Google Analytics (GA) is reportedly installed on more than half of all websites. Its popularity comes as no surprise – it’s developed by one of the most recognizable brands in the world, it’s easy to get started with and it’s “free”. But the tool is useful not only for business owners, it’s also a powerful source of information for Google itself.
In the pre-GDPR era this seemed to alarm mainly privacy advocates. Then GDPR happened, and now all website owners operating in Europe need to carefully examine if the software allows them to live up to the new regulatory standards and respect users’ privacy. A whopping 200,000 lawsuits against companies using Google Analytics across Germany seem to speak against it.
In this situation, as a Google Analytics user, you may wonder if there is a way to “sanitize” the tool and escape hefty fines.
One way to avoid problems is to base your data collection on explicit consent rather than legitimate interest. Another, lesser-known option is to run a data protection impact assessment (DPIA) for Google Analytics. In this article, we’ll tell you why and how you should carry out this kind of analysis.
First, let’s address the most common risks involved in using Google Analytics, especially in the context of compliance with privacy laws.
When you’re using GA, your data is stored on a randomly selected public cloud located in the US, the EU or Asia. With the freemium version of the software, you can’t really choose where your data will end up.
Let’s say Google decides to store your data on servers in the US. To ensure its safety, Google Analytics applies the Privacy Shield framework – a widely known privacy standard for transferring data between Europe and the United States.
Here’s a direct quote from Google’s data processing terms:
10.2 Transfers of Data Out of the EEA and Switzerland. Google will ensure that:
(a) the parent company of the Google group, Google LLC, remains self-certified under Privacy Shield on behalf of itself and its wholly-owned U.S. subsidiaries; and
(b) the scope of Google LLC’s Privacy Shield certification includes Customer Personal Data.
Although GDPR doesn’t forbid you from storing data outside the EU, it mandates very high security standards for offshore databases. Privacy Shield, in turn, has been criticized since its inception and many renowned organizations, including the European Parliament, warn that it doesn’t provide an adequate level of protection.
Despite the doubts raised over Privacy Shield, Google doesn’t give you any control over the location of your data.
Update: As of July 16th 2020, Privacy Shield is no longer a valid legal framework for transferring data from the EU and Switzerland to the US. The situation is evolving fast, though. Here we’ve written about the decision and will provide updates when anything changes. And here we’ve written about how such limitations affect users of Google Analytics.
There’s also a problem with data ownership, or to be more precise, the lack of it. Google uses your analytics data to improve their services, and the information you collect in your tool is then shared with clients of other Google products, including:
- DoubleClick
- Google Ads
- and other Google products
As we can read in Google’s Privacy & Terms:
Many websites and apps use Google services to improve their content and keep it free. When they integrate our services, these sites and apps share information with Google.
For example, when you visit a website that uses advertising services like AdSense, including analytics tools like Google Analytics, or embeds video content from YouTube, your web browser automatically sends certain information to Google. This includes the URL of the page you’re visiting and your IP address. We may also set cookies on your browser or read cookies that are already there. Apps that use Google advertising services also share information with Google, such as the name of the app and a unique identifier for advertising.
This allows Google to employ user profiling. With data from multiple sources, it’s able to determine such user characteristics as gender or location and then make this data available in your reports.
Also, because you have GA code on your website, advertisers in Google Ads get to know your visitors’ preferences based on the content they consume. That allows them to target those users with advertising.
As the site owner, you agree to this by default in the GA data sharing settings. For someone who needs full data privacy, that can be alarming. The more parties that have access to your data, the bigger the chance of its privacy and security being compromised.
And frankly speaking, this is only the tip of the iceberg. In Brave’s Inside the black box: a glimpse of Google’s internal data free-for-all you’ll find an even longer (and more chilling) list of ways in which Google uses data about your visitors.
The next issue concerns personal data. In its processing terms, Google forbids its users from collecting all types of personally identifiable information other than:
Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers.
Remember, however, that PII and personal data are not the same thing, as the scope of the latter is much broader. In GDPR terms, GA still collects personal data, in the form of visitors’ online identifiers saved in a cookie.
This means that you still need to obtain valid consents from your visitors in order to process data containing unique identifiers, even if you don’t collect any other type of personal data (e.g. email addresses or names of your clients).
Another thing is combining Google Analytics data with the first-party data you collect, e.g. information from CRM, offline databases or payment systems.
To act in line with the law, you’ll need to ask your website visitors if they allow you to do so. According to GDPR, each new purpose for processing analytics data requires a separate consent of the user, specified in a consent form.
For these and other reasons, Google’s approach to data privacy has been widely discussed among European data protection authorities. On November 14, 2019, seven German DPAs issued statements on third-party tracking mechanisms. They agreed that consent is required if a third-party service provider uses personal data for its own purposes (which Google Analytics does). As we can read in a press release by the Hamburg Commissioner for Data Protection and Freedom of Information:
When integrating Google Analytics, many website operators often refer to old, outdated and withdrawn publications. The product Google Analytics changed over the past years so it no longer qualifies as a controller-processor situation. Rather, the provider grants itself the right to use the data for its own purposes.
The DPAs announced that they would start website inspections and called on data controllers to immediately check and review the third-party trackers installed on their websites in order to avoid fines.
Now the German Data Protection Authorities (DSK) are buried under a mountain of complaints – approximately 200,000 – about websites that use Google Analytics.
The first and obvious way to protect yourself against the consequences of using Google Analytics is to apply consent mechanisms on your site. If you want to learn more about doing this, be sure to visit our Consent Manager website and read A practical guide to acquiring consent in the age of GDPR.
However, consent is just one of the things you should do to sanitize the use of the tool. In the wake of lawsuits against Google Analytics users, the German DSK suggests going a step further and conducting a data protection impact assessment.
If your business runs a DPIA, you’ll be able to prove to the authorities that you understand the underlying data processing concept for click-stream data, and that you’ve done your part to weigh its impact on the privacy of people visiting your website.
Thanks to this, you’ll also be able to decide if you’re ready to accept the liabilities involved in partnering with Google.
A DPIA is a process created to help you analyze, identify and minimize the data protection risks of a project. When done properly, it helps you evaluate and demonstrate how you comply with your obligations under GDPR.
Conducting a DPIA is a legal requirement for any type of processing, especially types that could pose a threat to people’s rights and freedoms. It doesn’t have to eliminate all risks, but it should help you minimize them and determine if they’re acceptable in a given context.
Running a DPIA doesn’t always have to be difficult or time-consuming, but it must show the effort you’ve put into the assessment. Also, there are no arbitrary rules you have to follow when writing your DPIA. We encourage you to take a cue from the best and most reliable examples. Here’s a DPIA template prepared by the ICO.
Learn about the ins and outs of DPIA from this helpful guide by ICO.
If, after performing a DPIA, you conclude that the risk associated with using Google Analytics is too great, remember that there are other options: tools that give you full control and ownership of the data you process. For example, Piwik PRO, which you can keep on your own infrastructure or on certified cloud servers in the location of your choice.
If you want to learn more about how Piwik PRO can help you operate in line with GDPR and other data privacy laws, visit this page.
We hope that the information we’ve given you here will help you determine if the benefits of working with Google Analytics outweigh the potential threats to user privacy. If you’d like to learn more about this topic or about our platform, be sure to contact us. Our team will be happy to answer your questions.