New Google Analytics 4 privacy controls help banks remain compliant

By Andrew Miller

There is no doubt that the world of digital marketing is more measurable these days, thanks to advances in technology and an increased focus on analytics. The newest version of Google Analytics, named Google Analytics 4 or GA4, is rolling out now and will change how bank marketers measure their website and campaign performance when it becomes the only option in July 2023.

The holy grail for bank marketers is tracking website visitors all the way through their journey to opening accounts or applying for loans and beyond. This usually requires working with personally identifiable information (PII) and can create challenges to remaining compliant with privacy regulations such as the California Consumer Privacy Act and Virginia’s upcoming Consumer Data Protection Act . Other states are considering similar measures.

And let’s not ignore the customer perception of privacy and convenience. A 2021 survey by Statista reveals that 48percent of U.S. internet users believe it’s impossible to protect their privacy online and 69 percent are willing to accept certain risks to their online privacy to make their lives more convenient.

Marketers have to juggle the competing priorities of providing convenient, personalized services while preserving user privacy. Luckily, Google Analytics 4 has robust built-in privacy controls to help banks remain compliant with regulations and help their users feel more in control. Marketers are wise to check with their local regulatory agencies and consider these controls while planning their GA4 migration.

Google Analytics 4 does not collect personally identifiable information by default

Google prohibits marketers from sending or storing information in Google Analytics that could be used to directly identify an individual. This includes names, usernames, email addresses, mailing addresses, phone numbers and GPS coordinates. GA4 goes a step further by not collecting or storing IP addresses, which can also be considered personal information in some jurisdictions.

Now that we know GA4 does not allow PII by default, here are steps marketers should consider in response to additional privacy features during their transition from Universal Analytics to GA4.

Adjust user-level data retention periods

The previous generation of Google Analytics allowed marketers to choose “do not automatically expire” for user-level data. But this presents privacy issues in certain jurisdictions. GA4 only retains user-level data for two months by default. This is not long enough if you plan to measure the effectiveness of campaigns that can take months to turn visitors into customers. The retention period can be extended for up to 14 months in the admin settings.

This setting only affects user-level IDs and cookies. Aggregated, anonymized reporting data is available for long term reporting needs.

Respond to data deletion requests in GA4

Many current and planned privacy regulations allow individuals to request their personal data be removed from a system. This can extend to web analytics platforms that store User IDs or other identifying information. GA4 allows marketers to request the deletion of any data associated with an anonymous ID or logged in user.

Integrate with consent management platforms

Many privacy regulations empower individuals to opt in or opt out from being tracked online. Websites and apps must honor their preferences. Specialized Consent Management Platforms exist to manage user choices and integrate with GA4 to enable only the permitted tracking mechanisms.

GA4’s Consent Mode dynamically adjusts which cookies and tracking methods are enabled based on a user’s stated preference.

Limit data collection by geography

Limitations on user data collection vary by country or state. GA4 has granular, localized controls built in to allow bank marketers to respect the regulations in a particular jurisdiction without sacrificing the ability to measure performance in other regions.

The admin settings area of GA4 provides country-level and US state-level tracking options in case your bank operates in areas with tighter restrictions on geographic and device-level data.

Update your site’s privacy policy to build trust with users

It’s easy to forget that users have a right to know how they are being tracked, which options they have available to limit their tracking and in some cases how to request their data be removed from a system. Your website’s privacy policy is the first place users will look for this information.

With so many analytics configurations available to marketers, it is important to regularly review and update your privacy policy to ensure your visitors understand how their data is being used. This often involves compliance and legal reviews, so plan accordingly.

Planning for a privacy-centric migration to GA4

Balancing user privacy and convenience is full of tradeoffs, but GA4 makes it easier than ever to find the right mix based on your customers’ desires and local regulations. With just under a year before GA4 becomes the only available option for Google Analytics users, marketers need to begin planning their migration now. Knowing your privacy options in advance will help you prepare for a successful migration.

Andrew Miller is co-founder and VP for strategy at Workshop Digital, a digital marketing agency in Richmond, Virginia.