[jeroenhd]

I'm not so sure your take on IP address anonymization. The source states:

    The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.

The Google documentation says:

    The IP-anonymization feature in Universal Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics.

IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French ruling before, I don't know about those, but from 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.

As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.

[snowwrestler]

That Google documentation is for the IP anonymization feature of Universal Analytics, which is being sunset in about a year.

Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.

I don’t know whether UA or GA4 service was the subject of the Italy case, but I would not be surprised if it was UA. Most sites have not switched over to GA4 yet.

[autoexec]

> Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.

So if I go to a website and it has me load code from Google's servers it's still got to send my IP address to them. I'm not sure why we'd take them at their word that they won't keep that data around (I'd like to see that independently verified). but it'll be sent to the server logs if nothing else. What does not storing the IP address even mean? Do they hash it and store that instead? Do they do a quick lookup and just flag your dossier logging the connection and when it happened before dropping the IP info?

If people care about their privacy I think it's probably best not to send information to Google in the first place. There are alternatives to google analytics after all.

[closewith]

In a privacy-conscious implementation of GTM/GA, those scripts can be loaded from a first-party server controlled by the company, and Google will never see the user's IP address.

There is no real alternative to Google Analytics for most companies because of the Google Ads integration. If you advertise with Google, you need to send them conversion data, which means the GCLID. Without Google Ads, switching would be simple. Most enterprises already pay for other analytics tools.

[autoexec]

> In a privacy-conscious implementation of GTM/GA, those scripts can be loaded from a first-party server controlled by the company,

Thanks! I didn't know that was an option. I haven't noticed sites doing it yet at least, but I hope it catches on even for sites targeting US visitors! It'd be especially nice for government websites using GA.

[denton-scratch]

> Google Analytics 4, its successor, does not log or store IP address at all.

The fact that it receives the IP address at all renders it illegal in Italy, and probably anywhere GDPR is in force. And IP address truncation doesn't get you anywhere; it's Google that does the truncating, so the whole address is actually sent to Goo, by which time it has departed from GDPR jurisdiction.