The background

Following a complaint by NOYB.EU, a data privacy activist organisation, the Austrian Data Protection Authority (DPA) decided on 22nd December 2021 that the use of Google Analytics violates the GDPR.

A separate legal proceeding was initiated concerning internal data processing and co-controller responsibilities.

The decision, which bans Google Analytics in Austria, concerns NetDoktor, an Austrian medical news service, and its use of Google Analytics via a cookie to track visits through the site, as millions of other GA integrations do.

The ban decision is now being reviewed by other EU governments; the Netherlands' current investigation is close to conclusion. It appears very likely that other EU Data Protection Authorities will follow.

Additionally, NOYB is preparing 10,000 further privacy complaints, so it can safely be assumed that regulatory measures will only pick up pace as a result.

This is one of many recent successes in NOYB’s privacy cases, which have resulted in a wide spectrum of fines: from the €6.3M fine imposed on Grindr by the Norwegian Data Protection Authority for sharing personal data with various advertisers, to the €65K fine imposed on C-Planet IT Solutions over voter data in Malta.

The stakes and implications of a Google Analytics ban hold ramifications for millions of brands, sites and apps. It follows the 2020 ruling that Privacy Shield, the mechanism used by thousands of companies for EU-US data transfers, was illegal.

The move against Google Analytics will affect thousands of Austrian sites, and millions more once it gathers momentum across Europe and other European Data Protection Authorities follow suit. Its impact actually extends further, to any other vendor whose infrastructure and server regions operate in the US. For example, Stripe, a payment processing platform, has already been named in NOYB’s claim. More will follow.

So what does this all actually mean?

The DPA (Austrian Data Protection Authority) has not yet assessed what Google itself does with the personal data; it only looked at the activities up to the point of data transfer to Google.

A separate legal proceeding was initiated to unravel how Google Analytics processes personal data. Interestingly, the German Data Protection Conference (Datenschutzkonferenz, or “DSK”) assumes that joint controllership arises from the use of Google Analytics.

Are Machine Learning and User Modelling impacted? The GDPR states that both controllers and processors must ensure that (see Articles 4(4), 9 and 22, and Recitals 71 and 72):

  • Processing is fair and transparent, providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
  • Appropriate mathematical or statistical procedures are used for the profiling.
  • Appropriate technical and organisational measures are implemented to enable inaccuracies to be corrected and to minimise the risk of errors.
  • Personal data is secured in a way that is proportionate to the risk to the interests and rights of the individual and that prevents discriminatory effects.

How these provisions are interpreted may constrain user segmentation, modelling or multivariate (A/B) testing.

However, under Recital 162 (processing for statistical purposes), using data for collective or “wisdom of the crowd” capabilities such as contextualisation or trends is regulated and permitted, provided that “the result of processing for statistical purposes is not personal data” but aggregate data.

Are Personalisation and Hyper-Localisation impacted? Yes, since these depend on consent.

What’s more, a growing percentage of users are aware of their privacy rights and exercise them by actively managing cookies (Deloitte, The next chapter of data privacy).

In fact, if most EU cookie consent notices were not opaque and manipulative, only 30% of visitors would actually consent to the cookies that fuel key digital innovations such as personalisation and hyper-localisation (Ruhr-University Bochum, Germany, and the University of Michigan, US: (Un)informed Consent: Studying GDPR).

An average 30% of visitors would decline consent notices if presented with legitimacy

This means that if only 30% of visitors consented, only 30% could be analysed, tested, geolocated or personalised, so the value of these digital advancements is effectively reduced by a proportional 70%. Under this hypothesis, these capabilities become significantly less relevant.

Conclusion and Recommendations

Consent and cookie propositions need to be reviewed with a critical eye toward likely complaints.

Treating privacy as an afterthought forces retailers to wire complex consent structures into data pipelines and processes, many of which are integrated with external vendors whose infrastructure may reside in the US. This must be avoided.

Empathy’s recommendation is to approach privacy as a human right. That means designing experiences in ways that respect customers’ online privacy to the same standards as offline.

The EU law on cookie consent is clear: web users must be presented with simple choices. However, most sites still choose to make a mockery of the law and of their customers through skewed consent UIs. These approaches make your shop a target for complaints.

Retailers need to take a stand, to think beyond compliance, and to give strong signs that speak trust, ethics and duty.