Google Analytics (GA4) and Data Protection – What Belongs in the Privacy Policy

Google Analytics GA4: processed data, legal bases (GDPR), DPA, and what website operators must include in their privacy policy.

Google Analytics GA4 is a widely used analysis tool with which website operators collect visitor data in order to optimise their website and evaluate user behaviour. For lawful use of Google Analytics, however, the privacy policy must contain numerous statements on data processing – purpose, legal basis, recipients, third-country transfer, and retention period. This article sets out what information website operators should document on Google Analytics GA4 in their privacy policy and how the company Google is to be classified as a processor.

A. Purpose and Function

Google Analytics is an analysis tool from Google with which website operators collect detailed statistics on the traffic of their website. The tool measures how visitors interact with a website – which pages they visit, how long they stay there, which links they click, and which conversions (registrations, purchases, downloads) take place.

GA4 (the current generation of Google Analytics, introduced in 2020 as the successor to Universal Analytics) is integrated into a website by means of a JavaScript snippet. This snippet, known as gtag.js, is embedded directly in the source code of the website – typically in the <head> area of the HTML page. The snippet automatically loads when the website is visited and sends event data (events) to Google's servers.

The provider states that gtag.js performs the following tasks:

  • Automatic capture of standard events (page load times, scrolling behaviour, clicks on links, video playback data)
  • Possibility to define custom events (e.g. form submits, shopping cart additions)
  • Storage of a unique Client ID in the browser cookie (_ga) in order to track users across sessions
  • Transmission of this data to Google servers in the USA (third-country transfer)

The integration of GA4 is therefore significantly different from mere server logging: The code loads in the visitor's browser and actively establishes a connection to Google's infrastructure.

B. Mandatory Disclosures in the Privacy Policy

The GDPR requires website operators to inform visitors comprehensively in their privacy policy about the data processing. Pursuant to Article 13 GDPR, at least the following information is required:

  1. Purposes of processing (Art. 13(1)(c)) – What is the data used for?
  2. Legal basis (Art. 13(1)(c)) – Which basis permits the processing?
  3. Legitimate interests (Art. 13(1)(d)) – Where the legal basis is Art. 6(1)(f) GDPR (legitimate interests), which specific interests are pursued?
  4. Recipients of the data (Art. 13(1)(e)) – To whom is the data disclosed?
  5. Third-country transfer (Art. 13(1)(f)) – Where data is transferred outside the EU/EEA: to which country and what guarantees are in place?
  6. Retention period (Art. 13(2)(a)) – How long is the data stored?
  7. Data subject rights (Art. 13(2)(b)–(d)) – Information on the rights of access, rectification, erasure and objection, the right to withdraw consent, and the right to lodge a complaint with a supervisory authority

This information does not have to be set out for each individual tool in the form of a separate text template, although that is a frequently encountered practice. A text-template-per-tool approach leads to extremely long, poorly readable privacy policies and thus runs counter to the transparency and intelligibility requirement of Article 12(1) GDPR ("easily accessible ... in a clear and intelligible form").

Better: a topic-oriented approach. Instead of "GA4 text template", "Facebook Pixel text template", "Hotjar text template", etc., website operators should structure their privacy policy by processing categories (e.g. "Web analysis and reach measurement", "Remarketing and advertising", "Contact forms") and then attach a clear recipient list with all tools, their addresses, and roles in the annex. This structure is more comprehensible for visitors and easier to verify for data protection officers and supervisory authorities.

The matterius privacy policy generator follows this methodologically proven, topic-oriented structure.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider

Google Analytics is operated by Google Ireland Limited, a Google company based in the European Union. The full address is:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland

Google Ireland Limited acts as a processor within the meaning of Article 28 GDPR. The actual data processing, however, is carried out by the parent company Google LLC, a company based in the United States, which Google engages as a sub-processor. Google LLC is therefore to be named as a recipient of the usage data within the meaning of Article 13(1)(e) GDPR (third-country recipient).

Data Privacy Framework (DPF): The provider states that Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF). The DPF is a framework agreed between the EU and the USA, on the basis of which the EU Commission adopted an adequacy decision on 10 July 2023: US companies that self-certify under the DPF commit to a level of data protection that the Commission regards as essentially equivalent to that in the EU. The DPF certification of Google LLC can be checked on the official page of the U.S. Department of Commerce: https://www.dataprivacyframework.gov/participant/5780

In addition to the DPF, Google concludes Standard Contractual Clauses (SCC) – legal contractual clauses between Google Ireland Limited and Google LLC that provide for additional safeguards for data transfers to the USA. These clauses are documented in Google's data processing terms: https://policies.google.com/privacy/frameworks

For all information on Google's data protection obligations, Google's privacy policy can be consulted: https://policies.google.com/privacy?hl=de

D. Data Processing – Procedure

The data processing process at Google Analytics GA4 follows a standardised procedure:

Collection in the browser: When the website is visited, the gtag.js snippet is loaded and executed. The snippet automatically records standard events (page load time, font, operating system, browser information, clicks, scrolling) and optionally custom events.

Identification of the user: The snippet generates or reads the so-called Client ID from a browser cookie (by default _ga). This Client ID serves to link visits from the same browser across sessions, without identifying the user by name.
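What the Client ID looks like in practice, as an added example that is not Google's code: the _ga cookie is written as "GA1.<domain depth>.<random number>.<first-visit Unix timestamp>", and the last two fields joined with a dot are the client_id that accompanies every event. The Cookie header below is constructed for this example; decoding it is useful when auditing whether a _ga cookie already exists before the visitor has consented.

```javascript
// Added example, not Google's code: decode the _ga cookie set by gtag.js and
// recover the Client ID it carries. GA4 writes the cookie as
// "GA1.<domain depth>.<random number>.<first-visit Unix timestamp>".
// The Cookie header below is constructed for this example.

const SAMPLE_COOKIE_HEADER = "_ga=GA1.1.1234567890.1700000000; lang=de";

// Parse a Cookie request header (or document.cookie) into a name -> value map.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Split a _ga value into its fields; returns null if it is not a GA cookie.
function parseGaCookie(value) {
  const m = /^GA1\.(\d+)\.(\d+)\.(\d+)$/.exec(value || "");
  if (!m) return null;
  const [, domainDepth, random, firstVisit] = m;
  return {
    clientId: `${random}.${firstVisit}`, // what GA4 reports as client_id
    firstVisit: new Date(Number(firstVisit) * 1000), // first visit from this browser
    domainDepth: Number(domainDepth),
  };
}

// Cookie header in, Client ID record (or null) out. A non-null result on a
// request from a visitor who has not consented means the tag fired too early.
function gaIdentityFromCookies(header) {
  return parseGaCookie(parseCookieHeader(header)._ga);
}

console.log(gaIdentityFromCookies(SAMPLE_COOKIE_HEADER));
```

The timestamp field is the only part of the Client ID that carries meaning on its own: it reveals when the browser was first seen by this property, which is why a pre-consent _ga cookie is not "harmless metadata".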

Storage on Google servers: The events recorded are transmitted with the Client ID and further context data (timestamp, page, referrer) to Google servers – in this case to servers of Google LLC in the USA (third-country transfer). The provider states that no IP addresses are stored, but rather are only used for location determination and are subsequently discarded.

Processing and evaluation: Google processes the data in order to generate analysis reports, user segmentation, and optional functions such as remarketing or audience targeting.

Data deletion: Google Analytics GA4 retains event-level and user-level data by default for 2 months. The website operator can extend this retention period in the GA4 admin settings to 14 months, after which automatic deletion takes place. The setting governs the data available for explorations and user-specific queries; aggregated standard reports are not affected by it, so the privacy policy should not suggest that all data disappears after the retention period.

E. Data Collected

Google Analytics GA4 continuously records a wide range of usage data. The provider documents these as events and user properties. Specifically, these include:

  • Client ID: A unique identifier that gtag.js assigns to the browser (_ga cookie)
  • Session ID: Identifies an individual website session
  • Page data: URL of the page visited, page title, referrer
  • Event data: Automatically recorded events such as page_view, scroll, click, view_search_results; scope depending on configuration
  • Device data: Device type (desktop, mobile, tablet), operating system and its version, browser name and version
  • Location data: Geographical location derived from the IP address (country, city) – the IP itself, according to the provider, is not stored
  • Conversion events: Custom events for business goals (sign-up, purchase, download, form submission)
  • User properties: Custom attributes set by the website operator (e.g. customer segment, user type)

This data can be classified by data type:

  • Web server log data: Time, browser, operating system, IP region (location inference)
  • Click paths and navigation behaviour: Pages visited, scroll depth, element interactions, referrer
  • Device information: Device type, OS, browser, screen resolution, language
  • Browser configuration: User agent, font rendering, locale, time zone
  • Coarse location data: Session country and city determined from IP
  • User profiles and segmentation: Visit frequency, customer segments, interests (where remarketing/Google Audience is active)
  • Events and conversions: Registrations, purchases, downloads, form submissions
  • Interaction measurement data: Scroll depth, clicks, video playback duration, external link clicks
  • Telemetry data: Page load times, error reports, resource availability

F. Purposes of Use

Google Analytics GA4 is used for collecting usage data for the following purposes:

  • General product improvement: Analysis of visitor navigation patterns in order to optimise the user-friendliness of the website
  • General marketing and campaign success measurement: Capture of visitor numbers, sources (Google Ads, organic search, social media, direct), conversion rates
  • User segmentation and profiling: Division of visitors by behaviour, interests, device type, geographical origin
  • Interest-based content provision: Personalisation of website content based on previous visits
  • Remarketing and interest-based targeting: Where GA4 is linked to Google Ads, visitor segments can be used for advertisements outside the website

These purposes are oriented towards the business model of the provider Google, for whom GA4 data is also valuable for improving its advertising network offerings (Google Ads, Google Display Network).

G. Legal Bases

The processing of usage data by Google Analytics requires one or more legal bases under Article 6 GDPR:

1. Consent (Article 6(1)(a) GDPR):

This is the regular legal basis for cookie-based tracking such as GA4. The reason: GA4 stores and reads cookies on the visitor's device, and pursuant to § 25(1) TDDDG (the German Telecommunications Digital Services Data Protection Act, formerly TTDSG, which transposes Article 5(3) of the ePrivacy Directive) this requires prior, informed consent. The website operator must display an active cookie consent banner before gtag.js is loaded. Consent must take the form of an opt-in (positive confirmation); an opt-out is not sufficient. Only after the user has consented may Google Analytics actively collect data.

2. Legitimate Interest (Article 6(1)(f) GDPR):

In theory, a website operator could argue that website analysis serves their legitimate business interests (understanding user behaviour, conversion optimisation). However: Google Analytics is cookie-based and therefore falls primarily under the consent requirement of the TDDDG, which applies regardless of the GDPR legal basis. A pure balancing of interests without consent is legally controversial and is generally not accepted by the German data protection supervisory authorities; whether it can be justified at all has to be examined case by case.

Practically relevant conclusion: For GA4, consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG) is regularly the only legal basis that comes into consideration. It must be explicitly named in the privacy policy and implemented in a separate consent mechanism.

H. Special Features and Notes

Consent Mode v2: Since March 2024, Google has required Consent Mode v2 from website operators who want to use audience and conversion-measurement features in Google Ads for end users in the EEA; GA4 reads the same signals. Consent Mode v2 added the consent types ad_user_data and ad_personalization to the earlier ad_storage and analytics_storage and tells the Google tags whether a user has consented to tracking or not. In Basic mode, gtag.js is not loaded at all until consent is given. In Advanced mode, the tag loads before consent and sends "cookieless pings" with a reduced data scope; these pings still reach Google's servers, which is why Advanced mode is the subject of renewed controversy. Website operators should implement Consent Mode v2 together with a consent management platform from Google's CMP partner programme that supports the IAB Transparency & Consent Framework (TCF).
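The Basic/Advanced distinction in code, as an added example that is not Google's or a CMP vendor's own code. The four consent types and the gtag "consent default" and "consent update" commands are Google's documented API; the CMP callback shape ({ analytics, marketing }), the function names and the placeholder measurement ID "G-XXXXXXXXXX" are assumptions of this example. The script loader is injected so the logic can be exercised outside a browser; in a page, pass a function that appends the async <script> element.

```javascript
// Consent Mode v2 wiring for GA4. Added example, not Google's code: the consent
// types and gtag commands are Google's documented API; the CMP callback shape,
// the names and the placeholder measurement ID are assumptions of this example.

const CONSENT_TYPES = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];

// Map the CMP's categories onto the four Consent Mode v2 types. ad_user_data
// and ad_personalization are the two types that v2 added.
function consentStateFrom(choices) {
  const ads = choices.marketing ? "granted" : "denied";
  return {
    analytics_storage: choices.analytics ? "granted" : "denied",
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

function createConsentController({ measurementId, mode, loadScript }) {
  const dataLayer = []; // what gtag.js reads once it is loaded
  // gtag.js only processes `arguments` objects pushed onto dataLayer, not arrays.
  function gtag() { dataLayer.push(arguments); }
  let scriptLoaded = false;

  function ensureScript() {
    if (scriptLoaded) return;
    scriptLoaded = true;
    loadScript("https://www.googletagmanager.com/gtag/js?id=" + measurementId);
    gtag("js", new Date());
    gtag("config", measurementId);
  }

  // Step 1, before any tag: default every type to denied. In Advanced mode the
  // tag is loaded now and sends cookieless pings; in Basic mode nothing is
  // loaded, so no request reaches Google until the visitor opts in.
  gtag("consent", "default", Object.fromEntries(CONSENT_TYPES.map((t) => [t, "denied"])));
  if (mode === "advanced") ensureScript();

  // Step 2: the CMP calls this when the visitor decides, and again on withdrawal.
  function onConsentChange(choices) {
    const state = consentStateFrom(choices);
    gtag("consent", "update", state);
    if (mode === "basic" && state.analytics_storage === "granted") ensureScript();
    return state;
  }

  return { onConsentChange, dataLayer, isLoaded: () => scriptLoaded };
}
```

The point to check in a review is the order on the dataLayer: the "consent default" command must be pushed before "config", and in Basic mode the script URL must not be requested at all while the visitor has rejected or not yet decided. A withdrawal later simply calls onConsentChange again with everything false; the tag stays loaded but stops writing cookies.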

Data Processing Agreement (DPA):

For Google Analytics, a written Data Processing Agreement (DPA) under Article 28 GDPR is required. This can be concluded directly in the Google Analytics backend:

  1. Sign in to the Google Analytics account
  2. Navigate to Admin > Account settings (in the German interface: Verwaltung > Kontoeinstellungen)
  3. In the section "Data Processing Amendment" (German: "Anhang zur Datenverarbeitung") → View Addendum
  4. Review and confirm with the checkbox and Save

This agreement is mandatory – without it, the data processing is unlawful. Google Ireland Limited acts here as a processor, but actually processes via Google LLC (USA).

Third-country transfer and protection mechanisms:

Visitor data is transmitted by Google Analytics to Google LLC in the USA, outside the EU/EEA. The USA has no general adequacy decision of the EU Commission: since the CJEU's Schrems II judgment (2020) struck down the Privacy Shield, transfers require a transfer mechanism under Chapter V GDPR, and the Commission's adequacy decision of 10 July 2023 covers only US organisations certified under the Data Privacy Framework. Therefore, the following guarantees must be in place and documented:

  • Data Privacy Framework (DPF): Google LLC is DPF-certified. The provider states that Google LLC is bound by the DPF principles and thereby provides an adequate level of protection.
  • Standard Contractual Clauses (SCC): Google additionally concludes SCC between Google Ireland Limited (EU) and Google LLC (USA).

These mechanisms should be explained in the privacy policy under the heading "Third-country transfer" and substantiated by a reference to Google's privacy policy and Google LLC's DPF certificate.

IP anonymisation (no longer relevant in GA4):

In Universal Analytics (the predecessor version), a manual "IP anonymisation" could be set. In GA4 this is no longer available or necessary: The provider states that GA4 in principle does not store IP addresses but only uses them for location determination and discards them immediately after the geographical region has been determined. Note that the IP address is nevertheless transmitted to Google's servers with every request, as any HTTP request carries the sender's address; "not stored" does not mean "not transferred", so the third-country transfer described above is unaffected by this.

Data Retention:

The default in GA4 is a retention period of 2 months for event-level and user-level data. In the admin settings this can be increased to 14 months. The setting chosen should be documented and mentioned in the privacy policy (compliance with Art. 13(2)(a) GDPR), bearing in mind that aggregated standard reports are not affected by this retention period.

Opt-out and user objection:

Users can deactivate Google Analytics by:

  • Browser extension: Google provides an official opt-out extension at https://tools.google.com/dlpage/gaoptout?hl=de (available for Chrome, Firefox, Safari, Edge)
  • Do Not Track signal: Browsers can send a DNT header; honouring it is voluntary, and Google Analytics does not act on it, so DNT is no substitute for a consent mechanism
  • Withdrawing consent: Users should be informed in the privacy policy that they can withdraw their consent

Sub-processors:

Google works with further sub-processors in data processing (e.g. for cloud storage, query services, security). A current list is published with Google's data processing terms and can also be requested directly from Google.

J. Conclusion

Google Analytics GA4 is a powerful analysis tool that records and processes extensive visitor data. For website operators, the following core obligations result:

  1. Obtain consent: A cookie consent banner before loading GA4 is mandatory (§ 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR).
  2. Conclude a DPA with Google: The written Data Processing Agreement must be accepted in the GA4 backend – without it, use is unlawful (Art. 28 GDPR).
  3. Adapt the privacy policy: A new or revised privacy policy with information on purpose, legal bases, recipients, third-country transfer, and retention period.
  4. Technical measures: Implement Consent Mode v2, check retention period, provide user opt-out options.

A key point: Many website operators write long, redundant privacy policies with individual "text templates" for each tool. This is not only poorly readable but also runs counter to Article 12(1) GDPR. A topic-oriented structure with a central recipient list is better – this is more comprehensible for visitors and easier for compliance teams to manage.

The matterius privacy policy generator makes this proven, methodologically sound approach available in an automated form and saves website operators time-consuming manual research and individual legal examinations.


This article serves as general information on Google Analytics (GA4) and does not replace legal advice in individual cases. The presentation is based on publicly accessible information from the provider Google and generally researchable sources. As of: April 2026.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com