GDPR and Google Analytics: What you need to know
A guest post from Simple Analytics, Empathy.co Partner
August 1 2022
For a long time, it seemed that Google had an almost tyrannous grip on how we work. Organising our calendar, sending emails, or analysing website data: the only solution appeared to be the features of Google Workspace. But that monopoly is slowly crumbling. The technology giant is losing terrain as countries are ensuring that it respects the law.
News agencies report on new sanctions almost weekly, but the underlying problems are often not addressed clearly. Businesses looking to make the necessary changes to comply with the rules are often in the dark about how and where to start. We’re here to help by answering these questions today:
- What is the GDPR in simple terms?
- What’s the problem with Google Analytics and the GDPR?
- Which countries have taken action against Google Analytics?
- What does the future hold for transatlantic data transfer?
- What can you do as a merchandiser to guarantee online privacy?
Let’s delve deeper.
What is the GDPR in simple terms?
The EU has had its famous General Data Protection Regulation (GDPR), or EU Regulation 2016/679, in place since 25 May 2018.
The law applies to any company that processes or intends to process the data of individuals in the EU, regardless of where the organisation is based.
With the GDPR, the EU made an ambitious and comprehensive attempt to protect its citizens’ online privacy built upon four main principles:
- Privacy by design
- Fair data collection
The law ensures merchandisers meet the requirements to implement and maintain online security measures. Apart from setting obligations for businesses, it also stipulates the consumers’ rights to data protection.
As data is increasingly handled and purchased for commercial and political purposes, these regulations safeguard individuals’ actions in the online world. From searching for a new pair of trousers to booking a hotel online, the GDPR outlines how your data should be collected, stored and processed.
What’s the problem with Google Analytics and the GDPR?
The story of Google Analytics started in July 2020, with a lawsuit against the tech giant by the NOYB.
This nonprofit organisation’s full name is the European Center for Digital Rights, but due to their snappy tagline, ‘My privacy is None of Your Business’, they are more commonly known as NOYB.
Founded in 2017 to fight for the right to privacy, they have plenty of experience in filing lawsuits against companies not complying with the GDPR.
The NOYB’s lawsuit against Google Analytics argued that the tech company violates the GDPR because of its data transfer to the US.
Google, like many tech companies, qualifies as an ‘electronic communication service provider’ in the US. So if the US intelligence service asks Google to disclose its data, Google is obliged to hand it over. One of the principles of the GDPR, however, states the importance of security in data protection.
NOYB stated that the personal data of EU citizens were insufficiently protected when transferred across the pond. They won the case, and the lawsuit and ruling that followed became known as Schrems II.
Which countries have taken action against Google Analytics?
It took until the beginning of this year for Data Protection Agencies of EU member states to take action. Austria (DSB) was the first country to rule the use of Google Analytics in violation of the GDPR. The ruling in Austria has led to a chain reaction of investigations by other Data Protection Agencies across EU member states. It is expected that most of them will reach the same conclusion.
So far, the French (CNIL) were the first to follow suit, and Italy (Garante) banned Google Analytics only a month ago. In addition, Denmark (Datatilsynet) stopped using Google Workspace for schools, such as Gmail, Google Calendar, Google Drive, and lightweight Chromebooks. This measure was taken after a negative risk assessment of Google’s personal data protection processes. It is unclear if a ban for businesses, in general, will follow, but it’s a first step towards having Google’s powerful grip on data broken.
What does the future hold for transatlantic data transfer?
After France (CNIL) banned Google Analytics, the EU and US announced an agreement regarding transferring personal data between both continents, coined Privacy Shield 2.0. However, it quickly became apparent that a ‘real’ agreement was still far away.
The announcement was merely a political one with no legal merit. An official legal document hasn’t yet been published.
First, a legal document needs to be drafted and analysed by lawyers. Then, the EDPB (European Data Protection Board) will also need to review it, and the European Commission has to make an ‘adequacy decision’ on it.
In addition, US President Biden needs to sign an executive order. This procedure can only begin when there is a legal document to analyse first. After everything is signed, the agreement must be formally passed before it applies to organisations.
The announcement made it seem that an agreement concerning data transfer across the Atlantic was very close, but we’re still far away from one that is valid. In the meantime, continuing to use Google Analytics is against EU law.
What are the alternatives to Google Analytics?
The next Google Analytics: Google Analytics 4
Countries are coming down hard on Google Analytics, and the tech giant faces an uncertain future. Even though it is slowly phasing out Universal Analytics in favour of Google Analytics 4, it doesn’t have a permanent solution yet.
In their statement, Google noted that a changing business environment and a demand for more privacy are the main drivers behind the choice for Google Analytics 4. However, Google acknowledges that how they track website visitors across the internet is not sustainable.
If you dig deeper, Google Analytics 4 will still face the same problems as Universal Analytics as data is transferred from Europe to the US. The main difference is that Google Analytics 4 will anonymise IP addresses. This does not solve the problem as Google can enrich anonymised IP addresses with other metrics to single out individual users.
Ethical data collection: Simple Analytics
Simple Analytics, an Empathy.co partner, takes a different approach. It does not collect any personal data (not even anonymised) and is cookieless-by-design (so no need for an annoying cookie banner on your website). They can still provide businesses with the website data they need while being 100% GDPR compliant.
The biggest difference is that Simple Analytics takes a helicopter view. You can still see everything happening on your website, but not on an individual level. To evaluate if Simple Analytics might be a solution, you could ask yourself the question: ‘What data is crucial for me to run my business?’
Did you know that 9 out of 10 companies can navigate their business without tracking individual website visitors? This means you probably can too. If we all want to take privacy seriously, we need a mind shift from ‘collecting everything possible’ to ‘only collecting what we need, in an ethical way’.