On February 10th, the French data protection agency CNIL issued a statement ordering a French website manager to comply with the General Data Protection Regulation (GDPR) and, if necessary, to stop using Google Analytics in its current setup.

 

A lot of our clients, partners and prospects are wondering about the implications of this decision (and other DPAs’ decisions across Europe) and looking for answers, which is why we’ve partnered with the enterprise SEO and data platform Oncrawl to host a webinar together on the topic, and come up with some recommendations on what to do next.

 

The webinar was presented by Clément Hochedez, Senior SEO Manager at Didomi, Thomas Adhumeau, Chief Privacy Officer at Didomi, and Jérôme Salomon, Senior SEO Strategist at Oncrawl. Watch the recording here, and keep on reading for a recap of the main takeaways.

 

 


Web analytics and the privacy landscape

 

Web analytics tools are a vital part of every marketer’s toolbox, as the data they help gather plays a big role in helping businesses:

 

  • Understand website and/or app performance

  • Analyze customer trends and satisfaction

  • Reduce costs with actionable business insights

 

Implementing great analytics practices provides valuable insights that can lead to new and improved products and services for clients. However, regulations around the globe have been challenging the use of these analytics tools.

 

In Europe, ePrivacy and GDPR have had a direct impact, because web analytics platforms often (not always) rely on cookies or trackers, and require the processing of personal information, which can be unlawful under certain conditions in light of European regulations.

 

In the U.S., the California Consumer Privacy Act (CCPA) takes a slightly different approach by requiring website operators to add a “do not sell my data” button on their websites. This opt-out approach impacts marketers and their use of analytics tools by limiting the ability to run retargeting campaigns.

 

But what happened exactly on February 10th regarding Google Analytics and the CNIL?

 

What is the context behind the decision impacting Google Analytics?

 

To understand the recent decisions that have impacted Google Analytics, it’s important to take a step back to another milestone decision: the Schrems II decision, taken by the Court of Justice of the European Union in July 2020.

 

Schrems II stated that the scheme making transfers between the US and the EU possible and valid (called the “Privacy Shield”) was invalid. This had far-reaching consequences and technically prevented any data transfers between the EU and the US, unless supplementary measures (which were not explicitly defined) were put in place by the participants, i.e. data exporters and importers.

 

As a result, Google implemented measures to comply in the context of Google Analytics, which the Austrian, Danish and French Data Protection Authorities (DPAs) considered insufficient. They therefore reached the conclusion that the transfers occurring between the EU and the US with Google Analytics are not performed lawfully.

 

Now, what can you do as a Google Analytics user? We’ve gathered some recommendations.

 

Disclaimer: The French decision does not say that Google Analytics is banned. It says that the current implementation of Google Analytics on the specific website that was audited is not compliant with key GDPR principles. This is an important distinction.

 

Recommendations to get closer to compliance

 


 

1. Consider alternatives

The first action recommended by the CNIL in their press release is to look at Google Analytics competitors. We’ve listed some options in the section below.

 

Most businesses should run an analysis on whether migrating to another tool is a possibility. Additionally, we recommend documenting the process in case of an audit by a DPA.

 

If you decide to continue using Google Analytics, there are other things you can implement immediately (after contacting your Google representative or reseller for guidance):

 

2. Use the IP anonymization function offered by Google Analytics

Google Analytics offers the ability to anonymize IP addresses. We highly recommend enabling this function as it is directly recommended in the Austrian DPA decision.

 

3. Consider implementing further privacy controls

Google also offers a series of advanced privacy controls that you can implement to limit data collection, ranging from disabling advertising features to deactivating data collection completely. 

 

We recommend that you audit your Google Analytics usage internally and decide whether some or all of these measures are appropriate for your business. 

 

4. Obtain users’ consent for the use of Google Analytics

This is a recommendation you should already have implemented by now given the latest recommendations from DPAs across Europe (e.g. the CNIL’s recommendations on cookies), but if not, please make sure that you are obtaining consent for the use of Google Analytics from your users.

 

In light of these decisions, you should not be relying on legitimate interest. Consent is presumably always required for the use of Google Analytics in its current setup, unless the data is fully anonymised.

 

5. Consider obtaining explicit consent for the transfer to the US

This recommendation stems from Article 49 of the GDPR: 

 

“In the absence of an adequacy decision (...) or of appropriate safeguards (...), a transfer or a set of transfers of personal data to a third country (...) shall take place (...) if the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.”

 

This is not an ideal solution from a user standpoint, and as such can be considered more as a possibility than a recommendation for now. 
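As an added example (not code from the webinar, Didomi, Oncrawl or Google), here is how recommendations 2 to 5 map onto a consent-gated gtag.js setup, with the weak default configuration next to the hardened one. The measurement ID, the shape of the consent object and the `requireTransferConsent` switch are assumptions.

```javascript
// Consent-gated Google Analytics setup. Added example, not code from the webinar.
// Assumptions: the CMP exposes the visitor's choices as {analytics, usTransfer};
// MEASUREMENT_ID is a placeholder property id, not a real one.
const MEASUREMENT_ID = 'UA-XXXXXXXX-1'; // placeholder

// Weak setup that many sites ship: gtag configured at page load with defaults,
// i.e. full IP stored, advertising features on, no consent check at all.
function weakConfig() {
  return { send_page_view: true };
}

// Hardened config: IP anonymization (recommendation 2) and the advertising
// controls from recommendation 3; all three are documented gtag.js parameters.
function hardenedConfig() {
  return {
    anonymize_ip: true,                      // truncate the IP before storage
    allow_google_signals: false,             // no cross-device / ads features
    allow_ad_personalization_signals: false, // no ad-personalization data
  };
}

// URL of the tag; it must only be injected into the page after consent.
function scriptUrl() {
  return 'https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID;
}

// Decide which gtag commands to issue, returned as data so the decision can be
// inspected without loading gtag.js. Analytics consent (recommendation 4) is
// always required; explicit transfer consent (recommendation 5) is optional.
function gaCommands(consent, requireTransferConsent = false) {
  const ok = consent && consent.analytics === true &&
    (!requireTransferConsent || consent.usTransfer === true);
  if (!ok) {
    // Documented opt-out flag: gtag sends nothing for this property.
    return [['opt-out', 'ga-disable-' + MEASUREMENT_ID, true]];
  }
  return [['js', new Date()], ['config', MEASUREMENT_ID, hardenedConfig()]];
}

// Apply the decision to a window-like object (the real window in the browser).
function applyConsent(consent, win, requireTransferConsent = false) {
  win.dataLayer = win.dataLayer || [];
  for (const cmd of gaCommands(consent, requireTransferConsent)) {
    if (cmd[0] === 'opt-out') win[cmd[1]] = cmd[2];
    else win.dataLayer.push(cmd);
  }
  return win;
}
```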

 

Note: Keep in mind that these decisions have deep implications and are not just about Google Analytics. All tools used and offered by US companies could also be impacted in the same way. Get ready for more action on this front in 2022, especially since the CNIL said they will prioritize enforcement against cloud services providers in 2022.

 

What are some alternatives to Google Analytics?

 

While it’s currently difficult to assess the impact of the decision against Google Analytics, we decided to gather some non-US alternatives, whose data, at least in theory, should not be transferred to the United States. For clarity’s sake, we’ve gathered the pros, cons, price range and data hosting location for each tool.

 


 

Please note that these recommendations do not replace a legal assessment to be conducted on your side.

 

Piwik Pro

 


 

Piwik Pro is a cookie-based solution with a similar integration as Google Analytics. 

 

Price range: Core plan free (max. 500k visits) / Enterprise upon request

Data hosted in: EU (Elastix)

Headquarters: Poland, EU

Pros:

  • Great user interface 

  • No data sampling

Cons:  

  • Might be tricky to integrate with other tools

  • Fewer options available than Google Analytics

 

AT Internet

 


 

AT Internet is a French company acquired by Piano Software Inc. in 2021.

 

Price range: Starting from 355€/month

Data hosted in: EU (SFR & AWS)

Headquarters: France, EU

Pros:

  • Dedicated e-commerce features

Cons:  

  • Claims in online reviews that the tool might be difficult to use

 

Fathom

 


 

Fathom is a cookie-free solution, which resolves the question of consent and the question of data reliability, since it’s only based on hits. Unfortunately, it also means that the data will be really high-level (no channels, no sources, only referrals).

 

Price range: Starting from $14/month (100k page views)

Data hosted in: Germany (Hetzner)

Headquarters: Canada

Pros:

  • No consent notice required

  • Size of script is very small, resulting in fast loading

Cons:  

  • Very high-level analytics

  • No behavioral tracking 

 

Plausible

 


 

Another cookie-free solution, Plausible is open-source and can be hosted on your own servers.

 

Price range: Starting from 9€/month (10k page views)

Data hosted in: Germany (Hetzner)

Headquarters: Estonia

Pros:

  • No consent notice required

  • Size of script is very small, resulting in fast loading

  • Open source

Cons:  

  • Very high-level analytics

  • No behavioral tracking 

 

Matomo

 


 

Matomo is the open-source version of Piwik Pro, with three ways to integrate: cookie free, cookie-based and server-side tracking.

 

Price range: Free (hosted on your own server) / Starting from 13€ (cloud-based)

Data hosted in: EU (but the contract is with AWS New Zealand)

Headquarters: New Zealand

Pros:

  • Lots of stats

  • Web vitals

  • No data sampling

  • No consent notice required (depending on your setup)

Cons:  

  • No integration with Google Ads (no PPC data)

 

Note: Adobe Analytics and other US platforms are valuable alternatives, but in the context of this decision and because they are US-based, we decided to not include them.

 

Questions and Answers (Q&A)

 

Would you mind elaborating on the far-reaching implications of the decision?

This decision could have consequences on a lot of different industries, in the same way the Adtech industry was impacted by the decision from the Belgian authority regarding IAB Europe’s TCF.

 

For example, solutions that have been developed recently such as contextual advertising, in response to the lack of data, could also be impacted since transfers will occur in the same way and IP addresses will be accessed. 

 

It’s possible that these decisions are preventing to a certain extent the free flow of data between the US and the EU, and as a result most of the services or tools we use on a daily basis would no longer be compatible or accessible from a GDPR and ePrivacy standpoint.

In short, it’s huge. 

 

Has anyone heard about Google’s response regarding this specific issue with the incriminated ecommerce website? 

Google has shared an interesting answer.

 

To a certain extent, Google seems to disagree with the decision. Ultimately the best option available for everyone to move forward is to make sure that the US and the EU strike a deal on data transfers. That would mean the US would have to backtrack on some of its surveillance acts and regulations, which won’t be an easy win, but that’s what would save some of the compliance pain and make it easier for everybody to do a good job.

 

Google seems to be pushing for that. They are involved in the negotiations and in the meantime, they seem to be working on additional features and controls for their customers.

 

How do you calculate your website’s existing consent rate?

You can easily calculate your website’s consent rate with a Consent Management Platform (CMP).

 

Have any of the regulators put a time limit retention period on log files? How would a retention period affect the users’ rights to have data corrected or destroyed?

There isn’t any guidance around that to our knowledge. This is an assessment each website owner should perform, but the period should always be proportionate to the processing activities that are occurring. Five years, for example, is probably not a good idea, but one day is probably not enough.

 

The main criterion is always going to be whether you are able to single out somebody using the information you have at your disposal. If so, it means that the information can be considered personal data.

 

Oncrawl anonymizes the data in logs for example, to make sure that they are GDPR compliant.
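To make the two points above concrete (singling out, and a proportionate retention period), here is an added example that is not Oncrawl’s implementation: it truncates the client IP in web-server log lines the way Google Analytics documents for its IP anonymization (IPv4 last octet zeroed, IPv6 reduced to its first 48 bits) and drops records older than a retention window. The log lines, the 30-day window and the combined log format are assumptions constructed for the example.

```javascript
// Log anonymization and retention. Added example, not Oncrawl's implementation.
// Input lines are constructed Apache/Nginx combined-format records. The client IP
// is truncated like Google Analytics' anonymize_ip (IPv4: last octet zeroed;
// IPv6: only the first 48 bits kept); lines older than the window are dropped.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

function anonymizeIp(ip) {
  const m4 = IPV4.exec(ip);
  if (m4) return `${m4[1]}.${m4[2]}.${m4[3]}.0`;
  if (ip.includes(':')) {
    // Expand "::", then keep the first three hextets and zero the rest.
    const [head, tail = ''] = ip.split('::');
    const hx = head ? head.split(':') : [];
    const tx = tail ? tail.split(':') : [];
    const full = hx.concat(new Array(8 - hx.length - tx.length).fill('0'), tx);
    return full.slice(0, 3).join(':') + '::';
  }
  return ip; // not an IP literal (e.g. "-"); leave untouched
}
// Combined log format starts with the client address; rewrite only that token.
function anonymizeLogLine(line) {
  const sp = line.indexOf(' ');
  return sp < 0 ? line : anonymizeIp(line.slice(0, sp)) + line.slice(sp);
}
// Parse "[10/Feb/2022:12:00:00 +0000]" to epoch milliseconds, honouring the offset.
function logTimestamp(line) {
  const m = /\[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\]/.exec(line);
  if (!m || !(m[2] in MONTHS)) return null;
  const offMin = (m[7] === '-' ? -1 : 1) * (Number(m[8]) * 60 + Number(m[9]));
  return Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) - offMin * 60000;
}
// Keep only lines within maxDays of `now` (epoch ms) and anonymize those.
function applyRetention(lines, now, maxDays) {
  const cutoff = now - maxDays * 86400000;
  return lines.filter((l) => {
    const t = logTimestamp(l);
    return t !== null && t >= cutoff;
  }).map(anonymizeLogLine);
}
// Constructed sample records (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.42 - - [10/Feb/2022:12:00:00 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [12/Feb/2022:08:30:00 +0000] "GET /p HTTP/1.1" 200 10 "-" "curl/7.8"',
  '198.51.100.7 - - [01/Jan/2021:00:00:00 +0000] "GET /old HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
];
```

Running `applyRetention(SAMPLE_LOG, Date.UTC(2022, 1, 15), 30)` keeps the two February records with truncated addresses and discards the 2021 one.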

 

Should e-commerce think about a new way to get consent for tracking? For example asking to create an account and/or to login before using the website?

It’s not so much about how you collect the data but how you share it. In a logged-in environment it’ll be easier to collect data in a compliant way, but when sharing it with other parties, the same issues will remain.

 

Tools like Mixpanel and Amplitude are not based on cookies but user IDs. Could it be an alternative to Google Analytics?

It’s slightly better because of the absence of cookies, but it won’t solve the issue of transferring data to the US. In this case, user IDs would allow anyone to single out and/or identify a user, and would thus be considered personal information.

 

If you have a server-side integration and you encrypt the data before sharing it with Google, or you anonymize it in a way, would it be compliant?

One of the main issues is that Google has so much data beyond Google Analytics that DPAs are worried that they would eventually track users throughout all these services. 

 

In that sense, reprocessing data before sharing it so that Google isn’t able to tie it to other data assets that they have, could probably make it compliant. To be determined. 

 

Storing in the EU doesn’t solve everything

Storing the information in Europe is not necessarily going to be fixing things, as long as you’re going to work with a US company that could be asked and required by the US government to share data. So even if the data is stored in the EU, the risk of transfer exists and could potentially cause a problem.

 


 
