Google Analytics Privacy Audit #4206

Open
NoopDog opened this issue Oct 22, 2024 · 0 comments
Labels
canary Done by the Clever Canary team

Need

We need to review the GA4 settings and implementation to appropriately limit the data we collect about individuals and their behavior on the site while maximizing the amount of information we receive about how users interact with the site.

The goals are to:

  1. Review each setting and determine what an appropriate value should be.
  2. Document the choices.
  3. Set the value.
  4. Create a report using the GA4 API if possible to audit the setting vs the desired value.

Audit Overview

A privacy audit is crucial to ensure that you're collecting data responsibly, respecting user privacy, and complying with legal requirements like GDPR or CCPA. Here’s a list of key items to check during your audit, along with choices and steps for enabling/disabling each setting:

Google Tag Manager

1. Tag Implementation

  • Tag Implementation: Ensure tags are implemented correctly to avoid collecting sensitive information inadvertently.
    • How to Check: Use the Preview mode in Google Tag Manager to verify tag firing. Learn more

2. Consent Mode Integration

  • Consent Mode Integration: Integrate Google Tag Manager with consent management platforms to respect user consent settings.
    • How to Manage: Use Google Tag Manager to configure tags based on user consent. Learn more

3. Access Control

  • Access Control: Review who has access to Google Tag Manager and their level of permissions.
    • How to Manage: Go to Admin → User Management and adjust roles to maintain appropriate access levels. Learn more

4. Data Layer Usage

  • Data Layer Usage: Ensure the data layer is used to pass structured information without PII.
    • How to Implement: Follow best practices for data layer usage to ensure data accuracy and compliance. Learn more

Google Analytics 4 (GA4)

1. Data Collection Policies

  • User Data Collection: Verify the type of user data collected (e.g., IP address, cookies, demographics).

    • Choices: Enable/disable collection of demographics and interests.
    • How to Manage: Go to Admin → Data Settings → Data Collection. Disable the "Advertising Features" option to restrict data collection. Learn more
  • Anonymize IP Addresses: Ensure IP anonymization is enabled to limit user traceability.

    • Choices: Enable IP anonymization.
    • How to Enable: IP anonymization is automatically enabled in GA4 and cannot be disabled. Learn more

2. Cookie Management

  • Cookie Consent: Make sure users provide explicit consent before tracking.

    • Choices: Use a cookie consent banner to allow users to opt-in or out.
    • How to Manage: Use a third-party consent management tool that integrates with Google Analytics. Learn more
  • Data Retention Settings: Review and configure how long user-level and event-level data are retained.

    • Choices: Set retention period (e.g., 2 months, 14 months).
    • How to Set: Go to Admin → Data Settings → Data Retention. Learn more

3. Google Signals

  • Cross-Device Tracking: Google Signals enables cross-device tracking but also collects additional user information.
    • Choices: Enable or disable Google Signals.
    • How to Manage: Go to Admin → Data Settings → Data Collection and toggle Google Signals. Learn more

4. User Identification

  • Avoid Personally Identifiable Information (PII): Ensure no PII (like email addresses or phone numbers) is being collected.
    • How to Check: Review all event parameters to verify that no fields contain PII. Learn more

5. User Rights Management

  • Data Deletion Requests: Ensure users can request their data to be deleted.
    • How to Manage: Use the Data Deletion Requests tool in Google Analytics under Admin → Data Deletion Requests. Learn more

6. Audience and Remarketing

  • Advertising Features: Verify whether remarketing or advertising reporting features are enabled.
    • Choices: Enable/disable remarketing and advertising features.
    • How to Manage: Go to Admin → Data Settings → Data Collection and toggle the relevant settings. Learn more

7. Integration with Other Services

  • Third-Party Integrations: Check if Google Analytics is sharing data with other platforms, such as Google Ads.
    • Choices: Restrict data sharing to only what is necessary.
    • How to Manage: Go to Admin → Account Settings and adjust data sharing settings. Learn more

8. Access Control

  • User Permissions: Review who has access to Google Analytics and what permissions they have.
    • How to Manage: Go to Admin → Account/User Management and adjust roles to minimize unnecessary access. Learn more

9. Reporting Identity

  • Blended Data: Determine if user data is being combined from multiple sessions or devices.
    • Choices: Use aggregated data without individual identifiers where possible.
    • How to Configure: Go to Admin → Property Settings and adjust reporting identity options. Learn more

10. GDPR & CCPA Compliance

  • Data Processing Agreement: Make sure you have a Data Processing Agreement (DPA) in place with Google.

    • How to Check: Go to Admin → Account Settings and confirm DPA acceptance. Learn more
  • User Consent Mode: Implement consent mode for tag behavior adjustments based on user consent.

    • How to Enable: Use Google Tag Manager to enable consent mode, adjusting tags to fire based on user consent. Learn more

11. Custom Dimensions and Metrics

  • Limit Sensitive Data: Ensure no sensitive data is being tracked in custom dimensions or metrics.
    • How to Check: Review all custom dimensions/metrics in Admin → Custom Definitions. Learn more
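
Goal 4 above (a report of each setting against its desired value) could take the following shape. This is an added example, not code from the issue or the project. The field and enum names follow the GA4 Admin API's DataRetentionSettings and GoogleSignalsSettings resources and should be confirmed against the API reference; the snapshot layout, the sample data and the desired values are assumptions.

```python
# Retention periods, shortest first, so an "at most" rule can be evaluated.
RETENTION_ORDER = ["TWO_MONTHS", "FOURTEEN_MONTHS", "TWENTY_SIX_MONTHS",
                   "THIRTY_EIGHT_MONTHS", "FIFTY_MONTHS"]

# Placeholder desired values (assumption): replace with the documented choices.
DESIRED = [
    ("dataRetentionSettings.eventDataRetention", "at_most", "TWO_MONTHS"),
    ("dataRetentionSettings.resetUserDataOnNewActivity", "equals", False),
    ("googleSignalsSettings.state", "equals", "GOOGLE_SIGNALS_DISABLED"),
]

# Constructed snapshot; Google Signals is omitted to show an unreadable setting.
SAMPLE_SNAPSHOT = {
    "dataRetentionSettings": {
        "eventDataRetention": "FOURTEEN_MONTHS",
        "resetUserDataOnNewActivity": False,
    },
}

_MISSING = object()  # sentinel: distinguishes "absent" from a stored None/False
def lookup(snapshot, dotted_path):
    """Follow a dotted path through nested dicts; _MISSING if a key is absent."""
    node = snapshot
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def satisfies(rule, desired, actual):
    if rule == "equals":
        return actual == desired
    if rule == "at_most":  # unknown enum values fail closed
        return (actual in RETENTION_ORDER and
                RETENTION_ORDER.index(actual) <= RETENTION_ORDER.index(desired))
    raise ValueError(f"unknown rule: {rule}")

def audit(snapshot, desired=DESIRED):
    """Return one report row per desired setting: PASS, FAIL or MISSING."""
    rows = []
    for path, rule, want in desired:
        actual = lookup(snapshot, path)
        if actual is _MISSING:
            status, actual = "MISSING", None
        else:
            status = "PASS" if satisfies(rule, want, actual) else "FAIL"
        rows.append({"setting": path, "desired": f"{rule} {want}",
                     "actual": actual, "status": status})
    return rows
```

A setting that cannot be read is reported as MISSING rather than PASS, so a permissions gap in the audit account does not hide drift.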
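
The PII review of event parameters and data layer values described above can be partly automated. The sketch below is an added example, not code from the issue or the project; the event layout, the parameter names and the sample values are constructed, and the patterns cover only the two kinds of PII the checklist names (email addresses and phone numbers).

```python
import re
from urllib.parse import unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Phone numbers are matched only in +<country code> form: bare digit runs also
# describe timestamps, order numbers and client ids.
PHONE_RE = re.compile(r"(?<!\w)\+(?:\d[\s()-]*){9,14}\d(?!\w)")
PATTERNS = {"email": EMAIL_RE, "phone": PHONE_RE}
SUSPECT_KEY_RE = re.compile(r"e-?mail|phone", re.IGNORECASE)

# Constructed sample event (reserved example domain and fictional numbers).
SAMPLE_EVENT = {
    "name": "purchase",
    "params": {
        "page_location": "https://shop.example/thanks?order=1042&email=jane.doe%40example.org",
        "transaction_id": "T-20241022-0042",
        "contact_phone": "+1 (555) 010-1234",
        "items": [{"item_name": "Field guide",
                   "gift_note": "call me at +44 20 7946 0958"}],
    },
}

def walk(value, path=""):
    """Yield (path, leaf) for every leaf in nested dicts and lists."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}" if path else str(key))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, f"{path}[{index}]")
    else:
        yield path, value

def scan_event(event):
    """Return sorted (parameter path, finding kind) pairs for one event."""
    findings = set()
    for path, leaf in walk(event):
        if SUSPECT_KEY_RE.search(path.rsplit(".", 1)[-1]) and leaf not in (None, ""):
            findings.add((path, "suspect_key"))
        if not isinstance(leaf, str):
            continue
        # Decode percent-encoding first: "%40" hides the "@" of an address
        # carried in a URL-valued parameter such as page_location.
        text = unquote(leaf)
        for kind, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.add((path, kind))
    return sorted(findings)
```

Findings are candidates for manual review: the patterns miss names, postal addresses and locally formatted phone numbers, so a clean result does not prove a parameter is free of PII.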