Google Analytics is by far the most popular analytics tool on the market. It’s free, and it allows you to analyze website traffic and gather valuable data about user behavior.
However, collecting analytics data requires compliance with data protection regulations, including GDPR.
In recent months, we’ve heard reports of some really bad privacy practices by Google. For instance, tracking users’ location regardless of privacy settings, personalizing ads in browsers set to incognito mode, and a bug exposing user data from 52.5 million Google Plus accounts. Some of them have led to legal action based on GDPR. So far, several organizations have sued Google. The list includes France’s CNIL, Austria’s NOYB, the Panoptykon Foundation in Poland, the Irish Data Protection Commission (DPC) and the European Consumer Organisation (BEUC).
For people who value the privacy of their data, this is alarming. The question thus arises: “Is Google Analytics GDPR compliant?” In this article, we’ll discuss whether and how Google Analytics allows you to process sensitive data in alignment with GDPR.
First, let’s address the positive changes to GA that have been made to meet the standards of GDPR.
If you use Google Analytics, Google is your data processor, and that’s an important role under GDPR.
Since they handle data from people all over the world, they’ve had to take measures to comply with GDPR standards. The list of new features and tweaks includes:
In Google Analytics you now have the ability to delete information about your users if they request it.
Google has also introduced data retention settings. They allow you to control how long individual user data is stored before being automatically deleted:
The default setting is 26 months.
Google has also included new GDPR terms in your contract with them, where (in respect of Analytics and Analytics 360) they define themselves as the “data processor”.
Google has made significant changes to their data processing terms in order to become GDPR compliant. These terms also act as a data processing agreement – one of the most important documents you should sign with every party that you grant access to the personal data of your visitors.
The new document lists your responsibilities, such as informing and obtaining valid consent from European residents. As GDPR requirements can apply to you no matter what your location, Google requires that you accept the updated terms if you continue to use Analytics and related products.
A side note: Updating the data processing policy so it addresses obligations under GDPR is a great move. However, asking users to check a box in order to access services forces users into an all-or-nothing choice. And that is a violation of GDPR. Max Schrems – an Austrian data privacy activist – addressed this issue in his first lawsuit against Google (he filed it on the very first day of GDPR enforcement).
Google Analytics also reminds its users of all the privacy settings that are already available in their accounts. We’re talking about tools and features like:
- Customizable cookie settings
- Data sharing settings
- Privacy controls
- Data deletion on account termination
- IP anonymization
So far, so good. All these changes are a sign that Google is getting serious about data privacy. Among other things, Analytics users can now fulfill their obligations regarding data subject rights. But there are also things that Google hasn’t addressed despite the fact that GDPR has been in force for more than a year. Namely:
In their processing terms, Google forbids users from collecting any type of personal data other than:
Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers
Every other piece of information stored in your Google Analytics instance should be encrypted. Otherwise, you’re in violation of the contract.
So it seems like Google’s strategy towards GDPR is to get rid of almost all traces of personal data from their ecosystem. This might be handy for them, because it takes some GDPR-related duties off their shoulders. But from your perspective, this approach is not at all beneficial. What if you want to process more pieces of personal data and assume all the responsibilities it entails? For instance, upload CRM data or email marketing stats to your analytics instance?
If this is the case, you’ll have to switch to another tool that allows you to do so.
And even if you don’t want to process personal data, there’s a catch.
Google Analytics works through tracking code that is added to your website. Every user entering your website is then registered with a unique ID. Because of that, Google Analytics can provide you with insight into how many people visit your site and, for example, how many of them return.
In GDPR terms, GA stores a visitor online identifier in a cookie, which is considered personal data.
Google Analytics support advises users to encrypt identifiers based on personal data, with SHA256 as the minimum hashing requirement. But hashing a personal identifier is not a way to work around the requirements of GDPR, since hashing is not considered a sufficient anonymization method under GDPR.
It means that you still need to collect valid consents from your visitors in order to process data containing unique identifiers.
Otherwise, you’re exposing yourself to some serious financial penalties.
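The point about SHA256 above, as an added Python example (not from the original article or from Google): a hashed identifier stays identical across datasets and can be matched by anyone who already holds a list of candidate values, so it is pseudonymous rather than anonymous. The sample emails, the key and all function names are constructed for illustration; the keyed variant is an assumed hardening that limits who can match, not something the article or Google prescribes.

```python
import hashlib
import hmac

def sha256_id(identifier: str) -> str:
    """Plain SHA-256 of a normalised identifier (the minimum the article mentions)."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()

def keyed_id(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key held only by the controller (assumed hardening)."""
    data = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def linkable(records_a, records_b, field="uid"):
    """Identifiers present in both datasets, i.e. records that can still be joined."""
    return {r[field] for r in records_a} & {r[field] for r in records_b}

def reidentify(hashed_ids, known_identifiers, hash_fn):
    """Resolve hashed IDs for a party that already holds candidate identifiers."""
    lookup = {hash_fn(i): i for i in known_identifiers}
    return {h: lookup[h] for h in hashed_ids if h in lookup}

# Constructed sample data (not real users, not a real key).
CRM_EMAILS = ["anna@example.com", "bob@example.com", "carol@example.com"]
SECRET_KEY = b"constructed-demo-key"

def demo():
    analytics = [{"uid": sha256_id("anna@example.com"), "page": "/pricing"},
                 {"uid": sha256_id("Bob@Example.com "), "page": "/blog"}]
    newsletter = [{"uid": sha256_id("bob@example.com"), "opened": True}]
    # 1. The same person carries the same hash everywhere: records still join.
    joined = linkable(analytics, newsletter)
    # 2. Anyone with the plain email list can resolve the unkeyed hashes.
    plain_hits = reidentify([r["uid"] for r in analytics], CRM_EMAILS, sha256_id)
    # 3. Keyed hashes do not match without the key, but remain stable per user,
    #    so they are still pseudonymous data, not anonymous data.
    keyed = [keyed_id("anna@example.com", SECRET_KEY)]
    keyed_hits = reidentify(keyed, CRM_EMAILS, sha256_id)
    return joined, plain_hits, keyed_hits

if __name__ == "__main__":
    joined, plain_hits, keyed_hits = demo()
    print("joinable IDs:", len(joined))
    print("resolved from plain SHA-256:", sorted(plain_hits.values()))
    print("resolved from keyed hash without key:", keyed_hits)
```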
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
Frankly, consent collection under GDPR has been a challenge for Google. The Mountain View giant initially tried to assign the task to publishers and Google Analytics users, saying it considered those using its ad-serving and analytics platforms to be “co-controllers”.
They’ve also had problems with collecting GDPR consents from their own users. On 21 January 2019, the CNIL imposed a penalty of 50 million euros on Google for lack of transparency, inadequate information and lack of valid consent regarding personalization of ads.
However, a recent agreement between Google and IAB Europe on a new standard for consent mechanisms signals a shift in their approach to handling user data under GDPR. After all, it means that Google plans to apply IAB’s consent framework to their tools.
But for now, Google doesn’t offer any reliable solution for that problem. Users who want to collect data from visitors must find a separate piece of software and tailor it to their needs so it works well with Google Analytics.
There’s also a problem with data ownership, or to be more precise, the lack of it. Google uses your analytics data to improve their services. The information gathered in your tool is shared with clients of other Google products, including:
- Google Ads
- and other Google products.
Many websites and apps use Google services to improve their content and keep it free. When they integrate our services, these sites and apps share information with Google.
For example, when you visit a website that uses advertising services like AdSense, including analytics tools like Google Analytics, or embeds video content from YouTube, your web browser automatically sends certain information to Google. This includes the URL of the page you’re visiting and your IP address. We may also set cookies on your browser or read cookies that are already there. Apps that use Google advertising services also share information with Google, such as the name of the app and a unique identifier for advertising.
In practice, this means that you pay for freemium Google Analytics with data about your visitors.
The data provided by Google Analytics users allows Google to engage in user profiling. As they gather data from multiple sources, they’re able to determine such user traits as gender or location and later make such data available in your reports.
Also, thanks to the fact that you have GA code on your website, advertisers in Google Ads know your visitors’ preferences based on the content they consume. That, in turn, allows them to target those users with advertising.
As the site owner, you agree to this by default in the data sharing settings:
For someone who needs full data privacy, that can be alarming. The more parties that have access to your data, the bigger the chance of its security being compromised. Also, employing user data for all those purposes requires consent. However, there is no way to make the collection of data dependent on users’ consent. Thus, the best option is to disable this functionality.
Last but not least is the issue of the location of data servers. When you’re using GA, your data is stored on a randomly selected public cloud located in the US, EU or Asia. With the freemium version of the software, you can’t really choose where your data will end up.
Although GDPR doesn’t forbid you to store your data outside the EU, it mandates very high security standards for offshore databases.
Let’s say Google decides to store your data on servers located in the US. To ensure its safety, Google Analytics applies the Privacy Shield framework – it’s a widely known privacy standard for transferring data between Europe and the United States.
Here’s a direct quote from Google’s data processing amendment:
10.2 Transfers of Data Out of the EEA and Switzerland. Google will ensure that:
(a) the parent company of the Google group, Google LLC, remains self-certified under Privacy Shield on behalf of itself and its wholly-owned U.S. subsidiaries; and
(b) the scope of Google LLC’s Privacy Shield certification includes Customer Personal Data.
However, Privacy Shield has been criticized since its inception, and many renowned organizations, including the European Parliament, warn that it doesn’t provide an adequate level of protection.
Some experts – like Patrick Lastennet of Interxion – go even further, saying that:
“If there’s a data breach and you imported data and it’s misused, I’m not sure that Privacy Shield will protect you. It’s not GDPR compliant. You can have it, but on top of that you need to complete all the GDPR privacy requirements”
Want to learn more? Then dig into this extremely informative piece by David Roe of CMS Wire: Why the Privacy Shield Won’t Make You GDPR-Compliant
All this means relying on Privacy Shield as a guarantee of data security may not be the best idea. It’s probably safer to store data from EU residents within the borders of the European Union. However, this isn’t something that Google Analytics can guarantee to its users at the moment.
All of the issues we’ve discussed seem to cast a shadow on GA’s compliance with GDPR. Also, it’s difficult to predict whether the announced changes will align the product with European law. So what should you do? Well, it’s not our role to dictate that you do anything. But it’s certainly one of those cases that should be discussed with your legal department.
Also, remember that there are other tools on the market that allow you to collect valuable user data while respecting their privacy. One of them is Piwik PRO. It gives you 100% data ownership, flexible data storage options (including self-hosting and private cloud with servers located in the EU), reliable data anonymization features, and additional tools for GDPR compliance (like GDPR Consent Manager), plus much more.
If you want to compare Piwik PRO with Google Analytics, here’s a helpful white paper: Piwik PRO vs. Google Analytics: The Ultimate Guide to Choosing the Right Web-Analytics Tool. And if you have any further questions, be sure to contact our team. We’ll be happy to show how we can help you do analytics AND respect privacy laws!