Google Analytics is the most widely used web analytics tool for measuring a website’s performance, and in 2022 it came under regulatory pressure: the data protection authorities of several European Union (EU) countries have ruled or commented on privacy compliance problems with the service.
The crux of the problem is data transfer to the United States, where Google is based. The EU and the US have had no data privacy adequacy arrangement since the Privacy Shield was invalidated in July 2020, and it is not known when that will be rectified. The various countries’ complaints about Google Analytics, its insufficient protections and its transfers of data are fairly similar.
European Union Data Protection Authorities’ rulings on Google Analytics and GDPR noncompliance
Austria
On January 12, 2022, the Austrian data protection authority, the Datenschutzbehörde (DSB), issued a decision on an August 2020 complaint that an Austrian company’s website, by using Google Analytics, transferred personal data to the US in breach of the GDPR as interpreted by the Court of Justice of the European Union (CJEU) in its July 2020 Schrems II ruling.
Anonymization of the collected data was ruled insufficient, because it would only have taken place after the data reached Google’s US servers, not before it “left” the EU. Google Analytics did offer an option to anonymize IP addresses, and the controller (the website operator) had activated it, but it was not implemented correctly on the website, so the IP addresses were not actually anonymized.
Other rulings have determined that an IP address on its own constitutes personal data; that question was not part of this decision. The DSB did find, however, that an IP address in combination with additional data, such as a unique user ID (UID), makes a person identifiable.
Encryption was also not enough, because Google holds the encryption keys and can be legally compelled to hand them, and so the data, over to US authorities. Austrian or other EU authorities, by contrast, could only request the key.
The ruling assessed the older standard contractual clauses (SCCs) and the state of regulatory affairs in 2020; the period after the new SCCs were released was passed on to the German authorities to rule on.
GDPR penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, could apply in a case like the Austrian one. At present, however, the case is viewed as more of a public compliance enforcement exercise, and no penalty has been levied. Google published a response to the ruling outlining its data protection measures.
What data does Google Analytics collect?
As already noted, the data Google Analytics collects that is of privacy concern includes the IP address and the UID. Google Analytics collects far more than that, though much of it is aggregated: how many visitors a site or its pages have, how long they spend there, where they came from, at what point they leave, how they navigate the site, what they do while there, and which elements they interact with.
Google Analytics also collects information that is a little more “personal”, such as approximate geolocation, browser language, and details of users’ devices and browsers. A full list of the data collection “events” is available in Google’s Analytics documentation.
What cookies does Google Analytics use?
Google Analytics has shipped three JavaScript tag libraries for measuring website use: gtag.js, analytics.js and the older ga.js. These are scripts, not cookies; the cookies they set (for example _ga, _gid and _gat for analytics.js and gtag.js, and the __utm* family for ga.js) store a client identifier plus data about users, website visits, sessions and traffic channels. The cookies have different expiration triggers, e.g. closing the browser versus a fixed length of time such as six months or two years.
Google Analytics and data transfers between the EU and US
The Schrems II ruling invalidated the Privacy Shield agreement between the EU and the United States on the grounds that it did not provide adequate protection for data. As a result, from mid-2020, data transfers from the EU to the US could no longer be made on the basis of that agreement, and the existing SCCs alone were no longer considered a sufficient basis for transfers to the US without additional safeguards.
New SCCs were adopted by the European Commission in June 2021 and became mandatory for new contracts from September 2021. They can be viewed as a somewhat adequate safeguard, but only when combined with additional measures, such as encryption or anonymization applied before the transfer, so that the data is not accessible to US authorities.
The Austrian Google Analytics decision is based on the old legal situation, and no decision has yet been made on the period after the new SCCs were released. That decision is still forthcoming, and the additional data protection measures currently in place are still considered insufficient.
Google is a US-based company with extensive reach online through its various and widely used tools and services, so considerable volumes of user data have long been regularly transferred between the two regions.
France
In February 2022, France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), found that a French website operator’s use of Google Analytics breached Article 44 GDPR. As in Austria, the use of the service was deemed noncompliant because users’ personal data was being transferred to a country without adequate data protection.
The standard contractual clauses meant to protect the data were deemed insufficient, and no adequate technical, organizational or legal protection measures were found to be in place. The transfers were systematic, not limited to special cases. Consent was not obtained for each transfer, so consent could not serve as the legal basis, and the data was therefore collected and transferred without any valid legal basis.
Additionally, a UID, even though it is a pseudonymous identifier, can make a person identifiable and enable precise tracking, especially when combined with data collected by other Google services. As in Austria, encryption of the user data was deemed insufficient, because Google, not the website operator, holds the encryption key and therefore has easy access to the data.
In June 2022, the CNIL issued updated guidance (in French) on the use of Google Analytics, giving organizations a month to bring their use of the service into line or risk enforcement. One technical solution the CNIL described as legally viable is a properly configured proxy server, hosted in the EU, that strips identifying data such as the IP address before any request reaches Google’s servers.
Italy
Also in June 2022, the Garante, Italy’s data protection authority, ruled that a website operator’s Google Analytics data transfers to the United States violated the GDPR. IP addresses, even when truncated, were considered personal data, so collecting them requires a legal basis and protective measures, and the measures Google had in place were deemed not to provide a sufficient level of protection.
Because the data included IP addresses and other identifiers, US agencies could potentially access personal data. Once collected personal data was in Google’s systems, neither regulators nor users had visibility into who could access it or how it could be used.
Italian website operators found in violation of the GDPR through their use of Google Analytics were given 90 days to rectify their use of the service and to verify that the personal data they collected was no longer transferred to the US.
Is using Google Analytics illegal in the European Union?
Google Analytics is used on tens of millions of websites. Rulings that its functions could be grounds for noncompliance penalties have understandably concerned many website operators in the EU, especially since Google, the company responsible for transferring users’ personal information, is a foreign third party that EU website operators neither control nor influence. Of course, website operators do have the choice not to use Google Analytics at all, and in some countries the data protection authorities now recommend exactly that.
Is using Google Analytics allowed in the EU?
It’s not quite as black and white as “using Google Analytics in Europe is illegal”. It is possible for Google to rectify the issues outlined in the rulings against the service. It is also possible for the EU and US to strike a new agreement on data protection standards, particularly for international data transfers.
Recommendations for companies
Companies currently using Google Analytics are advised to upgrade to Google Analytics 4 as soon as possible and to implement the additional privacy measures it supports; we go into those in more detail later in this article. Alternatively, companies can choose an analytics tool that is not US-based and does not transfer data to, or store data in, the United States.
Complaints against Google Analytics in other European Union jurisdictions
Netherlands
AP, the Dutch data protection authority, announced in January 2022 that it was investigating two complaints against the use of Google Analytics, and would be ruling on them. The complaints were similar to those in Austria, France and Italy.
United Kingdom
Though the UK now has its own data privacy law post-Brexit, the UK GDPR remains very similar to the EU’s GDPR. UK companies and the services they use face similar data protection requirements, and similar compliance issues are arising. The UK data protection authority removed Google Analytics from its own website in January 2022 after the Austrian ruling, though its use of the service, which had only started in December 2020, was limited.
Norway
Datatilsynet, the Norwegian data protection authority, also noted in January 2022 that it would follow the Austrian decision against the use of Google Analytics, and publicly advised Norwegian companies to seek alternatives to the service.
Denmark
The Danish data protection authority, also called Datatilsynet, released a statement that it was monitoring the Austrian ruling and similar rulings elsewhere in Europe, and would provide relevant guidance.
European Parliament
A week before the Austrian ruling, the European Data Protection Supervisor (EDPS) sanctioned the European Parliament for using services on its COVID testing website, including Google Analytics, that provided insufficient data protection. This was one of the earliest post-Schrems II rulings, and could prove influential in the hundreds of similar legal complaints that have been filed.
What is Google doing to fix it?
There are several ways Google could fix the issue without waiting for government intervention: not transferring data outside the EU, putting additional legal or technical safeguards in place, or anonymizing or encrypting the data before it leaves the EU.
Any of these would be a big project, expensive and involving many changes. Google is a huge company and Google Analytics is very widely deployed, so change has to be planned, tested and rolled out carefully, and secure, functional change at that scale can only happen slowly. Google Analytics 4 is a start, however.
As scrutiny of companies’ data practices (Google’s included) and of data privacy generally grows, taking action is relevant to the market, and it could be more expensive in the long run for Google not to address these issues, even though Google has a fair amount of power to refuse to simply capitulate to EU authorities’ demands.
Simply shutting down Google Analytics for European users would cause real hardship to website operators’ business operations and potentially their revenues. It would be a blow for Google as well, but Google Analytics is only one of its lines of business.
Is using Google Analytics GDPR-compliant?
Google Analytics is currently not GDPR-compliant “out of the box”, and, if one follows the guidelines and statements of the data protection authorities to date, it cannot be configured to be compliant with the GDPR either. This is an ongoing issue, however, and things may change.
Is Google Analytics 4 GDPR-compliant?
Simply upgrading to Google Analytics 4 is not a magic bullet that will make a company GDPR-compliant, but the upgrade is recommended, and the product is likely to keep evolving toward better privacy features. Once new rulings are issued or a new privacy agreement is reached between the EU and US, there should be more clarity about how Google Analytics 4 fits into the evolving privacy landscape, or further guidance for the tool’s development to enable GDPR compliance.
Is getting user consent sufficient to make Google Analytics GDPR-compliant?
Article 49 GDPR does allow explicit user consent as a derogation for international transfers in specific cases. Under the European Data Protection Board’s (EDPB) guidelines, however, that derogation may only be used for occasional, non-systematic transfers, and transfers are a regular part of how Google Analytics works. So merely obtaining user consent for Google Analytics, especially once, is not a viable long-term solution for website operators.
How to use Google Analytics and be GDPR-compliant with our CMP
To meet the conditions of Article 7 GDPR for valid consent, website operators must obtain explicit end user consent for all Google Analytics cookies set by the website, before those cookies are set and the service starts running. Usercentrics’ DPS Scanner helps identify all cookies and tracking services in use on a website and communicate them to users, so that the consent obtained covers everything actually running.
Do you need consent to use Google Analytics?
All Google Analytics cookies must be set up and controlled so that they are only activated after explicit user consent has been granted. The CMP can block the loading of the service until consent has been obtained: if the script never runs before consent, it never collects the data, so there is nothing to transfer.
IP address anonymization must be turned on in the Google Analytics tracking configuration (in Universal Analytics this is an explicit setting that must be applied before any hit is sent; in Google Analytics 4 IP addresses are truncated by default and the setting cannot be turned off), and website operators need to ensure the service uses only pseudonymous identifiers. Additional privacy controls in Google’s services are also recommended, including disabling some data collection and Google’s advertising personalization features.
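As an added example (not Usercentrics’ CMP code and not Google’s tag snippet), the following JavaScript shows what the gating described above looks like in practice: a small consent gate for gtag.js that loads nothing and sends nothing until consent is granted, then issues the config call carrying anonymize_ip before any buffered event, plus a helper that checks a document.cookie string for Google Analytics cookies so an audit can confirm none exist before consent. The measurement ID, the cookie name list and the class and function names are illustrative assumptions.

```javascript
// Added example, not Usercentrics' CMP code or Google's tag snippet.
// A consent gate for Google Analytics loaded through gtag.js: nothing is loaded
// or sent until consent is granted, and the config call that sets anonymize_ip
// is guaranteed to precede every hit. Measurement ID, cookie names and all
// identifiers here are illustrative assumptions.

// Cookie names Google Analytics (analytics.js / gtag.js) sets in the browser:
// _ga, _gid and the _gat family (e.g. _gat_gtag_UA_XXXX).
const GA_COOKIE_PATTERN = /^(_ga|_gid|_gat)(_|$)/;

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? '' : trimmed.slice(eq + 1);
    cookies.set(name, value);
  }
  return cookies;
}

// Names of Google Analytics cookies present in a cookie string. A pre-consent
// audit (e.g. in an end-to-end test) expects this to return an empty list.
function analyticsCookies(cookieString) {
  return [...parseCookies(cookieString).keys()].filter((name) => GA_COOKIE_PATTERN.test(name));
}

// Real-browser loader; tests pass their own to avoid touching the DOM.
function injectGtagScript(measurementId) {
  const script = document.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId);
  document.head.appendChild(script);
}

// Google's snippet pushes `arguments` objects (function gtag(){dataLayer.push(arguments);});
// reproduce that shape so gtag.js treats each entry as a command.
function toArguments(call) {
  return (function () { return arguments; }).apply(null, call);
}

class ConsentGatedAnalytics {
  // sink: the dataLayer array gtag.js reads; inject: loads the library.
  constructor(measurementId, { sink, inject = injectGtagScript, anonymizeIp = true } = {}) {
    this.measurementId = measurementId;
    this.sink = sink || (typeof window !== 'undefined' ? (window.dataLayer = window.dataLayer || []) : []);
    this.inject = inject;
    this.anonymizeIp = anonymizeIp;
    this.consented = false;
    this.loaded = false;
    this.queue = [];
  }

  _emit(call) {
    this.sink.push(toArguments(call));
  }

  // Record an event. Before consent it is only buffered in memory: no script has
  // been loaded, so no cookie is set and no hit leaves the browser.
  // Returns true if the call was released to Google Analytics.
  track(eventName, params = {}) {
    const call = ['event', eventName, params];
    if (!this.consented) {
      this.queue.push(call);
      return false;
    }
    this._emit(call);
    return true;
  }

  // Called by the CMP when the user opts in to the analytics category.
  grant() {
    if (this.consented) return;
    this.consented = true;
    if (!this.loaded) {
      this.loaded = true;
      this.inject(this.measurementId);
      this._emit(['js', new Date()]);
      // Order matters: this config call must precede every hit. Setting
      // anonymize_ip only after the first pageview (the kind of mistake found in
      // the Austrian case) lets that hit leave with the full IP address.
      // anonymize_ip is a Universal Analytics setting; GA4 truncates IPs regardless.
      this._emit(['config', this.measurementId, {
        anonymize_ip: this.anonymizeIp,
        allow_google_signals: false,
        allow_ad_personalization_signals: false,
      }]);
    }
    for (const call of this.queue) this._emit(call);
    this.queue = [];
  }

  // Called when consent is withdrawn: stop releasing events. Cookies already set
  // must be deleted separately (analyticsCookies finds them).
  revoke() {
    this.consented = false;
  }
}
```

In a page, instantiate the gate at load, call track() wherever the site would otherwise call gtag('event', ...), and have the CMP’s analytics-category callback call grant() or revoke(). This is stricter than Google’s own Consent Mode, which still loads gtag.js and sends cookieless pings before consent; the authorities’ objection is to the transfer itself, so the script must not run at all until consent exists.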
Website operators must also provide clear, transparent information about data processing to users on the website. This information belongs in the privacy policy; some of it can also go in the cookie policy, with details of the Google Analytics cookies used on the site, including the provider, duration and purpose of each.
Cookie policies are typically part of a website’s larger privacy policy. The GDPR requires consent to be informed, which is what the privacy policy is meant to enable. Articles 12, 13 and 14 GDPR set out the requirements in detail and are the place to start when drafting a GDPR-compliant privacy policy.
The website’s privacy policy should also include detailed information about the Google Analytics cookies and other tracking technologies used on the domain, because the information collected by the types of cookies Google Analytics uses is classified as personal data under the GDPR. The specific personal data these cookies collect should be listed as well, and the same goes for every other service in use on the website.
Conclusion
Many organizations use Google Analytics on their websites because it provides extensive data and powerful tools to help lower bounce rates, visualize data, optimize web rankings, learn about and segment visitors, and more. It also integrates well with other Google tools.
Google Analytics helps companies pursue growth and revenue goals, so understandably, businesses are caught between not wanting to give that up, but also not wanting to risk GDPR violation penalties or the ire of their users over lax privacy or data protection.
At the same time, Google’s track record to date has been to fight complaints and decisions against it in the European Union, and capitulating to EU data protection authorities or hamstringing the functions of its services does not serve Google’s traditional business interests or revenue streams. However, as the regulatory landscape continues to evolve, and as more countries line up behind decisions against Google or stop using its services entirely, something will have to change.
Consumers are changing as well, making greater demands for their online privacy. Businesses need to keep this in mind for their operations and growth.
Day to day, it is up to website operators to keep up with current regulations and requirements, and do what is necessary to achieve and maintain privacy compliance to protect users. Aside from legal necessity, taking these steps also helps build trust and long-term relationships with users.
The Usercentrics team closely monitors regulatory changes and legal rulings, makes updates to our services and posts recommendations and guidance as appropriate. However, website operators should always get relevant legal advice from qualified counsel regarding data privacy, particularly in jurisdictions relevant to them. This includes circumstances where there could be data transfers outside of the EU to countries without adequacy agreements for data privacy protection.
As the regulatory landscape and privacy compliance requirements for companies are complex and ever-changing, we’re here to help.
Book a demo and see how the Usercentrics CMP can help with your company’s data privacy goals.
Or contact one of our experts today. We’re happy to answer all of your questions.