In recent months, we’ve seen a domino effect of decisions by European data protection authorities (DPAs) concerning Google Analytics (GA).
On January 12, 2022, the Austrian DSB released its ruling in the case of an unnamed German web publisher. The regulator stated that working with Google Analytics to collect data on EU residents is unlawful under GDPR. In April 2022, the French CNIL ordered three websites to stop using Google Analytics. Two months later, the Italian DPA released a similar statement.
Now the Danish DPA (Datatilsynet) has followed suit. Makar Juhl Holst, a senior legal advisor at Datatilsynet, sheds some light on the factors that affected the ruling:
“Since the decisions by our European colleagues, we have looked into the tool and the specific settings available to you when you intend to use Google Analytics. This has been particularly relevant as Google, following the first Austrian decision, has begun to provide additional settings in relation to what data can be collected by the tool. However, the conclusion is still that the tool cannot be used legally.”
The decision of the Danish authority effectively prohibits the use of Google Analytics in Denmark, at least in the platform’s standard setup.
According to Datatilsynet, lawful application of the platform requires additional privacy measures, supplementary to the settings provided by Google. Companies are left with the following options:
- If they want to continue using GA, they have to pseudonymize data using a reverse proxy, as proposed in the guide by France’s CNIL. Implementing it involves:
  - Making sure Google Analytics fires scripts only after the user’s consent.
  - Setting up analytics server-side and deploying it on EU-based and EU-owned servers.
  - Getting rid of all personal identifiers (such as user identifiers, IPs, cross-site identifiers and custom dimensions that may hold personal data) before sending data to the US.

  Consequently, companies will lose data on their campaigns, referrers, cross-domain user journeys and more. They will also take on the cost and effort of maintaining such a configuration.
- If pseudonymizing data isn’t an option, they must refrain from using Google Analytics and replace it with software that satisfies EU privacy standards. The compliant alternative shouldn’t, for example, transfer data to countries unable to ensure sufficient protection of EU citizens’ personal data, such as the US.
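The identifier-stripping step of such a reverse proxy, as an added example (not code from CNIL, Datatilsynet or this article). It assumes hits arrive as Universal Analytics Measurement Protocol query strings; `pseudonymize_hit`, its `session_id` argument and the sample hit are hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: Universal Analytics Measurement Protocol parameter names.
DROP_EXACT = {
    "uid",                               # site-assigned user ID (cross-device/CRM)
    "uip",                               # IP override
    "ua",                                # user-agent override (fingerprinting surface)
    "dr",                                # document referrer
    "gclid", "dclid",                    # ad click identifiers
    "cn", "cs", "cm", "ck", "cc", "ci",  # campaign fields
}
CUSTOM_DIMENSION = re.compile(r"^cd\d+$")  # cd1, cd2, ...; plain "cd" is the screen name

# Constructed sample hit: e-mail address in the page URL and in custom dimension 1.
SAMPLE_HIT = (
    "v=1&tid=UA-XXXXX-Y&cid=555.123&uid=u42&uip=203.0.113.7&t=pageview"
    "&dl=https%3A%2F%2Fexample.com%2Fpricing%3Futm_source%3Dnews%26email%3Da%40b.c"
    "&dr=https%3A%2F%2Fref.example%2F&cd1=alice%40example.com&cd=home&cm=email"
)


def strip_url(url):
    """Keep scheme, host and path; drop query string and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def pseudonymize_hit(query, consent, session_id):
    """Return the query string to forward upstream, or None to drop the hit.

    session_id is a random value minted by the proxy (hypothetical design choice);
    it replaces the browser's client ID so the cookie value never leaves the EU.
    """
    if not consent:
        return None  # no consent recorded: nothing is forwarded
    out = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in DROP_EXACT or CUSTOM_DIMENSION.match(key):
            continue
        if key == "cid":
            value = session_id
        elif key == "dl":
            value = strip_url(value)
        out.append((key, value))
    return urlencode(out)
```

The proxy must also make the upstream request from its own address and not relay the visitor's IP in headers such as `X-Forwarded-For`. The dropped campaign and referrer fields are exactly the reporting data the list above says companies lose.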
Does the decision also cover Google Analytics 4? The short answer is: yes. As we can read in the FAQ prepared by Datatilsynet:
“In regard to Google Analytics 4, it is apparent from Google’s documentation that IP addresses are used to determine the approximate location of the visitor, after which the address is discarded before the data is logged to a server. As with Universal Analytics, the same issue is also relevant for Google Analytics 4, as – depending on the location of the data subject – there can be direct connection to, among others, American servers before the address is discarded.”
This means that the verdict applies to both versions of Google Analytics.
The opinion of Datatilsynet resolves one of 101 complaints issued by NOYB across the EU after the invalidation of the Privacy Shield. In them, the Austrian non-profit organization argued that using Google Analytics is unlawful without a framework regulating the EU-US transfers of personal data.
Following that, the European Data Protection Board (EDPB) set up a taskforce to support DPAs in responding to the flood of lawsuits concerning GA. As a result, each decision released by European authorities, including Datatilsynet, adopts a consensual approach worked out in coordination with EDPB. What’s more, any new verdict by EU authorities will be based on the same guidelines.
This means that, with each new ruling, a complete ban on the use of Google Analytics in Europe is becoming a more realistic scenario.
The statement by Datatilsynet is also a more decisive and explicit follow-up to last year’s opinion by the Danish Business Authority (DBA). The authority declared it would allow the use of traffic measurement cookies without consent, provided that the solutions:
- Would be for the website owner’s use only.
- Wouldn’t build user profiles of the visitors.
- Wouldn’t pass data to a third party.
With this move, the DBA signaled that Danish businesses should consider choosing privacy-friendly analytics platforms over GA, which doesn’t fit this bill. The new decision goes one step further, mandating companies to completely abandon the Google product.
Danish and other European companies that collect data with Google Analytics must now rethink their choices. There are many good reasons for turning to different analytics platforms anyway. Read about them in this post: 6 key Google Analytics limitations.
The most privacy-friendly option would be to switch to an EU-owned analytics platform that offers secure hosting in the European Union. To learn more about Google Analytics alternatives, check out our detailed product comparisons:
- Google Analytics alternatives – free and paid
- Piwik PRO vs. Google Universal Analytics & Google Analytics 360 & Google Analytics 4 & Google Analytics 4 360
To get more information on how Piwik PRO Analytics Suite helps you abide by GDPR, reach out to us. We’ll be happy to answer your questions.