Let’s break it to you: no, Google Analytics is not illegal in the US. The recent legal troubles of Google Analytics stem from European authorities ruling that the use of Google Analytics is a violation of GDPR rules on extra-European data transfers.
However, since multiple EU Member States have found the use of Google Analytics unlawful, it’s worthwhile to dig deeper here and explore the changing landscape.
- What rules apply to Google Analytics in the US?
- Can I transfer personal data from Europe to the US?
- What is all the fuss around Google Analytics about?
- Privacy legislation in the US, in general
- Final Thoughts
Let’s dive in!
What rules apply to Google Analytics in the US?
The GDPR does not apply in the US as it is not a member of the European Union or the European Economic Area. However, US companies still need to comply with the GDPR if they target the European market or monitor behaviors in the EU (this includes using Google Analytics for a website targeting a European audience).
Can I transfer personal data from Europe to the US?
At the moment, there is no adequacy decision for the US. In other words, the European Commission has not “green-lighted” the US as a safe country for data transfers. This does not mean you cannot transfer personal data to the US, but it will be trickier than transferring data to an EEA country or a country covered by an adequacy decision. You will need to rely on one of several mechanisms from Chapter V of the GDPR to make your transfer GDPR compliant (typically standard contractual clauses, or SCCs).
US data transfers are especially tricky in this regard. In 2013 Edward Snowden’s revelations uncovered invasive, large-scale US surveillance programs over foreign data. The leak eventually led the EU Court of Justice to invalidate two adequacy decisions for the US in the landmark Schrems I and II rulings. The Court also clarified that data transfers to the US are only lawful when the data controller implements effective safeguards to protect personal data, on top of any “basic” compliance mechanism such as SCCs.
Implementing such safeguards can be relatively easy for certain services but might be hard or impossible for others. Google Analytics is one of the latter, which is why several European privacy watchdogs effectively banned it in their respective Member States.
All cloud-based services that need to process personal data in the clear are problematic. By using such services, you are effectively taking a compliance risk. You may want to consider this risk and evaluate non-US-based alternatives (especially European ones since you won’t need to bother implementing standard contractual clauses or other Chapter V mechanisms).
Following US President Joe Biden’s recent executive order on electronic surveillance, the European Commission started the procedure for adopting an adequacy decision. An adequacy decision will almost certainly be adopted in the end, but it will probably face legal challenges in the Court of Justice. Two such decisions have been invalidated in the past, so it’s hard to predict how a “Schrems III” ruling will play out.
Finally, it is worth mentioning that some US providers, such as Microsoft, provide data localization by using EU-based data centers. Localization can help you minimize your compliance risk, but you should still carefully evaluate their data governance and assess whether and under what conditions data transfers to the US may take place in the provision of the service.
What is all the fuss around Google Analytics about?
The legal puzzle around US data transfers has significant consequences for the use of Google Analytics and led to important decisions in several countries. We wrote about this extensively on our blog, so here’s the story in a nutshell.
As we said, the 2020 Schrems II ruling made EU-US data transfers much more difficult. Regardless, most companies kept doing business as usual with US-based service providers. In the meantime, privacy NGO noyb filed 101 complaints against Google Analytics and Facebook Connect in a strategic effort to nudge European privacy watchdogs towards stricter enforcement of the Schrems II ruling.
Data protection authorities coordinated their approach to the complaints at a European level. As a result, the Austrian, French, Italian, and Hungarian DPAs ruled against the use of Google Analytics in similar decisions. The Danish DPA also took a strict stance in a press release. All decisions amount to a State-wide ban, as we explained here.
With coordination at a European level and the influential French and Italian DPAs leading the way, other authorities will likely follow the example and adopt a harder stance on Google Analytics, and on data transfers in general.
Privacy legislation in the US, in general
The US has no federal privacy law, but the US Congress is discussing a federal privacy law bill (the American Data Privacy and Protection Act). Additionally, five States have adopted privacy legislation of their own (California, Virginia, Colorado, Connecticut, and Utah).
The US does not have a federal-level agency for enforcing privacy regulation, although the Federal Trade Commission sometimes attempts to fill the void in practice.
Final Thoughts
Whether Google Analytics is illegal in the US or not, it’s definitely not privacy-friendly to your website visitors. In a world where state surveillance and monopolistic misconduct are more apparent than ever, we strive for an independent Internet.
With Simple Analytics, you can still gather insights and discover opportunities from your website analytics without using cookies or collecting personal data. Want to see what that looks like? Check out our live dashboard here.
If this resonates with you, give us a try. It's free.