[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-slug_blog_3_1":3,"blog-slug_blog_is-google-analytics-gdpr-compliant_1000_1":40},{"article":4,"articles":15,"meta":33,"languages":39},{"id":5,"title":6,"excerpt":7,"locale":8,"slug":9,"authorSlug":10,"automaticTranslated":11,"publishedAt":12,"updatedAt":13,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3060,"The EU wants to kill cookie banners","The EU wants to end annoying cookie pop-ups by letting users set their consent once in their browser. If passed, websites will have to respect those choices.","en","the-eu-wants-to-kill-cookie-banners-by-moving-consent-to-your-browser","iron-brands",false,"2025-11-20T05:40:14.356Z","2025-11-20T06:13:15.812Z","blog",[4,16,26],{"id":17,"title":18,"excerpt":19,"locale":8,"slug":20,"authorSlug":10,"automaticTranslated":11,"publishedAt":21,"updatedAt":22,"ctaTitle":23,"ctaDescription":24,"doFollowLinks":11,"showIndex":25,"showCallToActions":11,"articleType":14},3019,"Google is tracking you (even when you use DuckDuckGo)","Google tracks users even on DuckDuckGo via Analytics and embeds. A new study shows how deep Google’s web tracking really goes.","google-is-tracking-you-even-when-you-use-duck-duck-go","2025-07-14T08:56:41.709Z","2025-07-14T11:26:01.386Z","If you care about privacy, you don't use Google Analytics","Ditch the tracking, keep the insights. Try Simple Analytics.",true,{"id":27,"title":28,"excerpt":29,"locale":8,"slug":30,"authorSlug":10,"automaticTranslated":11,"publishedAt":31,"updatedAt":32,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3018," German court rules Meta’s tracking tech violates GDPR","German court rules Meta’s tracking tech violates GDPR, allowing lawsuits without proof of harm. Big risks ahead for sites using Meta pixels.","german-court-rules-meta-s-tracking-tech-violates-gdpr","2025-07-10T08:20:51.111Z","2025-07-10T12:16:26.327Z",{"pagination":34},{"page":35,"pageSize":36,"pageCount":37,"total":38},1,3,362,1084,{},{"article":41},{"contentHtml":42,"question":43,"content":44,"coverImageWithoutText":45,"inlineMedia":53,"id":210,"title":211,"excerpt":212,"locale":8,"slug":213,"authorSlug":214,"automaticTranslated":25,"publishedAt":215,"updatedAt":216,"doFollowLinks":25,"showIndex":25,"showCallToActions":25,"articleType":14,"cover":45,"languages":217},"\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">You probably heard about Google Analytics' legal issues with the GDPR. Privacy watchdogs are taking a hard stance on Google Analytics, marketers all over Europe are panicking, and Google is telling everyone that everything will be ok. The Internet is filled to the brim with information on how to make your website GDPR-compliant. It can all be confusing, so here’s an overview of \u003Cstrong>what’s going on with Google Analytics\u003C/strong>.\u003C/ContentEditable>\n\u003Col class=\"counters\">\u003Cli>\u003CNuxtLink to=\"#what-is-the-deal-with-google-analytics\">What is the deal with Google Analytics?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-did-the-decisions-say-about-google-analytics-exactly\">What did the decisions say about Google Analytics exactly?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-about-ip-anonymization\">What about IP anonymization?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-about-google-analytics-4\">What about Google Analytics 4?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-about-google-analytics-for-firebase\">What about Google Analytics for Firebase?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#will-google-solve-the-issue\">Will Google solve the issue?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-about-the-new-data-transfer-agreement\">What about the new data transfer agreement?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-can-i-do-to-make-google-analytics-compliant\">What can I do to make Google Analytics compliant?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#are-there-other-privacy-risks-related-to-google-analytics\">Are there other privacy risks related to Google Analytics?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#google-analytics-alternatives\">Google Analytics alternatives\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#decide-to-stick-with-google-analytics\">Decide to stick with Google Analytics?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#final-thoughts\">Final Thoughts\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003CCtaOne />\u003CContentEditable  id=\"what-is-the-deal-with-google-analytics\" parent=\"\" tag=\"h2\" :articleId=\"410\">What is the deal with Google Analytics?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">\u003Cstrong>Google Analytics needs personal data to work\u003C/strong>. Here is how: when you consent to a cookie banner, your personal data are collected and sent to Google Ireland. Then, Google Ireland sends the data to Google in the US for processing. Lastly, the parent company works its algorithmic magic and provides the website with insights into user behavior.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">So we have an extra-EU data transfers involving three actors: the website, Google Ireland, and Google.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">The GDPR laid out strict data transfer rules to ensure that personal data can only leave the EU safely. Unfortunately, this cannot be done in the case of Google Analytics. This is independent of Google: the company is subject to US legislation allowing \u003Cstrong>extensive surveillance over foreign data\u003C/strong>, including the data of European users.\u003C/ContentEditable>\n\u003Cp>\u003Cimg src=\"https://cms-assets.simpleanalytics.com/biden_26b5b4a62c.png\" alt=\"biden.png\">\u003C/p>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Surveillance is at the center of the legal issues surrounding data transfers. US surveillance law is why the EU Court of Justice \u003Cstrong>invalidated two data transfer frameworks\u003C/strong> between the EU and the US in the famous Schrems I and II rulings. And more recently, privacy NGO noyb started a legal battle against both Google Analytics and Facebook Connect over data transfers by filing 101 identical complaints to many European authorities.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">The strategy has been paying off so far. Authorities \u003Cstrong>coordinated their response at a European level\u003C/strong>. As a result, the supervisory authorities of \u003Ca referrerpolicy=\"unsafe-url\" href=\"https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-analytics-illegal?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener\">Austria\u003C/a>, \u003CNuxtLink to=\"/blog/france-rules-google-analytics-to-be-in-conflict-with-gdpr-ruling\"  >France\u003C/NuxtLink>, \u003CNuxtLink to=\"/blog/italy-declares-google-analytics-illegal\"  >Italy\u003C/NuxtLink>, and \u003CNuxtLink to=\"/blog/finland-is-latest-eu-country-to-crack-down-on-google-analytics\"  >Finland\u003C/NuxtLink> \u003Cstrong>ruled against Google Analytics\u003C/strong>. Additionally, the Norwegian authority also found the use of Google Analytics to be illegal \u003CNuxtLink to=\"/blog/norway-takes-a-stance-against-google-analytics\"  >in a preliminary conclusion\u003C/NuxtLink> (the case is yet pending), and \u003Ca referrerpolicy=\"unsafe-url\" href=\"https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/sep/brug-af-google-analytics-til-webstatistik?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener\">Denmark endorsed the same position\u003C/a> in a press release. With coordination at a European level, and the influential French and Italian authorities leading the way, \u003Cstrong>other decisions are likely to follow\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Last but not least, Facebook's data transfers were suspended (and Meta Ireland was hit by a record €1.2 \u003Cem>billion\u003C/em> fine, too). This happened for the same exact legal issues that plague Google Analytics: \u003Cstrong>the impossibility of complying with Schrems II\u003C/strong>. You can learn more about this important decision \u003CNuxtLink to=\"/blog/meta-hit-with-record-breaking-1-3-billion-fine-over-facebook-data-transfers-to-the-us#the-decision\"  >on our blog\u003C/NuxtLink>.\u003C/ContentEditable>\n\u003Cp>\u003Cimg src=\"https://cms-assets.simpleanalytics.com/US_EU_Cables_82cac8c34d.png\" alt=\"US_EU_Cables.png\">\u003C/p>\n\u003CContentEditable  id=\"what-did-the-decisions-say-about-google-analytics-exactly\" parent=\"\" tag=\"h2\" :articleId=\"410\">What did the decisions say about Google Analytics exactly?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Many websites and news outlets report that Google Analytics has been banned or declared illegal in certain countries. Is this true?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">In every decision, an authority ordered a specific website to stop using Google Analytics because it found that its data transfers lacked sufficient \u003Cstrong>safeguards\u003C/strong> for personal data. In theory, a different website could implement stronger safeguards for personal data and use Google Analytics lawfully and securely. But \u003Cstrong>theory\u003C/strong> is the keyword here. In practice, implementing safeguards is difficult for many services and \u003Cstrong>impossible\u003C/strong> for Google Analytics.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Google Analytics uses cookies to track users. Those cookies contain \u003Cstrong>unique IDs\u003C/strong> to identify each user and qualify as personal data. So the only way to use Google Analytics in a GDPR-compliant manner is anonymizing that data- but that’s precisely the data Google Analytics needs the most! You could use Google Analytics lawfully by running it server-side and anonymizing all personal data, but that would cripple Google Analytics’s performance. \u003Cstrong>It’s an expensive solution that yields poor results\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">So, for all practical purposes, decisions against Google Analytics amount to \u003Cstrong>a nationwide ban\u003C/strong>. And we already have such decisions for several countries, including France and Italy- two \u003Cstrong>key national markets\u003C/strong> in the EU.\u003C/ContentEditable>\n\u003Cp>\u003Cimg src=\"https://cms-assets.simpleanalytics.com/google_lawsuit_b974536c37.png\" alt=\"google-lawsuit.png\">\u003C/p>\n\u003CContentEditable  id=\"what-about-ip-anonymization\" parent=\"\" tag=\"h2\" :articleId=\"410\">What about IP anonymization?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Universal Analytics includes an option to anonymize IP addresses, but this is not the default option. Google Analytics 4 is better in this regard and anonymizes IP addresses automatically.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Unfortunately, \u003Cstrong>Google Analytics’ IP anonymization option does not make Google Analytics GDPR compliant\u003C/strong>. European authorities found that Google’s IP masking technique is rather weak and does not meet the GDPR’s standards for anonymization. Besides, Google Analytics cookies are still personal data under the GDPR regardless of IP anonymization. So anonymizing IP addresses does not solve the core legal issue of the transfer of personal data.\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-about-google-analytics-4\" parent=\"\" tag=\"h2\" :articleId=\"410\">What about Google Analytics 4?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Is it more privacy-friendly than Universal Analytics? Yes. Is it GDPR compliant? Probably not. We don’t have any decisions on Google Analytics 4, but the new version does not solve the crucial legal issues with data transfers.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Google Analytics 4 shows some improvements compared to Universal Analytics. Google Analytics 4 revolves around first-party cookies, which are less invasive than third-party cookies. Additionally, IP anonymization is always enabled, and IP is not collected by Google. But upon close examination, Google Analytics 4 suffers from the \u003Cstrong>same compliance issues\u003C/strong> because it still relies on cookies, and cookies \u003Cstrong>are personal data\u003C/strong>. The changes are welcome but do not solve the legal issue.\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-about-google-analytics-for-firebase\" parent=\"\" tag=\"h2\" :articleId=\"410\">What about Google Analytics for Firebase?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">It’s a safe bet that Firebase suffers from \u003Cstrong>the same legal issues\u003C/strong> as Google Analytics. Much like Google Analytics, Google Analytics for Firebase uses cookies with unique identifiers, which are personal data under the GDPR. It also processes other personal data, including invasive \u003Cstrong>identifiers for mobile devices\u003C/strong>. All these data are \u003Cstrong>processed on Google’s infrastructure\u003C/strong> because Google owns Firebase.\u003C/ContentEditable>\n\u003CContentEditable  id=\"will-google-solve-the-issue\" parent=\"\" tag=\"h2\" :articleId=\"410\">Will Google solve the issue?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">\u003Cstrong>They won’t because there is no easy fix\u003C/strong>. Google cannot solve this by tweaking its processing terms. If intelligence agencies request the data, Google must hand them over under US legislation.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">At the moment, the only solution is moving the processing of European data to the EU directly, like Microsoft is starting to do with its EU Data Boundary Program. Of course this is an expensive solution that requires some beefy infrastructure in Europe. Google never announced a similar program and likely has no intention to invest in data localization.\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-about-the-new-data-transfer-agreement\" parent=\"\" tag=\"h2\" :articleId=\"410\">What about the new data transfer agreement?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">After long negotiations, the US and the EU agreed on a \u003Cstrong>new data transfer framework\u003C/strong> (the Trans Atlantic Data Privacy Framework). The European Commission is in the process of implementing it in EU law through an \u003Cstrong>adequacy decision\u003C/strong>: an act that examines the privacy framework of another country and essentially “greenlights” the country as a safe destination for data transfers.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">The adequacy decision will likely pass the vote, but that won’t be the end of the story. The Commission can only issue an adequacy decision when a country’s privacy framework can ensure that the data are safe. It cannot issue an adequacy decision for the US just because it likes them or because Europe badly needs its service providers. The new adequacy decision will surely be \u003Cstrong>challenged in the EU Court of Justice\u003C/strong> because US law does not ensure a sufficient level of protection for European data.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">The Court already invalidated two data transfer frameworks for this reason and might do it again in the upcoming Schrems III case. The new framework is complex and it’s hard to say how things will play out, but for the moment, the future of data transfers remains uncertain.\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-can-i-do-to-make-google-analytics-compliant\" parent=\"\" tag=\"h2\" :articleId=\"410\">What can I do to make Google Analytics compliant?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">You can’t really do anything to protect personal data from US surveillance. You either switch to a different tool for web analytics or accept some degree of \u003Cstrong>compliance risk\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  id=\"are-there-other-privacy-risks-related-to-google-analytics\" parent=\"\" tag=\"h2\" :articleId=\"410\">Are there other privacy risks related to Google Analytics?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">More than we can count. Google is one of the least privacy-friendly companies out there. It makes a fortune from tracking Internet users, collecting enormous amounts of personal data about them, and building behavioral profiles for targeted advertisement.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Google Analytics is a crucial part of Google’s business, but it’s not the only way it extracts data. Popular services such as Search, Maps, and Youtube provide Google with enormous amounts of data. Every mail sent or received through Gmail is processed for profiling, and users who log into their Gmail account on their browser are tracked across websites. Even Android tracks users. This unimaginable amount of personal data is pooled together and used for profiling and prediction to infer even more personal data without needing to collect them.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Of course, Google swears it takes your privacy seriously and promises it is working to offer you more and more privacy in the future. But things will not change because the invasion of your privacy is not a side effect of their business model- \u003Cstrong>it\u003C/strong> \u003Cstrong>is\u003C/strong> \u003Cstrong>their business model.\u003C/strong>\u003C/ContentEditable>\n\u003CContentEditable  id=\"google-analytics-alternatives\" parent=\"\" tag=\"h2\" :articleId=\"410\">Google Analytics alternatives\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">You can stick to Google Analytics and hope you don’t get in trouble, or you can move to a privacy-friendly, EU-based alternative like Simple Analytics (Yes, I know that’s us).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">We are definitely not the only ones in the space. T\u003Cstrong>here are many alternatives to Google Analytics,\u003C/strong> such as Matomo, Pirsch & Fathom. They are all more privacy-friendly than Google.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">The same goes for us (Simple Analytics). We designed Simple Analytics in a way that provides all the insights you need without collecting any personal data at all. This makes our tool 100% compliant with any privacy regulation, including the GDPR. We are based in the Netherlands and don’t transfer data outside the EU. Also, you can import your historical data from Google Analytics too! If this sounds good to you, feel free to \u003CNuxtLink to=\"https://simpleanalytics.com/simpleanalytics.com\"  referrerpolicy=\"unsafe-url\" rel=\"\">check us out!\u003C/NuxtLink>\u003C/ContentEditable>\n\u003CContentEditable  id=\"decide-to-stick-with-google-analytics\" parent=\"\" tag=\"h2\" :articleId=\"410\">Decide to stick with Google Analytics?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">If you decide to stick to Google Analytics, things are not looking great. Universal Analytics will be phased out by 2024, so if you are using it, you will need to switch to Google Analytics 4 as soon as possible. \u003Cstrong>You will lose your Universal Analytics historical data in the process\u003C/strong>, as Google Analytics 4 offers no import function for most of the data collected by Universal Analytics (Simple Analytics does).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">To minimize risk, your website should include a \u003Cstrong>clear, comprehensive cookie policy\u003C/strong>. This is easier said than done. A good cookie policy must provide a lot of information while being short and readable. We have some suggestions on our blog, but of course, you need to find something that works for you and considers the data you collect and the policies you have in place.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Finally, you should be careful with your cookie banners. There are signs of a possible \u003Cstrong>EU-wide crackdown on non-compliant cookie banners\u003C/strong> (\u003CNuxtLink to=\"/blog/eu-task-force-cracks-down-on-cookie-banners\"  >we wrote about this on our blog\u003C/NuxtLink>). Ensure your cookie banners are transparent and present users with a visible and easily accessible “reject all” button (or a clearly-worded option to that effect). This will likely lead to \u003Cstrong>more users rejecting cookies\u003C/strong> and impact the performance of Google Analytics on your website. People don’t like being tracked and will often say “no thanks” when presented with a transparent choice.\u003C/ContentEditable>\n\u003CContentEditable  id=\"final-thoughts\" parent=\"\" tag=\"h2\" :articleId=\"410\">Final Thoughts\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">Google Analytics is a compliance risk for your business (ethics aside). In theory, it’s still debatable whether or not it's considered illegal in the EU, but continuing to use Google Analytics (even GA4) is a risk. Even if you decide to take this risk, you must ensure your cookie banners are 100% compliant. You need a good cookie policy, which is easier said than done. In addition, you need to familiarize yourself with Google Analytics 4 and switch to it as soon as possible, as Google is sunsetting Universal Analytics.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">You can also choose to ditch Google Analytics altogether. Multiple tools provide the insights you need to track your website performance without taking any compliance risks. \u003CNuxtLink to=\"/blog/how-to-delete-google-analytics-in-4-steps\"  >Deleting Google Analytics\u003C/NuxtLink> is easy, as is switching to a privacy-friendly solution. Don't know where to start? Let the guys at \u003Ca referrerpolicy=\"unsafe-url\" href=\"https://newmetrics.io/?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener\">New Metrics\u003C/a> help you out for independent advice or give Simple Analytics a spin too see if you like it.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"410\">The choice is yours!\u003C/ContentEditable>\n","Is Google Analytics GDPR compliant?","You probably heard about Google Analytics' legal issues with the GDPR. Privacy watchdogs are taking a hard stance on Google Analytics, marketers all over Europe are panicking, and Google is telling everyone that everything will be ok. The Internet is filled to the brim with information on how to make your website GDPR-compliant. It can all be confusing, so here’s an overview of **what’s going on with Google Analytics**.\n\n## What is the deal with Google Analytics?\n\n**Google Analytics needs personal data to work**. Here is how: when you consent to a cookie banner, your personal data are collected and sent to Google Ireland. Then, Google Ireland sends the data to Google in the US for processing. Lastly, the parent company works its algorithmic magic and provides the website with insights into user behavior.\n\nSo we have an extra-EU data transfers involving three actors: the website, Google Ireland, and Google.\n\nThe GDPR laid out strict data transfer rules to ensure that personal data can only leave the EU safely. Unfortunately, this cannot be done in the case of Google Analytics. This is independent of Google: the company is subject to US legislation allowing **extensive surveillance over foreign data**, including the data of European users.\n\n![biden.png](https://cms-assets.simpleanalytics.com/biden_26b5b4a62c.png)\n\nSurveillance is at the center of the legal issues surrounding data transfers. US surveillance law is why the EU Court of Justice **invalidated two data transfer frameworks** between the EU and the US in the famous Schrems I and II rulings. And more recently, privacy NGO noyb started a legal battle against both Google Analytics and Facebook Connect over data transfers by filing 101 identical complaints to many European authorities.\n\nThe strategy has been paying off so far. Authorities **coordinated their response at a European level**. As a result, the supervisory authorities of [Austria](https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-analytics-illegal), [France](https://www.simpleanalytics.com/blog/france-rules-google-analytics-to-be-in-conflict-with-gdpr-ruling), [Italy](https://www.simpleanalytics.com/blog/italy-declares-google-analytics-illegal), and [Finland](https://www.simpleanalytics.com/blog/finland-is-latest-eu-country-to-crack-down-on-google-analytics) **ruled against Google Analytics**. Additionally, the Norwegian authority also found the use of Google Analytics to be illegal [in a preliminary conclusion](https://www.simpleanalytics.com/blog/norway-takes-a-stance-against-google-analytics) (the case is yet pending), and [Denmark endorsed the same position](https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/sep/brug-af-google-analytics-til-webstatistik) in a press release. With coordination at a European level, and the influential French and Italian authorities leading the way, **other decisions are likely to follow**.\n\nLast but not least, Facebook's data transfers were suspended (and Meta Ireland was hit by a record €1.2 _billion_ fine, too). This happened for the same exact legal issues that plague Google Analytics: **the impossibility of complying with Schrems II**. You can learn more about this important decision [on our blog](https://www.simpleanalytics.com/blog/meta-hit-with-record-breaking-1-3-billion-fine-over-facebook-data-transfers-to-the-us#the-decision).\n\n![US_EU_Cables.png](https://cms-assets.simpleanalytics.com/US_EU_Cables_82cac8c34d.png)\n\n## What did the decisions say about Google Analytics exactly?\n\nMany websites and news outlets report that Google Analytics has been banned or declared illegal in certain countries. Is this true?\n\nIn every decision, an authority ordered a specific website to stop using Google Analytics because it found that its data transfers lacked sufficient **safeguards** for personal data. In theory, a different website could implement stronger safeguards for personal data and use Google Analytics lawfully and securely. But **theory** is the keyword here. In practice, implementing safeguards is difficult for many services and **impossible** for Google Analytics.\n\nGoogle Analytics uses cookies to track users. Those cookies contain **unique IDs** to identify each user and qualify as personal data. So the only way to use Google Analytics in a GDPR-compliant manner is anonymizing that data- but that’s precisely the data Google Analytics needs the most! You could use Google Analytics lawfully by running it server-side and anonymizing all personal data, but that would cripple Google Analytics’s performance. **It’s an expensive solution that yields poor results**.\n\nSo, for all practical purposes, decisions against Google Analytics amount to **a nationwide ban**. And we already have such decisions for several countries, including France and Italy- two **key national markets** in the EU.\n\n![google-lawsuit.png](https://cms-assets.simpleanalytics.com/google_lawsuit_b974536c37.png)\n\n## What about IP anonymization?\n\nUniversal Analytics includes an option to anonymize IP addresses, but this is not the default option. Google Analytics 4 is better in this regard and anonymizes IP addresses automatically.\n\nUnfortunately, **Google Analytics’ IP anonymization option does not make Google Analytics GDPR compliant**. European authorities found that Google’s IP masking technique is rather weak and does not meet the GDPR’s standards for anonymization. Besides, Google Analytics cookies are still personal data under the GDPR regardless of IP anonymization. So anonymizing IP addresses does not solve the core legal issue of the transfer of personal data.\n\n## What about Google Analytics 4?\n\nIs it more privacy-friendly than Universal Analytics? Yes. Is it GDPR compliant? Probably not. We don’t have any decisions on Google Analytics 4, but the new version does not solve the crucial legal issues with data transfers.\n\nGoogle Analytics 4 shows some improvements compared to Universal Analytics. Google Analytics 4 revolves around first-party cookies, which are less invasive than third-party cookies. Additionally, IP anonymization is always enabled, and IP is not collected by Google. But upon close examination, Google Analytics 4 suffers from the **same compliance issues** because it still relies on cookies, and cookies **are personal data**. The changes are welcome but do not solve the legal issue.\n\n## What about Google Analytics for Firebase?\n\nIt’s a safe bet that Firebase suffers from **the same legal issues** as Google Analytics. Much like Google Analytics, Google Analytics for Firebase uses cookies with unique identifiers, which are personal data under the GDPR. It also processes other personal data, including invasive **identifiers for mobile devices**. All these data are **processed on Google’s infrastructure** because Google owns Firebase.\n\n## Will Google solve the issue?\n\n**They won’t because there is no easy fix**. Google cannot solve this by tweaking its processing terms. If intelligence agencies request the data, Google must hand them over under US legislation.\n\nAt the moment, the only solution is moving the processing of European data to the EU directly, like Microsoft is starting to do with its EU Data Boundary Program. Of course this is an expensive solution that requires some beefy infrastructure in Europe. Google never announced a similar program and likely has no intention to invest in data localization.\n\n## What about the new data transfer agreement?\n\nAfter long negotiations, the US and the EU agreed on a **new data transfer framework** (the Trans Atlantic Data Privacy Framework). The European Commission is in the process of implementing it in EU law through an **adequacy decision**: an act that examines the privacy framework of another country and essentially “greenlights” the country as a safe destination for data transfers.\n\nThe adequacy decision will likely pass the vote, but that won’t be the end of the story. The Commission can only issue an adequacy decision when a country’s privacy framework can ensure that the data are safe. It cannot issue an adequacy decision for the US just because it likes them or because Europe badly needs its service providers. The new adequacy decision will surely be **challenged in the EU Court of Justice** because US law does not ensure a sufficient level of protection for European data.\n\nThe Court already invalidated two data transfer frameworks for this reason and might do it again in the upcoming Schrems III case. The new framework is complex and it’s hard to say how things will play out, but for the moment, the future of data transfers remains uncertain.\n\n## What can I do to make Google Analytics compliant?\n\nYou can’t really do anything to protect personal data from US surveillance. You either switch to a different tool for web analytics or accept some degree of **compliance risk**.\n\n## Are there other privacy risks related to Google Analytics?\n\nMore than we can count. Google is one of the least privacy-friendly companies out there. It makes a fortune from tracking Internet users, collecting enormous amounts of personal data about them, and building behavioral profiles for targeted advertisement.\n\nGoogle Analytics is a crucial part of Google’s business, but it’s not the only way it extracts data. Popular services such as Search, Maps, and Youtube provide Google with enormous amounts of data. Every mail sent or received through Gmail is processed for profiling, and users who log into their Gmail account on their browser are tracked across websites. Even Android tracks users. This unimaginable amount of personal data is pooled together and used for profiling and prediction to infer even more personal data without needing to collect them.\n\nOf course, Google swears it takes your privacy seriously and promises it is working to offer you more and more privacy in the future. But things will not change because the invasion of your privacy is not a side effect of their business model- **it** **is** **their business model.**\n\n## Google Analytics alternatives\n\nYou can stick to Google Analytics and hope you don’t get in trouble, or you can move to a privacy-friendly, EU-based alternative like Simple Analytics (Yes, I know that’s us).\n\nWe are definitely not the only ones in the space. T**here are many alternatives to Google Analytics,** such as Matomo, Pirsch & Fathom. They are all more privacy-friendly than Google.\n\nThe same goes for us (Simple Analytics). We designed Simple Analytics in a way that provides all the insights you need without collecting any personal data at all. This makes our tool 100% compliant with any privacy regulation, including the GDPR. We are based in the Netherlands and don’t transfer data outside the EU. Also, you can import your historical data from Google Analytics too! If this sounds good to you, feel free to [check us out!](https://simpleanalytics.com/simpleanalytics.com)\n\n## Decide to stick with Google Analytics?\n\nIf you decide to stick to Google Analytics, things are not looking great. Universal Analytics will be phased out by 2024, so if you are using it, you will need to switch to Google Analytics 4 as soon as possible. **You will lose your Universal Analytics historical data in the process**, as Google Analytics 4 offers no import function for most of the data collected by Universal Analytics (Simple Analytics does).\n\nTo minimize risk, your website should include a **clear, comprehensive cookie policy**. This is easier said than done. A good cookie policy must provide a lot of information while being short and readable. We have some suggestions on our blog, but of course, you need to find something that works for you and considers the data you collect and the policies you have in place.\n\nFinally, you should be careful with your cookie banners. There are signs of a possible **EU-wide crackdown on non-compliant cookie banners** ([we wrote about this on our blog](https://www.simpleanalytics.com/blog/eu-task-force-cracks-down-on-cookie-banners)). Ensure your cookie banners are transparent and present users with a visible and easily accessible “reject all” button (or a clearly-worded option to that effect). This will likely lead to **more users rejecting cookies** and impact the performance of Google Analytics on your website. People don’t like being tracked and will often say “no thanks” when presented with a transparent choice.\n\n## Final Thoughts\n\nGoogle Analytics is a compliance risk for your business (ethics aside). In theory, it’s still debatable whether or not it's considered illegal in the EU, but continuing to use Google Analytics (even GA4) is a risk. Even if you decide to take this risk, you must ensure your cookie banners are 100% compliant. You need a good cookie policy, which is easier said than done. In addition, you need to familiarize yourself with Google Analytics 4 and switch to it as soon as possible, as Google is sunsetting Universal Analytics.\n\nYou can also choose to ditch Google Analytics altogether. Multiple tools provide the insights you need to track your website performance without taking any compliance risks. [Deleting Google Analytics](https://www.simpleanalytics.com/blog/how-to-delete-google-analytics-in-4-steps) is easy, as is switching to a privacy-friendly solution. Don't know where to start? Let the guys at [New Metrics](https://newmetrics.io) help you out for independent advice or give Simple Analytics a spin too see if you like it.\n\nThe choice is yours!\n",{"alt":46,"caption":47,"small":48,"medium":49,"large":50,"original":51,"averageColorHex":52,"isDark":25},"Biden.png",null,"https://cms-assets.simpleanalytics.com/small_biden_26b5b4a62c.png","https://cms-assets.simpleanalytics.com/medium_biden_26b5b4a62c.png","https://cms-assets.simpleanalytics.com/large_biden_26b5b4a62c.png","https://cms-assets.simpleanalytics.com/biden_26b5b4a62c.png","39404a",{"data":54},[55,121,156],{"id":56,"attributes":57},136,{"name":58,"alternativeText":47,"caption":47,"width":59,"height":60,"url":51,"formats":61,"mime":65,"provider_metadata":119},"biden.png",1536,864,{"large":62,"small":77,"medium":85,"xlarge":93,"xsmall":102,"thumbnail":110},{"ext":63,"url":50,"hash":64,"mime":65,"name":66,"path":47,"size":67,"width":68,"height":69,"provider_metadata":70},".png","large_biden_26b5b4a62c","image/png","large_biden.png",1157.37,1000,563,{"meta":71},{"page":72,"isOpaque":25,"averageColorHex":73,"dominantColorHex":74,"averageColorBrightness":75,"dominantColorBrightness":76},0,"38404a","181818",64,24,{"ext":63,"url":48,"hash":78,"mime":65,"name":79,"path":47,"size":80,"width":81,"height":82,"provider_metadata":83},"small_biden_26b5b4a62c","small_biden.png",308.38,500,281,{"meta":84},{"page":72,"isOpaque":25,"averageColorHex":73,"dominantColorHex":74,"averageColorBrightness":75,"dominantColorBrightness":76},{"ext":63,"url":49,"hash":86,"mime":65,"name":87,"path":47,"size":88,"width":89,"height":90,"provider_metadata":91},"medium_biden_26b5b4a62c","medium_biden.png",671.6,750,422,{"meta":92},{"page":72,"isOpaque":25,"averageColorHex":73,"dominantColorHex":74,"averageColorBrightness":75,"dominantColorBrightness":76},{"ext":63,"url":94,"hash":95,"mime":65,"name":96,"path":47,"size":97,"width":98,"height":99,"provider_metadata":100},"https://cms-assets.simpleanalytics.com/xlarge_biden_26b5b4a62c.png","xlarge_biden_26b5b4a62c","xlarge_biden.png",2181.02,1400,788,{"meta":101},{"page":72,"isOpaque":25,"averageColorHex":73,"dominantColorHex":74,"averageColorBrightness":75,"dominantColorBrightness":76},{"ext":63,"url":103,"hash":104,"mime":65,"name":105,"path":47,"size":106,"width":75,"height":107,"provider_metadata":108},"https://cms-assets.simpleanalytics.com/xsmall_biden_26b5b4a62c.png","xsmall_biden_26b5b4a62c","xsmall_biden.png",6.14,36,{"meta":109},{"page":72,"isOpaque":25,"averageColorHex":52,"dominantColorHex":74,"averageColorBrightness":75,"dominantColorBrightness":76},{"ext":63,"url":111,"hash":112,"mime":65,"name":113,"path":47,"size":114,"width":115,"height":116,"provider_metadata":117},"https://cms-assets.simpleanalytics.com/thumbnail_biden_26b5b4a62c.png","thumbnail_biden_26b5b4a62c","thumbnail_biden.png",80.55,245,138,{"meta":118},{"page":72,"isOpaque":25,"averageColorHex":73,"dominantColorHex":74,"averageColorBrightness":75,"dominantColorBrightness":76},{"meta":120},{"page":72,"isOpaque":25,"averageColorHex":52,"dominantColorHex":74,"averageColorBrightness":75,"dominantColorBrightness":76},{"id":122,"attributes":123},129,{"name":124,"alternativeText":47,"caption":47,"width":125,"height":125,"url":126,"formats":127,"mime":65,"provider_metadata":154},"US_EU_Cables.png",528,"https://cms-assets.simpleanalytics.com/US_EU_Cables_82cac8c34d.png",{"small":128,"xsmall":139,"thumbnail":146},{"ext":63,"url":129,"hash":130,"mime":65,"name":131,"path":47,"size":132,"width":81,"height":81,"provider_metadata":133},"https://cms-assets.simpleanalytics.com/small_US_EU_Cables_82cac8c34d.png","small_US_EU_Cables_82cac8c34d","small_US_EU_Cables.png",323.01,{"meta":134},{"page":72,"isOpaque":25,"averageColorHex":135,"dominantColorHex":136,"averageColorBrightness":137,"dominantColorBrightness":138},"b5b5c1","f8f8f8",182,248,{"ext":63,"url":140,"hash":141,"mime":65,"name":142,"path":47,"size":143,"width":75,"height":75,"provider_metadata":144},"https://cms-assets.simpleanalytics.com/xsmall_US_EU_Cables_82cac8c34d.png","xsmall_US_EU_Cables_82cac8c34d","xsmall_US_EU_Cables.png",7.76,{"meta":145},{"page":72,"isOpaque":25,"averageColorHex":135,"dominantColorHex":136,"averageColorBrightness":137,"dominantColorBrightness":138},{"ext":63,"url":147,"hash":148,"mime":65,"name":149,"path":47,"size":150,"width":151,"height":151,"provider_metadata":152},"https://cms-assets.simpleanalytics.com/thumbnail_US_EU_Cables_82cac8c34d.png","thumbnail_US_EU_Cables_82cac8c34d","thumbnail_US_EU_Cables.png",38.68,156,{"meta":153},{"page":72,"isOpaque":25,"averageColorHex":135,"dominantColorHex":136,"averageColorBrightness":137,"dominantColorBrightness":138},{"meta":155},{"page":72,"isOpaque":25,"averageColorHex":135,"dominantColorHex":136,"averageColorBrightness":137,"dominantColorBrightness":138},{"id":157,"attributes":158},119,{"name":159,"alternativeText":47,"caption":47,"width":160,"height":161,"url":162,"formats":163,"mime":65,"provider_metadata":206},"google-lawsuit.png",1024,575,"https://cms-assets.simpleanalytics.com/google_lawsuit_b974536c37.png",{"large":164,"small":176,"medium":183,"xsmall":191,"thumbnail":198},{"ext":63,"url":165,"hash":166,"mime":65,"name":167,"path":47,"size":168,"width":68,"height":169,"provider_metadata":170},"https://cms-assets.simpleanalytics.com/large_google_lawsuit_b974536c37.png","large_google_lawsuit_b974536c37","large_google-lawsuit.png",994.42,562,{"meta":171},{"page":72,"isOpaque":25,"averageColorHex":172,"dominantColorHex":173,"averageColorBrightness":174,"dominantColorBrightness":175},"7c6454","080808",105,8,{"ext":63,"url":177,"hash":178,"mime":65,"name":179,"path":47,"size":180,"width":81,"height":82,"provider_metadata":181},"https://cms-assets.simpleanalytics.com/small_google_lawsuit_b974536c37.png","small_google_lawsuit_b974536c37","small_google-lawsuit.png",273.12,{"meta":182},{"page":72,"isOpaque":25,"averageColorHex":172,"dominantColorHex":173,"averageColorBrightness":174,"dominantColorBrightness":175},{"ext":63,"url":184,"hash":185,"mime":65,"name":186,"path":47,"size":187,"width":89,"height":188,"provider_metadata":189},"https://cms-assets.simpleanalytics.com/medium_google_lawsuit_b974536c37.png","medium_google_lawsuit_b974536c37","medium_google-lawsuit.png",605.28,421,{"meta":190},{"page":72,"isOpaque":25,"averageColorHex":172,"dominantColorHex":173,"averageColorBrightness":174,"dominantColorBrightness":175},{"ext":63,"url":192,"hash":193,"mime":65,"name":194,"path":47,"size":195,"width":75,"height":107,"provider_metadata":196},"https://cms-assets.simpleanalytics.com/xsmall_google_lawsuit_b974536c37.png","xsmall_google_lawsuit_b974536c37","xsmall_google-lawsuit.png",6.69,{"meta":197},{"page":72,"isOpaque":25,"averageColorHex":172,"dominantColorHex":173,"averageColorBrightness":174,"dominantColorBrightness":175},{"ext":63,"url":199,"hash":200,"mime":65,"name":201,"path":47,"size":202,"width":115,"height":116,"provider_metadata":203},"https://cms-assets.simpleanalytics.com/thumbnail_google_lawsuit_b974536c37.png","thumbnail_google_lawsuit_b974536c37","thumbnail_google-lawsuit.png",74.06,{"meta":204},{"page":72,"isOpaque":25,"averageColorHex":205,"dominantColorHex":173,"averageColorBrightness":174,"dominantColorBrightness":175},"7d6554",{"meta":207},{"page":72,"isOpaque":25,"averageColorHex":172,"dominantColorHex":208,"averageColorBrightness":174,"dominantColorBrightness":209},"f8b898",195,410,"Is Google Analytics GDPR Compliant?","Is Google Analytics GDPR compliant? This is an ongoing debate, so here’s an overview of what’s going on with Google Analytics and its relationship with GDPR","is-google-analytics-gdpr-compliant","carlo-cilento","2023-02-15T09:44:20.257Z","2024-04-16T13:22:11.055Z",{"en":218,"de":219,"fr":221,"it":223,"es":225,"nl":227},{"slug":213},{"slug":220},"ist-google-analytics-gdpr-konform",{"slug":222},"google-analytics-est-il-conforme-au-gdpr",{"slug":224},"google-analytics-e-conforme-al-gdpr",{"slug":226},"cumple-google-analytics-el-gdpr",{"slug":228},"voldoet-google-analytics-aan-de-avg"]