Google Analytics is the most popular analytics tool on the market. It’s free and allows you to analyze website traffic and gather valuable data about user behavior.
But at the same time, the way Google Analytics collects and processes data has been a concern for privacy-conscious businesses and regulators.
The Austrian, French, Italian, Norwegian and Swedish data protection authorities (DPAs) have recently ruled that the use of the tool is illegal under the General Data Protection Regulation (GDPR). The parent company of Google Analytics, Google LLC, has also been hit with multimillion-dollar fines by several European data protection authorities, including France’s CNIL, Sweden’s IMY and Belgium’s APD.
The newly introduced EU-US Data Privacy Framework solves the legal issues around data transfers through Google Analytics. However, many privacy experts question whether the framework will provide enough protection for EU residents and survive a potential complaint before the Court of Justice of the European Union (CJEU).
Also, there are many other reasons for switching from Google Analytics and making your data collection more privacy-friendly, future-proof and effective.
Keep reading to learn more about the underlying privacy issues of Google Analytics and the consequences they might have for companies handling EU residents’ data.
The key compliance issue with Google Analytics is that it stores user data, including personal information about EU residents, on US-based cloud servers. Google LLC is also a US-owned company, meaning the data it collects becomes subject to US surveillance laws.
American citizens are protected by the Fourth Amendment, which gives them the right to be secure from unreasonable searches and seizures. However, individuals from other locations, including Europe, don’t get the same treatment. The US government authorizes its agencies to conduct mass surveillance on non-Americans through laws like the Foreign Intelligence Surveillance Act of 1978 (FISA 702) and Executive Order 12333.
Anytime EU residents’ personal data leaves Europe and gets transferred to the US, there’s a chance US security agencies might investigate it. This creates a conflict between American law and the privacy rights provided to Europeans by legislation such as the GDPR and the Charter of Fundamental Rights of the European Union (CFR).
Because of that, data transfers between the EU and the US must be governed by a special agreement attesting that information about Europeans is as safe in the US as it would be within the EU.
However, the history of the two previous deals – Safe Harbor and Privacy Shield – shows that the frameworks alone are not enough to protect Europeans’ data from US surveillance.
To give you a better context, let’s discuss the history of the two invalidated frameworks in more detail.
The International Safe Harbor Privacy Principles (Safe Harbor) from 2000 were the first legal framework regulating data transfers between the EU and the US.
With Safe Harbor, US companies could operate on the basis of self-certification. The list of firms relying on the agreement was over 5,000 names long and included technology giants such as Facebook and Google.
In 2015, Max Schrems, founder of privacy watchdog organization NOYB, complained to the Irish Data Protection Commission (DPC) about Facebook’s data-sharing practices. He accused the tech giant of gathering personal information from EU citizens and sending it to the US, making it available to the NSA. The case was then brought before the CJEU. The Court found that Safe Harbor didn’t adequately protect personal data from interference by the US government. The ruling known as Schrems I led to the invalidation of the agreement on October 6, 2015.
Privacy Shield was meant to fix issues with Safe Harbor. It came into effect on July 12, 2016, a few months after the invalidation of Safe Harbor.
With the new deal, the European Commission strengthened the requirements of the self-certification program, but the framework had issues.
Max Schrems once again brought the complaint before the CJEU. He argued that data transfers from the EU to the US performed by the likes of Facebook still violate Europeans’ privacy rights under the new deal. In July 2020, the Court invalidated the Privacy Shield framework in the ruling known as Schrems II.
According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission.
On 4 June 2021, the Commission issued modernized standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).
These modernized SCCs replace the three sets of SCCs adopted under the previous Data Protection Directive 95/46.
In the absence of an adequacy decision regulating this data flow, sending user information to the US with tools such as Google Analytics became risky, especially since Google continued to rely on the same set of SCCs it used before the deal’s strike-down. Companies that used Google’s platform could face severe fines and damage to their reputation.
Right after the invalidation of the framework, the privacy watchdog organization NOYB, led by Schrems, filed 101 complaints against companies that collect visitor data through Google Analytics and Facebook Connect. This triggered a chain reaction in Europe:
- On January 12, 2022, the Austrian DSB released its ruling in the case of an unnamed German web publisher. The regulator stated that using Google Analytics to collect data on EU residents is unlawful under GDPR.
- In April 2022, CNIL ordered three French websites to stop using Google Analytics. In the following months, the Italian, Danish, Norwegian, and Swedish DPAs released similar statements concerning companies from their regions.
- In 2020, the European Data Protection Board (EDPB) formed a task force to help European authorities adopt a consensual approach to complaints. As a result, all verdicts by EU authorities have followed the same guidelines, speaking against the use of Google Analytics in Europe.
- The Dutch data protection authority, the AP, author of a manual on how to use Google Analytics in a privacy-compliant way, has declared that the usage of Google Analytics “may not be permitted.” Liechtenstein’s Datenschutzstelle has released a similar opinion to the one issued by the AP.
- The Austrian DPA has issued a second decision, which declares that GA’s IP anonymization is an insufficient protection measure for data transfers from the EU to the US.
- Following their earlier decision, France’s CNIL has issued revised guidance on the use of Google Analytics. Their FAQ suggested that EU-based organizations couldn’t use the tool without applying additional safeguards. The French authority has also stated that their view on Google Analytics has been a coordinated position of all European DPAs.
Meanwhile, the European Commission and US President Joe Biden’s office were developing a new framework to re-legalize data transfers between Europe and the United States.
On July 10, 2023, the European Commission adopted a new EU-US Data Privacy Framework, also known as Privacy Shield 2.0. The new agreement addresses some concerns raised by Schrems II, restricting how US spy agencies can gather intelligence and introducing new conditions for collecting individuals’ data.
US companies can enter the program by self-certifying and committing to comply with a specific set of privacy obligations. Google LLC has already joined the Data Privacy Framework Program.
This means that for now, organizations that follow the rules of GDPR can again use Google Analytics to collect data about EU residents. However, they need to be aware that the deal might not put an end to the EU-US data problem, considering that privacy watchdogs point out striking similarities between the new and the previous agreements.
The European Data Protection Board (EDPB) and the European Parliament (EP) criticize the deal for not going far enough in addressing the underlying issue of bulk data collection by US law enforcement. The EP has even called on the European Commission to renegotiate or challenge the deal before the CJEU:
“[The European Parliament] calls on the Commission to act in the interest of EU businesses and citizens by ensuring that the proposed framework provides a solid, sufficient and future-oriented legal basis for EU-US data transfers; expects any adequacy decision, if adopted, to be challenged before the CJEU; highlights the Commission’s responsibility for failure to protect EU citizens rights in the scenario where the adequacy decision is again invalidated by the CJEU.”
The privacy watchdog organization NOYB has also called out the critical issues with the framework, including:
According to NOYB, the main issue around the deal stems from the fact that the US hasn’t softened its surveillance laws despite the CJEU’s opinion that they’re not “proportionate” and still allow US intelligence to monitor EU residents’ data. As the deal is already in force and European regulators have little leverage over the US government, Schrems doubts such reform will ever occur.
“We had ‘Harbors,’ ‘Umbrellas,’ ‘Shields,’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new,’ ‘robust,’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have them,” sums up Schrems.
NOYB also criticizes the extent of the redress options available to EU residents and the secrecy of the decision process, citing the following problems:
- The institutions of DPRC and Civil Liberties Protection Officer are only partially independent from the US government and share many similarities with the concept of Ombudsperson introduced by the Privacy Shield. It’s especially important because the Ombudsperson mechanism was one of the reasons why the CJEU invalidated the previous framework. In the verdict, we can read that the Privacy Shield Ombudsperson is not a tribunal within the meaning of Article 47 of the Charter. US law does not afford EU citizens a level of protection essentially equivalent to that guaranteed by the fundamental right enshrined in that article.
- Individuals won’t have any direct interaction with the Court that will revise their complaints. Instead, the procedure will be initiated on their behalf by their local DPA and is supervised by an appointed special advocate.
- The justification behind each decision will be classified and unavailable to the complainant, which directly opposes the standards afforded by the EU judicial system.
Considering the heated debate around the new framework, we might expect new complaints to pop up within the next few months. NOYB has already announced its next steps:
“We have various options for a challenge already in the drawer […]. We currently expect this to be back in the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it,” says Schrems.
French parliament member Philippe Latombe has also shared his plans to challenge the EU-US data transfer agreement before the CJEU:
“The text resulting from these negotiations violates the Union’s Charter of Fundamental Rights, due to insufficient guarantees of respect for private and family life with regard to bulk collection of personal data, and the General Data Protection Regulation”, explains Latombe.
Transatlantic transfers of personal data were the most pressing GDPR issue with Google Analytics, but they’re not the only one. Norway’s DPA, Datatilsynet, points this out in the statement released right after the introduction of the new framework:
“What until now had been a major problem with Google Analytics seems to have been solved. That said, we do not rule out that there may be other privacy challenges with the tool. Anyone who chooses to use an analysis tool on their website is also responsible for ensuring that the use of the tool complies with privacy rules. The transfer of personal data to countries outside the EEA is just one element that must be checked.”
Organizations that want to collect data through Google Analytics still need to carefully assess how it will impact their compliance. Below, we list a few factors to keep in mind.
“Google uses the information shared by sites and apps to deliver our services, maintain and improve them, develop new services, measure the effectiveness of advertising, protect against fraud and abuse, and personalize content and ads you see on Google and on our partners’ sites and apps.”
If you have Google Analytics code on your website and enable data sharing, advertisers in Google Ads know your visitors’ preferences based on the content they consume. That, in turn, allows Google to target those users with advertising.
For any organization that requires full data privacy, this is alarming. The most privacy-friendly option is to disable data sharing. The downside is losing access to many functionalities, including personalized retargeting of Google Ads products and demographic data reports.
As we mentioned earlier, Google Analytics collects unique user identifiers by default. Using such identifiable data requires the user’s consent. That takes us to the last topic – managing visitor consent and data requests with Google Analytics.
IAB’s transparency and consent framework
Google initially tried to assign the task of collecting visitors’ consent to publishers and Google Analytics users. They had to implement a third-party consent management platform or devise their own way of satisfying the demands of EU law.
An agreement between Google and IAB Europe has signaled a shift in this approach.
That said, the integration is very limited in the types of consent it allows you to obtain. It covers only data collection purposes related to the advertising features of Google Analytics.
Moreover, the IAB’s consent framework is considered unlawful in some European countries.
In November 2021, the Belgian data protection authority ruled that the framework violates GDPR. The IAB consent framework saves users’ preferences in the form of a unique Transparency and Consent (TC) String, which can be linked to an individual.
According to Belgium’s DPA, the IAB failed to establish a valid legal basis for processing such data. It also doesn’t provide users with the information necessary to understand how IAB uses the collected information.
In March 2022, IAB Europe appealed the decision before Belgium’s Market Court. We’re still waiting for the final verdict on the case.
The second option proposed by Google is the consent mode. The consent mode is Google’s response to data losses resulting from the consent requirements imposed by GDPR and other data privacy laws.
It’s a feature that interacts with your third-party or custom-made consent management platform. In the case of Universal Analytics, it employs cookieless pings instead of cookies whenever visitors opt out of tracking. In Google Analytics 4, it fills the data collection gaps with conversion models, which estimate the “lost” online conversions using an AI-based algorithm.
Replacing cookies with cookieless pings, although helpful, raises further privacy concerns. With the default settings recommended by Google, the platform continues to collect user data without the user’s permission. The hit sent to Google still contains the user’s IP address and potentially other unique identifiers, such as device information, user_id and transaction_id. As gathering this information is not strictly necessary and involves collecting personal data, you can do it only with visitors’ consent.
According to Brian Clifton, Ph.D., privacy and data analytics expert: “If a visitor explicitly states they don’t want to be tracked or have their data processed – beyond the category of what is “strictly necessary” for the functioning of the site or app – and you as the data processor ignore that request, you have just deliberately broken the rules of GDPR and the ePrivacy Directive. In fact, most likely any privacy law regardless of jurisdiction.”
You can prevent sending users’ details to Google by changing the settings of the consent mode. However, users unaware of this functionality will still share data with GA, compromising the compliance of their consent collection.
To learn more about the privacy issues of Google consent mode and ways to overcome them, read this informative piece by Brian Clifton: Google Consent Mode – Why it breaks privacy laws.
It does. In its processing terms, Google Analytics forbids users from collecting all types of personal data other than:
Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers
On top of that, GA anonymizes certain pieces of data about visitors, including IP addresses. However, it still uses identifiers that qualify as personal data. According to Austria’s DSB:
The “anonymization function of the IP address” is not effective, since the data – as explained in more detail above – is processed by the second respondent for at least a certain period of time. Even assuming that the IP address was only processed in servers in the EEA within the period of time, it should be noted that the second respondent can nevertheless be obliged by US intelligence services to hand over the IP address under the relevant law of the USA
This means that data collected with Google Analytics is subject to GDPR.
Does Google Analytics 4 share the same GDPR compliance issues as Universal Analytics?
The short answer is: yes. Despite changes in privacy settings, Google Analytics 4 still collects personal data (unique user identifiers) and processes it outside the EU. Finally, Google Analytics 4 is still a product developed and maintained by Google – a US entity subject to US data surveillance laws such as FISA and EO 12333.
According to some data protection authorities, including Datatilsynet and CNIL, additional privacy measures might solve some privacy issues with GA. A lawful implementation of the platform involves:
- Making sure Google Analytics fires scripts only after the user’s consent.
- Setting up analytics server-side and deploying it on EU-based and -owned servers.
- Getting rid of all personal identifiers (such as user identifiers, IPs, user-agent, cross-site identifiers, referrer URL, full page URL including data in UTM tags and custom dimensions that may hold personal data) before sending data to the US.
This setup is pricey and difficult to maintain. On top of that, it limits your analytics capabilities drastically. Among other things, you won’t be able to:
- Measure the performance of marketing channels – you won’t know which sites, channels or campaigns bring sales and which don’t. You’ll lose a foundation on which budget optimization can be performed.
- Track the customer journey and funnels on the site – for example, where the customer drops off before making the purchase. So there’s no data on how to optimize the onsite conversions.
- Use geolocation – you won’t know where your visitors/conversions are coming from (the information is derived from the IP address).
If this configuration is impossible or unfeasible in your case, consider replacing Google Analytics with software satisfying EU privacy standards.
Using a proxy server gives you better control over the pieces of data you send to Google. Among other things, it allows you to delete unique user identifiers before they reach US data centers and become subject to surveillance laws.
That said, maintaining this configuration involves serious costs. On top of that, without unique user identifiers, GA won’t be able to connect events into sessions. This makes it impossible to analyze the customer journey or funnels, or to attribute conversions.
Considering these trade-offs, it might be more effective to do analytics with a privacy-friendly platform that doesn’t require such sacrifices.
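The identifier removal listed above, as it could run inside such a proxy, is sketched here as an added example; it is not code from Google, a data protection authority or this article. The parameter names follow Universal Analytics Measurement Protocol naming, the function names are hypothetical and the sample hit is constructed, so adapt the drop list to the hits your own tags emit.

```javascript
// Added example: strip identifiers from an analytics hit inside an
// EU-hosted proxy before anything is forwarded to the US endpoint.
// Assumption: hits arrive as a query string using Universal Analytics
// Measurement Protocol names (cid, uid, uip, ua, dr, dl, ti, cdN).

const DROP_PARAMS = new Set(['cid', 'uid', 'uip', 'ua', 'dr', 'ti']);
const DROP_PATTERNS = [/^cd\d+$/]; // custom dimensions may hold personal data
const DROP_HEADERS = new Set([
  'cookie', 'user-agent', 'referer', 'x-forwarded-for', 'x-real-ip', 'forwarded',
]);

// Reduce a full page URL to origin + path, discarding the query string
// (UTM tags, e-mail addresses in links) and the fragment.
function stripPageUrl(value) {
  try {
    const u = new URL(value);
    return u.origin + u.pathname;
  } catch {
    return null; // not a parseable URL: caller drops the field entirely
  }
}

// Returns the sanitized query, the headers that may be forwarded, and the
// names of the removed parameters (names only, never values) for auditing.
function sanitizeHit(rawQuery, headers = {}) {
  const output = new URLSearchParams();
  const removed = [];
  for (const [key, value] of new URLSearchParams(rawQuery)) {
    if (DROP_PARAMS.has(key) || DROP_PATTERNS.some((re) => re.test(key))) {
      removed.push(key);
    } else if (key === 'dl') {
      const clean = stripPageUrl(value);
      if (clean === null) removed.push(key);
      else output.append(key, clean);
    } else {
      output.append(key, value);
    }
  }
  const forwardHeaders = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!DROP_HEADERS.has(name.toLowerCase())) forwardHeaders[name] = value;
  }
  return { query: output.toString(), headers: forwardHeaders, removed };
}

// Constructed sample hit and request headers (not captured traffic).
const SAMPLE_QUERY =
  'v=1&t=pageview&tid=UA-XXXXX-Y&cid=555.123&uid=user-42&uip=203.0.113.7' +
  '&dl=https%3A%2F%2Fshop.example%2Fcheckout%3Futm_source%3Dnewsletter' +
  '%26email%3Dalice%2540example.com' +
  '&dr=https%3A%2F%2Fmail.example%2Finbox&cd1=alice&dt=Checkout';
const SAMPLE_HEADERS = {
  'User-Agent': 'Mozilla/5.0 (constructed)',
  'X-Forwarded-For': '203.0.113.7',
  'Content-Type': 'text/plain',
};

console.log(sanitizeHit(SAMPLE_QUERY, SAMPLE_HEADERS));
```

With `cid` gone, every forwarded hit is unlinkable to the others, which is exactly why sessions, funnels and attribution stop working in this setup.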
The list of Google Analytics settings designed to help you comply with GDPR includes:
- Data deletion mechanism – In Google Analytics, you may delete information about visitors if they request it. That said, this functionality works only for whole categories of data. The list includes all page titles, event labels, event categories, event actions, custom dimensions or user IDs you’ve collected in a given time range. To delete data based on a cookie or user ID, you must employ the Google Analytics User Deletion API, which requires some coding skills.
- Data retention settings – Google has introduced new data retention settings. This allows you to control how long user data is stored before being automatically deleted. In Google Analytics 4, you can choose between 2 and 14 months of data retention.
- Updated data processing terms – Google has significantly changed its data processing terms. These terms also act as a data processing agreement. The new document lists your responsibilities, such as informing and obtaining valid consent from European residents.
- Privacy settings – These include cookies, data sharing, privacy controls, data deletion on account termination and IP anonymization.
- No data sharing with third parties by default – Some features of Google Analytics 4 that require sharing data with the Google ecosystem are now turned off by default. This includes, for example, signals – session data from sites and apps concerning logged-in users used for personalized advertising and remarketing.
- Google consent mode – Google Analytics now has a special consent mode that allows you to employ AI-based conversion modeling whenever visitors decline consent to tracking.
Companies concerned that the new complaints will lead to Schrems III or those unsatisfied with Google Analytics’ approach to user privacy should consider more future-proof options for collecting data under GDPR.
Since verdicts such as Schrems II work retroactively and don’t include any grace period, it makes sense to prepare for any scenario before the potential ruling hits the headlines.
Here are some of the possible choices:
- Transfer limitations/exclusions and data anonymization. Big tech software relies heavily on user identification and data transfers. Limiting the transfers or stripping the data of personal information helps overcome this issue, but it comes at a price. For example, when Google Analytics is configured to meet GDPR standards (for example, according to France’s CNIL guidelines), it loses most of its capabilities.
- Updating the technology stack with EU alternatives. Schrems II opened the market for EU companies offering business and marketing software with local EU hosting. These alternatives allow organizations to become completely independent of the transatlantic data transfer ordeal.
- The less privacy-focused option is to choose an analytics platform with fewer privacy features and mitigate compliance risk by applying additional security measures. However, these solutions will still send the data to servers based in the US or owned by US companies, to which US surveillance laws apply.
To get more information on how Piwik PRO Analytics Suite helps you follow GDPR, reach out to us. We’ll be happy to answer your questions.