Share on facebook
Share on twitter
Share on linkedin
Share on email

Is Google Analytics Illegal? Part Deux

Is Google Analytics Illegal? Part Deux

**Important – This is not legal counsel, the materials provided are for informational purposes only and not for the purpose of providing legal advice. Final decisions must be made by your own legal representation.**

A couple of weeks ago, we discussed the implications and recommendations following the Austrian DPA’s released opinion that the use of Google Analytics (GA) was illegal in the context of a complaint filed in September of 2020. The question of “does the use of GA violate General Data Protection Regulation (GDPR)?” at the time had a bit of a complicated answer. Much of this murkiness has been cleared up due to the recent release by France’s CNIL which very clearly states that the use of GA in its current form is a violation of GDPR.

The CNIL’s statement is in response to their review of similar complaints to those from the Austrian case. Specifically at question are the protections in place for personal data by GA as it relates to international transfers. It is the opinion of both the Austrian and French DPA that the protections in place are not sufficient to satisfy the requirements of Article 44 of GDPR. Therefore, the use of GA is a violation. 

How does this differ from the Austrian opinion?

The Austrian DPA’s opinion issued spoke to a specific set of circumstances and configuration of GA. The circumstances considered in that case were also from September 2020—some of the nuance had changed in the past two years. France’s CNIL statement is based upon a current review of GA and the protections in place for the international transfer of French user’s personal data. The statement is not in reference to a specific set of configurations but rather default, always-happening behavior of GA. This makes the opinion much more broad in applicability and explicit in its position.

So, what is specifically at issue?

Specifically cited in both of these instances is the international transfer of personal data by GA not having sufficient protections to satisfy GDPR requirements. The CNIL has issued the opinion that any unique identifier for a user would fall under this definition of “personal data” and therefore would put GA in scope of GDPR. GA, by default, will always send at minimum a client ID and the IP address of the user. The client ID is a unique identifier specific to a user on a specific domain. The IP address, while potentially obfuscated based upon settings applied, is still collected and initially processed. Due to Google’s storage of GA data in the United States, and no satisfactory lawful transfer agreement in place following the invalidation of the EU-US Privacy Shield in 2020, this architecture violates GDPR. This is regardless of any additional configuration a business may have which could also put GA data in scope of GDPR (such as a user ID). 

What next?

Absent a major architectural change from Google (which has been hinted at), this is the second EU market to explicitly state the usage of GA is illegal. Considering the issues at question, more EU DPAs are likely to follow suit. Unless Google provides a technical mechanism to either not collect any personal data (therefore removing GA from the scope of GDPR—also significantly reducing the use cases which GA could address) or to process and store data collected from EU users only in the EU, the usage of GA would present a compliance risk for organizations using the platform.

Anything else relevant to know?

In the background, there are ongoing discussions between US and EU regulators on the creation of a new standard legal mechanism organizations could use to certify international data transfers to replace the EU-US Privacy Shield. Just last week Google and Meta issued some strong statements in response to similar issues. With the vast business implications of the impact of not just being able to use GA but also any platform which stores or processes personal data in the United States, regulators should be very motivated to get something in place. We will see over the coming months if this motivation brings about a new standard transfer agreement.

We said “more to come” in response to the Austrian DPA’s opinion, this is certain to be just one of the first of many additional opinions from EU DPAs that will be made on this topic in the coming weeks. Stay tuned as the plot continues to thicken.

Interested in discussing a privacy-centric first party data strategy?

We’d love to chat. Reach out to our team of data governance experts!
Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on email
Email

Other Articles You Will Enjoy

All About Firebase Dynamic Links – Manage Your Mobile App Campaigns Better

All About Firebase Dynamic Links – Manage Your Mobile App Campaigns Better

The Challenge: Why Do We Need Dynamic Links? With hardware and technology advancement, our leads and customers are consuming content faster with each passing…

Google Analytics 4 Privacy Updates: What They Mean For Your Business

Google Analytics 4 Privacy Updates: What They Mean For Your Business

2022 has been a busy year for Google Analytics (GA) in the domain of privacy. In February, the Austrian DPA announced the use of…

Don’t Just Measure Data … Understand Your Consumers: Top Things to Know from InfoTrust + Google’s Virtual Retail Summit

Don’t Just Measure Data … Understand Your Consumers: Top Things to Know from InfoTrust + Google’s Virtual Retail Summit

Retail marketers and analytics professionals across the globe face a unique set of daily challenges. As a leader in the retail/eCommerce space (with partnerships…

Why Your Healthcare Org Should Upgrade to Google Analytics 4 Right Now

Why Your Healthcare Org Should Upgrade to Google Analytics 4 Right Now

You probably saw the news, but in case you’ve been blissfully unaware, Google just announced that their beloved Universal Analytics (UA) will sunset on…

Current Version of Google Analytics (Universal Analytics) to Sunset in 2023 | What You Need to Know

Current Version of Google Analytics (Universal Analytics) to Sunset in 2023 | What You Need to Know

Summary Google recently announced that Universal Analytics (UA; the current iteration of Google Analytics) will stop processing data in the second half of 2023,…

Google Analytics 4 Update: February 2022 – InfoTrust’s Strategic Approach & Recommendations

Google Analytics 4 Update: February 2022 – InfoTrust’s Strategic Approach & Recommendations

Introduction Google Analytics 4 (GA4) is a new iteration not only of Google Analytics (GA) as a tool, but also as a way of…

What I Learned about Digital Analytics from Buying a House

What I Learned about Digital Analytics from Buying a House

I honestly wasn’t sure if I could even buy a house, especially since I didn’t know where to begin—but to my surprise, my career…

Cookieless Tracking: What It Is and How It Will Optimize Your Marketing Analytics Strategy

Cookieless Tracking: What It Is and How It Will Optimize Your Marketing Analytics Strategy

Get the full infographic In today’s increasingly privacy-centric marketing environment, first-party data has never been more important nor more difficult to collect. A recent…

Google Analytics 4 Reporting: Locating Reports

Google Analytics 4 Reporting: Locating Reports

If you’re thinking the Google Analytics 4 (GA4) reporting interface has changed quite a bit, you are not alone. Upon initial login the interface…

Get Your Assessment

  • This field is for validation purposes and should be left unchanged.

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Our website uses cookies and may collect user information to provide a good experience. Read our Privacy Policy here.

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.