Is Google Analytics (3 & 4) GDPR-compliant? [UPDATE]

Published February 4, 2022 · Updated June 28, 2022

Google Analytics and its parent company, Google LLC, have been on the radar of European privacy activists for some time now. In the past few years, we’ve heard reports of questionable privacy practices by Google, which led to legal action based on GDPR. This includes complaints filed by activist organizations such as Austria’s NOYB and the Panoptykon Foundation in Poland.

At the same time, the Schrems II ruling of the Court of Justice of the European Union (CJEU) and invalidation of Privacy Shield brought people’s attention to platforms like Google Analytics that store EU residents’ data on US-based cloud servers.

Up until now, the answer to the question “Is Google Analytics GDPR-compliant?” remained ambiguous. Some EU-based organizations were alarmed by the controversies around Google Analytics and turned to more privacy-friendly alternatives. Others continued to use the tool.

Yet, the Austrian, French and Italian data protection authorities (DPAs) have unambiguously ruled that the use of Google Analytics is illegal under GDPR. Keep reading to learn more about the backstory behind those decisions and the consequences they will have for companies handling EU residents’ data.

Google Analytics and GDPR compliance: 6 key product changes

First, let’s address the positive changes to Google Analytics that have been made to meet GDPR standards. The list of new features and tweaks includes:

1) Data deletion mechanism – In Google Analytics, you may delete information about visitors if they request it. That said, this functionality works only for full categories of data such as all page titles, event labels, event categories, event actions, custom dimensions or user IDs you’ve collected in a given time range. To delete data based on a particular cookie or user ID, you’ll have to employ the Google Analytics User Deletion API, which requires some coding skills.

2) Data retention settings – Google has introduced new data retention settings. This allows you to control how long individual user data is stored before being automatically deleted. In Google Analytics 4, you can choose between 2 and 14 months of data retention.

3) New privacy policy – Google has also included new GDPR terms in the standard contract, where it defines itself as the “data processor” with respect to Analytics and Analytics 360. 

4) Updated data processing terms – Google has made significant changes to their data processing terms. These terms also act as a data processing agreement. The new document lists your responsibilities, such as informing and obtaining valid consent from European residents. What’s more, Google relies on standard contractual clauses (SCCs) to ensure the security of its cross-border data transfers.

5) Existing tools that help comply with GDPR – Google Analytics also reminds users of all the privacy settings that are already available in their accounts. These settings involve cookies, data sharing, privacy controls, data deletion on account termination and IP anonymization.

6) Some part of data collection moved to the EU – The new version of Google Analytics, Google Analytics 4, collects data from EU users through Google’s EU-based servers before forwarding it to Analytics servers for processing.

These changes, paired with countless guides on how to make Google Analytics GDPR-compliant, have created an impression that it’s possible to use the platform without violating EU law. But the reality is not that bright for website owners who employ Google Analytics.

Google Analytics and GDPR: how the platform violates European law 

The key compliance issue with Google Analytics stems from the fact that it stores user data, including information about EU residents, on US-based cloud servers. On top of that, Google LLC is a US-owned company, and is therefore subject to US surveillance laws, such as the Cloud Act.

Why is this a problem?

In July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, which set the rules for the transfer of data between the EU and US. In the judgment known as Schrems II, the European court ruled that sending personal data from the EU to the US is illegal if companies can’t guarantee this data will be safe from US intelligence. 

In the absence of an adequacy agreement, some companies, including Google, resorted to standard contractual clauses (SCCs) as the way to safeguard data sent to the US.

Since the verdict, the privacy watchdog organization NOYB has filed 101 complaints against companies that collect visitor data with Google Analytics and Facebook Connect. The list of sued companies includes businesses from different sectors, with prominent representation of publishers and finance.

So far, data protection authorities have evaluated only one complaint. On January 12, 2022, the Austrian DSB released its ruling in the case of an unnamed German web publisher. The regulator stated that using Google Analytics to collect data of EU residents is unlawful under GDPR.

According to the DSB, it’s possible to link the information collected with Google Analytics to a natural person. At the same time, SCCs introduced by Google can’t protect EU residents’ data from US surveillance. Because of that, organizations that collect analytics data about EU residents shouldn’t use Google Analytics.

In April 2022, CNIL issued a decision ordering three French websites to stop using Google Analytics. Two months later, the Italian DPA released a similar statement. Other data protection authorities might follow suit. Here’s why:

  • In 2020, the European Data Protection Board (EDPB) formed a taskforce to coordinate the communication between all European data protection authorities after the Schrems II ruling and to help them manage complaints arising from the ruling.
  • The Dutch data protection authority, the AP, the author of a manual on how to use Google Analytics in a privacy-compliant way, has now declared that the usage of Google Analytics “may be not permitted”.
  • The Norwegian data protection authority, the EDPS, as well as Liechtenstein’s Datenschutzstelle have both released a similar opinion to the one issued by the AP.
  • Denmark’s authority has announced that it will react to the ruling of the Austrian DPA by releasing its own guidance on the use of Google Analytics. At the same time, it emphasized the importance of the common interpretation of these rules across all European regulators.
  • The Austrian DPA has now issued a second decision, which declared the use of Google’s IP anonymization an insufficient protection measure for data transfers from the EU to the US. The DSB further rejected the notion of a “risk based approach” that had been argued by Google.
  • Following their earlier decision, France’s CNIL has issued revised guidance on the use of Google Analytics. Their FAQ suggests that EU-based organizations can’t use the tool without applying additional safeguards. The French authority has also stated that their view on Google Analytics is a coordinated position of all European DPAs.

Though the decisions mentioned only Google Analytics, they will affect all platforms that store data on servers located in the US. But it’s possible that companies will be able to mitigate their risks by relying on other analytics products. One of the options is to introduce security measures that will prevent US intelligence agencies from accessing user data under the Cloud Act.

Is Google Analytics 4 GDPR compliant?

The short answer is: no. Despite some changes in privacy settings, Google Analytics 4 still collects personal data (unique user IDs) and processes it outside the EU. Finally, Google Analytics 4 is still a product developed and maintained by Google, a US entity subject to US surveillance laws such as FISA and the Cloud Act.

Is Google Analytics for Firebase SDK GDPR compliant?

Google Analytics (GA) for Firebase has the same compliance issues as the regular version of the platform. It collects personal data (unique device IDs) and sends it outside the European privacy jurisdiction. Because of that, the recent decisions declaring GA illegal in the EU also apply to GA for Firebase.

Google Analytics and GDPR: other unresolved issues

Transatlantic transfers of personal data are the most pressing issue with Google Analytics in terms of GDPR. But they are not the only one. Below are four factors to keep in mind when evaluating the compliance of Google Analytics:

By default, Google uses visitor data for its own purposes

Google uses data from Google Analytics to improve its services. The information users gather in the platform is shared with other Google products, such as:

  • Google Ads 
  • YouTube
  • Google AdSense

As you can read in Google’s Privacy Policy & Terms:

Many websites and apps use Google services to improve their content and keep it free. When they integrate our services, these sites and apps share information with Google.

For example, when you visit a website that uses advertising services like AdSense, including analytics tools like Google Analytics, or embeds video content from YouTube, your web browser automatically sends certain information to Google. This includes the URL of the page you’re visiting and your IP address. We may also set cookies on your browser or read cookies that are already there. Apps that use Google advertising services also share information with Google, such as the name of the app and a unique identifier for advertising.

The data provided by Google Analytics users allows Google to engage in user profiling. As it gathers data from multiple sources, it’s able to determine such user traits as gender and location. Later it makes the data available in reports. 

Also, thanks to the fact that you have Google Analytics code on your website, advertisers in Google Ads know your visitors’ preferences based on the content they consume. That, in turn, allows Google to target those users with advertising.

For any organization that requires full data privacy, this is alarming. The more entities have access to your data, the bigger the chance of its security being compromised. Also, using visitor data for all those purposes requires consent. But there is no way to make the collection of data dependent on visitor consent. 

That’s why the best option is to disable data sharing. But then you lose access to many functionalities, including integrations with Google Ads products and demographics data reports. 

Google Analytics doesn’t allow you to store most kinds of personal data

In its processing terms, Google Analytics forbids users from collecting all types of personal data other than:

Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers

This might come in handy for Google, as it takes some GDPR-related duties off their shoulders. But from your perspective, this approach is disadvantageous. What if you want to process more personal data and assume all the responsibilities it entails? For example, maybe you want to upload CRM data or email marketing stats to your analytics instance.

If this is the case, you’ll have to switch to an analytics platform that allows personal data collection.

You still have to collect consents even if you don’t want to process personal data

Even if you don’t want to process personal data, there’s a catch. Google Analytics registers every user with a unique ID. Thanks to this ID, Google Analytics provides you with insight into how many people visit your site and, for example, how many of them return. GDPR considers those online identifiers as personal data.

Google advises you to leverage a minimum hashing requirement of SHA256, to avoid sending personal data to Google Analytics. Here you can find Google’s guides on how to avoid collecting PII and anonymize IP addresses.

However, GDPR still considers hashed data to be personal data. You need valid visitor consent to collect and process it. That may result in some serious data loss, as 30-70% of visitors don’t opt in to tracking their personal data.
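Why a SHA256 hash still behaves like a personal identifier, shown as an added example (not code from the original article or from Google). The e-mail addresses and datasets are constructed, and the trim-and-lowercase normalization step is an assumption.

```python
import hashlib


def sha256_id(email: str) -> str:
    """Unsalted SHA-256 of a normalized e-mail (normalization is an assumption)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample data: two datasets collected independently of each other.
analytics_events = [
    {"uid": sha256_id("anna@example.com"), "page": "/pricing"},
    {"uid": sha256_id("ben@example.com"), "page": "/careers"},
    {"uid": sha256_id("Anna@Example.com "), "page": "/checkout"},
]
newsletter_clicks = [
    {"uid": sha256_id("anna@example.com"), "campaign": "spring-sale"},
]


def link_records(events, clicks):
    """Join both datasets on the hash alone; the original e-mail is never needed."""
    by_uid = {}
    for row in events:
        by_uid.setdefault(row["uid"], []).append(row)
    return {
        c["uid"]: {"events": by_uid[c["uid"]], "click": c}
        for c in clicks
        if c["uid"] in by_uid
    }


def single_out(known_email, dataset):
    """A party that already holds the address recomputes the hash and finds the rows."""
    target = sha256_id(known_email)
    return [row for row in dataset if row["uid"] == target]


if __name__ == "__main__":
    print(len(link_records(analytics_events, newsletter_clicks)), "visitor linked")
    print([r["page"] for r in single_out("anna@example.com", analytics_events)])
```

The hash is deterministic, so it works as a stable pseudonym: records can be linked and one visitor singled out, which is why consent is still required.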

Pro tip: Alternatively, you could switch to a product that allows you to avoid personal data and the liabilities that come with collecting it. The best way to do this is by using advanced anonymization methods. See how to do useful analytics without personal data.

That takes us to the last topic – managing visitor consents and data requests. 

Google initially tried to assign the task to publishers and Google Analytics users. But a recent agreement between Google and IAB Europe signals a shift in their approach. The first outcome of the collaboration has been Funding Choices. Funding Choices is a consent management platform dedicated to large publishers that monetize their data inventory through Google products, but not the users of Google Analytics.

This means that users who want to collect information about visitors with Google Analytics still need to find their own way of handling consents and data requests.

In November 2021, the Belgian data protection authority ruled that the IAB Consent Framework violates GDPR. Read more about their decision here.

Google Analytics and GDPR: what are the alternatives?  

We don’t know the final outcome of the Google Analytics saga just yet, as we’re still waiting for other data protection authorities to voice their opinions. 

That said, companies that collect data of EU residents need to rethink their choices now, to prepare for any scenario. There are also many good reasons why they could turn to different analytics platforms, even if the verdicts of data protection authorities won’t effectively ban the use of Google Analytics in Europe. 

The most privacy-friendly approach would be to switch to an EU-based analytics platform that protects user data and offers secure hosting, ideally in an EU-owned data center. It will guarantee that you collect, store and process data in line with GDPR.

The less privacy-focused option is to choose an analytics platform with fewer privacy features and mitigate the compliance risk by applying additional security measures. However, this might be only a temporary fix if your analytics still sends the data to US-based or US-owned servers, to which US surveillance laws apply.

If you’d like to learn more about Google Analytics alternatives, check out our detailed product comparisons:

To get more information on how Piwik PRO Analytics Suite helps you comply with GDPR, reach out to us. We’ll be happy to answer your questions.

Author

Karolina Lubowicka

Senior Content Marketer and Social Media Specialist

An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all.