What’s up with Google Analytics’ GDPR?

There’s no denying that Google Analytics and their (lack of) compliance with the General Data Protection Regulation (GDPR) has become the subject of heated discussion of late. Mid January, things took a highly-publicised turn when the Austrian Data Protection Authority ruled that NetDoktor’s use of Google Analytics violated key aspects of the regulation and was therefore illegal. So, Google Analytics now has a (new) GDPR problem - and it’s potentially a whopper.

Since the news came out, issues surrounding data compliance, a possible ban of Google Analytics, and the issue of whether Google Analytics is somehow exempt or skirting its GDPR responsibilities have been - quite rightly - on people’s minds. But what exactly is the problem? Might similar non-European based systems, like Chartbeat, Parse.ly or Piano analytics face a similar issue? And, even more importantly, what are the possible consequences and solutions if they do? There are lots of pressing questions, so let’s get you some answers, shall we?

Questions you might have:

1. Where does Google Analytics get its data from?
2. How is Google violating GDPR?
3. Does this mean I can’t use Google Analytics anymore?
4. What can Google do to fix this problem?
5. How can I be GDPR compliant?
6. Is it time to switch to a different data provider?

Where does Google Analytics get its data from?

If you are using Google Analytics on your website you are probably familiar with their workflow. But hang on, let’s back up a little: where does Google Analytics get its data from again?

You’re right to pause on that one. Here’s a quick reminder.

When a user loads your website, several different Google Analytics cookies are placed on the device and track everything that user does during their visit, with the purpose of distinguishing and remembering that user over time and upon repeated visits. This happens for all website visitors, which makes it possible for Google Analytics users to collect data about visitors, based on pages they read, time they spend on your website, information about the device they are searching on, their cookie data and more.

Only ‘necessary cookies’ (those which are strictly necessary for the basic functions of your domain) are allowed to be placed on your website without user consent. As you might have guessed, Google Analytics cookies do not fall into this category. So, strict rules need to apply to these cookies and the collection of data using these cookies.

How is Google Analytics violating GDPR?

So, Google Analytics cookies collect data from your web-users. No biggie. But here’s the problem: personal data (like IP addresses) collected through Google Analytics cookies is shipped through Google servers and ends up in the United States. Within European companies, and under the GDPR rules, data must be protected against unauthorised and unlawful processing, as outlined by the European Union’s General Data Protection Regulation. It has now come to light that this overseas transmitted data is not protected, since US intelligence agencies can potentially access huge amounts of it, all because data held on people living outside the US isn’t protected as well as data of those living in The Land of The Free.

Our data protection officer, Darko, explains how this problem came to light: “It all started when the Privacy Shield was declared invalid thanks to Schrems II, a decision of the Court of Justice of the European Union (CJEU). The ruling stated that cloud services hosted in the US are incapable of complying with the GDPR and EU privacy laws, because of the US surveillance law. Following this, NOYB (a non-profit organisation called None of Your Business) filed 101 complaints regarding data transfers from EU-based websites to Google and Facebook in the US. Instead of adapting to the GDPR and EU laws, most US companies ignored the EU Court of Justice and relied on “Standard Contract Clauses” to continue data transfers between the Atlantic. So, the fallout from the Austrian ruling is an indication that GDPR is working in practice.”

Does this mean I can't use Google Analytics anymore?

The use of Google Analytics hasn’t been made illegal (though time may tell on this one) and no fines have been sanctioned at this moment. For now, it is unclear if Google Analytics will be banned, at least in its current form. Of course, Google is an absolute giant and banning them will have huge consequences and result in countless lawsuits. So, this could mean that all the different European countries are looking at each other and waiting for the first one to ban Google Analytics, so the rest can follow using that court decision. That said, it could also mean that they are investigating what the (financial) consequences would be once they start banning Google Analytics in their (digital) countries or it might mean that behind the scenes lots of negotiations take place with Google Analytics to make them become GDPR-proof without the escalation that will inevitably occur once lawsuits ppl start.

Darko, however, strongly advises that Austrian citizens start removing Google Analytics - though clearly this decision is relevant to almost all EU websites. There are already examples of German and Dutch DPAs who have started investigating this topic, and it’s a good idea for all EU members to start investigating their own cases. Darko recommends that all businesses in EU Member states start taking action, because the local DPAs can identify you as a potential threat if you continue to make use of Google Analytics.

What can Google do to fix the problem?

We’d like to think that a company as big as Google must surely be willing to fix a problem of this scale. Initially, Google reacted to the NOYB complaint by referring to the encryption of Google Analytics data, but the Austrian regulator concluded that the encryption is insufficient to exclude any threat of espionage from the US. Despite the judges’ statements, internal documents reveal that Facebook, that other tech titan, is convinced there aren’t any privacy protection problems when shipping data from the EU to the US.

Darko: “I think that if this continues, Google Analytics will eventually be banned in Europe, but in the long run, US companies will simply have to adapt, or US providers will have to host foreign data outside of the United States.”

So, the most obvious solution for Google would be to move data storage centres to Europe where Google Analytics can store all data from European citizens, which would mean that Atlantic transmission of data would cease to be an issue. In that scenario, the data would then be automatically protected against possible access from US intelligence agencies.

However, when asked if Google intends to open a European data storage, a spokesperson told Wired the company has no plans to share. And even if that were the case, it is unclear if core GA services (account management, quality control, data science, etc.) would still be situated in the US, and if they were, the net result would remain unchanged: they’d still be able to access your data.

An alternative solution would be to replace the Privacy Shield that was declared invalid back in 2020, but as yet no concrete proposals for doing so have been made. Besides, reforming the late Privacy Shield is in long talks by the EU-US department of commerce and in Darko’s opinion, will not do any good, because the bigger issue here is that the EU-US data schism will not go away and will stay with us for a while. If US surveillance law remains in effect, this ping-pong issue will be with us for a long time.

Another fix for Google could be to change Google Analytics’ data collection, so they would stop trespassing on European privacy laws. Darko thinks of all the solutions, this seems the most workable: “I think that Google needs to comply 100% with the GDPR and EU laws, and stop ignoring the EU Supervisory Authority and European Court of Justice. But instead, Google has responded by insisting that local and regional authorities should be held responsible for their problem and are lobbying US and European lawmakers to come up with new regulations that secures data transmission across the Atlantic. The hope for a quick-fix like this seems to be more of an illusion than reality.

How can I be GDPR compliant?

First of all, it is important to check if the way you are collecting data right now is GDPR compliant. You’re probably on that. Well done.

But the more worrying issue here is whether there’s a GDPR compliant way to use Google Analytics. Here’s Darko again: “There are some settings in Google Analytics you can adjust to be more compliant. You can turn off data sharing, anonymise IPs, disable sharing data for ad purposes and disable the user ID function. But all these settings are pretty irrelevant now, since the user can still be identified by Google Analytics anyway.”

So, simply put: all European companies need to follow and implement all measures according to GDPR and follow the EU Supervisory authority and CJEU. Because of the Privacy Shield, you need to be aware that if you’re operating in the EU, data providers and servers need to be in the EU also. Following the 7 principles of GDPR should be the goal for proper compliance.

To get into action right away, you can check off these few things:

1. Make sure you use the knowledge of your data protection officer to raise awareness about privacy laws
2. Start mandatory training or audits for your staff on the subject
3. Keep key figures in the company updated on privacy laws at all times (this really is crucial)
4. Also, develop a set of personal data protection measures in the software development process that aim to facilitate the effective enforcement of Privacy Regulation

The Google Analytics GDPR breach is the perfect opportunity to start thinking about how privacy-oriented we all are. We should all start implementing GDPR measures in our daily lives. Social engineering is always around and malware on the internet is constantly lurking and waiting for a simple misstep. So, Darko’s golden tip: always read the privacy policies and get informed about using a new tool at work or installing a new app on your mobile, and don’t hesitate to inform local DPA if there are some issues. It’s your and their obligation too.

Is it time to switch to a different data provider?

Of course the problem with transmitting data from Europe to the United States is not a problem just Google is facing. All non-European data systems, like Parse.ly, Adobe analytics, Piano analytics, IO technologies, Chartbeat to name a few are all likely to be grappling with repercussions of the Austrian ruling.

We don’t have a crystal ball saying what the future of Google Analytics or non-European data transmissions will look like. Of course, as there is no clear conclusion yet, you can sit it out and wait for a solution or verdict to pop up. However, if you are using Google Analytics (or any non-European data service for that matter) right now and they are not storing their data in Europe, you could be (unwittingly) breaking the law, so take a critical look at where your data provider stores data and take some time to look at European alternatives. Switching analytics is time consuming and expensive, but to go European gives you a bit of a solid base. After all, there are a lot of European companies who can do exactly the same, or even more, as Google Analytics (take a look at our comparison sheet).

Take smartocto for example. All our data is stored in Europe and we can connect our smartocto editorial analytics system to any source, so there is absolutely no need to use Google Analytics anymore. Besides, we offer much more in-depth analytics than Google Analytics anyway - we’re talking historical reports in your mailbox, realtime data and smart notifications!

Are you ready to discover an alternative?