1. Stop tracking behavior on the site
If data is not a priority, and you do not want to invest time and energy in legalizing the current installation or replacing it, you can simply turn off Google Analytics and stop tracking behavior on the site.
This will only be an option for a very few, where the value of the data is too low compared to the work required to replace or legalize the setup.
2. Legalization of Google Analytics
First of all, you can turn off your Universal Analytics and exclusively use GA4. Since the guide does not apply to both platforms, the easiest first step is to refrain from using the platform that it deals with. Since we can most likely expect the same decision for GA4 in the future, the next logical step would be to take precautions for this platform as well.
One of the most important points in the Data Protection Authority's ruling is that they do not declare Google Analytics illegal outright, but instead say that a setup without "additional measures" is illegal under the GDPR. There are different ways of taking these supplementary measures, but the most obvious is to set up an "intermediate station" between your site and Google Analytics' servers in the USA. This intermediate station consists of a script on a server that can anonymize or pseudonymize the problematic parts of the collected behavioral data before it is forwarded to the US servers. It is also this solution that the Data Protection Authority itself refers to as a "reverse proxy" solution.
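As an added illustration (not the solution offered on this page, and not code from Google or the Data Protection Authority), the sketch below shows the kind of transformation such an intermediate script could apply to a hit before forwarding it. The field names, the choice of which fields count as problematic, the truncation lengths and the secret are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: a per-deployment secret that stays on the proxy and is never forwarded.
PROXY_SECRET = b"constructed-example-secret"

# Assumption: hypothetical field names; the page does not list the problematic fields.
ID_FIELDS = {"client_id", "user_id"}
URL_FIELDS = {"page_url", "referrer"}
DROP_FIELDS = {"user_agent"}


def pseudonymize_id(value: str, secret: bytes = PROXY_SECRET) -> str:
    """Keyed hash: stable per visitor, not reversible without the secret."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:32]


def truncate_ip(ip: str) -> str:
    """Zero the host part of the address: keep /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def strip_url(url: str) -> str:
    """Drop query string and fragment, which can carry e-mail addresses or tokens."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def sanitize_hit(query: str, client_ip: str) -> dict:
    """Return what the proxy would forward in place of the raw hit and raw IP."""
    out = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in DROP_FIELDS:
            continue  # removed entirely
        if key in ID_FIELDS:
            value = pseudonymize_id(value)
        elif key in URL_FIELDS:
            value = strip_url(value)
        out.append((key, value))
    return {"query": urlencode(out), "ip": truncate_ip(client_ip)}


# Constructed sample hit, not captured traffic.
SAMPLE = "client_id=1234.5678&page_url=https%3A%2F%2Fshop.example%2Fcart%3Femail%3Da%40b.dk%23top&user_agent=Mozilla&event=page_view"
```

Calling `sanitize_hit(SAMPLE, "203.0.113.77")` returns the rewritten query string together with the truncated address `203.0.113.0`; the proxy must also make its own outbound request so that the visitor's real IP never reaches the upstream server.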
This solution is worth choosing if behavioral data is important to your company, you have already invested a lot of resources in Google Analytics, and especially if you make a lot of use of Google's marketing tools. If this is the case, changing the platform can be too complex a task to pay off, and at the same time, it is not an option to do without data for a longer period.
If this solution is interesting to you, we have already developed a solution for setting up a reverse proxy, either in a cloud platform or on-premise, and had it thoroughly assessed by a lawyer specialized in GDPR.
3. Replacing the platform
The last option is to replace Google Analytics with a fully compliant platform, which is also described as an option in the Data Protection Authority's ruling:
"If it is not possible to take effective supplementary measures, you have to stop using the tool and possibly find another tool that can provide web statistics and which allows complying with data protection rules, e.g. by not transferring information about the visitors to unsafe third countries."
There are quite a few of these, for example, Piwik Pro, Matomo, Snowplow, and PostHog, which all have their pros and cons. We prefer Piwik Pro, as this has a clear interface and almost as much functionality as Google Analytics. If in doubt as to its legality, we can report that this is the solution that the EU Commission itself uses.
This solution will make sense for you if you have not invested large sums in your current setup, but still get enough value from your behavioral data that you want to invest in setting up a new platform. Furthermore, this is a more secure solution in terms of GDPR compliance, so if your company works with particularly sensitive personal data, this will also be the obvious option. However, it is worth bearing in mind that these tools are not equally well integrated with Google's suite of marketing tools, so if you invest a lot in digital advertising, this is a risk factor worth considering.