The (Il)legality of Google Analytics: Italy’s Recent Response

Google Analytics Italy Illegal
Estimated Reading Time: 4 minutes

**Important – This is not legal counsel, the materials provided are for informational purposes only and not for the purpose of providing legal advice. Final decisions must be made by your own legal representation.**

On June 9, 2022, Italy’s Guarantor For The Protection of Personal Data issued a ruling deeming the usage of Google Analytics on an Italian website to be illegal. The opinion follows past decisions from Austria’s DPA and France’s CNIL deciding the same. What are the facts of the Italian case and what does this mean for the usage of Google Analytics (GA) more broadly in the EU? Let’s dive in to discuss.

What was the original complaint being evaluated?

The Italian decision was the most recent ruling in response to the long list of complaints submitted by NOYB against websites across the EU in August of 2020. The complaint being evaluated in Italy raises the issue of a GDPR violation due to the transfer and processing of EU user’s personal data to an organization in the United States (Google). Further context provided by the offending organization about their usage of GA was also provided throughout 2021 and the first quarter of 2022 and considered in the decision.

What are the main findings from the case?

The Italian GDPD found that the website in question was collecting data using GA. The set of data collected did constitute personal data due to the inclusion of user IP address along with browser and device data, as well as unique IDs assigned to the user’s device by GA. As a part of processing, this data was transferred and processed in the United States. Further, the Italian SA maintained that the technical and operational measures in place by Google for the protection of EU users’ personal data were insufficient to satisfy the requirements of an international transfer. It was also found that the website did not provide sufficient disclosures on the site to notify users of the data collection by GA and transfers that occurred.

How does this differ from the previous Austrian and French DPA opinions? 

The findings in many respects mirror the findings of the previous DPA decisions—further indicating an alignment amongst EU DPAs as to the illegality of the use of GA due to the issue of international data transfers with the United States. 

Interestingly, this case helps resolve an outstanding question as to the efficacy of the use of the “Anonymize IP” functionality provided within GA. In this case, it was determined that the IP address is personal data and is not anonymized even if it were truncated (which is what happens as part of GA’s anonymization of the IP address). This was found to be the case due to the ability for Google to enrich the full dataset with the additional device and browser information it also collects as part of standard GA data collection and processing. Basically this means that no, the “Anonymize IP” feature is insufficient on its own to address the collection of personal data when using GA and remove GDPR compliance risk. 

What does this mean—is GA illegal in the EU?

Not definitively. An important consideration is that all of the DPA decisions to date (including this one) have considered GA prior to Google’s most recent GA4 privacy updates made in April of 2022. As a part of this update two critical architectural updates were made for Google Analytics 4 (GA4) specifically: 

  1. GA4 no longer logs the IP address of the user, instead doing an initial high-level location lookup which is conducted in the EU for EU users.  
  2. EU data is received and processed in the EU for EU users. 

The usage of GA (specifically GA4) has, as of July 2022, yet to be fully evaluated with these changes being in place. 

Uncertainty remains in a definitive sense as to the legality of using GA. To further cloud the landscape is the potential for an actual legal agreement for a new EU-US Data Transfer Framework on the heels of the political announcement made on March 25, 2022 that one will be put in place. For now the saga continues! Stay tuned for additional updates as the landscape becomes more clear. 

Interested in evaluating your Google Analytics architecture for compliance risk?

Contact us now to discuss best practices and strategies you should be exploring today.
Facebook
Twitter
LinkedIn
Email
Last Updated: July 27, 2022

Other Articles You Will Enjoy

Patchwork Privacy: U.S. State Legislation Roundup

Patchwork Privacy: U.S. State Legislation Roundup

Privacy protections in the United States take a big leap forward in 2023 with five states having new privacy laws going into effect. This…

16-minute read
U.S. Privacy Enforcement Heats Up: 1.2 Million Reasons to Respect Privacy Rights

U.S. Privacy Enforcement Heats Up: 1.2 Million Reasons to Respect Privacy Rights

On Aug. 24, California’s Attorney General announced a settlement for $1.2 million with a powerhouse beauty retailer (Sephora) due to a violation of consumer…

7-minute read
The Future of U.S. State Consumer Privacy Bills

The Future of U.S. State Consumer Privacy Bills

In an age where technology and data are ubiquitous, it is more important than ever to protect the information of individuals. Personal data can…

7-minute read
GDPR Compliance & Google Analytics: The Danish DPA Weighs In

GDPR Compliance & Google Analytics: The Danish DPA Weighs In

The plight of Google Analytics in the EU continues as the Danish DPA issued a press release regarding the use of Google Analytics for…

10-minute read
How to Respect Consumers and Keep Them Coming Back

How to Respect Consumers and Keep Them Coming Back

You’ve seen the statistics. It’s no secret that in today’s marketing environment users expect a higher level of personalized communication while at the same…

6-minute read
The Latest on the EU – US Data Sharing Agreement

The Latest on the EU – US Data Sharing Agreement

On October 7, the White House announced an “Executive Order: On Enhancing Safeguards For United States (US) Signals Intelligence Activities.” President Biden did this…

8-minute read
The Latest on the UK Data Reform Bill

The Latest on the UK Data Reform Bill

On June 17, 2022 a press release from the United Kingdom (UK) Government’s Department for Digital, Culture, Media & Sport (DCMS) and The Rt…

7-minute read
Ohio Personal Privacy Act: What Marketers and Advertisers Need to Know

Ohio Personal Privacy Act: What Marketers and Advertisers Need to Know

Much has been made about 2023 being the year of reckoning for privacy regulations in the United States, with five states having new regulations…

10-minute read

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ option.name }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.