The (Il)legality of Google Analytics: Italy’s Recent Response

Google Analytics Italy Illegal
Estimated Reading Time: 4 minutes

**Important – This is not legal counsel, the materials provided are for informational purposes only and not for the purpose of providing legal advice. Final decisions must be made by your own legal representation.**

On June 9, 2022, Italy’s Guarantor For The Protection of Personal Data issued a ruling deeming the usage of Google Analytics on an Italian website to be illegal. The opinion follows past decisions from Austria’s DPA and France’s CNIL deciding the same. What are the facts of the Italian case and what does this mean for the usage of Google Analytics (GA) more broadly in the EU? Let’s dive in to discuss.

What was the original complaint being evaluated?

The Italian decision was the most recent ruling in response to the long list of complaints submitted by NOYB against websites across the EU in August of 2020. The complaint being evaluated in Italy raises the issue of a GDPR violation due to the transfer and processing of EU user’s personal data to an organization in the United States (Google). Further context provided by the offending organization about their usage of GA was also provided throughout 2021 and the first quarter of 2022 and considered in the decision.

What are the main findings from the case?

The Italian GDPD found that the website in question was collecting data using GA. The set of data collected did constitute personal data due to the inclusion of user IP address along with browser and device data, as well as unique IDs assigned to the user’s device by GA. As a part of processing, this data was transferred and processed in the United States. Further, the Italian SA maintained that the technical and operational measures in place by Google for the protection of EU users’ personal data were insufficient to satisfy the requirements of an international transfer. It was also found that the website did not provide sufficient disclosures on the site to notify users of the data collection by GA and transfers that occurred.

How does this differ from the previous Austrian and French DPA opinions? 

The findings in many respects mirror the findings of the previous DPA decisions—further indicating an alignment amongst EU DPAs as to the illegality of the use of GA due to the issue of international data transfers with the United States. 

Interestingly, this case helps resolve an outstanding question as to the efficacy of the use of the “Anonymize IP” functionality provided within GA. In this case, it was determined that the IP address is personal data and is not anonymized even if it were truncated (which is what happens as part of GA’s anonymization of the IP address). This was found to be the case due to the ability for Google to enrich the full dataset with the additional device and browser information it also collects as part of standard GA data collection and processing. Basically this means that no, the “Anonymize IP” feature is insufficient on its own to address the collection of personal data when using GA and remove GDPR compliance risk. 

What does this mean—is GA illegal in the EU?

Not definitively. An important consideration is that all of the DPA decisions to date (including this one) have considered GA prior to Google’s most recent GA4 privacy updates made in April of 2022. As a part of this update two critical architectural updates were made for Google Analytics 4 (GA4) specifically: 

  1. GA4 no longer logs the IP address of the user, instead doing an initial high-level location lookup which is conducted in the EU for EU users.  
  2. EU data is received and processed in the EU for EU users. 

The usage of GA (specifically GA4) has, as of July 2022, yet to be fully evaluated with these changes being in place. 

Uncertainty remains in a definitive sense as to the legality of using GA. To further cloud the landscape is the potential for an actual legal agreement for a new EU-US Data Transfer Framework on the heels of the political announcement made on March 25, 2022 that one will be put in place. For now the saga continues! Stay tuned for additional updates as the landscape becomes more clear. 

Interested in evaluating your Google Analytics architecture for compliance risk?

Contact us now to discuss best practices and strategies you should be exploring today.

Author

  • Lucas Long

    Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.

    View all posts
Facebook
Twitter
LinkedIn
Email
Originally Published: July 15, 2022

Subscribe To Our Newsletter

January 17, 2023
Originally published on July 15, 2022

Other Articles You Will Enjoy

A South Asian First: Sri Lanka’s Personal Data Protection Act

A South Asian First: Sri Lanka’s Personal Data Protection Act

I know I covered India’s DPDPA first, but, as it turns out, Sri Lanka beat them to the punch. Sri Lanka’s Personal Data Protection…

6-minute read
Safeguarding Tomorrow: The Importance of Evaluating Compliance Risk Today

Safeguarding Tomorrow: The Importance of Evaluating Compliance Risk Today

It happens every day: marketing purchases a new platform with the promise of helping the organization meet and exceed business targets. When it comes…

7-minute read
HIPAA Legislation: What Impact Does This Have on Your Analytics Platforms?

HIPAA Legislation: What Impact Does This Have on Your Analytics Platforms?

If you are a healthcare organization operating in the United States, you are likely aware of the significant increase in the focus on the…

9-minute read
AdTech DNA Simplifies the Complex for Global Advertisers

AdTech DNA Simplifies the Complex for Global Advertisers

As a global advertiser, knowing what is happening across your organization is an endeavor wrought with complexity.  Are your advertising technologies implemented correctly?  Do…

3-minute read
Get to Know India’s Landmark Privacy Legislation: Digital Personal Data Protection Act (DPDPA)

Get to Know India’s Landmark Privacy Legislation: Digital Personal Data Protection Act (DPDPA)

The origins of India’s Digital Personal Data Protection Act (DPDPA) began in 2012 when a report from a committee headed by a former judge…

5-minute read

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ option.name }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.