The (Il)legality of Google Analytics: Italy’s Recent Response

Google Analytics Italy Illegal

**Important – This is not legal counsel, the materials provided are for informational purposes only and not for the purpose of providing legal advice. Final decisions must be made by your own legal representation.**

On June 9, 2022, Italy’s Guarantor For The Protection of Personal Data issued a ruling deeming the usage of Google Analytics on an Italian website to be illegal. The opinion follows past decisions from Austria’s DPA and France’s CNIL deciding the same. What are the facts of the Italian case and what does this mean for the usage of Google Analytics (GA) more broadly in the EU? Let’s dive in to discuss.

What was the original complaint being evaluated?

The Italian decision was the most recent ruling in response to the long list of complaints submitted by NOYB against websites across the EU in August of 2020. The complaint being evaluated in Italy raises the issue of a GDPR violation due to the transfer and processing of EU user’s personal data to an organization in the United States (Google). Further context provided by the offending organization about their usage of GA was also provided throughout 2021 and the first quarter of 2022 and considered in the decision.

What are the main findings from the case?

The Italian GDPD found that the website in question was collecting data using GA. The set of data collected did constitute personal data due to the inclusion of user IP address along with browser and device data, as well as unique IDs assigned to the user’s device by GA. As a part of processing, this data was transferred and processed in the United States. Further, the Italian SA maintained that the technical and operational measures in place by Google for the protection of EU users’ personal data were insufficient to satisfy the requirements of an international transfer. It was also found that the website did not provide sufficient disclosures on the site to notify users of the data collection by GA and transfers that occurred.

How does this differ from the previous Austrian and French DPA opinions? 

The findings in many respects mirror the findings of the previous DPA decisions—further indicating an alignment amongst EU DPAs as to the illegality of the use of GA due to the issue of international data transfers with the United States. 

Interestingly, this case helps resolve an outstanding question as to the efficacy of the use of the “Anonymize IP” functionality provided within GA. In this case, it was determined that the IP address is personal data and is not anonymized even if it were truncated (which is what happens as part of GA’s anonymization of the IP address). This was found to be the case due to the ability for Google to enrich the full dataset with the additional device and browser information it also collects as part of standard GA data collection and processing. Basically this means that no, the “Anonymize IP” feature is insufficient on its own to address the collection of personal data when using GA and remove GDPR compliance risk. 

What does this mean—is GA illegal in the EU?

Not definitively. An important consideration is that all of the DPA decisions to date (including this one) have considered GA prior to Google’s most recent GA4 privacy updates made in April of 2022. As a part of this update two critical architectural updates were made for Google Analytics 4 (GA4) specifically: 

  1. GA4 no longer logs the IP address of the user, instead doing an initial high-level location lookup which is conducted in the EU for EU users.  
  2. EU data is received and processed in the EU for EU users. 

The usage of GA (specifically GA4) has, as of July 2022, yet to be fully evaluated with these changes being in place. 

Uncertainty remains in a definitive sense as to the legality of using GA. To further cloud the landscape is the potential for an actual legal agreement for a new EU-US Data Transfer Framework on the heels of the political announcement made on March 25, 2022 that one will be put in place. For now the saga continues! Stay tuned for additional updates as the landscape becomes more clear. 

Interested in evaluating your Google Analytics architecture for compliance risk?

Contact us now to discuss best practices and strategies you should be exploring today.
Facebook
Twitter
LinkedIn
Email

Other Articles You Will Enjoy

Utah Consumer Privacy Act: What Marketers and Advertisers Need to Know

Utah Consumer Privacy Act: What Marketers and Advertisers Need to Know

As always, this is meant to be general guidance and should not be viewed as legal advice. Please consult with your legal counsel to…

The Future of State Consumer Privacy Bills

The Future of State Consumer Privacy Bills

In an age where technology and data are ubiquitous, it is more important than ever to protect the information of individuals. Personal data can…

Google Analytics and GDPR: Mitigating Risk With GA4

Google Analytics and GDPR: Mitigating Risk With GA4

**Important – This is not legal counsel, the materials provided are for informational purposes only and not for the purpose of providing legal advice….

Connecticut Data Privacy Act: What Marketers and Advertisers Need to Know

Connecticut Data Privacy Act: What Marketers and Advertisers Need to Know

As always, this is meant to be general guidance and should not be viewed as legal advice. Please consult with your legal counsel to…

Get Your Assessment

  • This field is for validation purposes and should be left unchanged.

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Our website uses cookies and may collect user information to provide a good experience. Read our Privacy Policy here.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.