The world of data privacy regulations and rulings has been stormy recently. Following a similar ruling in Austria in mid-January, the French privacy watchdog has echoed the concern over Google Analytics sending data relating to European Union internet users, deeming its use illegal under GDPR. Both cases centre on sites using Google Analytics sending personal data to US-hosted servers, where US legislation makes that data potentially accessible to American intelligence services: a breach of the privacy of EU internet users under GDPR.
The Commission Nationale de l’Informatique et des Libertés (CNIL), France’s data privacy watchdog, ruled that the transfer of Google Analytics data, which includes unique identifiers assigned to site visitors and “constitutes personal data”, is unlawful. It cited that Google’s additional efforts to regulate the transfer of this GA data and meet the GDPR requirements for data transfer are insufficient “to exclude the accessibility of this data for US intelligence services”. The ruling relates to an unnamed French website that has been given a month to make amends, which may include ceasing to use Google Analytics, to bring the processing of users’ data into compliance with GDPR.
In early February, following the similar ruling in Austria, Google posted an update on the Google Analytics support site relating to the transfer of data. It reiterated its confidence in its efforts to date to comply with GDPR, but also acknowledged (through seemingly gritted teeth) the need for more customisable controls over data collection for GA customers, with more details of those controls to surface in the coming weeks.
At this point, these rulings are pertinent to Austria and France, but they signal a need to prepare for the rest of Europe inevitably following suit. Max Schrems, the notable European privacy campaigner, is confident, following more than 100 privacy filings via None of Your Business across EU member states, that “We expect similar decisions to now drop gradually in most EU member states.”
Importantly, the onus is on the organisations using Google Analytics, which are expected to use such services in a way that is compliant with GDPR.
So, what to do?
In the wake of these rulings and while Google works on revealing the details of the additional data transfer controls, there are a few actions to consider.
- Implement IP anonymisation if using Universal (pre-GA4) Analytics. If it is not implemented already, send Google Analytics the IP anonymisation flag either through GTM, by including anonymizeIp as a field name with the value true in your GA settings variable, or, if tracking is implemented directly on-site without a tag manager, through the tracking code itself (https://support.google.com/analytics/answer/2763052?hl=en).
- Leverage a server-side container, hosted in Europe, to take more control of how and to where Analytics data is transferred.
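
To confirm that the IP anonymisation flag from the first action is actually being sent, the requests a page makes can be audited for the aip parameter that Universal Analytics adds to each hit when anonymizeIp is true. The script below is an added example, not code from Google or from this article; the sample requests, the placeholder property ID and the function names are constructed for illustration.

```javascript
// Added example (not from the original article): flag Universal Analytics hits
// that leave the browser without the IP anonymisation parameter.
const UA_HOST = 'www.google-analytics.com';
const UA_PATHS = new Set(['/collect', '/j/collect']);

// Constructed sample requests: placeholder property ID and client ID.
const SAMPLE_REQUESTS = [
  { url: 'https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&cid=555.111&t=pageview&dp=%2Fhome&aip=1' },
  { url: 'https://www.google-analytics.com/j/collect?v=1&tid=UA-000000-1&cid=555.111&t=event&ec=video&ea=play' },
  // analytics.js can also POST the payload (e.g. via sendBeacon), so check the body too.
  { url: 'https://www.google-analytics.com/collect', body: 'v=1&tid=UA-000000-1&cid=555.111&t=timing&aip=1' },
  { url: 'https://example.com/assets/app.js' },
];

// Returns null for requests that are not UA hits, otherwise a summary of the hit.
function inspectHit({ url, body = '' }) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null; // not an absolute URL, ignore
  }
  if (parsed.hostname !== UA_HOST || !UA_PATHS.has(parsed.pathname)) return null;

  // Merge query-string and POST-body parameters into one view of the payload.
  const params = new URLSearchParams(parsed.search);
  for (const [k, v] of new URLSearchParams(body)) params.append(k, v);

  return {
    property: params.get('tid'),
    hitType: params.get('t'),
    // With anonymizeIp set to true, analytics.js adds aip=1 to every hit.
    anonymised: params.has('aip'),
  };
}

// Summarises how many UA hits were seen and which ones lack the aip parameter.
function auditRequests(requests) {
  const hits = requests.map(inspectHit).filter(Boolean);
  const missing = hits.filter((h) => !h.anonymised);
  return { total: hits.length, missing };
}

const report = auditRequests(SAMPLE_REQUESTS);
console.log(`${report.total} UA hits, ${report.missing.length} without aip`);
for (const h of report.missing) console.log(`  missing aip: ${h.property} ${h.hitType}`);
```

Feed it the request URLs (and POST bodies) exported from the browser's network panel; any hit listed as missing aip points to a tag or tracker that was not covered by the anonymizeIp setting.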
Need advice or support with your Google Analytics set-up? Looking to migrate to GA4? Want support on better measuring the impact of your media investment?
Speak with us at [email protected] to learn how we can help.