Google Analytics (GA) is a web analytics service that collects statistical data from websites and apps for search engine optimization (SEO) and creates reports and analytical tools for marketing purposes. GA is a widely used web analytics tool; however, it was recently outlawed by several data protection authorities of European Union (EU) countries for not complying with the GDPR. To comply with the EU cookie law and other privacy laws, Google recently introduced Google Analytics 4 (GA4), which, among other changes, is heavily focused on data privacy. However, despite implementing extra privacy features, GA4 is still not fully GDPR compliant. GA4 still has not reached a consensus with the European regulators regarding data transfer between the EU and the USA. There are also other features, like data sharing between Google products, which could breach the GDPR.
Why Is Google Analytics Not Allowed by Some Data Protection Authorities of the EU?
The main problem with GA, according to the data protection authorities of the EU, is that the personal data of website users is sent to the US. Google is based in the United States, where all the data analysis is performed. The US legislation does not provide sufficient guarantees for data privacy against access by the authorities, particularly the intelligence services, to the personal data of European citizens.
Google Analytics with its current settings can't ensure an adequate level of data protection in the US after the EU-U.S. Privacy Shield Framework became invalidated. The European Court of Justice announced that the EU – US Privacy Shield became invalid on 16 July 2020. As a result of that decision, the EU – US Privacy Shield framework is no longer valid to comply with EU data protection requirements when transferring personal data from the EU to the United States.
On January 12, 2022, the Austrian data protection authority “Datenschutzbehörde” announced that an Austrian company’s website’s use of Google Analytics violates the GDPR due to the EU – US Privacy Shield invalidation from the European Court of Justice (CJEU). Even if the data collected was anonymized, it was insufficient, as it would only have taken place after data reached US servers, so it was not true anonymization. An IP address in combination with additional data like User ID could be used to identify a particular user.
In February 2022, France’s data protection authority, the Commission Nationale de l'informatique et des libertés (CNIL), issued a decision that Google Analytics breached Article 44 of GDPR for the same reason: international data transfers. User consent wasn’t obtained for these data transfers. As with the Austrian authorities, encryption of user data was deemed insufficient for protection, as Google had the encryption key, and thus could easily identify a user.
In June 2022, Italy’s data protection authority Garante also ruled against Google Analytics data transfers to the United States as violating the GDPR. As in other previous cases, encryption of user data using IP anonymization was deemed insufficient for data protection.
Lastly, in September 2022, Denmark’s data protection authority Datatilsynet announced that Google Analytics is not compliant with the GDPR for the same reasons – the data transfers to the United States which does not offer an adequate level of data protection after the EU-U.S. Privacy Shield Framework was invalidated.
In March 2022, the European Commission and the United States announced that a new Trans-Atlantic Data Privacy Framework is being discussed. However, the agreement does not yet provide any specific guidelines for the transfer of personal data to the United States.
So, what could be done to comply with the GDPR while using Google Analytics?
Want to be GDPR compliant? Use CookieScript CMP to manage Google Consent Mode and other Google Analytics settings to comply with GDPR and other privacy laws. CookieScript can also create a unique and professional Privacy Policy for your business or website, which informs, among others, about GA and international data transfers, required by the GDPR.
A Possible Solution for Using Google Analytics in a GDPR Compliant Way
First, if you are still using Google Analytics, we highly recommend switching to Google Analytics 4 (GA4). GA4 introduced many privacy control features to comply with the majority of privacy laws, particularly the GDPR.
On the other hand, GA4 isn’t fully GDPR compliant: the data processing agreement with Google regarding a restricted transfer of data does not fully solve the problem.
Simply changing the processing of the IP address like IP anonymization is not sufficient to comply with the GDPR due to the international data transfer. Another proposed solution was to use the encryption of the identifier generated by GA or replace it with an identifier generated by the website operator. However, this does not guarantee data privacy and was deemed insufficient for protection by several EU data protection authorities, as Google has the encryption key, and thus could easily identify a user. All these ideas would allow Google servers to obtain the IP address of the user as well as a lot of information about his browsing devices. This information could possibly allow the user to be re-identified and, consequently, to collect personal data on all websites and devices using Google Analytics.
France's data protection authority CNIL explains that the only solution that could solve the issue with international data transfers is one that breaks the connection between the user's devices and the Google servers. CNIL suggests using a proxy server and pseudonymization before data export.
Possible solution – a proxy server
One possible solution for using Google Analytics in a GDPR compliant way is the use of a proxy server, which breaks direct contact between the website user's device and the GA servers. In addition, the usage of a proxy server should come with pseudonymization. Effective pseudonymization could be reached using a so-called reverse proxy, that sits in front of servers and forwards users' requests to those web servers.
The European Data Protection Board issued recommendations regarding the usage of pseudonymization:
- The pseudonymization should be used before data export.
- Such an export could only be possible if the data controller has established that the pseudonymized personal data cannot be attributed to an identified or identifiable individual, even if cross-checked with other information.
- The data controller must ensure that all transmitted information does not allow the user to be re-identified.
To use the proxy server for data transfer in a GDPR compliant way, the CNIL suggests that the proxy server must fulfill the following criteria:
- The proxy server must be hosted inside the European Union. The proxy server must be hosted in such a way as to ensure that the data it processes will not be transferred outside the EU to a country that does not provide an adequate level of protection substantially equivalent to that provided within the EU. Practically it means that the proxy server must be hosted inside the EU.
- The IP addresses of users must not be transferred to the Google servers. If a user's location is transmitted to the GA servers, it must be carried out by the proxy server, not the Google server.
- Such a transfer must ensure that the information does not allow the user to be re-identified.
- Sufficient replacement of the user identifier by the proxy server. To ensure effective pseudonymization, the algorithm performing the user identifier replacement must ensure an adequate level of collision and include a time-varying component. An adequate level of collision means that there is a sufficient probability that two different identifiers would give an identical result after a hash, while the inclusion of a time-varying component means adding a value to the hashed data that evolves over time so that the hash result is not always the same for the same identifier.
- The external referrer information must be removed from the website.
- Any parameters contained in the collected URLs must be removed. For example, UTMs, but also URL parameters allowing internal routing of the website, must be removed.
- Processing of information for the generation of fingerprinting is not allowed. For example, the rarest configurations of devices or browsers that can lead to re-identification must be removed.
- The collection of cross-site or lasting identifiers (CRM ID, unique ID) must be removed.
- Any other data that could lead to re-identification must be removed.
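As an added illustration (not CNIL's or Google's code), the sketch below applies several of the criteria above to one analytics hit inside the proxy: identifier replacement with collisions and a time-varying component, URL parameter stripping, external referrer removal, and an allowlist for everything else. The field names, `SITE_HOST`, `BUCKETS` and the sample hit are assumptions made for the example and are not GA's actual parameter names.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "www.example.eu"   # assumption: the website operator's own hostname
BUCKETS = 2 ** 20              # assumption: small output space so distinct IDs can collide
FORWARD_FIELDS = {"event"}     # allowlist; every other collected field is dropped

def pseudonymize(client_id: str, secret: bytes, day: str) -> str:
    """Keyed hash of the identifier with a time-varying component (the day)."""
    mac = hmac.new(secret, f"{day}|{client_id}".encode(), hashlib.sha256).digest()
    # Folding into BUCKETS values gives a non-zero collision probability.
    return format(int.from_bytes(mac[:8], "big") % BUCKETS, "05x")

def strip_url(url: str) -> str:
    """Drop query string and fragment: UTMs and internal routing parameters."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def sanitize_hit(hit: dict, secret: bytes, day: str) -> dict:
    """Build the only record the EU-hosted proxy forwards upstream."""
    out = {k: v for k, v in hit.items() if k in FORWARD_FIELDS}
    out["cid"] = pseudonymize(hit["cid"], secret, day)
    out["page"] = strip_url(hit["page"])
    referrer = hit.get("referrer", "")
    # External referrers are removed; same-site ones are kept without parameters.
    if referrer and urlsplit(referrer).netloc == SITE_HOST:
        out["referrer"] = strip_url(referrer)
    return out

# Constructed sample hit as the proxy might receive it from a browser.
SAMPLE_HIT = {
    "cid": "1234567890.1650000000",
    "event": "page_view",
    "page": "https://www.example.eu/pricing?utm_source=news&step=2#top",
    "referrer": "https://search.example.com/?q=pricing",
    "ip": "203.0.113.7",          # never copied to the output
    "ua": "ExampleBrowser/1.0",   # dropped: fingerprinting input
    "uid": "crm-88231",           # dropped: lasting cross-site identifier
}

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a secret that never leaves the proxy
    print(sanitize_hit(SAMPLE_HIT, key, "2022-06-01"))
```

Because the key stays on the proxy, the upstream service cannot recompute the mapping from original to replaced identifier, and the same visitor gets a different value each day.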
Following the EDPB recommendations, the data controllers should have the possibility to carry out an analysis of the location and pseudonymization of the proxy server.
An alternative solution for GDPR compliance could be to use a web analytics tool that is based inside the EU.
Conclusion
The EU – US Privacy Shield became invalid on 16 July 2020, and the US legislation does not provide sufficient guarantees for data privacy against access by the authorities. As a result, several data protection authorities of the EU outlawed the use of Google Analytics for not complying with the GDPR due to international data transfers. One possible solution for using Google Analytics in a GDPR compliant way is the use of a proxy server. The proxy server must be used with pseudonymization and it must be hosted inside the EU. There are also other pseudonymization criteria for protecting website users' privacy that the proxy server must fulfill.
Neither Google Analytics nor Google Analytics 4 could be used in some EU countries like Austria, Italy, France, and Denmark in a GDPR compliant way due to the international data transfers. However, the French Data Protection Authority CNIL proposed that using a reverse proxy and pseudonymization could solve the problem of international data transfers. If the proxy server is used properly, GA or GA4 could be used in a GDPR compliant way.
Frequently Asked Questions
Is Google Analytics GDPR compliant?
After the invalidation of the Privacy Shield framework in 2020, Google has not yet reached a consensus with the European Commission regarding the transfer of personal data to the US. Until now, GA was outlawed by DPAs of Austria, France, Italy, and Denmark. CNIL proposed using a proxy server and pseudonymization to comply with the GDPR.
Why is Google Analytics not allowed in some countries of the EU?
The General Data Protection Regulation (GDPR) is an EU law that protects the rights and personal data of European citizens. Google Analytics sends data for processing to the US; however, with its current settings, GA can't ensure an adequate level of data protection in the US after the EU-U.S. Privacy Shield Framework became invalidated.
How to use Google Analytics in a GDPR compliant way?
Google Analytics could be used in a GDPR compliant way by using a proxy server and pseudonymization. A so-called reverse proxy should sit in front of Google servers and break direct contact between website users' devices and the Google servers.
Is it possible to set Google Analytics so that personal data is not transferred outside the EU?
No. Google indicated that all the data collected through Google Analytics is hosted and processed in the US. A possible solution for using Google Analytics in a GDPR compliant way could be by using a proxy server and pseudonymization.
Is it possible to transfer Google Analytics data to the US with the explicit consent of users?
As stated in the European Data Protection Committee's guidelines, there could be derogations under which the data could be sent to the US with the explicit consent of users. However, this can only be used non-systematically and cannot represent a long-term and permanent solution; such transfers cannot become the general rule. Use CookieScript CMP to manage user consent.