Stay Agile Blog

I write about the need for transparency, efficiency, equity, and diversification - in contracts, in tech stack development, in content pipelines, in media placement, in investment and revenue streams, in team and channel development, in attribution methods, and more.

What GA4 Still Gets Wrong About Data Privacy

audience trust consumer data privacy tech stack Jan 02, 2026

Google Analytics remains the most widely adopted analytics tool on the market. It’s free, deeply embedded across the web, and relatively easy to implement.

But “free” has never meant “low-risk.”

While Google positioned the migration from Universal Analytics to GA4 as a major step forward for privacy, the reality is more nuanced. Some changes improved surface-level compliance. Others shifted responsibility further onto organizations—without resolving the underlying privacy and governance issues teams are still grappling with.

If you’re relying on GA4 today, it’s important to understand what the migration actually changed and what it didn’t.

The Promise of GA4 vs. the Reality

When Google announced the GA4 migration, it framed the update as a response to rising privacy expectations and regulatory pressure. And to be fair, GA4 did introduce changes that reduced some legacy risks:

  • IP anonymization is now enabled by default

  • Data retention settings are more configurable

  • Event-based tracking replaces some older session models

  • Certain reporting features tied to cookies were deprecated

But none of these changes fundamentally alter the most important questions organizations face when it comes to privacy:

  • Who owns the data?

  • Who can use it, and for what purposes?

  • How is consent honored across tools — not just captured once?

On those questions, GA4 largely maintains the same structural challenges as its predecessor.

Key Consideration #1: Google Still Owns and Uses the Data

One of the most persistent misconceptions about Google Analytics is that it functions purely as a neutral measurement tool.

It doesn’t.

When you use GA4, Google acts as a data processor with its own interests, particularly tied to advertising and product development. Depending on configuration, data collected through GA4 can be used to inform Google Ads, audience modeling, and benchmarking — sometimes in ways teams don’t fully anticipate.

From a governance standpoint, this matters.

Any time an external entity retains broad rights over audience data, organizations take on additional risk:

  • Reduced control over downstream use

  • Increased disclosure obligations

  • More complex consent requirements

  • Greater exposure if expectations shift

Even when data sharing settings are limited, GA4 remains part of a broader ecosystem designed to support advertising optimization—not neutral analytics.

The more third parties involved, the more fragile trust becomes.

Key Consideration #2: GA4 Still Relies on a Weak Consent Model

GA4 continues to collect unique user identifiers by default. Under most modern privacy laws, collecting identifiable or linkable data requires meaningful consent, especially when the data is not strictly necessary for basic site functionality.

Google’s response to this challenge has evolved into Consent Mode v2, which is now widely promoted as the solution.

Here’s the practical reality.

Consent Mode v2 adjusts how Google tags behave based on a user’s consent choice. When users opt out, GA4 does not set cookies, but it still sends cookieless signals (“pings”) to Google servers.

These signals may include:

  • IP-derived location data

  • Device and browser characteristics

  • Event timing and context

Google then uses modeling to estimate missing conversions and behaviors, filling gaps created by opt-outs.
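To check what your own site sends after an opt-out, export the GA4 requests from a browser's network panel and classify them by consent state. The sketch below is an added example, not code from this post or from Google. It assumes the `gcs` query parameter that Google tags attach to hits (`G1xy`, where x is ad_storage and y is analytics_storage, a detail not covered in this post), and the sample URLs and measurement ID are constructed placeholders.

```javascript
// Added example: audit captured GA4 hits for their Consent Mode state.
// SAMPLE_HITS are constructed for illustration (placeholder IDs), not real traffic.
const SAMPLE_HITS = [
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE000&gcs=G111&cid=111.222&en=page_view",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE000&gcs=G100&en=page_view",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE000&gcs=G101&cid=333.444&en=purchase",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE000&en=scroll",
];

// Assumed encoding: "G1xy", x = ad_storage, y = analytics_storage (1 granted, 0 denied).
function parseGcs(gcs) {
  const m = /^G1([01])([01])$/.exec(gcs || "");
  if (!m) return null; // missing or unrecognized value
  return { adStorage: m[1] === "1", analyticsStorage: m[2] === "1" };
}

// Classify one request URL and list the parameter names that left the browser,
// so they can be compared against what the privacy notice discloses.
function classifyHit(url) {
  const u = new URL(url);
  const consent = parseGcs(u.searchParams.get("gcs"));
  const event = u.searchParams.get("en") || "(unknown)";
  const fields = [...u.searchParams.keys()];
  let status;
  if (!consent) status = "no-consent-signal";        // Consent Mode not wired up
  else if (!consent.analyticsStorage) status = "cookieless-ping"; // sent despite opt-out
  else status = consent.adStorage ? "full-consent" : "analytics-only";
  return { event, status, fields };
}

// Count hits per status across a capture.
function auditHits(urls) {
  const summary = {};
  for (const url of urls) {
    const { status } = classifyHit(url);
    summary[status] = (summary[status] || 0) + 1;
  }
  return summary;
}

console.log(auditHits(SAMPLE_HITS));
```

Hits classified as `cookieless-ping` are the ones to reconcile with your consent banner wording and privacy policy; `no-consent-signal` hits suggest the tag is firing outside Consent Mode entirely.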

From a compliance and trust perspective, this creates tension.

While Consent Mode v2 may help organizations maintain reporting continuity, it does not eliminate the need for clear disclosure, intentional configuration, and strong internal governance. Consent is no longer a binary switch; it becomes a layered decision that many teams don’t fully understand or document.

In practice, many organizations are:

  • Collecting modeled data without fully explaining it

  • Assuming compliance based on tool defaults

  • Treating consent as a technical setting rather than a governance decision

That’s risky.

Key Consideration #3: Transatlantic Data Transfers Remain Unresolved

One of the most significant privacy issues associated with Google Analytics has not been resolved by GA4.

User data, including for EU residents, continues to be processed on U.S.-based infrastructure. Google, as a U.S. company, remains subject to U.S. surveillance laws such as the CLOUD Act.

While frameworks like the EU-U.S. Data Privacy Framework exist, enforcement and interpretation continue to evolve. European regulators have repeatedly signaled that use of GA requires careful assessment, contractual safeguards, and clear communication to users.

For organizations operating internationally, or even nationally with EU audiences, this creates ongoing obligations:

  • Expanded privacy policy disclosures

  • Heightened risk assessments

  • Potential regulator scrutiny

GA4 does not remove these responsibilities.


The Real Issue: Governance, Not Features

The biggest takeaway from the GA4 migration isn’t that Google Analytics is “bad” or “non-compliant” in all cases.

It’s that analytics tools cannot solve governance problems.

GA4 assumes:

  • Someone has defined acceptable data use

  • Someone understands consent implications

  • Someone has mapped how data flows across tools

  • Someone revisits decisions as laws and expectations change

In many organizations, no one has.

That’s why privacy gaps tend to surface during:

  • Audits

  • Vendor reviews

  • Board questions

  • Public scrutiny

  • Or moments of crisis

Not because teams are careless, but because assumptions were never made explicit.


Is It Time to Consider an Alternative?

For many organizations, yes.

Privacy-forward analytics tools (such as self-hosted or EU-based platforms) offer benefits that GA4 structurally cannot:

  • Full data ownership

  • Reduced reliance on third-party processors

  • Clearer consent enforcement

  • No data sampling

  • Greater alignment with global privacy expectations

They often come at a financial cost, but “free” analytics has costs too. They just show up elsewhere:

  • In trust erosion

  • In opt-out rates

  • In governance debt

  • In future migration pain

The decision isn’t purely technical. It’s strategic.


The Bigger ROI Question

When evaluating analytics tools, the real ROI question isn’t:

“What insights do we get today?”

It’s:

“What kind of relationship are we building with our audiences—and what decisions are we making easier or harder in the future?”

Respecting audience expectations around data use doesn’t limit growth. It enables it.

But only when organizations slow down enough to define:

  • What data is truly necessary

  • What consent actually means in practice

  • What tradeoffs they’re willing to accept

Those decisions — not tool defaults — determine whether privacy becomes a liability or a foundation.


If you’d like to talk through how your analytics setup fits into your broader privacy and governance posture, I’m always happy to help. This is exactly the kind of decision-making work I support through 1:1 advisory and cross-team strategy engagements like Enterprise Privacy & Technology Roadmapping.
