Many European data protection authorities (including Austria, France, Norway, Denmark, and Germany) have officially classified Google Analytics as non-compliant with the GDPR. This raises many questions for companies, as marketing teams have long considered the tool a standard... and for a good reason.
In this article, we’ll explain the problems with Google Analytics – especially Google Tag Manager – and what you can do to prevent conflicts with data subjects and data protection authorities.
Why is Google Analytics not privacy-compliant?
The short answer is because Google – through its Google Analytics service, among other means – collects the personal data of website visitors and transmits it to servers in the U.S., where American authorities can access it.
According to U.S. legislation such as 50 U.S.C. § 1881(b)(4), Google qualifies as an ‘electronic communication provider’, which makes the tech giant subject to cooperation with U.S. intelligence agencies (e.g. as per 50 U.S.C. § 1881a or ‘FISA 702’). Under FISA 702, Google is required to actively provide the U.S. government with personal data.
The possibility of monitoring of this kind was one of two main points of criticism that led the European Court of Justice (ECJ) to overturn the EU-US Privacy Shield as a security guarantee in its Schrems II ruling.
So what does this all mean? In plain English, the data protection authorities have ruled that the use of Google Analytics on the websites of companies in the EU is incompatible with and thus violates the GDPR.
If you combine Google Analytics with standard contractual clauses, is it privacy-compliant again after all?
In response to the Schrems II ruling, the EU Commission adopted standard contractual clauses (SCCs) in 2021, with the aim of simplifying data transfers to third countries like the USA. According to the ECJ, transfers are lawful provided that the third country where the data is transferred can guarantee a level of data protection on par with the EU’s.
As a matter of fact, this is still not the case in the States, where even the use of SCCs cannot prevent access by U.S. intelligence agencies.
Thus, Google’s contractual framework – specifically the ‘Google Ads Data Processing Terms’ and the ‘Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors’ – does not provide adequate security measures within the meaning of the GDPR.
Why is Google Analytics taking all the heat and not all the other providers who also transfer personal data to the USA?
Due to its far-reaching penetration, Google Analytics, among other tech giants, has come under fire from privacy advocates. Max Schrems and his NGO noyb want to turn up the pressure so that the overturning of the Privacy Shield will have real consequences, such as companies ceasing transfers of personal data to the U.S.
So, in August 2022, noyb filed complaints against 101 European companies that still use Google Analytics and Facebook Connect. From the linked article:
‘Among the 101 companies listed in noyb’s 2022 complaints are Airbnb Ireland, the University of Luxembourg, TV Spielfilm Verlag, Chefkoch and Lieferando. Privacy advocates selected the companies based on the popularity of their respective domain within Europe (such as .de for Germany), two specific tracking codes and the sites' rough visitor counts.’
Google’s and Meta’s tools are only examples of some that do not comply with European data protection regulations. Indeed, the same goes for the 101 companies listed in the complaints themselves. But noyb’s complaints have especially turned up the heat on Google Analytics.
Another reason Google Analytics is top of mind for so many of us is that, compared to other tools, the data it collects can be used to create user profiles and even link them with data already on hand.
What personal data does Google Analytics process?
When users visit a website that uses Google Analytics, the tool processes the following personal data about them:
- The visitor’s HTTP request
- Browser and system information, including:
  - Accessing device type (smartphone or computer)
  - IP address (sometimes in anonymised form if appropriate browser settings were made)
  - Browser used and add-ons
  - Screen resolution of accessing device
- User behaviour, including:
  - Time spent on individual pages
- (First-party) cookies (if the user has consented to cookie tracking). These cookies allow Google Analytics to trace:
  - Whether a visitor has already been on the website before (i.e. new or returning user)
  - How the visitor came to the website (Google search query, including any keywords used, Facebook link, etc.)
Here’s how the technology works:
This means that users’ behaviour on your website is tracked and transmitted to a Google server using a list of parameters attached to a pixel GIF image request.
In addition, Google uses the information that Google Analytics gathers for its own ends, which is a different privacy problem in and of itself. With Google Analytics, the idea is that Google merely acts as a processor on behalf of website operators. As a processor, however, Google is contractually bound by the directives of the website operator, which regularly precludes the use of processed data for Google’s own purposes.
What are the implications for companies that Google Analytics is not privacy-compliant?
Google Analytics is not just another free tool for analysing website performance. It is the tool. Sure, there are some alternatives that can be hosted in the EU. But in addition to being often not free, they work differently, requiring marketing teams to rethink their entire approach.
To evaluate whether your company should switch to a tool besides Google Analytics, you can start by answering the following questions:
- Do you really need Google Analytics? Do you evaluate the data it delivers? If no one checks the account or the data is not used as a basis for decision-making anyway, you can probably do without the tool and its data.
- Which Google Analytics data is relevant for you, and are there European or on-premise providers that can deliver the same insights? There are alternatives out there; Ionos lists some on its website, for example.
What can you do to keep using Google Analytics?
Ideally, you can switch to an alternative. But if you make the business decision to keep using Google Analytics and accept the privacy risks, you should prioritise data protection as much as possible. In that interest, we recommend doing the following:
- Inform website visitors transparently about your use of Google Analytics.
- Obtain the express consent of website visitors to your use of Google Analytics.
- The tool allows visitors to request IP address anonymisation. Activate this function on your website.
Using data capture platforms to integrate Google Analytics in compliance with privacy law
Another option to make Google Analytics compliant with privacy law is to use a proxy solution or a data capture platform (DCP). DCPs make it possible to track web users with something called server-side tracking.
Server-side tracking means that, instead of saving countless third-party cookies alongside tracking code in users’ browsers, only the website owner’s cookie and code are stored there, so the data they generate is first-party data.
Using a data capture platform, the website owner can then forward this data to tools they use, such as Google Analytics, where it can be used as usual. This is because, as a basic feature, DCPs allow you to pseudonymise data before forwarding it to your tools.
This method makes it possible to use third-party tools in a privacy-compliant way, even according to the strict criteria of the GDPR and Schrems II. As a knock-on benefit, it can also let you avoid the often costly switch to less sophisticated tools.
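The pseudonymisation step described above, sketched as an added example (not part of the original article, and not JENTIS or Google code): a first-party collector applies a consent gate, a field allowlist, IP truncation, URL query stripping and a keyed hash in place of the cookie ID before forwarding an event. The field names, the key and the truncation widths are assumptions, and the sample event is constructed.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed secret; assumed to stay on the first-party server and be rotated.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"
# Hypothetical field names; only these are ever copied into the forwarded payload.
FORWARD_FIELDS = ("event", "page_url", "referrer", "device_type", "screen_resolution")

def truncate_ip(ip: str) -> str:
    """Zero the host part: keep /24 for IPv4 and /48 for IPv6 (assumed widths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def strip_query(url: str) -> str:
    """Drop query string and fragment, which can carry search keywords or IDs."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def pseudonymise_id(client_id: str) -> str:
    """Replace the first-party cookie ID with a keyed hash (HMAC-SHA256)."""
    return hmac.new(PSEUDONYM_KEY, client_id.encode(), hashlib.sha256).hexdigest()[:32]

def prepare_for_forwarding(event: dict):
    """Return the payload to forward, or None when the visitor has not consented."""
    if event.get("consent") is not True:
        return None
    out = {k: event[k] for k in FORWARD_FIELDS if k in event}
    for key in ("page_url", "referrer"):
        if key in out:
            out[key] = strip_query(out[key])
    out["client_id"] = pseudonymise_id(event["client_id"])
    out["ip"] = truncate_ip(event["ip"])
    return out

# Constructed sample event as a first-party collector might receive it.
SAMPLE = {
    "consent": True, "event": "page_view", "client_id": "fp.1234567890.1700000000",
    "ip": "203.0.113.77", "page_url": "https://shop.example/cart?email=a%40b.example",
    "referrer": "https://search.example/?q=private+keywords",
    "device_type": "smartphone", "screen_resolution": "390x844",
    "user_agent": "ExampleBrowser/1.0 (constructed)",
}
```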
And that is not the last of the advantages that using a data capture platform affords:
- As the website owner, you get full control over the data you collect
- The quality of the data you collect improves because ad blockers and tracking preventers tend not to block first-party cookies and code
- You can respond easily and quickly to changes in the legal framework for data protection without having to change your tech stack
But this solution has some drawbacks as well:
- Developing a data capture platform is a highly costly undertaking as it entails developing and maintaining numerous integration options for existing tools in addition to tracking and data protection features.
- Since server-side tracking takes place on servers, you need to set up and maintain a suitable server infrastructure that complies with privacy law. This results in ongoing costs.
An alternative to in-house development is using a SaaS solution, such as the JENTIS Data Capture Platform. JENTIS DCP is easy to use and offers comprehensive data protection features and integration options. Because it is a managed service, you as the website owner do not have to worry about the servers, the technical infrastructure, or maintaining tool integrations.