Consumer Privacy Regulations Part 2

In our previous GA4 blog, we briefly mentioned new security features being implemented to focus on improving data security. Now, we want to give a more detailed overview of these consumer rights that all businesses should be aware of.

Google Analytics 4 will be implementing more security features that align with regulations such as the (soon-to-be) CPRA and the GDPR. These regulations protect the consumer's privacy, which may restrict a business’s or organization's ability to collect and process personal data. This week, we’ll introduce you to the GDPR.

The General Data Protection Regulation is the toughest data privacy and security law in the world. GDPR is an EU-based regulation that essentially controls how businesses, organizations, and websites are allowed to handle an individual's personal data.

This Law Applies To 

Businesses and organizations anywhere that target or collect data related to people in the EU; involving activities related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

  2. the monitoring of their behavior as far as their behavior takes place within the Union

To put in simpler terms, if you are collecting personal data of EU citizens or residents, or marketing goods or services to them, the GDPR applies to you even if you’re not located in the EU. This can range from eCommerce businesses to websites for non-profit organizations or public institutions. 

Processing Data

In order to process data, the GDPR states that one of the following must apply:

  • data subject has given specific consent to process data (more on that below)

  • processing is necessary to enter into a contract to which the data subject is a party

  • processing is necessary in order to comply with a legal obligation

  • processing is necessary to save someone’s life

  • processing is necessary to perform a task in the public interest or carry out an official function

  • there is a legitimate interest to process someone's personal data 

Receiving Consent 

In most cases, processing data will be dependent on receiving consent. That being said, there are some requirements:

  • consent must be “freely given, specific, informed, and unambiguous”

  • requests for consent must be clearly distinguishable from the other matters, using clear and plain language

  • the data subject must have the right to withdraw his or her consent at any time

  • you will need to keep documentary evidence of consent  

Data Subject Rights

In summary, the GDPR provides the following [EU] consumer rights:

  • right to be informed 

  • right of access

  • right to rectification

  • right to erasure (deletion)

  • right to restrict processing

  • right to data portability

  • right to object

  • rights in relation to automated decision-making and profiling


Potential Penalties

If you violate these regulations, GDPR has some hefty fines depending on the case and severity of the violation. For less severe violations, fines can be up to 10 million euros, or, up to 2% of its global turnover of the preceding fiscal year. For more severe violations, fines can be up to 20 million euros, or, up to 4% of its global turnover of the preceding fiscal year. 

Moving Forward

If GDPR applies to you, here’s what you should provide when requesting consent:

  • who is processing the data

  • why you’re collecting the data

  • what you’re doing with the data

  • easy withdrawal of consent

While Google is not fully GDPR compliant yet, we look forward to having more of these security features available to us with the transition to GA4.


PK Information is a FileMaker-certified development agency serving the Tampa Bay and Knoxville regions. We believe that great software can change everything. Would your database benefit from a process review? Contact us today!