Is Google Analytics Too Intrusive - especially for CBD?

I have not signed up our store for Google Analytics because frankly, it is so intrusive into the amount of data collected, like showing customers tags attached to them, discounts that we may not want just openly advertised, and it has the full permission to change anything in our store (literally)? It also has full permission to downgrade and block us in Google (and it appears that this stretches into our Shopify store - which may not be true, but the terms and conditions language is VERY concerning). So, for our store, dealing in CBD oils, Google does NOT allow CBD oils for Google Ads and has already blocked us in the Google listings - so as far as merchant analytics, I actually worry about what it can do. It wants access to our Gmail account? It’s google. They already have access - so this additional “linked” access which they otherwise would not get, including being able to shut down our paid Gmail account (yes - that language IS in there), is disturbing. I have appreciated Shopify’s analytics up until now, but this feels like this is crossing the line of our ability to run a storefront free of intrusion and abuse? Furthermore, the amount of data being collected on customer transactions may violate the PCI compliance with credit card data collected and NO ONE on Shopify’s end is discussing this? How is PCI compliance being maintained when the rule is a “need to know” basis and Google analytics does NOT need to know their credit card or personal shopping data? I am sure that the answer may lie in customer data not being transmitted to Google, but through our gateway accounts, but that is not entirely true (or so it seems?) 
when Google can access every detail of a transaction to the level of being able to CHANGE details in the transaction (and that is EXACTLY what their terms and conditions language states), which then gives them access to the shopping experience as it happens and they can intercept credit card numbers (and this is not a “crazy” concern as Google has gotten into trouble in the past doing this and has made no efforts to change this practice). Losing PCI compliance is a huge concern and very costly with our card processors.

How am I to promise our customers a secured and hassle free experience when Google can now hijack their shopping and “browser history???” data (not that Google already doesn’t access everyone’s data in some form or another), and make it appear to my customers that I’ve literally sold their data to Google (because they will blame us, the store owners - not Shopify and not Google)? Furthermore - I’ve read that I would have to pay for Google Analytics 4? WHAT? How is it they get ALL of our info, can LITERALLY control our store and change data, track ALL of our customers’ data (of which Google HAS been caught MULTIPLE times selling user data), and we have to pay them for it? There is supposedly a down-graded version that is free, but I’ve read the terms and conditions and it is no different in intrusiveness.

Please tell me that anyone else in the world here has a problem with this? Please Shopify - explain to us why we are paying for your service and you have been a trusted and amazing platform for so many businesses (at least up until now), but this is now our only alternative? All the “instructions” for turning off permissions are not built for a dummy like me to follow and even then, I fear that Google will just bypass those permissions every time it “updates” (this has been a very REAL problem for users with Google histories that they turn off but get “automatically” turned back on when Google does updates). And, in all the language of terms and conditions, Google Analytics can, at their own whim and timing, turn on any additional controls and features and accesses they want, without notice (because it’s up to us to constantly monitor Google’s terms???) - and yet I am supposed to have a “secure” account with Shopify that I can trust and offer my customers a “secure” transaction? I was considering opening a second store for one of my other companies, but now, I’m not so sure. There are other “analytic” alternatives - but it seems like all those cost? It’s just combining figures from a database into a chart - which is really not that hard - so, please tell me there is another option? Please tell me this concern is somehow controlled? Please tell me that you have a comprehensive, detailed and transparent list of the levels of access, when that access occurs, how it occurs, and what information may or may not be revealed at those levels? Please tell me that you have already legally secured PCI compliance in spite of what appears to be a concern? Please tell me that you have controls in place to ensure that Google cannot add programmatic features as it wants to, arbitrarily? Please tell me that Google will NOT change anything in my shop or emails? Please tell me why each level of control that Google Analytics is requesting is necessary.

I imagine: customer visit -tracking cookie, and this is used for site visits, where they came from, and what they did ONLY during a transaction - including a sign in by assigned customer ID only for repeats. That it only tracks what products they looked at and for conversion, what they purchased. Then, every other analytic is nothing more than tracking our monthly sales and reporting back. I cannot fathom what additional details would be needed? Sure - a customer assigned ID may also tell me if they signed up for emails, or perhaps I want to know which credit card type was most used in the store (which does not require knowing which customers used which cards as I can already see that without violating PCI compliance), but I don’t need Google Analytics to know more than that. Thank you in advance for your feedback.

I know this is already long, but I felt it important to include that I’ve done my homework and thus, my concerns come from this: The reason UA is being phased out has to do with some very poor security measures - so there is already a GDPR concern. The EC ruled in 2020 against Google in violation of GDPR rules (privacy shield invalidation rules). Some of the fixes suggested requiring customer consent and knowledge that Google Analytics was being used, but this does not resolve GDPR or PCI. There have also been questions raised by the PCI compliance groups as to the software programming language used by Google and that its proprietary standard which cannot be altered by customers to further protect users is a potential area of concern and is under review. In 2019, there were a LOT of people complaining because even 1 out of compliance portion of PCI, under scrutiny, caused everything to become non PCI compliant and this affected a lot of people (this was on a Google support forum, no less). Other web merchants employing GA4 have provided more advanced, customization of the GA4 integration due to the privacy concerns (especially in the healthcare field). That said, we utilize some of Google’s Gmail enhanced security and privacy features and within their own organization, we are compliant on these factors. Google DOES have PCI compliance - but only for their own software architecture and payment processing (Google Pay). I mentioned customer IDs because that IS the tool used by GA4. They did away with session cookies and assign a ClientID & UserID - which singles and tracks individual user behavior using their specific cross-platform linking system (emails, social media, merchant accounts, etc). And for anyone tracking along - Google only recently had a “customer data hacking breach” - which, who becomes legally responsible for that? Google - or Shopify - or us little guys that auto-signed our customers up for this?
Anyway - sorry to have made this longer, but my point is that I’ve done my homework and there is a substantial amount of concern and am hoping that Shopify has more than a generic explanation and can provide some security and sensibility to this question. Thank you!!!

2 Likes

I completely agree with you. I, like you, have thoroughly read thru the terms and conditions and have been a bit horrified at the level of overt data grabbing GA4 would allow. Even more horrified that Shopify is allowing it and not making the consequences of using GA4 crystal clear to Shopify businesses so they can make an informed decision to use it. This affects anyone with an online shop that also uses Shopify’s POS system. I have both an online and physical store that uses Shopify’s POS, based on the terms and conditions as they are written for GA4, Google would also have access to all my physical customer data. Even customers that have been acquired thru my brick and mortar store…and have never used my website. My business is leather goods and I sell nothing that Google would block, but that only means that all of my customers’ data is free for the taking? How do I explain to a customer that has never been on my site, that their credit card data and purchase history in my physical store is being used by Google for tracking and analysis? I’ve committed in writing, to never sell my customers’ data to a third party. Giving it away to Google is the same thing. I currently use the old Google Analytics for traffic insights, but do not pass any transactional data to the platform, something GA has consistently complained about every time I log in. This overreach has made me seriously consider completely removing GA from my site and going with an alternative. I would prefer not to do that since I do use Google Ads.

Shopify needs to rethink how they are letting GA4 abuse privacy. They need to do it before this data grabbing results in legal privacy consequences for many shop owners, or worse yet lands Shopify in front of a Congressional committee trying to explain their negligence.

2 Likes

Thank you. One of our consultants is a business analyst and works for several companies and was the one who brought this to our attention. From his own company, he has already reached out to the PCI compliance org group with this concern and the FTC with zero response, which is concerning to us. Sadly, GDPR compliance is only a European standard and Americans are not protected under the same laws. As noted in my first post, there are court cases specifically against GA4 for GDPR violations. Google had a data breach through T-Mobile in just January of this year and in 2018, Google lost 52 million users’ data to a hacker. And, with the advent of AI comes more sophisticated data loss potentials when we consolidate everyone’s information under one roof. As I previously noted, Google UA (the current analytics we’ve been using) was retired because of security issues and listed among those, this is no joke, it can be looked up online: “Cross-platform tracking: Universal Analytics does not support cross-platform tracking, which means that it is difficult to track users across different devices and apps. This can be a problem for businesses that want to track the customer journey across different channels.” That is not a security issue - but clearly an issue of lacking invasive authority and made it perfectly clear that one of GA4’s goals is to use the User-ID / Client-ID cross platform tracking. Even if this did not violate customers’ credit cards specifically, it certainly breaches their right to purchase products without being tracked and have this information essentially “sold” so they can be marketed to. We do ask for emails as an option and we do use that in our own marketing campaign. And, certainly, we could pay a mass marketer or campaign system like Twitter to do that. And, that onus would be on us. However…

In 2012, Google was fined $22.5 million by the Federal Trade Commission (FTC) for violating users’ privacy by collecting personal information without their consent. In 2018, Google was again fined by the FTC for $5 billion for violating users’ privacy by collecting and storing location data without their consent. Therefore, based on Google’s historical track record, their “assurance” that they will not track users’ financial information holds little to no water when they once again NEEDLESSLY (and mind you folks - it is VERY needless) generate programming code that has the capability to do this. There is absolutely no reason for this coding and remains our primary reason for not taking on GA4. I am wondering if Shopify is even looking into this, if the PCI compliance group or FTC are looking into this, or there is any support for those of us paying Shopify for our stores and their services, to address this issue beyond, “Well, Google told us they won’t and we believe them.” o.0 Really? Anyway - I am surprised there are not more people in these forums concerned about this. Most people just click on “ok” and ignore the terms and conditions, but the one thing I think Shopify did VERY WELL, was to inform us right up front - emboldened and highlighted - all of the levels of access GA4 will have. So, no one has an excuse to say they didn’t read the T&S - it was in plain writing, up front. I hope more people get on board and contact PCI compliance (pci security standards org) and the FTC to help clarify. And I hope Shopify please reads this and they consider what Tshoregal has said - if someone on this platform sells to Europe, 100%, the GDPR will be triggered and there WILL be lawsuits. If the PCI compliance is violated - there will be financial recompense and Shopify will be caught up in it which could hurt all of us. My goal here is to protect ourselves, the other store owners, and Shopify - because we all depend on this. Thanks again!