applying for loans and beyond. This typically requires working with personally identifiable information (PII) and can create challenges in staying compliant with privacy regulations such as the California Consumer Privacy Act and the upcoming Virginia Consumer Data Protection Act. Other countries are considering similar measures.


And let’s not ignore customers’ perceptions of privacy and comfort. A survey conducted by Statista in 2021 revealed that 48% of American Internet users believe that it is impossible to protect their online privacy and 69% are willing to accept some risk to their online privacy to make their lives more comfortable.

Marketers must reconcile competing priorities to provide convenient and personalized services while preserving user privacy. Fortunately, Google Analytics 4 has powerful privacy controls built in to help banks comply with regulations and help users feel more in control. Marketers are advised to check with local regulatory agencies and consider these controls when planning a GA4 migration.

Google Analytics 4 does not collect personally identifiable information by default

Google prohibits marketers from sending or storing any information in Google Analytics that can be used to directly identify an individual. This includes names, usernames, email addresses, postal addresses, phone numbers, and GPS coordinates. GA4 goes one step further by not collecting or storing IP addresses, which can also be considered personal information in some jurisdictions.

Now that we know that GA4 does not allow personally identifiable information by default, here are the steps marketers should consider in response to additional privacy features when moving from Universal Analytics to GA4.

Set data retention periods at the user level

The previous generation of Google Analytics allowed marketers to choose to “not automatically expire” data at the user level. But this raises privacy concerns in some jurisdictions. GA4 only retains user-level data for two months by default. This is not long enough if you plan to measure the effectiveness of campaigns that can take months to convert visitors into customers. The retention period can be extended up to 14 months in the management settings.

This setting only affects identifiers and cookies at the user level. Aggregated and anonymized reporting data is available for long-term reporting purposes.

Responding to requests to delete data in GA4

Many current and planned privacy regulations allow individuals to request removal of their personal data from the system. This may extend to web analytics platforms that store user IDs or other identifying information. GA4 allows marketers to request that all data associated with an anonymous identifier or logged-in user be deleted.

Integration with approval management platforms

Many privacy regulations allow individuals to opt in or out of online tracking. Websites and apps should respect their preferences. Specialized consent management platforms exist to manage user choices and integrate with GA4 to enable only authorized tracking mechanisms.

Consent Mode in LES GA4 adjusts which cookies and tracking methods are enabled dynamically based on the preferences indicated by the user.

Limit data collection by geographic area

Restrictions on the collection of user data vary by country or state. GA4 has granular and local controls built in to allow bank marketers to comply with regulations in a particular jurisdiction without sacrificing the ability to measure performance in others.

The GA4 Administrator Settings area provides nationwide and US-level tracking options if your bank operates in regions with stricter restrictions on geographic and device-level data.

Miller 2

Update your site’s privacy policy to build user trust

It’s easy to forget that users have a right to know how they are tracked, the options available to them to limit their tracking, and in some cases, how to request that their data be removed from the system. Your website’s privacy policy is the first place users look for this information.

With so many analytics configurations available to marketers, it’s important to review and update the Privacy Policy regularly to ensure visitors understand how their data is being used. This often includes compliance and legal reviews, so plan accordingly.

Planning a privacy-focused migration to GA4

The balance between privacy and user convenience is full of trade-offs, but GA4 makes it easier than ever to find the right mix based on your customers’ desires and local regulations. With just under a year until GA4 is the only option available to Google Analytics users, marketers should start planning their migration now. Knowing your privacy options early on will help you prepare for a successful migration.

Andrew Miller is co-founder and vice president of strategy at Atelier Numérique, a digital marketing agency in Richmond, Virginia.

Leave a Comment