Is Google Analytics GDPR compliant?


Published on Feb 15, 2023 and edited on Apr 16, 2024 by Carlo Cilento

You have probably heard about Google Analytics' legal issues with the GDPR. Privacy watchdogs are taking a hard stance on Google Analytics, marketers all over Europe are panicking, and Google is telling everyone that everything will be OK. The Internet is filled to the brim with information on how to make your website GDPR-compliant. It can all be confusing, so here’s an overview of what’s going on with Google Analytics.

  1. What is the deal with Google Analytics?
  2. What did the decisions say about Google Analytics exactly?
  3. What about IP anonymization?
  4. What about Google Analytics 4?
  5. What about Google Analytics for Firebase?
  6. Will Google solve the issue?
  7. What about the new data transfer agreement?
  8. What can I do to make Google Analytics compliant?
  9. Are there other privacy risks related to Google Analytics?
  10. Google Analytics alternatives
  11. Decide to stick with Google Analytics?
  12. Final Thoughts

What is the deal with Google Analytics?

Google Analytics needs personal data to work. Here is how: when you consent to a cookie banner, your personal data are collected and sent to Google Ireland. Then, Google Ireland sends the data to Google in the US for processing. Lastly, the parent company works its algorithmic magic and provides the website with insights into user behavior.

So we have an extra-EU data transfer involving three actors: the website, Google Ireland, and Google in the US.

The GDPR laid out strict data transfer rules to ensure that personal data can only leave the EU safely. Unfortunately, this cannot be done in the case of Google Analytics. This is independent of Google: the company is subject to US legislation allowing extensive surveillance over foreign data, including the data of European users.


Surveillance is at the center of the legal issues surrounding data transfers. US surveillance law is why the EU Court of Justice invalidated two data transfer frameworks between the EU and the US in the famous Schrems I and II rulings. And more recently, privacy NGO noyb started a legal battle against both Google Analytics and Facebook Connect over data transfers by filing 101 identical complaints to many European authorities.

The strategy has been paying off so far. Authorities coordinated their response at a European level. As a result, the supervisory authorities of Austria, France, Italy, and Finland ruled against Google Analytics. Additionally, the Norwegian authority found the use of Google Analytics to be illegal in a preliminary conclusion (the case is still pending), and Denmark endorsed the same position in a press release. With coordination at a European level, and the influential French and Italian authorities leading the way, other decisions are likely to follow.

Last but not least, Facebook's data transfers were suspended (and Meta Ireland was hit by a record €1.2 billion fine, too). This happened for the same exact legal issues that plague Google Analytics: the impossibility of complying with Schrems II. You can learn more about this important decision on our blog.


What did the decisions say about Google Analytics exactly?

Many websites and news outlets report that Google Analytics has been banned or declared illegal in certain countries. Is this true?

In every decision, an authority ordered a specific website to stop using Google Analytics because it found that its data transfers lacked sufficient safeguards for personal data. In theory, a different website could implement stronger safeguards for personal data and use Google Analytics lawfully and securely. But theory is the keyword here. In practice, implementing safeguards is difficult for many services and impossible for Google Analytics.

Google Analytics uses cookies to track users. Those cookies contain unique IDs that identify each user and therefore qualify as personal data. So the only way to use Google Analytics in a GDPR-compliant manner is to anonymize that data, but that’s precisely the data Google Analytics needs the most! You could use Google Analytics lawfully by running it server-side and anonymizing all personal data, but that would cripple Google Analytics’ performance. It’s an expensive solution that yields poor results.

So, for all practical purposes, decisions against Google Analytics amount to a nationwide ban. And we already have such decisions for several countries, including France and Italy, two key national markets in the EU.


What about IP anonymization?

Universal Analytics includes an option to anonymize IP addresses, but this is not the default option. Google Analytics 4 is better in this regard and anonymizes IP addresses automatically.

Unfortunately, Google Analytics’ IP anonymization option does not make Google Analytics GDPR compliant. European authorities found that Google’s IP masking technique is rather weak and does not meet the GDPR’s standards for anonymization. Besides, Google Analytics cookies are still personal data under the GDPR regardless of IP anonymization. So anonymizing IP addresses does not solve the core legal issue of the transfer of personal data.
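To make the two points above concrete (a masked IP address is only weakly anonymized, and the cookie ID survives masking untouched), here is an added Python example. It is not code from the original post and not Google's code: it assumes the masking is last-octet truncation for IPv4 and a /48 truncation for IPv6, which is the common form of "IP anonymization", and it uses constructed sample hits with a `_ga`-style cookie value in the `GA1.<n>.<random>.<timestamp>` shape. The example shows that masking leaves an anonymity set of only 256 IPv4 addresses, and that hits from different masked addresses are still trivially linked to one person through the cookie client ID.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample hits, not real traffic. Two hits from different IPv4
# addresses carry the same _ga client ID; a third comes from an IPv6 address.
SAMPLE_HITS = [
    {"ip": "203.0.113.57", "cookie": "_ga=GA1.2.1234567890.1700000000", "path": "/pricing"},
    {"ip": "203.0.113.201", "cookie": "_ga=GA1.2.1234567890.1700000000", "path": "/checkout"},
    {"ip": "2001:db8:85a3::8a2e:370:7334", "cookie": "_ga=GA1.2.9876543210.1700000500", "path": "/"},
]


def mask_ip(ip: str) -> str:
    """Model of truncation-style IP masking (assumption: last octet for IPv4,
    last 80 bits for IPv6). Returns the network address that remains."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymity_set_size(ip: str) -> int:
    """How many original addresses map to the same masked value.
    For IPv4 last-octet truncation this is just 2**8 = 256."""
    addr = ipaddress.ip_address(ip)
    return 2 ** 8 if addr.version == 4 else 2 ** 80


def client_id_from_cookie(cookie: str) -> Optional[str]:
    """Extract the persistent client ID from a _ga cookie of the form
    GA1.<depth>.<random>.<first-visit timestamp>. Masking the IP never touches it."""
    match = re.search(r"_ga=GA1\.\d+\.(\d+\.\d+)", cookie)
    return match.group(1) if match else None


def link_hits(hits: List[dict]) -> Dict[str, List[dict]]:
    """Group hits by cookie client ID after IP masking. If the groups still
    reconstruct a person's browsing path, masking alone did not anonymize the data."""
    sessions: Dict[str, List[dict]] = {}
    for hit in hits:
        cid = client_id_from_cookie(hit["cookie"])
        if cid is None:
            continue  # no GA cookie: nothing to link on
        sessions.setdefault(cid, []).append(
            {"masked_ip": mask_ip(hit["ip"]), "path": hit["path"]}
        )
    return sessions


if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        print(hit["ip"], "->", mask_ip(hit["ip"]), "candidates:", anonymity_set_size(hit["ip"]))
    for cid, path in link_hits(SAMPLE_HITS).items():
        print("client", cid, "visited", [p["path"] for p in path])
```

Running it shows `203.0.113.57` and `203.0.113.201` both masked to `203.0.113.0` (256 candidate addresses each), while the client ID `1234567890.1700000000` still ties the `/pricing` and `/checkout` hits to one visitor. That is the defender's takeaway: a privacy review has to look at every identifier in the hit, not only the IP field.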

What about Google Analytics 4?

Is it more privacy-friendly than Universal Analytics? Yes. Is it GDPR compliant? Probably not. We don’t have any decisions on Google Analytics 4, but the new version does not solve the crucial legal issues with data transfers.

Google Analytics 4 shows some improvements compared to Universal Analytics. Google Analytics 4 revolves around first-party cookies, which are less invasive than third-party cookies. Additionally, IP anonymization is always enabled, and the IP address is not collected by Google. But upon close examination, Google Analytics 4 suffers from the same compliance issues because it still relies on cookies, and cookies are personal data. The changes are welcome but do not solve the legal issue.

What about Google Analytics for Firebase?

It’s a safe bet that Firebase suffers from the same legal issues as Google Analytics. Much like Google Analytics, Google Analytics for Firebase uses cookies with unique identifiers, which are personal data under the GDPR. It also processes other personal data, including invasive identifiers for mobile devices. All these data are processed on Google’s infrastructure because Google owns Firebase.

Will Google solve the issue?

They won’t because there is no easy fix. Google cannot solve this by tweaking its processing terms. If intelligence agencies request the data, Google must hand them over under US legislation.

At the moment, the only solution is moving the processing of European data to the EU directly, like Microsoft is starting to do with its EU Data Boundary program. Of course, this is an expensive solution that requires some beefy infrastructure in Europe. Google never announced a similar program and likely has no intention to invest in data localization.

What about the new data transfer agreement?

After long negotiations, the US and the EU agreed on a new data transfer framework (the Trans-Atlantic Data Privacy Framework). The European Commission is in the process of implementing it in EU law through an adequacy decision: an act that examines the privacy framework of another country and essentially “greenlights” that country as a safe destination for data transfers.

The adequacy decision will likely pass the vote, but that won’t be the end of the story. The Commission can only issue an adequacy decision when a country’s privacy framework can ensure that the data are safe. It cannot issue an adequacy decision for the US just because it likes them or because Europe badly needs its service providers. The new adequacy decision will surely be challenged in the EU Court of Justice because US law does not ensure a sufficient level of protection for European data.

The Court already invalidated two data transfer frameworks for this reason and might do it again in the upcoming Schrems III case. The new framework is complex and it’s hard to say how things will play out, but for the moment, the future of data transfers remains uncertain.

What can I do to make Google Analytics compliant?

You can’t really do anything to protect personal data from US surveillance. You either switch to a different tool for web analytics or accept some degree of compliance risk.

Are there other privacy risks related to Google Analytics?

More than we can count. Google is one of the least privacy-friendly companies out there. It makes a fortune from tracking Internet users, collecting enormous amounts of personal data about them, and building behavioral profiles for targeted advertising.

Google Analytics is a crucial part of Google’s business, but it’s not the only way it extracts data. Popular services such as Search, Maps, and YouTube provide Google with enormous amounts of data. Every mail sent or received through Gmail is processed for profiling, and users who log into their Gmail account in their browser are tracked across websites. Even Android tracks users. This unimaginable amount of personal data is pooled together and used for profiling and prediction to infer even more personal data without needing to collect them.

Of course, Google swears it takes your privacy seriously and promises it is working to offer you more and more privacy in the future. But things will not change, because the invasion of your privacy is not a side effect of their business model: it is their business model.

Google Analytics alternatives

You can stick to Google Analytics and hope you don’t get in trouble, or you can move to a privacy-friendly, EU-based alternative like Simple Analytics (Yes, I know that’s us).

We are definitely not the only ones in the space. There are many alternatives to Google Analytics, such as Matomo, Pirsch & Fathom. They are all more privacy-friendly than Google.

The same goes for us (Simple Analytics). We designed Simple Analytics in a way that provides all the insights you need without collecting any personal data at all. This makes our tool 100% compliant with any privacy regulation, including the GDPR. We are based in the Netherlands and don’t transfer data outside the EU. You can also import your historical data from Google Analytics! If this sounds good to you, feel free to check us out!

Decide to stick with Google Analytics?

If you decide to stick to Google Analytics, things are not looking great. Universal Analytics will be phased out by 2024, so if you are using it, you will need to switch to Google Analytics 4 as soon as possible. You will lose your Universal Analytics historical data in the process, as Google Analytics 4 offers no import function for most of the data collected by Universal Analytics (Simple Analytics does).

To minimize risk, your website should include a clear, comprehensive cookie policy. This is easier said than done. A good cookie policy must provide a lot of information while being short and readable. We have some suggestions on our blog, but of course, you need to find something that works for you and considers the data you collect and the policies you have in place.

Finally, you should be careful with your cookie banners. There are signs of a possible EU-wide crackdown on non-compliant cookie banners (we wrote about this on our blog). Ensure your cookie banners are transparent and present users with a visible and easily accessible “reject all” button (or a clearly-worded option to that effect). This will likely lead to more users rejecting cookies and impact the performance of Google Analytics on your website. People don’t like being tracked and will often say “no thanks” when presented with a transparent choice.

Final Thoughts

Google Analytics is a compliance risk for your business (ethics aside). In theory, it’s still debatable whether or not it's considered illegal in the EU, but continuing to use Google Analytics (even GA4) is a risk. Even if you decide to take this risk, you must ensure your cookie banners are 100% compliant. You need a good cookie policy, which is easier said than done. In addition, you need to familiarize yourself with Google Analytics 4 and switch to it as soon as possible, as Google is sunsetting Universal Analytics.

You can also choose to ditch Google Analytics altogether. Multiple tools provide the insights you need to track your website performance without taking any compliance risks. Deleting Google Analytics is easy, as is switching to a privacy-friendly solution. Don't know where to start? Let the folks at New Metrics help you out with independent advice, or give Simple Analytics a spin to see if you like it.

The choice is yours!
