Google Analytics is by far the most popular analytics tool on the market. It’s free and allows you to analyze website traffic and gather valuable data about user behavior.
Google Analytics and its parent company, Google LLC, have been on the radar of European privacy activists for some time now. In the past few years we’ve heard reports of questionable privacy practices by Google, which led to legal action based on GDPR. This includes complaints filed by activist organizations such as Austria’s NOYB and the Panoptykon Foundation in Poland.
At the same time, the Schrems II ruling and invalidation of Privacy Shield brought people’s attention to platforms like Google Analytics that store EU residents’ data on US-based cloud servers.
Up until now, the answer to the question “Is Google Analytics GDPR-compliant?” remained ambiguous. Some EU-based organizations were alarmed by the controversies around Google Analytics and turned to more privacy-friendly alternatives. Others continued to use the tool.
Yet, the Austrian, French, Italian and Dutch data protection authorities (DPA) have unambiguously ruled that the use of a default setup of Google Analytics is illegal under GDPR. Keep reading to learn more about the backstory behind those decisions and the consequences they will have for companies handling EU residents’ data.
First, let’s address the positive changes to Google Analytics that have been made to meet GDPR standards. The list of new features and tweaks include:
- Data deletion mechanism – In Google Analytics, you may delete information about visitors if they request it. That said, this functionality works only for full categories of data. The list includes all page titles, event labels, event categories, event actions, custom dimensions or user IDs you’ve collected in a given time range. To delete data based on a cookie or user ID, you’ll have to employ the Google Analytics User Deletion API, which requires some coding skills.
- Data retention settings – Google has introduced new data retention settings. This allows you to control how long user data is stored before being automatically deleted. In Google Analytics 4, you can choose between 2 and 14 months of data retention.
- Updated data processing terms – Google has made significant changes to its data processing terms. These terms also act as a data processing agreement. The new document lists your responsibilities, such as informing and obtaining valid consent from European residents. On top of that, Google relies on standard contractual clauses (SCC) to ensure the security of its cross-border data transfers.
- Existing tools that help obey GDPR – Google Analytics also reminds users of all the privacy settings that are already available in their accounts. These settings involve cookies, data sharing, privacy controls, data deletion on account termination and IP anonymization.
- Some parts of data collection moved to the EU – The new version of Google Analytics, Google Analytics 4, collects data from EU users through Google’s EU-based servers before forwarding it to Analytics servers for processing.
- Data is no longer shared with third parties by default – Some features of Google Analytics 4 that require sharing data with the Google ecosystem are now turned off by default. This includes, for example, signals – session data from sites and apps concerning logged-in users used for personalized advertising and remarketing.
- The introduction of Google consent mode – Google Analytics now has a special consent mode that allows you to employ an AI-based conversion modeling whenever visitors decline consent to tracking.
These changes, and the guides on the lawful use of GA by France’s CNIL and the Dutch AP, implied that the platform can now be used in line with the EU law. But the reality is not that bright for website owners who work with Google Analytics.
The key compliance issue with Google Analytics is that it stores user data, including information about EU residents, on US-based cloud servers. On top of that, Google LLC is a US-owned company and subject to US surveillance laws, such as the Cloud Act.
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework. The framework set the rules for the transfer of data between the EU and the US. In the judgment known as Schrems II, the court stated that sending personal data from the EU to the US is illegal if companies can’t guarantee it will be safe from US intelligence.
Without an adequacy agreement in place, some companies, including Google, resorted to standard contractual clauses (SCC) to safeguard data sent to the US.
Since the verdict, the privacy watchdog organization NOYB has filed 101 complaints against companies that collect visitor data with Google Analytics and Facebook Connect. The list of sued companies includes businesses from multiple sectors, with significant representation of publishers and finance.
On January 12, 2022, the Austrian DSB released its ruling in the case of an unnamed German web publisher. The regulator stated that using Google Analytics to collect data on EU residents is unlawful under GDPR.
According to the DSB, it’s possible to link the information collected with Google Analytics to a natural person. At the same time, SCCs introduced by Google can’t protect EU residents’ data from US surveillance. Because of that, organizations that collect analytics data about EU residents shouldn’t use Google Analytics.
In April 2022, CNIL issued a decision ordering three French websites to stop using Google Analytics. In the following months, the Italian and Danish DPAs released similar statements. Other data protection authorities might follow suit. Here’s why:
- In 2020, the European Data Protection Board (EDPB) formed a taskforce. Its goal is to coordinate communication between all European data protection authorities after the Schrems II ruling and to help them manage complaints arising from the ruling. As a result, each decision released by European authorities adopts a consensual approach worked out in coordination with the EDPB. Ultimately, any new verdict by EU authorities will follow the same guidelines.
- The Dutch data protection authority, the AP, author of a manual on how to use Google Analytics in a privacy-compliant way, has now declared that the usage of Google Analytics “may not be permitted.”
- The Norwegian data protection authority, the EDPS, as well as Liechtenstein’s Datenschutzstelle have both released a similar opinion to the one issued by the AP.
- The Austrian DPA has now issued a second decision, which declared that GA’s IP anonymization is an insufficient protection measure in the case of data transfers from the EU to the US. The DSB further rejected the notion of a “risk-based approach” that had been argued by Google.
- Following their earlier decision, France’s CNIL has issued revised guidance on the use of Google Analytics. Their FAQ suggests that EU-based organizations can’t use the tool without applying additional safeguards. The French authority has also stated that their view on Google Analytics is a coordinated position of all European DPAs.
The decisions of EU authorities may be unclear without proper context and explanation. Below, we answer the most important questions that arise from these verdicts.
It does. In its processing terms, Google Analytics forbids users from collecting all types of personal data other than:
Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers
On top of that, GA anonymizes certain pieces of data about visitors, including IP addresses. But it still uses identifiers that qualify as personal data. According to Austria’s DBS:
“[In Google Analytics] IP anonymization only concerns the IP address. Other kinds of data, such as online identifiers, which are set via cookies or device data, are still transmitted by Google in plain text. IP anonymization takes place only after the data has been transferred to Google.”
This means that data collected with Google Analytics is subject to GDPR.
Most of these decisions refer to Universal Analytics. Does it mean Google Analytics 4 is GDPR-compliant?
The short answer is: no. Despite some changes in privacy settings, Google Analytics 4 still collects personal data (unique user identifiers) and processes it outside the EU. Finally, Google Analytics 4 is still a product developed and maintained by Google – a US entity subject to US data surveillance laws such as FISA and the Cloud Act.
According to Denmark’s DPA:
“In regard to Google Analytics 4, it is apparent from Google’s documentation that IP addresses are used to determine the approximate location of the visitor, after which the address is discarded before the data is logged to a server. As with Universal Analytics, the same issue is also relevant for Google Analytics 4, as – depending on the location of the data subject – there can be a direct connection to, among others, American servers before the address is discarded.”
This means that neither version of Google Analytics meets the privacy standards set by GDPR.
Google Analytics (GA) for Firebase has the same issues as the regular version of the platform. It collects personal data (unique device IDs) and sends it outside the European privacy jurisdiction. Because of that, the recent decisions declaring GA illegal in the EU also apply to GA for Firebase.
It doesn’t, as consent doesn’t legitimize cross-border data transfers under GDPR. The French DPA explicitly stated that:
“[…] users’ consent to the storing of cookies during their visit to the website cannot be considered as equivalent to their having “explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards” within the meaning of Article 49.1.a of the Regulation.”
Because of that, the regular data transfers based on the users’ consent cannot be justified. They need to be regulated by a separate piece of legislation, which is not currently in place when it comes to EU-US data transfers.
According to some data protection authorities, including Datatilsynet and CNIL, additional privacy measures might solve some privacy issues with GA. A lawful implementation of the platform involves:
- Making sure Google Analytics fires scripts only after the user’s consent.
- Setting up analytics server-side and deploying it on EU-based and -owned servers.
- Getting rid of all personal identifiers (such as user identifiers, IPs, user-agent, cross-side identifiers, referrer URL, full page URL including data in UTM tags and custom dimensions that may hold personal data) before sending data to the US.
This setup is pricey and difficult to maintain. On top of that, it limits your analytics capabilities drastically. Among other things, you won’t be able to:
- Measure the performance of marketing channels – you won’t know which sites, channels or campaigns bring sales and which don’t. You’ll lose a foundation on which budget optimization can be performed.
- Track the customer journey and funnels on the site – for example, where the customer drops off before making the purchase. So there’s no data on how to optimize the onsite conversions.
- Geolocation – you won’t know where your visitors/conversions are coming from (the information is derived from the IP address).
If this configuration is impossible or unfeasible in your case, you should replace Google Analytics with software satisfying EU privacy standards.
The answer is: yes and no. Server-side implementation of Google Analytics is one of the requirements for a lawful setup of the platform presented by CNIL. Using a proxy server gives you better control over the pieces of data you send to Google. Among other things, it allows you to delete user unique identifiers before they reach US data centers and become subject to surveillance laws.
That said, maintaining this configuration involves serious costs. On top of that, without unique user identifiers, GA won’t be able to connect events into sessions. This makes it impossible to analyze the customer journey, funnels or attribute conversions.
Considering these offsets, it might be more effective to do analytics with a privacy-friendly platform that doesn’t require such sacrifices.
The new piece of legislation might legalize the use of Google Analytics under GDPR, but we don’t know how and when this will happen. Currently, there’s no such framework, not even in the draft stage. We still need to wait till March 2023 to see what the proposed solution will look like.
NOYB, the organization behind the complaints that led to the Schrems I and II rulings and the invalidation of both previous data transfer agreements, already confirmed it will challenge the new rules in the EU courts. In their open letter to EU legislative bodies, the organization stresses that the underlying problem with EU-US data transfers remains the same – the US law still fails to ensure an adequate level of privacy for EU residents’ data:
“[…] we understand that the US has rejected any material protections for non-US persons and is continuing to discriminate against non-US persons by refusing baseline protections, such as judicial approval of individual surveillance measures.
We understand that the envisioned deal will largely rely on US executive orders. Having worked on this matter with US surveillance experts and lawyers, such executive orders seem to be structurally insufficient to meet the requirements of the CJEU.“
Meanwhile, organizations that continue to use Google Analytics make themselves a potential subject of DPA investigations.
Here you can read more on Privacy Shield 2.0 and how it will affect your business
Though the decisions mentioned only Google Analytics, it will affect all platforms that store data on servers located in the US. But companies may be able to mitigate their risks by relying on other analytics products. One of the options is to introduce security measures that will prevent US intelligence agencies from accessing user data under the Cloud Act, such as encryption of the data using the customer’s key.
Transatlantic transfers of personal data are the most pressing issue with Google Analytics in terms of GDPR. But they’re not the only ones. Below we list a few factors to keep in mind when evaluating the compliance of Google Analytics
“Google uses the information shared by sites and apps to deliver our services, maintain and improve them, develop new services, measure the effectiveness of advertising, protect against fraud and abuse, and personalize content and ads you see on Google and on our partners’ sites and apps.“
If you have Google Analytics code on your website and enable data sharing, advertisers in Google Ads know your visitors’ preferences based on the content they consume. That, in turn, allows Google to target those users with advertising.
For any organization that requires full data privacy, this is alarming. The more entities have access to your data, the bigger the chance of its security being compromised.
The most privacy-friendly option is to disable data sharing. But then you lose access to many functionalities, personalized retargeting of Google Ads products and demographic data reports.
As we’ve mentioned earlier, Google Analytics collects unique user identifiers by default. Using such identifiable data requires the user’s consent. That takes us to the last topic – managing visitor consents and data requests with Google Analytics.
Google initially tried to assign the task of collecting visitors’ consent to publishers and Google Analytics users. They had to implement a third-party consent management platform or come up with their own way of satisfying the demands of EU law.
An agreement between Google and IAB Europe has signaled a shift in this approach.
That said, the integration is very limited in the types of consent it allows you to obtain. It covers only data collection purposes related to the advertising features of Google Analytics.
What’s more, the IAB’s consent framework is considered unlawful in some European countries. In November 2021, the Belgian data protection authority ruled that the framework violates GDPR. IAB Consent Framework saves users’ preferences in the form of a unique Transparency and Consent (TC) String, which can be linked to an individual.
According to Belgium’s DPA, the bureau failed to establish a valid legal basis for processing such data. It also doesn’t provide users with the information necessary to understand how IAB uses the collected information.
In March 2022, IAB Europe appealed the decision before Belgium’s Market Court. We’re still waiting for the final verdict on the case.
The second option proposed by Google is the consent mode. The consent mode is Google’s response to the loss of data resulting from the consent requirements imposed by GDPR and other data privacy laws.
It’s a feature that interacts with your third-party or custom-made consent management platform. It employs cookieless pings instead of cookies whenever visitors opt out of tracking in the case of Universal Analytics. In Google Analytics 4, it fills the data collection gaps with conversion models, which estimate the “lost” online conversions using an AI-based algorithm.
Replacing cookies with cookieless pings, although helpful, raises further privacy concerns. With the default settings recommended by Google, the platform continues to collect user data without the user’s permission. The hit sent to Google still contains the user’s IP address and potentially other unique identifiers, such as device information and user_id and transaction_id. As gathering this information is not strictly necessary, you can do it only with visitors’ consent.
If a visitor explicitly states they don’t want to be tracked or have their data processed – beyond the category of what is “strictly necessary” for the functioning of the site or app – and you as the data processor ignore that request, you have just deliberately broken the rules of the GDPR and the ePrivacy Directive. In fact, most likely any privacy law regardless of jurisdiction.
Brian Clifton, Ph.D., privacy and data analytics expert.
You can prevent sending users’ details to Google by changing the settings of the consent mode. But users unaware of this issue will still share data with GA, compromising the compliance of their consent collection.
To learn more about the privacy issues of Google consent mode and ways to overcome them, read this informative piece by Brian Clifton: Google Consent Mode – Why it breaks privacy laws
We don’t know the outcome of the Google Analytics saga just yet, as we’re still waiting for other data protection authorities to voice their opinions.
That said, companies that collect data on EU residents need to rethink their choices, to prepare for any scenario. There are also many good reasons why they could turn to different analytics platforms, even if the verdicts of data protection authorities won’t effectively ban the use of Google Analytics in Europe.
The most privacy-friendly approach would be to switch to an EU-based analytics platform that protects user data and offers secure hosting, ideally in an EU-owned data center. This will guarantee that you collect, store and process data in line with GDPR.
The less privacy-focused option is to choose an analytics platform with fewer privacy features and mitigate the compliance risk by applying additional security measures. However, this might be only a temporary fix if your analytics still sends the data to servers based in the US or owned by US companies, to which US surveillance laws apply.
If you’d like to learn more about Google Analytics alternatives, check out our detailed product comparisons:
- Google Analytics alternatives – free and paid
- Compare 7 free web analytics platforms (product analytics included)
- Piwik PRO vs. Google Analytics & Google Analytics 360
To get more information on how Piwik PRO Analytics Suite helps you follow GDPR, reach out to us. We’ll be happy to answer your questions.