I must begin with the obligatory disclaimer: despite spending a considerable amount of time watching the suspiciously attractive experts on the CSI and JAG television franchises (which I highly recommend if you have yet to see them), I am not a legal expert. As such, keep in mind that every organisation’s circumstances are different, and expert consultation is always a good idea.
Whilst I can only draw on the knowledge of my expert colleagues when it comes to the specific application of the law, I can draw upon the 5 years I have spent as a technical consultant for legal teams, helping them understand the underlying mechanisms used by marketing technologies to collect, store, and process data collected on and offline.
I’ve been asked frequently over the past two years, “How compliant is Google Analytics with the GDPR?” and the tempting answer is “it depends on how compliant your data collection practices are”. This answer, however convenient, is not exactly true, though I hear it as a response from marketing agencies over and over.
The reality is that, even with the strongest safeguards in place, it is very difficult for an organisation to completely insulate the end-user from being exposed to some degree of extraterritorial data transfer. And this is true not just for Google Analytics but for other technologies as well, including Meta (formerly Facebook), TikTok, and so on.
Why is everyone so focused on Google Analytics and its GDPR compliance? Because, as of December 2022, it is one of the most used web technologies, with 36 million sites using it (source: BuiltWith). Given its data collection surface, it’s hardly surprising that there have been some compliance issues already surfaced in European courts, with several multimillion-dollar fines from data protection authorities in several European countries, including France, Sweden, and Belgium.
Setting the Scene
In 2015, Max Schrems, an Austrian privacy advocate, initiated a significant milestone in the argument regarding extraterritorial data transfer compliance by filing a complaint with the Irish Data Protection Commissioner (Irish DPC). In his complaint, Schrems alleged that the transfer of his personal data from Facebook Ireland to their US-based infrastructure did not protect his fundamental rights under EU law.
The basis for his argument is that US public authorities such as the FBI or CIA can subpoena the data from Facebook, essentially enabling US authorities to carry out surveillance on EU individuals without adequate judicial controls. Whilst the idea may appear harmless, we only need to consider Edward Snowden and Chelsea Manning to understand the real threat to civil liberties.
The Court of Justice of the European Union stated in the ruling known as Schrems II that sending personal data from the EU to the US is illegal if companies cannot guarantee its safety from US intelligence, acknowledging the risk to user privacy that this kind of access could pose. Whilst Mr Schrems’ complaint was specific to Facebook, the essence of the ruling applies to any instance where an EU subject’s data is transferred outside of the EU.
The issue of data sharing between the EU and the US has been on lawmakers’ agendas for a while, as US-to-EU commercial trade is a multi-trillion-dollar industry. Several frameworks have been proposed since the GDPR, such as the now-invalid ‘Privacy Shield’ and the Trans-Atlantic Data Privacy Framework from the Biden government. However, EU lawmakers have not been satisfied with these frameworks; the Schrems II ruling ultimately proved to be the death knell for the Privacy Shield framework.
With EU governing law yet to be finalised, EU member states have taken it upon themselves to decide how the GDPR applies to their citizens. Austria, France, Italy, and the Netherlands have all ruled that Google Analytics is illegal under the GDPR, reiterating the core issue that was raised in many complaints to EU regulators: Google Analytics is unable to sufficiently protect EU subjects from US surveillance.
The Problem With Google Analytics and the GDPR
Ok, I think we can all agree that loads of exciting legal stuff happened (cue Perry Mason). Let’s take a step back from the legal side for a moment and look at the underlying technology to better understand the root concerns that EU lawmakers have.
When you add the Google Analytics code snippet to your site, several processes occur behind the scenes. Depending on your implementation, such as cookie throttling (e.g. an opt-in banner) or a server-side endpoint for Google resources, the snippet requests a JavaScript library. This library contains the collection logic Google uses to gather and package data on your users’ behaviour and then send it to Google’s servers.
This commences the four-part lifecycle of data captured by Google Analytics:
- Collection
- Processing
- Configuration
- Reporting
Whenever a page is loaded or a user action, such as a button click or purchase, is executed, a ‘hit’ (a packet of data, such as an event) is sent to Google Analytics servers. This data egress is part of the Collection step of the lifecycle. Every time a request is sent to Google servers, the user’s IP address is included. As an analyst, you cannot access these IP addresses, but they are sent to Google. Google collects IP addresses for processing purposes, such as excluding users from a certain location (e.g. your office or your agency).
Google uses cookies to persist data between pages and sessions, enabling Google Analytics to recognise when the same user visits your home page and then your contact-us page, all within the same session. These cookies don’t contain any data that could conventionally identify a person, such as a name or address. However, they do store an automatically generated ID and, depending on your Configuration, a user ID from your CRM.
These IDs are mainly used during the Processing stage of the data lifecycle. However, analysts can view them (in the Reporting stage) if they choose, and can also export them and manually deanonymise users by joining Google Analytics data against the CRM on that ID.
The core of the issue with the above is that Google Analytics stores this data, including information about EU residents, on US-based cloud servers. To add fuel to the legal dumpster fire, Google LLC is a US-owned company and is subject to US surveillance laws, including the Clarifying Lawful Overseas Use of Data (CLOUD) Act.
Now, you might be wondering: “Why are regulators concerned if no identifiable information is sent?”, and that is a fair question. The ‘information’ of concern to regulators is any datum that can identify an individual, such as ClientID, UserID, and IP Address, as well as the use of cookies to achieve this.
Google Analytics and Personal Information
So this brings us to the big question: does Google Analytics collect personal information? According to many regulatory authorities, the answer is a resounding YES. While Google forbids users of its Analytics product from collecting any personal data (in the traditional sense), other than online identifiers such as cookie identifiers, internet protocol addresses, and device identifiers, many of the signals that Google is collecting qualify as personal data.
You can obscure or anonymise some of the signals using Google’s own technologies, such as the IP anonymisation feature. However, anonymisation only happens after the data has already been transferred to Google, and this (according to Austria’s DSB) makes the transfer subject to the GDPR.
Google has made progress in addressing some of these issues with Google Analytics 4, introducing changes to privacy settings. However, GA4 still collects the same or similar data as Universal Analytics (e.g. as described above) and processes it outside the EU.
This point has been made explicitly by Denmark’s Data Protection Authority:
“In regard to Google Analytics 4, it is apparent from Google’s documentation that IP addresses are used to determine the approximate location of the visitor, after which the address is discarded before the data is logged to a server. As with Universal Analytics, the same issue is also relevant for Google Analytics 4, as – depending on the location of the data subject – there can be a direct connection to, among others, American servers before the address is discarded.”
Why Is All This My Problem?
While this seems like an issue Google needs to address, the reality is that the GDPR puts web publishers (e.g. anyone with a website) at risk if they do not comply, even if the source of the issue is with technology that itself does not comply.
To be more specific, the GDPR defines the concepts of a Data Controller and a Data Processor, each of whom has different responsibilities. A Data Controller is an entity responsible for deciding why and how personal data is processed. A Data Processor, on the other hand, simply processes any data that the Data Controller gives them. In many cases, your organisation is the Data Controller, and Google Analytics is your Data Processor.
It is your responsibility as a Data Controller to collect only the information you have the legal authority to collect. Generally, it is not the responsibility of the Data Processor to decide whether the information you collect is legal, although they may have policies that dictate this. You are responsible for ensuring any sub-processors adhere to your legal requirements, as you are the responsible party if a regulatory authority identifies a breach of the GDPR.
Indeed, the organisation founded by Max Schrems (after whom the Schrems II ruling is named), Mind Your Own Business, has filed 101 complaints with various European supervisory authorities, none of which target Facebook or Google directly; rather, they target organisations using either Meta or Google as data processors.
Many people think that using a cookie opt-in is enough to avoid the effects of the recent rulings on Google Analytics. However, this is not true. Even if a user agrees to their data being sent to Google, this does not make cross-border data transfers compliant with GDPR.
“[…] users’ consent to the storing of cookies during their visit to the website cannot be considered as equivalent to their having “explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards” within the meaning of Article 49.1.a of the Regulation.”
Commission Nationale de l’Informatique et des Libertés (CNIL)
This is not about the user accepting that their data may be seen by US legal authorities, but rather that there is currently no legislation that protects data transferred outside the EU or enforces safeguards on those transfers.
What Can I Do?
There are a few options to reduce your exposure to risk. These should be considered specific to your use case, as there is no one-size-fits-all solution to completely eliminate risk. This is especially true in the ever-changing world of data privacy in Europe. However, any mitigation is better than none. I recommend investigating the following:
Server-side Tagging
Server-side implementation of Google Analytics is a requirement for a CNIL-compliant setup, and may become recognised as a solution throughout the EEA. It can be a very robust way to ensure the data you collect is checked before you transmit it to an external party, such as Google Analytics. In addition, you are able to enrich your data for reporting purposes without undermining the privacy of end users (for example, by running your own geolocation lookup on the server rather than letting Google derive location from the IP address).
With that said, there are some important considerations to factor in, including the location of your server: if you provision a server in the US, then you are back to square one. It is also essential to consider that if you remove unique user identifiers, Google Analytics will not be able to link events to sessions. This will reduce your ability to measure user journeys and get meaningful insights on attribution.
1P Encryption and Pseudonymization
Several data protection authorities (including Datatilsynet and the CNIL) have proposed that additional pre-processing measures taken prior to the transmission of data may overcome some of the privacy shortfalls of collecting data in the EU with Google Analytics. These include (but are not limited to) the following:
- Ensuring Google Analytics executes its resources only after a user has explicitly provided their consent.
- Using a server-side implementation of Google Analytics and deploying it on a server that is EU-based.
- Removing all identifiers that could identify a user, such as IP addresses, user-agent, cross-site identifiers, referrer URL, full page URL including UTM tags, and custom dimensions containing personal data, before sending data to Google Analytics.
Choosing a Different Platform
Many of the issues which EU regulators have identified as problematic are present in other analytics tools, including those based outside of the US (such as Yandex Metrica, Adobe Analytics, and Amplitude). The most privacy-friendly method is to move completely to a platform that is owned and operated out of Europe, though this option is pretty drastic and should be thoughtfully considered before being undertaken. After all, it’s still early days in the conversation, and Google and other platforms have submitted some mitigations that are still being considered by regulators, including ‘Google consent mode’.
In addition, the frameworks currently being proposed in place of Privacy Shield may yield positive outcomes in the EU courts. If you are in the business of getting ahead of the game and planning for the worst (as I am), then I recommend you take a look at the following platforms:
Please note that, while these platforms are considered reliable Google Analytics alternatives for EU organisations, I cannot guarantee their compliance with the GDPR. At the time of writing, I have worked with organisations to set up Matomo, and it has proved to be a solid choice. In fact, some Government organisations in the EU have even used it. With that said, it is important to understand how your configuration of any of these platforms will affect your regulatory obligations, especially if you are also collecting data outside the EU.
Final Thoughts
In summary, it is very difficult for an organisation to completely insulate the end-user from being exposed to some degree of extraterritorial data transfer. This means that, even with the strongest safeguards in place, EU citizens’ data may be exposed to US surveillance. Google Analytics 4 has added changes to privacy settings, but still collects the same or similar data as Universal Analytics.
Data Controllers are responsible for ensuring any sub-processors adhere to their legal requirements, as they are the responsible party if a regulatory authority identifies a breach of the GDPR. Solutions to reduce the risk of non-compliance with the GDPR include server-side tagging and 1P encryption and pseudonymisation. Additionally, organisations can switch to a different analytics platform that is owned and operated out of Europe. Ultimately, it is important to stay up to date with the ever-changing world of data privacy in Europe.