Does Google Analytics Violate GDPR?
As Italy becomes the latest in a growing line of EU countries to question the use of Google Analytics on privacy grounds, Reflectiz asks the critical question: can you use trackers, scripts and third parties and remain compliant?
An increasing number of EU countries are speaking out against Google Analytics, holding that the popular web analytics service, used to track and report on website traffic, is in violation of the General Data Protection Regulation (GDPR).
Most recently, Italy’s Garante, its data protection authority, has ruled that a web publisher’s use of the Google Analytics tool is non-compliant because user data is transferred to the United States. According to the Garante, the lack of adequate privacy laws in the US means that the data is not protected to a high enough standard to be considered compliant with GDPR.
Italy: The Latest, but Not the First
Earlier this year, other government bodies in Europe also spoke out against Google Analytics. Most notably, Austria’s Data Protection Authority found that Google Analytics does not comply with GDPR, ruling on a model complaint put forward by Noyb, the European Center for Digital Rights.
Noyb stands for “none of your business” and has filed 100 model complaints since the groundbreaking Schrems II ruling, which states that any transfer of data to US providers falling under FISA 702 and EO 12333 violates the international data transfer rules laid down in the GDPR. In short, since 2020, US companies can no longer rely on the Privacy Shield framework to assume GDPR compliance.
The National Commission for Informatics and Liberty (CNIL) in France quickly followed Austria’s lead, commenting “Though Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services. There is therefore a risk for French website users who use this service and whose data is exported.”
Google Analytics is just one example. In Germany this year, a company was fined for non-compliance with GDPR merely for embedding Google Fonts into its website without obtaining adequate permission from the user. Loading the fonts transmitted the user’s IP address to Google, which the court called a “loss of control over personal data to Google”, agreeing that the user’s privacy rights had been violated.
What Exactly is Google Analytics Doing?
When a company uses a tracker like Google Analytics, or any third-party digital application or script, on its website, it gives that third party a great deal of control and access. Google Analytics, for example, may have visibility into how a user interacts with the website, which individual pages were visited, the IP addresses of any devices that access your company’s website, specifics of the browser, operating system or device being used, and granular information such as screen resolution, language, and exactly when the website was visited and by whom.
This is usually done to “tag” the user’s interests and beliefs so that these can then be used to provide customized content such as advertising or promotions that might be relevant to the end user. Because these trackers are installed on millions of websites around the world, the third party is able to build a surveillance network that follows the user across whatever they do online.
Even if a website visitor never clicks on anything on your website and never makes a purchase, their information can still be shared. Although the sharing is done by the third party, in this case Google Analytics, the business is likely to be considered a joint data controller of this information. For businesses in the EU, you may be violating GDPR simply by hosting a third-party app or script on your website. For those in the US who do global business and have European customers, protecting this data is just as important, as you are the data receiver.
How Should Businesses React?
Max Schrems, Honorary Chair of Noyb commented that many companies do not take this risk seriously. “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”
US companies that are the data receiver may need to consider hosting EU data outside of the United States altogether, even if that means separating certain operations by where the data originates.
For EU companies that will be held responsible as joint data controllers, and for US companies that collect EU visitor data, now is the time to find out which third parties you are welcoming into your website environment. That inventory should cover what data each of them accesses and where it is sent, so that you can show there is a legitimate reason for collecting the data and that it is being used lawfully.
Otherwise, especially if this data is being sent to US data centers, you could be opening yourself up to compliance headaches and penalties for violations, all of which you certainly don’t need.
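A first step toward the inventory described above is a static pass over your own page source that lists every host a browser will contact when rendering it. The following is an added example written for this article, not Reflectiz tooling; the HTML is a constructed page with a Google Analytics gtag loader, a Google Fonts stylesheet and a first-party script, and the measurement ID is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ResourceCollector(HTMLParser):
    """Collect URLs of resources the browser will fetch while rendering the page."""

    # tag -> attribute that names the fetched resource
    WATCH = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.WATCH.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def third_party_hosts(html, site_host):
    """Return {host: [tags]} for every resource served from a host other than the site's own.

    Caveat: this is a static view. Inline scripts (gtag, tag managers) inject further
    requests at runtime, so pair this with a browser network log or CSP reporting.
    """
    parser = ResourceCollector()
    parser.feed(html)
    found = {}
    for tag, url in parser.resources:
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlsplit(url).netloc.lower()
        if not host or host == site_host.lower():
            continue                      # relative path or first-party origin
        found.setdefault(host, []).append(tag)
    return found


# Constructed sample page; G-PLACEHOLDER stands in for a real measurement ID.
SAMPLE_HTML = """
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}</script>
<script src="/static/app.js"></script>
</head><body><img src="https://example.com/logo.png"></body></html>
"""

if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_HTML, "example.com").items():
        print(f"{host}: loaded via {', '.join(tags)}")
```

Every host the function reports is a data destination you must be able to explain, starting with whether the personal data it receives (at minimum the visitor's IP address) leaves the EU.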