Google Analytics is the most popular web analytics tool for learning about a website’s performance, and it experienced some regulatory heat in 2022. The data protection authorities of a number of European Union (EU) countries have all weighed in on privacy compliance issues with the service.
The EU and the United States, where Google is based and data is transferred to (the crux of the noncompliance issue), haven’t had a data privacy adequacy agreement since July 2020. It is not known when that will be rectified. The various countries’ complaints about Google Analytics use and its insufficient protections and transfer of data are fairly similar.
European Union Data Protection Authorities’ rulings on Google Analytics and GDPR noncompliance
On January 12th, 2022, Austrian data protection authority “Datenschutzbehörde” (DSB) issued a decision resulting from an August 2020 complaint that an Austrian company’s website’s use of Google Analytics violated the July 2020 Schrems II ruling from the European Court of Justice (CJEU).
Even if data collected was anonymized, it was ruled that that was insufficient, as it would likely only have taken place after data reached US servers, not before it “left” the EU. In this case, Google Analytics did provide the option to anonymize IP addresses, which the Controller (website operator) did activate, but did not implement correctly on the website. Thus true anonymization of this data was not achieved.
It has been determined in other rulings that IP address constitutes personal data, but that was not part of the decision in this specific ruling. However, an IP address in combination with additional data, like Unique User ID (UID) was determined to enable a person to be identifiable.
Use of encryption was also not enough, as US authorities could get access to the encryption key, because Google is legally required to provide it. Austrian (or other EU) authorities could only request the encryption key.
The ruling was based on older standard contractual clauses (SCCs) and the state of regulatory affairs in 2020, but the case was passed on to German authorities so they can rule on it for the period of time after the SCCs were released.
GDPR penalties of up to € 20 million or 4 percent of global turnover could be applied in a case like the Austrian ruling regarding GDPR-noncompliant use of Google Analytics. At present, however, the case is being viewed as more of a public compliance enforcement exercise, and no penalties have been levied. Google also published a response to the ruling outlining their data protection measures.
What data does Google Analytics collect?
As already noted, some of the data Google Analytics collects that can be of privacy concern include IP address and UID. Of course, Google Analytics can collect far more information than that, though much of it is more aggregated. For example, how many visitors are on a site or its pages, how long they spend there, where they have come from, and at what stage they leave. Also, how they navigate on the site, what they do while there, and what elements they interact with.
Google Analytics can also get into information that’s a little more “personal”, like approximate geolocation, browser language, and information about users’ devices and browsers. A full list of data collection “events” can be found here.
Google Analytics supports three tags/cookies for various kinds of website use measurement: gtag.js, analytics.js and ga.js. They collect different data relating to users, website visits, sessions, and traffic channels. The different cookies have different expiration triggers. e.g. when you close a browser v.s. a specific length of time, like six months or two years.
Google Analytics and data transfers between the EU and US
The Schrems II ruling invalidated the Privacy Shield agreement between the EU and the United States on the basis that it did not provide adequate protection for data. As a result, from mid-2020 to September 2021, data transfers from the EU to the US could no longer be made on the basis of that agreement or SCCs.
However, new SCCs were released in September 2021, which can be viewed as a somewhat adequate safeguard, as long as they are connected to additional measures like encryption or anonymization, so data is not accessible by US authorities.
The Google Analytics case is based on the old legal situation, however, and no new statements were made in the new legal situation after the new SCCs were released. This new decision is still forthcoming, and current additional data protection measures are still considered insufficient.
Google is a US-based company with extensive reach online through its various and widely used tools and services, so considerable volumes of user data have long been regularly transferred between the two regions.
France’s Commission nationale de l’informatique et des libertés (CNIL) data protection authority found that Google Analytics breached Article 44 GDPR in France in February 2022. Again, a website operator’s use of Google Analytics was deemed noncompliant with the GDPR, as users’ personal data was being transferred to a country without adequate data privacy protection.
Standard contractual clauses meant to protect data were deemed insufficient, and it was determined that there were not sufficient technical, organizational or legal data protection measures in place. Data transfer was deemed to be systematic and not just done in special cases. User consent wasn’t obtained on a repeated basis for these data transfers, so consent as a legal basis for data collection was deemed invalid, and data was determined to be collected without any valid legal basis.
Additionally, the use of UID, like pseudonymization, could make a person identifiable and enable precise tracking, especially combined with data collected from other services. As with the Austrian authorities, encryption of user data was deemed insufficient for protection, as Google had the encryption key, and thus easy access to the data that French authorities did not have.
In June 2022, the CNIL issued updated guidance (in French) regarding the use of Google Analytics, giving organizations a month to update their usage of the service or risk regulatory enforcement. Legally, a proxy could be one solution to these issues.
Also in June, Garante, Italy’s data protection authority, ruled against Google Analytics data transfers to the United States as violating the GDPR. IP addresses, even when shortened, were considered personal data, so collection of them would require a legal basis and data protections. However, measures that Google did have in place were deemed not to provide a sufficient level of protection for personal data collection.
Also relating to IP addresses, US agencies could potentially access personal data. Once personal data collected was in Google’s systems, regulatory authorities and users did not have visibility into who could access it or how it could be used.
Italian website operators found in violation of the GDPR in their use of Google Analytics were given 90 days to rectify their usage of the service and to verify their GDPR compliance that personal data collected was not transferred to the US.
Is using Google Analytics illegal in the European Union?
Google Analytics is used on tens of millions of websites. Rulings that its functions could be grounds for noncompliance penalties have understandably been of concern to many website operators in the EU. Especially considering that Google, the company responsible for transferring the personal information of users, is a foreign third party that EU website operators neither control nor influence. Of course, website operators do have the choice — and in some countries it is now recommended by some countries’ data protection authorities — not to use Google Analytics at all.
Is using Google Analytics allowed in the EU?
It’s not quite as black and white as “using Google Analytics in Europe is illegal”. It is possible for Google to rectify the issues outlined in the rulings against the service. It is also possible for the EU and US to strike a new agreement regarding data protection standards, particularly where international data transfers are concerned.
Recommendations for companies
For companies that are currently using Google Analytics, it’s recommended to update to Google Analytics 4 as soon as possible. Implement additional measures in Google Analytics 4 that support user privacy. We get into more details about those later in this article. Alternatively, companies can also choose an analytics tool that is not US-based, or that doesn’t transfer to or store data in the United States.
Complaints against Google Analytics in other European Union jurisdictions
AP, the Dutch data protection authority, announced in January 2022 that it was investigating two complaints against the use of Google Analytics, and would be ruling on them. The complaints were similar to those in Austria, France and Italy.
Though the UK now has its own data privacy law post-Brexit, the UK GDPR remains similar to the EU’s GDPR. Similar data protection requirements exist for UK companies and services they use, and similar compliance issues are coming up. The UK data protection authority removed Google Analytics from its website in January 2022 after the Austrian ruling, though it should be noted that their usage of the service, which started in December 2020, was limited.
Datatilsynet, the Norwegian data protection authority, also noted in January 2022 that it would join Austria in their decision against the use of Google Analytics. It also publicly advised Norwegian companies to seek alternatives to the service.
The Danish data protection authority Datatilsynet released a statement that they were monitoring the Austrian ruling and other similar European Court of Justice rulings, and would provide relevant guidance.
A week before the Austrian ruling, the European Parliament was sanctioned by the European Data Protection Supervisor (EDPS) for using services on its COVID testing sites, including Google Analytics, that provided insufficient data protections. This was one of the earliest post-Schrems II rulings, and could prove influential in hundreds more legal complaints that have been filed.
What is Google doing to fix it?
One might wonder about a number of ways that Google could fix the issue, bypassing government intervention all together. Don’t transfer data outside of the EU? Put additional legal or technical safeguards in place? Better anonymize or encrypt the data?
Fixing the issue would be a big project. Very expensive and with a lot of changes needing to be made. Google is a huge company and Google Analytics is very widely implemented. Change needs to be planned and rolled out carefully, with exceptional planning and testing, so secure, functional wide scale change can only happen slowly. Google Analytics 4 is a start to making change, however.
As concerns about and scrutiny of companies’ activities (including Google’s) and data privacy broadly, taking action is relevant to the market and it could be more expensive in the long run if the company does not take action to address issues. Even if Google does have a fair bit of power in refusing to just capitulate to EU authorities’ demands.
Simply shutting down Google Analytics for European users would cause a fair bit of hardship to website operators’ business operations and potentially revenues. It would be challenging for Google as well, but Google Analytics is only one of their lines of business.
Is using Google Analytics GDPR-compliant?
Google Analytics is currently not compliant with the GDPR “out of the box”, and, in fact, if one follows the guidelines and statements of the data protection authorities to date, it can’t be set up to be compliant with the GDPR. However, this is an ongoing issue and things may change.
Is Google Analytics 4 GDPR-compliant?
Just upgrading to Google Analytics 4 isn’t a magic bullet that will make a company GDPR-compliant. However, that upgrade is recommended. It is likely that it will continue to evolve as a product to enable better privacy features. Once new rulings are released or new privacy agreements are reached between the EU and US, there may be more information about how Google Analytics 4 fits into the evolving privacy landscape, or further guidance for the tool’s development to enable GDPR compliance.
Is getting user consent sufficient to make Google Analytics GDPR-compliant?
Article 49 GDPR does allow for explicit user consent as a possible derogation in specific cases. However, under the European Data Protection Board’s (EDPB) guidelines, that can only be used for non-systematic transfers, which isn’t what Google Analytics does. Data transfers are a regular part of how the service works. So just obtaining user consent for Google Analytics use, especially one time, is not a viable or long-term solution for website operators.
How to use Google Analytics and be GDPR-compliant with our CMP
Taking steps to meet the conditions of Article 7 GDPR for valid user consent, website operators must obtain explicit end user consent for all Google Analytics cookies set by the website. Consent must be obtained before these cookies are activated and in operation. Using Usercentrics’ DPS Scanner helps identify and communicate to users all cookies and tracking services in use on websites to ensure full consent coverage options.
Do you need consent to use Google Analytics?
All Google Analytics cookies have to be set up and controlled so they only activate after explicit user consent has been granted. The CMP can enable blocking of the activation of services until user consent has been obtained. So basically, Google Analytics couldn’t transfer user data because it would never have collected it.
IP address anonymization must be turned on in the Google Analytics account, and website operators need to ensure it uses pseudonymous identifiers. Additional privacy controls of Google services are also recommended, including disabling some data collection and/or Google’s advertising personalization features.
Many organizations use Google Analytics on their websites because it provides extensive data and powerful tools to help lower bounce rates, visualize data, optimize web rankings, learn about and segment visitors, and more. It also integrates well with other Google tools.
Google Analytics helps companies pursue growth and revenue goals, so understandably, businesses are caught between not wanting to give that up, but also not wanting to risk GDPR violation penalties or the ire of their users over lax privacy or data protection.
At the same time, Google’s track record to date has been to fight complaints and decisions against it in the European Union. And, indeed, capitulating to EU data protection authorities and/or hamstringing the functions of their services doesn’t serve Google’s traditional business interests or revenue streams. However, as the regulatory landscape continues to change and evolve, and as more countries get on board with decisions against Google, or stop using its services entirely, something will have to change.
Consumers are changing and evolving as well, making greater demands for their online privacy. This is something that businesses need to keep in mind for their operations and growth as well.
Day to day, it is up to website operators to keep up with current regulations and requirements, and do what is necessary to achieve and maintain privacy compliance to protect users. Aside from legal necessity, taking these steps also helps build trust and long-term relationships with users.
The Usercentrics team closely monitors regulatory changes and legal rulings, makes updates to our services and posts recommendations and guidance as appropriate. However, website operators should always get relevant legal advice from qualified counsel regarding data privacy, particularly in jurisdictions relevant to them. This includes circumstances where there could be data transfers outside of the EU to countries without adequacy agreements for data privacy protection.
As the regulatory landscape and privacy compliance requirements for companies are complex and ever-changing, we’re here to help.
Book a demo and see how the Usercentrics CMP can help with your company’s data privacy goals.
Or contact one of our experts today. We’re happy to answer all of your questions.