[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-slug_blog_3_1":3,"blog-slug_blog_cnil-update-google-analytics-is-still-illegal_1000_1":40},{"article":4,"articles":15,"meta":33,"languages":39},{"id":5,"title":6,"excerpt":7,"locale":8,"slug":9,"authorSlug":10,"automaticTranslated":11,"publishedAt":12,"updatedAt":13,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3060,"The EU wants to kill cookie banners","The EU wants to end annoying cookie pop-ups by letting users set their consent once in their browser. If passed, websites will have to respect those choices.","en","the-eu-wants-to-kill-cookie-banners-by-moving-consent-to-your-browser","iron-brands",false,"2025-11-20T05:40:14.356Z","2025-11-20T06:13:15.812Z","blog",[4,16,26],{"id":17,"title":18,"excerpt":19,"locale":8,"slug":20,"authorSlug":10,"automaticTranslated":11,"publishedAt":21,"updatedAt":22,"ctaTitle":23,"ctaDescription":24,"doFollowLinks":11,"showIndex":25,"showCallToActions":11,"articleType":14},3019,"Google is tracking you (even when you use DuckDuckGo)","Google tracks users even on DuckDuckGo via Analytics and embeds. A new study shows how deep Google’s web tracking really goes.","google-is-tracking-you-even-when-you-use-duck-duck-go","2025-07-14T08:56:41.709Z","2025-07-14T11:26:01.386Z","If you care about privacy, you don't use Google Analytics","Ditch the tracking, keep the insights. Try Simple Analytics.",true,{"id":27,"title":28,"excerpt":29,"locale":8,"slug":30,"authorSlug":10,"automaticTranslated":11,"publishedAt":31,"updatedAt":32,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3018," German court rules Meta’s tracking tech violates GDPR","German court rules Meta’s tracking tech violates GDPR, allowing lawsuits without proof of harm. Big risks ahead for sites using Meta pixels.","german-court-rules-meta-s-tracking-tech-violates-gdpr","2025-07-10T08:20:51.111Z","2025-07-10T12:16:26.327Z",{"pagination":34},{"page":35,"pageSize":36,"pageCount":37,"total":38},1,3,362,1084,{},{"article":41},{"contentHtml":42,"question":43,"content":44,"coverImageWithText":45,"coverImageWithoutText":52,"inlineMedia":57,"id":58,"title":59,"excerpt":60,"locale":8,"slug":61,"authorSlug":10,"automaticTranslated":11,"publishedAt":62,"updatedAt":63,"doFollowLinks":11,"showIndex":25,"showCallToActions":25,"articleType":14,"cover":52,"languages":64},"\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">The Q&A CNIL explicitly mentioned that using Google Analytics still violates GDPR. In addition, it stated that there are no circumstances under which this is not the case.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">In the article at hand, we break down the statements made by CNIL during the Q&A session.\u003C/ContentEditable>\n\u003Cp>\u003Cimg class=\"mx-auto rounded-lg\" src=\"https://assets.simpleanalytics.com/gifs/five-year-old.gif\" />\u003C/p>\n\u003Col class=\"counters\">\u003Cli>\u003CNuxtLink to=\"#schrems-ii-and-the-violation-of-privacy-shield-10\">Schrems II and the violation of Privacy Shield 1.0\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#privacy-shield-20-update\">Privacy Shield 2.0 update\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#conclusion-from-cnil-qa-session\">Conclusion from CNIL Q&A session\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#solutions\">Solutions\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#why-do-we-care\">Why do we care?\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003CCtaTwo />\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">Let's dig in!\u003C/ContentEditable>\n\u003CContentEditable  id=\"schrems-ii-and-the-violation-of-privacy-shield-10\" parent=\"\" tag=\"h2\" :articleId=\"297\">Schrems II and the violation of Privacy Shield 1.0\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">The current situation with Google Analytics has been kicked off by the \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.gdprsummary.com/schrems-ii/?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">Schrems II ruling\u003C/a> that invalidated the privacy shield 1.0. According to the GDPR, data transfers outside the EU are possible only if adequate safeguards can be used. The privacy shield acted as a mechanism to safeguard these data transfers.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">Schrems II invalidated the privacy shield: In short, the EU demands privacy rights for its citizens, which are not adhered to by the U.S. government. By law, Google qualifies as an "electronic communication service provider," meaning that it must disclose data on EU citizens if the U.S. intelligence service asks for it.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">As a response, the DSB (Austrian data protection watchdog) and CNIL stated that the \u003CNuxtLink to=\"/\"  >use of Google Analytics violates GDPR\u003C/NuxtLink> and that EU businesses that continue to use Google Analytics can be fined.\u003C/ContentEditable>\n\u003CContentEditable  id=\"privacy-shield-20-update\" parent=\"\" tag=\"h2\" :articleId=\"297\">Privacy Shield 2.0 update\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">Since then, the U.S and the EU have announced a political agreement that would replace the invalidated privacy shield. We've written about it \u003CNuxtLink to=\"/\"  >here\u003C/NuxtLink> and touched upon the fact that the deal has no legal merit. It was instead a political agreement. There is still no legal document, which will take a while to finalize.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">This was also noted by CNIL during their Q&A session last week. They specifically mentioned that the joint statement is not a legal framework and cannot be relied upon. CNIL expects it may not happen until the end of the year until a deal is finalized. However, when it's finalized, it will almost certainly face fresh legal challenges to see whether it is indeed not just as flawed as Privacy Shield 1.0. To give some perspective, Privacy Shield 1.0 was declared invalid in July 2020. It took until February 2022 for the DSB & CNIL to take proactive enforcement.\u003C/ContentEditable>\n\u003Cp>\u003Cimg src=\"https://assets.simpleanalytics.com/blog/2022-french-data-protection-update-google-analytics-is-still-illegal/handcuffs-no-text.png\" alt=\"CNIL Google Analytics update\">\u003C/p>\n\u003CContentEditable  id=\"conclusion-from-cnil-qa-session\" parent=\"\" tag=\"h2\" :articleId=\"297\">Conclusion from CNIL Q&A session\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">According to the French data protection agency, the main conclusion from the Q&A session is that Google Analytics is still illegal. CNIL also confirmed to have issued formal notices to organizations between the first announcement in February and now. Businesses have one month to comply; otherwise, they will receive a fine.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">CNIL specifically claims that EU websites should make changes to their use of Google Analytics. However, they also stated that, with the information at hand, the use of Google Analytics is under no circumstances legal. Google proposed different solutions to address this. These were all thrown out of the window by CNIL.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">Google confirmed that the data is hosted on U.S. soil, and no change in the eyes of CNIL would prevent the data transfer of personal data. Google proposed two solutions:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>The anonymization of personal data.\u003C/li>\n\u003Cli>The use of unique identifiers\u003C/li>\n\u003C/ul>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">CNIL discarded both as Google could not demonstrate that data anonymization happened before data transfer to the U.S. The use of unique identifiers was also insufficient as the unique identifiers could be combined with other data.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">In addition, CNIL notes that Google is offering more solutions that track IP addresses, meaning these services allow IP addresses to be cross-checked and thus trace the users' browsing history. They also addressed that data encryption won't be sufficient as long a Google has the encryption keys, allowing them to access personal data if they want to.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">From the above, we can assume that fines will likely be stepping up. The fact that there are no circumstances under which Google Analytics can be used legally makes for straightforward guidelines. Therefore, enforcement of the ruling has never been easier.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">There is a debate going on whether this only applies to the current version of Google Analytics (universal analytics). The short answer is that is applies to every version and setup of Google Analytics, so also to the newest version Google Analytics 4. We've written about this more extensively in \u003CNuxtLink to=\"/blog/is-google-analytics-4-gdpr-compliant\"  >this blog\u003C/NuxtLink>.\u003C/ContentEditable>\n\u003CContentEditable  id=\"solutions\" parent=\"\" tag=\"h2\" :articleId=\"297\">Solutions\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">The first proposed solution was data encryption, where the key to decrypt the data should be in the hands of the data exporter (or a trusted third party based in the EU). This way, the data of EU citizens are protected from being handed to the U.S. intelligence service.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">Another alternative would be the use of a proxy server. This way, there is no direct contact between the data exporter and Google, as the proxy server would act as an intermediary.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">The last proposed option would be to ask for explicit consent from users for data transfers. However, this is not a viable fix as it would be a horror to request this to every visitor on every visit. So this might only work under exceptional circumstances.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">However, implementing the above solutions might be costly, and the question arises whether these will also meet the operational needs.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">If all of this seems subpar to you and you don't want to deal with GDPR hassle anymore, there are privacy-friendly alternatives to Google Analytics. \u003CNuxtLink to=\"https://simpleanalytics.com/\"  referrerpolicy=\"unsafe-url\" rel=\"\">Simple Analytics\u003C/NuxtLink> is one of them. Before shamelessly plugging our solutions as the best solution, we've reviewed all the \u003CNuxtLink to=\"/\"  >privacy-friendly alternatives\u003C/NuxtLink> and found four solutions you might want to check out.\u003C/ContentEditable>\n\u003CContentEditable  id=\"why-do-we-care\" parent=\"\" tag=\"h2\" :articleId=\"297\">Why do we care?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"297\">We are an independent team of two that care about privacy and believe the future of web analytics is \u003CNuxtLink to=\"/\"  >cookieless by design\u003C/NuxtLink>. If you are ready to ditch Google Analytics and want to check out what we've built, feel free to \u003CNuxtLink to=\"/signup\"  >give us a try\u003C/NuxtLink>.\u003C/ContentEditable>\n","Is Google Analytics illegal in France?","The Q&A CNIL explicitly mentioned that using Google Analytics still violates GDPR. In addition, it stated that there are no circumstances under which this is not the case.\n\nIn the article at hand, we break down the statements made by CNIL during the Q&A session.\n\n{% include gif.html slug=\"five-year-old\" alt=\"five year old\" width=\"480\" height=\"400\" color=\"#574840\" %}\n\n{{tableofcontents}}\n\nLet's dig in!\n\n## Schrems II and the violation of Privacy Shield 1.0\n\nThe current situation with Google Analytics has been kicked off by the [Schrems II ruling](https://www.gdprsummary.com/schrems-ii/) that invalidated the privacy shield 1.0. According to the GDPR, data transfers outside the EU are possible only if adequate safeguards can be used. The privacy shield acted as a mechanism to safeguard these data transfers.\n\nSchrems II invalidated the privacy shield: In short, the EU demands privacy rights for its citizens, which are not adhered to by the U.S. government. By law, Google qualifies as an \"electronic communication service provider,\" meaning that it must disclose data on EU citizens if the U.S. intelligence service asks for it.\n\nAs a response, the DSB (Austrian data protection watchdog) and CNIL stated that the [use of Google Analytics violates GDPR](/blog/france-rules-google-analytics-to-be-in-conflict-with-gdpr-ruling) and that EU businesses that continue to use Google Analytics can be fined.\n\n## Privacy Shield 2.0 update\n\nSince then, the U.S and the EU have announced a political agreement that would replace the invalidated privacy shield. We've written about it [here](/blog/eu-us-privacy-shield-2-0-is-again-a-political-show) and touched upon the fact that the deal has no legal merit. It was instead a political agreement. There is still no legal document, which will take a while to finalize.\n\nThis was also noted by CNIL during their Q&A session last week. They specifically mentioned that the joint statement is not a legal framework and cannot be relied upon. CNIL expects it may not happen until the end of the year until a deal is finalized. However, when it's finalized, it will almost certainly face fresh legal challenges to see whether it is indeed not just as flawed as Privacy Shield 1.0. To give some perspective, Privacy Shield 1.0 was declared invalid in July 2020. It took until February 2022 for the DSB & CNIL to take proactive enforcement.\n\n![CNIL Google Analytics update](https://assets.simpleanalytics.com/blog/2022-french-data-protection-update-google-analytics-is-still-illegal/handcuffs-no-text.png)\n\n## Conclusion from CNIL Q&A session\n\nAccording to the French data protection agency, the main conclusion from the Q&A session is that Google Analytics is still illegal. CNIL also confirmed to have issued formal notices to organizations between the first announcement in February and now. Businesses have one month to comply; otherwise, they will receive a fine.\n\nCNIL specifically claims that EU websites should make changes to their use of Google Analytics. However, they also stated that, with the information at hand, the use of Google Analytics is under no circumstances legal. Google proposed different solutions to address this. These were all thrown out of the window by CNIL.\n\nGoogle confirmed that the data is hosted on U.S. soil, and no change in the eyes of CNIL would prevent the data transfer of personal data. Google proposed two solutions:\n\n- The anonymization of personal data.\n- The use of unique identifiers\n\nCNIL discarded both as Google could not demonstrate that data anonymization happened before data transfer to the U.S. The use of unique identifiers was also insufficient as the unique identifiers could be combined with other data.\n\nIn addition, CNIL notes that Google is offering more solutions that track IP addresses, meaning these services allow IP addresses to be cross-checked and thus trace the users' browsing history. They also addressed that data encryption won't be sufficient as long a Google has the encryption keys, allowing them to access personal data if they want to.\n\nFrom the above, we can assume that fines will likely be stepping up. The fact that there are no circumstances under which Google Analytics can be used legally makes for straightforward guidelines. Therefore, enforcement of the ruling has never been easier.\n\nThere is a debate going on whether this only applies to the current version of Google Analytics (universal analytics). The short answer is that is applies to every version and setup of Google Analytics, so also to the newest version Google Analytics 4. We've written about this more extensively in [this blog](https://www.simpleanalytics.com/blog/is-google-analytics-4-gdpr-compliant).\n\n## Solutions\n\nThe first proposed solution was data encryption, where the key to decrypt the data should be in the hands of the data exporter (or a trusted third party based in the EU). This way, the data of EU citizens are protected from being handed to the U.S. intelligence service.\n\nAnother alternative would be the use of a proxy server. This way, there is no direct contact between the data exporter and Google, as the proxy server would act as an intermediary.\n\nThe last proposed option would be to ask for explicit consent from users for data transfers. However, this is not a viable fix as it would be a horror to request this to every visitor on every visit. So this might only work under exceptional circumstances.\n\nHowever, implementing the above solutions might be costly, and the question arises whether these will also meet the operational needs.\n\nIf all of this seems subpar to you and you don't want to deal with GDPR hassle anymore, there are privacy-friendly alternatives to Google Analytics. [Simple Analytics](https://simpleanalytics.com/) is one of them. Before shamelessly plugging our solutions as the best solution, we've reviewed all the [privacy-friendly alternatives](/blog/4-privacy-friendly-google-analytics-alternatives) and found four solutions you might want to check out.\n\n## Why do we care?\n\nWe are an independent team of two that care about privacy and believe the future of web analytics is [cookieless by design](/blog/website-analytics-without-cookies). If you are ready to ditch Google Analytics and want to check out what we've built, feel free to [give us a try](https://www.simpleanalytics.com/signup).\n",{"alt":46,"caption":47,"small":48,"medium":49,"large":50,"original":51,"averageColorHex":-1,"isDark":11},"Google Analytics Illegal In Fance.png",null,"https://cms-assets.simpleanalytics.com/small_google_analytics_illegal_in_fance_text_d9db9ce6ba.png","https://cms-assets.simpleanalytics.com/medium_google_analytics_illegal_in_fance_text_d9db9ce6ba.png","https://cms-assets.simpleanalytics.com/large_google_analytics_illegal_in_fance_text_d9db9ce6ba.png","https://cms-assets.simpleanalytics.com/google_analytics_illegal_in_fance_text_d9db9ce6ba.png",{"alt":46,"caption":47,"small":53,"medium":54,"large":55,"original":56,"averageColorHex":-1,"isDark":11},"https://cms-assets.simpleanalytics.com/small_google_analytics_illegal_in_fance_no_text_99240f67a4.png","https://cms-assets.simpleanalytics.com/medium_google_analytics_illegal_in_fance_no_text_99240f67a4.png","https://cms-assets.simpleanalytics.com/large_google_analytics_illegal_in_fance_no_text_99240f67a4.png","https://cms-assets.simpleanalytics.com/google_analytics_illegal_in_fance_no_text_99240f67a4.png",{"data":47},297,"CNIL Update: Google Analytics is (still) illegal","CNIL provided a Q&A on the statement made that Google Analytics violates GDPR","cnil-update-google-analytics-is-still-illegal","2022-06-16T00:00:00.000Z","2025-02-13T12:09:23.737Z",{"en":65,"de":66,"fr":68,"it":70,"es":72,"nl":74},{"slug":61},{"slug":67},"cnil-update-google-analytics-ist-noch-illegal",{"slug":69},"mise-a-jour-de-la-cnil-google-analytics-est-toujours-illegal",{"slug":71},"aggiornamento-cnil-google-analytics-e-ancora-illegale",{"slug":73},"actualizacion-de-la-cnil-google-analytics-es-todavia-ilegal",{"slug":75},"cnil-update-google-analytics-is-nog-steeds-illegaal"]