**Important – This is not legal counsel. The materials provided are for informational purposes only and not for the purpose of providing legal advice. Final decisions must be made by your own legal representation.**
Can I legally use Google Analytics in Europe?
In light of the flurry of Data Protection Authority decisions throughout the first half of 2022, this is a very common question we hear from our clients in the EU.
Naturally, the discussion of this question turns into legal nuance and a lot of “maybe”. (If that’s what you came here for—don’t worry—we have write-ups on the Austria, France, and Italy DPA rulings). Ultimately, there isn’t a clear definitive answer given several factors and considerations. Unfortunately what this means for practitioners is that we’re left in a middle ground of indecision with no clear direction for what we should do. Fear not, we’re here to help! Let’s take a look at the things that are in your control today and best practices to reduce the potential compliance risk while we wait for a definitive answer from legal teams.
Accelerate your organization’s transition to Google Analytics 4 (GA4)
There is really no way around it—the legacy Universal Analytics (UA) platform is a compliance risk for EU organizations. All of the EU decisions to date have evaluated websites’ use of Google Universal Analytics, and all configurations have been deemed insufficient. At the center of all decisions of illegality is the question of the processing of personal data by Google LLC in the United States. No UA setting prevents the processing of personal data, and the data collected is processed and stored in the United States. In the absence of a major architectural update from Google for UA (not happening, as all updates are only for the new version, GA4) or a new EU-US Data Transfer Agreement (announced but not completed), these conditions will hold true.
While UA is a definitive compliance risk, Google has recognized this and gone all-in with their focus on GA4. Already, Google has announced and implemented new privacy-focused safeguards and settings specifically for GA4. While there is still uncertainty if these additional settings and safeguards will be considered compliant, they are the only hope for the possibility of compliance in the absence of a larger political framework being enacted.
Consider the compliance risks associated with the enabling of Signals in GA4
There are significant business benefits to the enabling of Google Signals within GA4—the feature is what enables audience creation, additional user analysis, and cross-device reporting. But you must weigh the compliance risk against the business benefit (and document your balance assessment!).
Core to the compliance concern with Signals is the collection of an additional user identifier by Google Analytics when the user is logged in to a Google service (Gmail, Chrome, etc.) in the same browser with which they are accessing your website. This identifier (Google ID), and the association of this ID with the first-party ID (Client ID) always collected by GA, is what enables all of the additional advertising and analysis value Signals provides. The collection of the Google ID is a consistent condition in all of the complaints raised in the EU to date. It is still unclear if the additional processing activity Google is undertaking when this ID is linked is covered by the more recent architectural changes to provide more privacy protections with GA4. As such, it still represents a potential compliance risk in line with the illegality decisions to date.
This does not explicitly mean that you cannot enable Signals in the EU. If you do, ensure your compliance teams have properly vetted the feature, have conducted a balance test to weigh risks to the user against business benefit, and that the usage (and implications of usage) are clearly disclosed to users.
Consider ways to mitigate compliance risk when using GA4
Google has introduced a number of new privacy-focused features and controls in GA4. A few specifically to be aware of and consider:
- GA4 does not log IP addresses – IP addresses have been consistently at the center of the concerns for re-identification of users. Initially, many organizations pointed to the use of the “IP Anonymization” feature to help address this concern (the feature is automatically enabled in GA4). Unfortunately, in the Italian DPA decision, the usage of GA “IP Anonymization” was found to be insufficient to address this concern. Specifically it was found that due to the collection of additional device and browser information, even a truncated IP address still constituted the processing of personal data. GA4 now takes this one step further by never logging the IP address of the user. The IP is only used initially for standard internet communication functioning and a high-level geo-lookup is conducted (on EU servers for EU users). The only thing logged is this high-level location information and the IP address is discarded.
- EU data is received and processed in the EU – This update could address the concern of international transfers which all DPA decisions of illegality have centered upon. There is still an outstanding question if this will be the case but as of now no cases have been considered with this architectural modification in place.
- Regional controls for Google Signals – As mentioned above, Google Signals is a compliance risk at the very least in countries where decisions have been issued (Austria, France, and Italy). There are simple ways to enable/disable Signals for defined regions (countries) within GA4. This can allow an organization to enable the functionality in markets with a lesser compliance risk while disabling in those where it is a concern.
- Additional controls for the collection of granular location and device data – Previously device and location data was automatically collected. It is now possible to stop the collection of these data points at the regional (country) level. By not collecting this data you can remove many of the data points which have been cited as potentially enabling user identification by Google in EU compliance decisions. Be aware, if you do disable the collection of this data there will be significant implications to reporting, removing the ability to do any kind of location or device analysis.
- Make sure you have privacy/legal teams review disclosures to users. These need to include what exact personal data is being collected, how it is used, and if it is being processed outside the EU (and/or by international organizations). This level of transparency around GA4 and data collection must be included as part of the user consent experience.
Make sure a Data Protection Assessment has been completed and documented for GA4
It is critical that the usage of GA4 has been fully vetted by privacy and compliance teams. This includes the evaluation of technical and operational safeguards related to the data processing both by your organization and Google. In a “worst case” scenario of a complaint being brought against your organization, this documentation will be critical to establishing a defensible position for compliance. This needs to document what data is being collected and processed, what classifications of personal data are included, how the data is used, balance test considering risk to users, and protections being put in place to reduce said risk.
Begin initial assessments of alternative architectural options
There is really no way to sugarcoat it—the possibility exists that in the absence of a new EU-US Data Transfer Agreement, the usage of Google Analytics could be deemed broadly illegal. If this scenario comes to pass, you need to have at least the foundations of an alternative plan in place. There are two different ways to approach this:
- Evaluate other analytics platforms – While the vast majority of organizations are taking the stance that it is too soon to migrate away from Google Analytics, one way of mitigating risk is to at least know what other options may be available. The vetting of other analytics platforms should include considerations about international data transfers, as well as the viability of addressing business use cases. Understand first what options can meet both requirements, as well as what the architectural lift would be to migrate. This option would be a major organizational change for many businesses. If nothing else, the fact that alternatives have been considered can go a long way towards establishing a defensible position in the event of a complaint.
- Due to the potential lift involved with a platform change, for many the strategic and operational hurdles of replacing the analytics platform are going to be untenable. Fortunately, there is the potential for a migration to server-side tag management and the streaming of first-party interaction data (in the same structure and format as is used for GA4) to your own data warehouse. From here, you can stand up your own dashboarding and reporting for core KPIs. You can also leverage many of the advanced analysis capabilities within cloud platforms.
We are living in a state of “in-between” as it relates to the legality of Google Analytics in the EU. Privacy updates released for GA4 provide the potential promise of addressing these concerns, as does the potential of a new EU-US Data Transfer Agreement. In the meantime, doing nothing is not enough. Take control by implementing the above risk mitigation strategies for GA4 and give yourself as strong a foundation as possible as we move into the privacy-centric future.