Back to blog

Is Google Analytics GDPR-compliant? 10 things to consider [UPDATE]

Analytics GDPR

Written by

Published August 31, 2020 · Updated October 14, 2020

Is Google Analytics GDPR-compliant? 10 things to consider [UPDATE]

Google Analytics (GA) is by far the most popular analytics tool on the market. It’s free and allows you to analyze website traffic and gather valuable data about user behavior. 

However, collecting analytics data requires compliance with data protection regulations such as GDPR. 

In the past few years, we’ve heard reports of questionable privacy practices by Google. For instance, tracing users’ purchase history based on email receipts, personalizing ads in browsers set to incognito mode, and secretly buying transactional data from Visa and Mastercard. Some of them have led to legal action based on GDPR. So far, several organizations have sued Google. The list includes France’s CNIL, Austria’s NYOB, the Panoptykon Foundation in Poland, the Irish Data Protection Commission (DPC) and the European Consumer Organisation (BEUC). 

For consumers and companies who value the privacy of their data, this is alarming. The question thus arises: “Is Google Analytics GDPR-compliant?” Maybe not. But a simple yes or no is hard to give. So below are 10 factors to keep in mind when evaluating the GDPR compliance of Google Analytics.

Google Analytics & GDPR compliance: 5 key product changes

But first, let’s address the positive changes to Google Analytics that have been made to meet GDPR standards. 

If you use Google Analytics, Google is your data processor. That’s an important role under GDPR.

Here you can read more about the duties of data processors.

Since Google handles data from people all over the world, it’s had to take measures to comply with GDPR standards. The list of new features and tweaks includes:

1) Data deletion mechanism

In Google Analytics, you now have the ability to delete information about visitors if they request it. That said, you have to be aware that the mechanism has some serious limitations.

By default, it doesn’t allow you to delete records associated with a single visitor. Instead, it lets you clear all page titles, event labels, event categories, event actions, custom dimensions or user IDs you’ve collected in a given time range:

Data deletion request in Google Analytics

To delete data based on a particular cookie or user ID, you’ll have to employ the Google Analytics User Deletion API. However, you’ll need to edit some code to integrate this feature into your account.

2) Data retention settings

Google has also introduced data retention settings. This allows you to control how long individual user data is stored before being automatically deleted:

Data retention settings in Google Analytics

The default setting is 26 months.

3) New privacy policy

Google has also included new GDPR terms in the standard contract, where  it defines itself as the “data processor” with respect to Analytics and Analytics 360. In their help center, Google states that:

Google Analytics and Google Analytics for Firebase remain processors for Analytics data that is not shared and used under this setting.

But if you enable data sharing settings in your Google Analytics account to share the data with Google Ads, Google becomes a shared controller of the data:

When Google Analytics customers enable the data sharing setting for “Google products & services” (Google Analytics) and accept the “Measurement Controller-Controller Data Protection Terms” (which incorporates the EU User Consent Policy), Google is, for GDPR purposes, a controller of the data that is shared and used under this setting.

Piwik PRO vs. Google Analytics & Google Analytics 360

A product comparison that will help you choose the right web analytics software

Download your copy now

4) Updated data processing terms

Google has made significant changes to their data processing terms. These terms also act as a data processing agreement – one of the most important documents you should sign with every entity that you grant access to the personal data of your visitors.

The new document lists your responsibilities, such as informing and obtaining valid consent from European residents.

A side note: Updating the data processing policy so it addresses obligations under GDPR is a great move. However, asking users to check a box in order to access services forces users into an all-or-nothing choice. And that is a violation of GDPR. Max Schrems, an Austrian data privacy activist, addressed this issue in his first lawsuit against Google, filed on the very first day of GDPR enforcement.

5) Existing tools that help comply with GDPR

Google Analytics also reminds its users of all the privacy settings that are already available in their accounts – tools and features such as:

  • Customizable cookie settings
  • Data sharing settings
  • Privacy controls
  • Data deletion on account termination
  • IP anonymization

Google Analytics GDPR compliance: some unresolved problems

So far, so good. But there are also things that Google hasn’t addressed, despite the fact that GDPR has been in force for over two years.

1) Google Analytics doesn’t allow you to store most kinds of personal data

In its processing terms Google forbids users from collecting all types of personal data other than:

Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers

This might be handy for Google, as it takes some GDPR-related duties off their shoulders. But from your perspective, this approach is not at all beneficial. What if you want to process more personal data and assume all the responsibilities that entails? For example, maybe you want to upload CRM data or email marketing stats to your analytics instance.

If this is the case, you’ll have to switch to an analytics platform that allows you to do so.

2) You still have to collect consents even if you don’t want to process personal data

Even if you don’t want to process personal data, there’s a catch. In Google Analytics, every user is registered with a unique ID. Thanks to this ID, Google Analytics provides you with insight into how many people visit your site and, for example, how many of them return. Those online identifiers are considered personal data under GDPR.

Want to learn more about PII and personal data? Download this:
PII, Personal Data or Both? A Helpful Cheat Sheet

To avoid sending personal data to Google Analytics, Google advises you to leverage a minimum hashing requirement of SHA256. Here you can find Google’s guides on how to avoid collecting PII and anonymize IP addresses.

However, under GDPR, hashed data is still considered personal data and you need a valid visitor consent to collect and process it. That may result in some serious data loss, as  30-70% visitors don’t opt in to tracking their personal data.

Alternatively, you could switch to a product that allows you to avoid personal data and the liabilities its collection entails. The best way to do this is by using advanced anonymization methods. See how to do useful analytics without personal data.

That takes us to the next topic – managing visitor consents and data requests. 

Google initially tried to assign the task to publishers and Google Analytics users. But a recent agreement between Google and IAB Europe signals a shift in their approach. The first outcome of the collaboration is Funding Choices. Funding Choices is a consent management platform dedicated to large publishers that monetize their data inventory through Google products.

Unfortunately, while the tool integrates with Google’s Ad Manager and AdMob, it doesn’t offer any solutions for handling analytics data. This means that users who want to collect information about visitors with Google Analytics still need to find their own way of handling consents and data requests.

4) By default, Google uses visitor data for its own purposes

There’s also an issue of data ownership. Google uses data from Google Analytics to improve their services. The information users gather in the platform is shared with users of other Google products such as:

  • Google Ads 
  • YouTube
  • Google AdSense

As you can read in Google’s Privacy Policy & Terms:

Many websites and apps use Google services to improve their content and keep it free. When they integrate our services, these sites and apps share information with Google.

For example, when you visit a website that uses advertising services like AdSense, including analytics tools like Google Analytics, or embeds video content from YouTube, your web browser automatically sends certain information to Google. This includes the URL of the page you’re visiting and your IP address. We may also set cookies on your browser or read cookies that are already there. Apps that use Google advertising services also share information with Google, such as the name of the app and a unique identifier for advertising.

The data provided by Google Analytics users allows Google to engage in user profiling. As it gathers data from multiple sources, it’s able to determine such user traits as gender and location. Later it makes the data available in reports. 

Also, thanks to the fact that you have Google Analytics code on your website, advertisers in Google Ads know your visitors’ preferences based on the content they consume. That, in turn, allows it to target those users with advertising.

As the site owner, you agree to this by default in the data sharing settings:

For any organization who requires full data privacy, that can be alarming. The more entities have access to your data, the bigger the chance of its security being compromised. Also, using visitor data for all those purposes requires consent. But there is no way to make the collection of data dependent on visitor consent. 

That’s why the best option is to disable data sharing. But then you lose access to many functionalities, including integrations with Google Ads products and demographics data reports.

5) Google Analytics stores your data on remotely located servers

Finally, let’s talk about data residency. Users of Google Analytics, have their data scattered across randomly selected public cloud datacenters, most of which are located in the US.

To ensure the safety of those EU-US data transfers, Google used to rely on the Privacy Shield framework.

Update: As of July 16th 2020, Privacy Shield is no longer a valid legal framework for transferring data from the EU and Switzerland to the US. The situation is evolving fast, though. Here we’ve written about the decision and will provide updates when anything changes.

This means that to ensure your data processing with Google Analytics is lawful, you’ll need to sign a Standard Contractual Clause (SCC) with Google. Google is already adopting this solution:

[…] Google will be moving to reliance on Standard Contractual Clauses for relevant data transfers, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR. We will share more information about these updates (including timelines) as soon as possible. [source]

Piwik PRO vs. Google Analytics & Google Analytics 360

A product comparison that will help you choose the right web analytics software

Download your copy now

That said, you need to know that SCCs impose heavy obligations on you as a data controller. SCCs transfer the responsibility for maintaining data privacy standards to you, the signer of the contract. According to European Data Protection Board’s statement:

When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country .[…] 

If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.

Many European DPAs, including Dutch Autoriteit Persoonsgegevens and The Hamburg Commissioner for Data Protection are worried about transferring data to countries without strong data privacy legislations. For example, they state that in the absence of a general data privacy law in the US, the country fails to provide a level of protection comparable to what the GDPR offers.

All told, it seems that the best way to approach this issue is to keep your finger on the pulse of privacy regulations and wait for European legislators to provide a clearer opinion on the subject.

Google Analytics and GDPR: what are the alternatives? 

We hope that with this text we’ve managed to answer at least some of your questions concerning Google Analytics and GDPR. Meanwhile, if you want to compare Piwik PRO with Google Analytics, here’s a helpful white paper: Piwik PRO vs. Google Analytics: The Ultimate Guide to Choosing the Right Web-Analytics Tool

And if you have any further questions, be sure to contact our team. We’ll be happy to show how we can help you do high-quality analytics and respect privacy laws!

Author

Karolina Lubowicka

Content Marketer

Content Marketer and Social Media Specialist at Piwik PRO. An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all. LinkedIn Profile

See more posts of this author
New Call-to-action
Upcoming live webinar

December 3, 2020

How to overcome performance issues and lack of flexibility in your analytics? Comparing Piwik PRO and Matomo

Choosing an analytics software that fits you in terms of performance, flexibility and usability is hard. The choice may become even harder as each analytics project has unique requirements. In this webinar our experts will help you pick an analytics software that best fits your needs, with a thorough comparison of Piwik PRO’s and Matomo’s features. Sign up and stay for a live Q&A session at the end.

Sign up for this webinar