Google Analytics is deemed illegal – are you in trouble?
What is happening with Google Analytics?
During the course of 2022, there have been several rulings in European national courts against using Google Analytics, citing the transfer of personal information as one of the primary reasons.
The case started rolling when Austrian citizen Maximilian Schrems filed a complaint at the European Court of Justice because Facebook Ireland transferred his personal information to the legal entity in the US. The court ruled against the existing agreements, the so-called Safe Harbor and Privacy Shield agreements. As a result, the transfer of personal data to third parties is in violation of the legal framework of the European Union and the GDPR framework. Most EU countries are currently working out the legal repercussions on a national level. The latest addition is Denmark, where the Danish Data Protection Agency (Datatilsynet) has sent out guidelines to confirm the framework, although at this stage it is not law.
Work is already under way on a transatlantic legal framework that would make all this go away for now. There is an in-principle agreement in place but nothing more concrete than that.
Why is it important for website owners?
According to Statista, in 2021 Google accounted for 70% of the total global market share of web analytics tools. With the rise of privacy concerns globally, companies, whether they are based in the EU or not, need to understand which parts of web analytics are causing the legal issues at the moment and attempt to adhere to policies before they are subject to civil lawsuits or government enforcement.
What is required from business owners in the EU to adhere to the legal framework while using Google Analytics?
Some (self-proclaimed) experts are of the opinion that simple changes in the Google Analytics settings, and the processing of the IP address of the individual user, will resolve the issue. But according to the CNIL, an independent French administrative regulatory body whose mission is to ensure data privacy, the only possible solution is to set up a proxy server and pseudonymize the data before the data export.
There will also be a need to limit data considerably.
Excerpt from CNIL:
- the absence of transfer of the IP address to the servers of the analytics tool. If a location is transmitted to the servers of the measurement tool, it must be carried out by the proxy server and the level of precision must ensure that this information does not allow the person to be re-identified (for example, by using a geographical mesh ensuring a minimum number of Internet users per cell);
- the replacement of the user identifier by the proxy server. To ensure effective pseudonymization, the algorithm performing the replacement should ensure a sufficient level of collision (i.e. a sufficient probability that two different identifiers will give an identical result after a hash) and include a time-varying component (adding a value to the hashed data that evolves over time so that the hash result is not always the same for the same identifier);
- the removal of external referrer information from the site;
- the removal of any parameters contained in the collected URLs (e.g. UTMs, but also URL parameters allowing internal routing of the site);
- reprocessing of information that can be used to generate a fingerprint, such as user agents, to remove the rarest configurations that can lead to re-identification;
- the absence of collection of cross-site or lasting identifiers (CRM ID, unique ID);
- the deletion of any other data that could lead to re-identification.
On top of that, the hosting conditions of the proxy must also be looked into to ensure that no data will be transferred outside the EU to a country with no data protection.
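The proxy-side measures in the CNIL excerpt above can be sketched as a single scrubbing step applied to each hit before it is forwarded. This is an added example, not code from the CNIL or from the original article; the field names, the `shop.example` host, the 16-bit truncation, the daily rotation and the browser-family list are all assumptions, and the HMAC key is assumed to be held only on the proxy.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "shop.example"   # assumption: hostname of the measured site
ID_BITS = 16                 # assumption: truncation width that forces collisions
UA_FAMILIES = ("Firefox", "Edg", "Chrome", "Safari")  # assumption: coarse allow-list

# Constructed sample hit as the browser would send it to the proxy.
SAMPLE_HIT = {
    "event": "page_view",
    "client_ip": "203.0.113.7",
    "client_id": "GA1.2.1234567890.1660000000",
    "crm_id": "cust-0042",
    "page_url": "https://shop.example/products/42?utm_source=news&session=abc#reviews",
    "referrer": "https://search.example/?q=blue+shoes",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36",
}


def pseudonymize(client_id: str, secret: bytes, now: datetime) -> str:
    """Keyed hash of the identifier plus the UTC day, truncated to ID_BITS."""
    day = now.astimezone(timezone.utc).strftime("%Y-%m-%d")
    digest = hmac.new(secret, f"{day}|{client_id}".encode(), hashlib.sha256).digest()
    value = int.from_bytes(digest[:4], "big") >> (32 - ID_BITS)
    return f"{value:0{ID_BITS // 4}x}"


def strip_params(url: str) -> str:
    """Keep scheme, host and path; drop the query string and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def scrub_hit(hit: dict, secret: bytes, now: datetime) -> dict:
    """Build the forwarded hit from an allow-list; IP, CRM ID and extras are never copied."""
    referrer = hit.get("referrer", "")
    internal = urlsplit(referrer).hostname == SITE_HOST
    ua = hit.get("user_agent", "")
    return {
        "event": hit.get("event", "page_view"),
        "client_id": pseudonymize(hit["client_id"], secret, now),
        "page_url": strip_params(hit["page_url"]),
        "referrer": strip_params(referrer) if internal else "",
        "user_agent": next((f for f in UA_FAMILIES if f in ua), "other"),
    }
```

Because the output is built from an allow-list rather than by deleting known-bad keys, a field added later on the client side is dropped by default instead of leaking through the proxy.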
Google Analytics and data transfers: how to make your analytics tool compliant with the GDPR?
As there is no standard solution in place yet, business owners are currently in a bind when it comes to implementing a viable solution – especially as strict as the one depicted by CNIL. The solution depicted above must be considered extremely secure but still has not been validated by any authority.
But there are softer versions of solutions that can be implemented depending on how the guidelines are interpreted. Google Analytics and Google Analytics 4 can both be configured to avoid the collection of personally identifiable data.
Am I following regulations if I upgrade to Google Analytics 4 – the most recent version?
As it stands right now, most national authorities in the EU are currently going through Universal Analytics and deeming this part not fit and aligned with GDPR guidelines. Google Analytics 4 will undoubtedly be next in line and as Google is using the same servers and sending personal data to the US, there is a strong likelihood that the same regulations will cover Google Analytics 4 for the very same reasons.
Do business owners have other alternatives than Google when it comes to web analytics?
Yes, there are many alternatives out there, some of them free. But because of the difficulty of solving privacy and data protection technically, in reality maybe only a handful can be trusted with this. In addition, very few of them can connect seamlessly to all pertinent advertising platforms such as Google Ads, YouTube, Search, Display, etc. These platforms are the bread and butter for most SMB advertisers today, and they get all of that for free with Google Analytics.
So if you look at the alternatives, it often comes down to investment in changing the web analytics setup, trusting a new partner, and a loss in business features. In short, most companies have no feasible new place to go.
So what should you do right now as a business owner?
Given the fact that it’s almost impossible for SMBs to adhere to current guidelines in the strictest form without investing massively in external consultation and setting up additional data infrastructure, doing less seems to be the only way forward. As national data institutions are currently interpreting Google Analytics to be illegal, there’s still wiggle room to set up simpler solutions that are in principle adhering to GDPR guidelines.
We propose the following:
- Continue to work with professionals in the industry and constantly improve your setup to account for your desired level of adhering to the current GDPR winds blowing.
- If you are not already working on how not to track personally identifiable information, you should get started.
- You can still use Google Analytics in a respectable manner, but you need to look into the setup:
  - Check up on cookie management and consent.
  - Server-side tagging can help you control your data, anonymize personal data and optimize marketing performance.
Until the individual countries get their act straight in terms of real law making around this issue, there is still room to maneuver for businesses. In our opinion, it’s a good idea to set up data protection through the ways proposed earlier, but to set up proxy servers before there is even a fixed way to adhere to guidelines will for most SMBs be a costly and perhaps unnecessary intervention.
What do you think will happen? Comment below!