Let’s break it to you: no, Google Analytics is not illegal in the UK. The recent legal troubles of Google Analytics stem from European authorities ruling that the use of Google Analytics is a violation of GDPR rules on extra-European data transfers. This does not concern the UK as it is no longer a Member State of the European Union or the European Economic Area.
However, since multiple EU Member States have found the use of Google Analytics unlawful, it is worthwhile to dig a bit deeper here and explore the changing landscape.
- What rules apply to Google Analytics in the UK?
- Can I transfer personal data from Europe to the UK?
- What is all the fuss around Google Analytics about?
- Privacy legislation in the UK, in general
- Final Thoughts
Let’s dive in!
What rules apply to Google Analytics in the UK?
Cookie rules are exactly the same as in the EU, and quite strict. Under the Privacy and Electronic Communications Regulations (PECR), cookies always require express consent from the user, with only very narrow exceptions which do not cover marketing and web analytics cookies. So Google Analytics definitely requires consent in the UK, just as it does in the EU.
Can I transfer personal data from Europe to the UK?
The European Commission adopted an adequacy decision for the UK in 2021, essentially declaring the country a safe destination for data transfers. Because of this decision, data transfers to a company in the United Kingdom are treated the same way as, say, transfers to a Slovenian or Dutch company. You can transfer data this way without the compliance burdens that typically come with extra-EU data transfers.
Please note that the Commission periodically reviews adequacy decisions. If you plan on relying on an adequacy decision, make sure it’s still valid.
What is all the fuss around Google Analytics about?
The recent trend of decisions against Google Analytics is part of a larger legal puzzle about data transfers between the EEA and the US. The issue does not involve the UK directly, but it does involve websites in the UK using Google Analytics, provided that they target the European market and audience. We wrote about this extensively on our blog, so here’s a short version.
The core issue is State surveillance. Under the GDPR, European personal data can be transferred outside the EEA only if the transfer is safe. This is difficult for US data transfers because the US legal framework allows extensive and invasive surveillance of the data of foreign citizens. Suppose a company from the UK collects users' personal data in the EU with Google Analytics. In that case, the data will be transferred to the US for Google to process, which creates a risk that the data will be subject to surveillance by US agencies.
Two different data transfer frameworks (Safe Harbor and Privacy Shield) between the EU and the US made GDPR-compliant data transfers possible in the past, but both frameworks were invalidated by the EU Court of Justice in the Schrems I and II cases. A third framework is on the way but will undoubtedly face a legal challenge. With a Schrems III ruling already on the horizon, the future of EU-US data flows remains uncertain.
Meanwhile, companies must resort to different legal tools (typically standard contractual clauses) to lawfully transfer data to the US under the GDPR. However, the issue with these tools is that they offer no protection against State surveillance. For this reason, the Court of Justice clarified in the Schrems II case that they must be supplemented by additional privacy-safeguarding measures whenever data is sent to “unsafe” countries. This is difficult in general, and entirely impossible for the transfers required by certain cloud-based services such as Google Analytics (we wrote about this here).
After the Schrems II ruling in 2020, most companies kept doing business as usual with US-based service providers. In the meantime, data protection authorities coordinated their approach to data transfers at a European level. As a result, the Austrian, French, Italian, and Hungarian DPAs ruled against the use of Google Analytics in similar decisions. The Danish DPA also took a strict stance in a press release. All decisions practically amount to a State-wide ban, as we explained here. Other DPAs will likely follow the example and adopt a more rigid stance on Google Analytics.
Privacy legislation in the UK, in general
The UK is no longer an EU Member State. However, the UK GDPR and the PECR (which implements the ePrivacy Directive) are still in force. As a result, the UK data protection framework is almost identical to the European one.
The Information Commissioner’s Office (ICO) is the data protection authority for the UK, exercising similar powers to its European counterparts. The current Commissioner is New Zealander John Edwards.
(By the way, the ICO’s website is an excellent source of information on privacy law, with lots of accurate, detailed and accessible explanations, most of which apply to the GDPR and EU data protection law as well.)
Final Thoughts
Whether Google Analytics is illegal in the UK or not, it’s definitely not privacy-friendly to your website visitors. In a world where state surveillance and monopolistic misconduct are more apparent than ever, we strive for an independent internet.
With Simple Analytics, you can still gather insights and discover opportunities from your website analytics without using cookies or collecting personal data. Want to see what that looks like? Have a look at our live dashboard here.
If this resonates with you, give us a try. It's free.