Is Google Analytics illegal or not in some countries? This a question that has undoubtedly been repeated on many occasions in many marketing departments in recent weeks. However, the answer is a bit more complex than a categorical “Yes” or “No” (besides the fact that, in reality, it would do you little good).
First of all, let’s put some context:
We are in July 2020. The Court of Justice of the European Union is going to hit the table with a sledgehammer that is going to shake Marketing departments around the world: it declares that the Privacy Shield, the safe harbor agreement between the US and Europe, in force since 2016, is not valid.
The reason? US law enables US companies to collect data from European users for later transfer to the United States. The problem? That then the FBI or the NSA (among other intelligence agencies of the country of stars and stripes) would also have access to them. That is, Google Analytics could transfer the data to the NSA or to any of these agencies if requested.
This matter is not a minute peccata: it is estimated that 28 million websites around the world have Google Analytics installed.
Thus arises the sentence “Schrems II” . A sentence that indicates that Google Analytics does not comply with the European Data Protection Regulation (RGPD) (a regulation that, let us remember, your company must also comply with if you do not want to face fines of up to 4% of your annual turnover). That is to say, from then on, the Court affirms that Google Analytics is an illegal tool, since the Silicon Valley company (and more specifically, Google Analytics) is regulated by the Cloud Act and has not been able to ensure that neither the FBI nor can the NSA ever demand this information from them.
“But then it’s clear, isn’t it? Google Analytics is illegal.” Well, no, it’s not really that clear. Let’s keep going:
Is Google Analytics prohibited in the USA? Let’s look at the US-Europe data sharing agreement
What is the Privacy Shield agreement?
An agreement signed by the European Union and the United States that guaranteed a series of rights to European citizens regarding the transfer of their personal data. In this way, we could claim against US companies the use they made of said information.
As we have seen in the introduction, this agreement was annulled in July 2020 by the Court of Justice of the European Union due to the defenselessness of the personal data of European citizens against US intelligence agencies.
But our story did not end there: the “Schrems II” sentence opened the doors for the different European countries to execute, in turn, sentences in this sense.
What is the Cloud Act for data privacy?
A United States legislative norm that obliges all American companies that work in the cloud (Cloud), as well as their subsidiaries, to deliver all types of information (including user data) in the event that it is requested by the own US government
Google Analytics banned in France and Austria
The first country to join the ban on Google Analytics was Austria: On February 13, 2022, the Austrian Data Protection Authority (DSB) stated that Google Analytics violates European privacy regulations (the GDPR that we mentioned before. Specifically the article 44 ).
It didn’t take long for a new complaint to Google Analytics to emerge in France : on February 10, 2022 the French Data Protection Authority (CNIL) joins the ban on Google’s analytics platform. Again, the French institution considers that the data that Google Analytics stores in America are illegal in terms of its collection and treatment.
As you can see, all this succession of events has happened just a few months ago. In fact, Norway could also take this path: the Norwegian Data Protection Association (EDPS) would be investigating 2 complaints in this regard…
Could I be penalized for using Google Analytics in France and Austria?
The institutions of both countries consider that the transfers of personal data carried out by Google Analytics are illegal due to a clear lack of regulation. However, they have not yet imposed sanctions on any company.
In any case, they do recommend using tools that do not involve transferring the information in question outside the European Union. In the case of France, the authorities have given a month of margin for the denounced company to make this recommendation effective.
And what happens in our country? Google Analytics banned in Spain?
Short answer? Yes.
The Data Protection Agency has not yet raised its voice in the face of these successive sentences. Neither one way nor the other. Therefore, until it says otherwise, Google Analytics is still legal in Spain: the data transfer framework agreement between Europe and America is still in force.
“But it seems clear that, with the sentences of France and Austria, Spain will also join the ban, right?” There is no reason why, in fact, the Austrian sentence was more controversial than it seems a priori. A controversy that would weaken potential future sentences for 2 main reasons :
- The Austrian Data Protection Authority (DSB) executed the sentence, yes. But, in reality, the resolution did not impose any penalty. Moreover, not only were there no consequences, but he left it to the German legal authorities to continue the process. For now, and to this day, nothing else has happened.
- The reported website (and for which the sentence in question was executed) did not implement any of the alternative solutions proposed by Google. Had he done so, everything could have changed greatly. In fact, in the face of new complaints, everything could change again if these measures were applied.
Which countries of the European Union are going to ban Google Analytics or not? We will have to see how events unfold in the coming months, but from Web Specialists, we will be updating this article (and informing you via social networks) so that you are always informed and know what you should do.
Does Google Analytics comply with GDPR? What can I do to comply with the GDPR regulations?
The answer to the first question is clear: not currently; the data transfers made by the platform are not legal.
However, this problem is not due to Google Analytics itself, but to the negotiations between the United States and Europe on data transfer that we mentioned in previous points. Furthermore, if Google Analytics stored the personal data of European users on servers within Europe (or restrict the transfer of such information to the US), everything would be solved.
Moreover, to date, Google has already implemented various measures such as the proposal of guarantees for data transfer based on the level of risk or the anonymization of IPs. However, both measures have already been declared insufficient by the Austrian APD.
Another option, of course, would be for Europe and the United States to sign a new Privacy Shield that gives legality to the current situation.
However, that solution does not yet exist. And from your company, you have to prepare yourself so that this whole situation does not affect the growth and metrics of your business. How? Let’s see it:
5 recommendations to avoid being sanctioned by the RGPD regulation
Opt for other alternatives
Google Analytics is not the only digital measurement tool out there. In the following point, we have prepared a list commenting on the most outstanding options that could interest you in this regard.
However, changing the analysis tool implies carrying out migration and thus not losing all the metrics and data collected previously. It is a technical process that is somewhat complex and with which you have to be very careful. We repeat: you do not want to lose all that information.
Contact us without any kind of commitment and we will gladly give you a hand.
Privacy controls, or how to enable the advanced privacy principles of Google Analytics
Thanks to the various Privacy controls options you can somewhat restrict the collection of data and thus be seen favorably by the European authorities.
These options range from disabling advertising features to disabling 100% of data collection.
From Web Specialists, we recommend that you do a preliminary analysis of the metrics that you have implemented and that are necessary for the proper functioning of the website and the growth of your business. An analysis that allows you to know what user data you need to collect and what you can do without.
Obtain clear consent from users for the use of Google Analytics
A consent that is also a necessary part to comply with the RGPD.
Other vital express consent: transfer of data to the USA
First of all, let’s refer to article 49 of the RGPD:
“In the absence of an adequacy decision (…) or adequate guarantees (…), a transfer or a set of transfers of personal data to a third country will be made (…) if the interested party has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the interested party due to the absence of an adequacy decision and adequate guarantees.”
This article, more than as a forceful affirmation that provides us with a definitive solution, must be taken as a recommendation, as a possibility of action.
But it is a recommendation that we advise you to implement to be even friendlier before the aforementioned European data protection authorities.
Does your company’s website comply with the GDPR?
Since May 26, 2018, the General Data Protection Regulation (GDPR) is in force throughout Europe to protect the personal data of all European users on the Internet.
A regulation whose non-compliance can lead to fines of up to 20 million dollars or 4% of the annual turnover of your business.
And you know what? 90% of companies still do not comply with this regulation. In fact, large companies such as Vodafone, BBVA, EDP and Mercadona have already received heavy sanctions…
Although this regulation goes beyond Google Analytics, we recommend you take a look at these recommendations to comply with the RGPD and thus prevent the solvency of your business from being harmed.
Are there other alternatives to Google Analytics?
Yes. And in fact, there are not a few options that you have at your disposal. Although they do not reach the standards and different possibilities of Google Analytics, they all focus on user privacy. That is, they do not share your personal data with third parties for commercial or advertising purposes:
- Matomo Analytics. An open source software used by 1.4 million websites in more than 190 countries throughout the world. This tool will allow you to obtain data from your users such as the language, what pages they visit, what files they download, the Keywords they have used to find you or what search engine they have used.
- Fathom. A platform whose software prevents the tracker from slowing down your business website. Fathom analyzes your website without the need for cookies and allows you to obtain such outstanding metrics as unique visitors, views of each page, average stay time, bounce rate, or the device and browser used by the user to access your website.
It is a very, very intuitive tool, and allows access to navigation data such as unique visitors, page views, duration of the visit or bounce rate.
We hope that this article has been helpful to you in better understanding what is happening with the European Commission and Google Analytics, how you can protect yourself from sanctions for transferring data to the United States, and what quality alternatives exist.
However, we will be updating this news with any new information that comes out (as well as through our profiles in RRSS) so that you know at all times how to act.
After all, as entrepreneurs, we know how important it is that nothing and no one hinders the growth of your company.