Google Enhanced Ecommerce and Data Protection – What Belongs in Your Privacy Policy
Concise guide on Google Enhanced Ecommerce: processed data, purposes, legal bases (GDPR) and what website operators need to include in their privacy policy.
When a website operator uses Google Enhanced Ecommerce, it processes usage, click and conversion data of website visitors for the purposes of reach analysis, conversion measurement and the optimisation of online shops and digital offerings – regularly on the basis of consent under section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. This page provides website operators in Germany with an overview of the data Google Enhanced Ecommerce typically processes, the purposes pursued by the operator, and which mandatory information needs to be included in the website's privacy policy.
The presentation is based on the publicly available information of the provider and on publicly researchable sources. It does not replace a case-by-case assessment of the specific use by the website operator.
A. Purpose and Functionality of Google Enhanced Ecommerce
Google Enhanced Ecommerce is an extension of the web analytics service Google Analytics 4 (GA4) that is specifically tailored to the analysis of e-commerce activity. It enables website operators to track and evaluate user behaviour along the typical purchase funnel – from initial product contact through to a completed order – using standardised events and parameters.
While GA4 as the base web analytics product captures page views, session duration and general interactions, Enhanced Ecommerce extends this data set with shop-specific events such as product views, add-to-cart, start and completion of the checkout process, and refunds. Each event is enriched with item parameters such as product ID, product name, price, quantity, category and variant.
This page deals exclusively with the Enhanced Ecommerce integration function as part of GA4. Other Google services such as Google Ads, Google Tag Manager, Google Signals or the Google Marketing Platform are not the subject of this page, even though they are technically often used together with GA4 Enhanced Ecommerce.
B. Mandatory Information in the Privacy Policy When Using Google Enhanced Ecommerce
In addition to general information on the website operator, the rights of the data subject and the supervisory authority, the GDPR requires a number of specific items of information for tools such as Google Enhanced Ecommerce. These include in particular:
- the purposes of processing (Art. 13(1)(c) GDPR),
- the legal bases of processing (Art. 13(1)(c) GDPR),
- where processing relies on a balancing of interests, the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
- the recipients or categories of recipients of the personal data (Art. 13(1)(e) GDPR),
- whether the data are transferred to an insecure third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
- the storage period or – if not possible – the criteria for determining that period (Art. 13(2)(a) GDPR),
- and – where data are not collected directly from the data subject – the categories of personal data processed (Art. 14(1)(d) GDPR).
The following sections break down these mandatory items of information for Google Enhanced Ecommerce.
In practice, it is not necessary to list every individual tool – not even Google Enhanced Ecommerce – in the privacy policy with its own dedicated text block. While this practice has become widespread, it leads to long, redundant and hard-to-maintain privacy policies that fall short of the transparency principle of Art. 12(1) GDPR (concise, transparent, intelligible and easily accessible). A more appropriate approach is a topic-oriented one, which describes processing operations across the board (e.g. tracking, sales, marketing) and lists the specific service providers used – including Google Enhanced Ecommerce – as recipients in an appendix. This is precisely the methodology used by the matterius generator.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Google Enhanced Ecommerce
According to publicly available information, the contractual counterparty for website operators in the EEA is:
- Company: Google Ireland Limited
- Address: Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland
- Country of establishment: Ireland (EEA)
- Group structure: Subsidiary of Google LLC, Mountain View, USA. Sub-processors of the Google group in the USA and other third countries are regularly involved.
- DPF status of the US parent: Google LLC is, according to publicly available information, certified under the EU-US Data Privacy Framework. The current status can be checked via the DPF list: https://www.dataprivacyframework.gov/s/participant-search.
- Privacy Policy: https://policies.google.com/privacy
- Data processing terms / DPA: https://business.safety.google/adsprocessorterms/
D. Data Processing With Google Enhanced Ecommerce – Step by Step
view_item, add_to_cart, begin_checkout, add_payment_info, purchase and refund are triggered. For each event, server log data, click paths, device data, browser information, coarse location data and shop-related item parameters (product ID, name, price, quantity, category, variant, coupon, order value) are recorded.
E. Data Collected by Google Enhanced Ecommerce
When using Google Enhanced Ecommerce, the data essentially captured include technical log data on the page request (in particular IP address, timestamp, referrer, user agent), information about the device and browser, a coarse location derived from the IP address, click and movement patterns on the page, and shop-specific event data with product and order context. In addition, identifiers stored in cookies or local storage are involved, as well as – if activated – user- or customer-related identifiers (e.g. user ID, hashed email address for "Enhanced Conversions").
These data fall into the following standardised data categories:
- Server log data: Data that servers of the Google group receive on each request, in particular IP address, date and time, URL of the requested resource, referrer, browser, operating system and device information, and technical metadata of the request.
- Click paths: Pages visited and the sequence in which they are visited, as well as clicked links and buttons with date and time, e.g. product pages, category pages and checkout steps.
- Device data: Information about the device used, e.g. device type, operating system, screen resolution and touch support.
- Browser information: Information about the browser used, e.g. browser name, version and language settings.
- Coarse location data: Coarse location of the user derived from the IP address at city or municipality level.
- Conversion events: User interactions defined by the website operator as relevant, in particular view_item, add_to_cart, begin_checkout, add_payment_info, purchase, refund, together with item parameters such as product ID, product name, category, price, quantity, coupon and order value.
- Interaction data: Information on user behaviour within individual pages, e.g. scroll depth, clicks, dwell time.
- User profiles: Where features such as Google Signals or links to a user account are enabled, the website operator may derive and store interests, segment assignments and usage histories.
- Technical telemetry data: Certain technical data on the use of the website, e.g. load times and error messages.
F. Purposes of Use of Google Enhanced Ecommerce
Website operators typically use Google Enhanced Ecommerce in order to analyse reach and user behaviour of their own online services, to understand and optimise purchase journeys, to assess the performance of individual products and categories, and to measure the effectiveness of marketing measures based on conversion data. Where links to advertising products are activated, individualised marketing purposes are added.
The purposes typically pursued by the website operator fall into the following standardised purpose categories:
- Provision of functionality: Provision of the basic functionality of the embedded measurement and analytics feature, including detection of errors in data collection.
- General product improvement: Optimisation of the website and the shop based on frequently accessed content, device classes and purchase journeys, as well as general business planning based on aggregated metrics.
- General marketing: Reach analysis, evaluation of communication channels, success measurement of advertising campaigns.
- User profile creation: Where corresponding features are activated, formation of segments and target groups based on interests and purchasing behaviour.
- User-specific product improvement: Display of interest-based products and content, pre-selection of settings.
- User-specific marketing: Where linked with advertising products, alignment of advertising on the basis of recorded conversion events, e.g. remarketing for products viewed or added to the cart.
G. Legal Bases for the Use of Google Enhanced Ecommerce
According to the publicly available information of the provider and the prevailing data protection literature, Google Enhanced Ecommerce primarily falls into the tool category Tracking (Statistics) and – where linked with advertising features – Tracking (Marketing).
The following legal bases typically come into consideration:
- Consent (Art. 6(1)(a) GDPR in conjunction with section 25(1) TDDDG): Since Enhanced Ecommerce regularly involves the use of cookies or comparable storage and access technologies and goes beyond the mere provision of website functionality, user consent regularly comes into consideration. In practice, this is typically obtained via a consent banner (statistics and possibly marketing consent).
- Legitimate interests (Art. 6(1)(f) GDPR): Reliance on legitimate interests is controversial in the literature and only comes into consideration in the case of strictly anonymised, cookieless reach measurement without transfer of individual identifiers. For the classic use of GA4 Enhanced Ecommerce with cookies, client IDs and conversion tracking, this path generally does not apply. Possible legitimate interests in such a special case would be improvement and business steering.
The choice of the applicable legal basis always depends on the specific setup, the configuration and the consent management. It is to be assessed by the website operator on a case-by-case basis.
H. Particularities and Notes Regarding Google Enhanced Ecommerce
- Opt-out for end users: Google offers a browser add-on for deactivating Google Analytics: https://tools.google.com/dlpage/gaoptout. Control is also exercised via the website operator's consent banner.
- Third-country transfer: Processing by Google LLC and other sub-processors of the Google group in the USA and other third countries is regularly to be expected. According to publicly available information, Google bases the transfer to its parent company on the adequacy decision for the EU-US Data Privacy Framework and additionally on EU Standard Contractual Clauses.
- DPA / data processing terms: For the use of GA4, Google provides data processing terms (Google Ads Data Processing Terms) which, according to publicly available information, are intended to meet the requirements of Art. 28 GDPR. These terms must be accepted or reviewed in the Google account.
- Sub-processors: A list of sub-processors used by Google is provided in the Trust Center; the specific status is to be checked on a case-by-case basis.
- Recommended settings: IP anonymisation is, according to the publicly available information of the provider, the default in GA4. Website operators should also limit the retention period to what is necessary, consciously enable or disable Google Signals and the "Google products and services" feature, and only use links to advertising accounts where this processing is covered by consent.
- Enhanced Conversions: Where the "Enhanced Conversions" feature is used, additional user-related identifiers (e.g. hashed email addresses) are transferred. This may affect the role of the provider and the applicable legal bases and is to be assessed by the website operator on a case-by-case basis.
I. FAQ on Google Enhanced Ecommerce and Data Protection
J. Conclusion on Google Enhanced Ecommerce in the Privacy Policy
Google Enhanced Ecommerce is an extension of Google Analytics 4 that enables detailed evaluation of the purchase journey for online shops and transaction-oriented websites. From a data protection perspective, according to the publicly available information, it is a tracking tool with a focus on statistics and – depending on configuration – marketing. For the classic use with cookies and client IDs, consent under section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR regularly comes into consideration. Third-country transfers to group companies of the Google group in the USA are regularly to be expected and are, according to the publicly available information, based on the EU-US Data Privacy Framework and Standard Contractual Clauses.
For the website operator, it is generally of little benefit to include a dedicated text block for every individual tool – including Google Enhanced Ecommerce – in the privacy policy. Such tool-specific blocks make the privacy policy long, hard to read and difficult to maintain, and thus run counter to the transparency principle of Art. 12(1) GDPR.
A structured, topic-oriented approach is more appropriate, in which tools are explained across topic blocks (server operation, tracking, sales, newsletter …) and individual service providers such as Google Ireland Limited are only referred to in the recipients appendix. This is precisely the methodology used by the matterius generator.
This article is intended for general information about Google Enhanced Ecommerce and does not constitute legal advice in individual cases. As of: 6 May 2026.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com