The European General Data Protection Regulation (GDPR, also known as DSGVO in German and RGPD in French) has been in effect for four years.
That's plenty of time for a corporation the size and scope of Google to meet the standards. Certainly.
Here are the specifics on how GDPR affects Google Analytics 4 and what the current compliance status is.
Are you confident that Google Analytics 4 is GDPR compliant?
No. Google Analytics 4 (GA4) is not completely GDPR compliant as of mid-2022. Despite the addition of further privacy-focused features, GA4's standing with European regulators remains murky. Since the Privacy Shield framework was invalidated in 2020, Google has had to regulate EU-US data privacy itself, and the corporation currently does not adequately protect the data of EU citizens and residents from US surveillance laws. That is a GDPR infringement.
The complicated Google Analytics and GDPR relationship
Following the implementation of GDPR in 2018, European regulators investigated Google.
While the company made steps to prepare for GDPR requirements, it did not completely comply with key regulations governing the storage, transfer, and security of user data.
After the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, the framework Google relied on for EU-US data transfers, the conflict between Google and EU regulators intensified further, and GDPR litigation was filed against Google after 2020.
This post summarises the key events in the tale and discusses the implications for Google Analytics clients.
Timeline for Google Analytics and GDPR, 2018: GDPR-compliant Google Analytics
The EU introduced the General Data Protection Regulation (GDPR) in 2018, which is a set of privacy and data security laws that applies to all EU member states. Every business that interacts with EU citizens and/or residents must follow the rules.
The GDPR standardised data protection rules across the EU and set new parameters for what counts as "sensitive personal information" (or PII). PII covers a wide variety of data, including:
- Background (ethnic or racial)
- Workplace status
- Religious or political beliefs
- Health status
- Biometric or genetic data
- Transactional records (such as payment method data)
- Phone and in-person contact information
Businesses were not allowed to access this information unless they had the full approval of the client (and even with it in some cases). Stringent rules control the collection, storage, transport, and use of such private information.
The GDPR's 7 important principles
Article 5 of the GDPR provides seven fundamental principles for personal data and privacy protection:
- Lawfulness, fairness, and transparency - data must be gathered legally, with consent, and in accordance with the law.
- Purpose limitation - personal information must only be collected for particular, unambiguous, and legitimate objectives.
- Data minimisation - organisations must only collect data that is necessary and appropriate for the stated goal.
- Accuracy - data accuracy must be checked on a regular basis, and companies must have systems in place to quickly remove or correct incorrect data.
- Storage limitation - data must be kept only for as long as the declared purpose requires; the GDPR itself sets no fixed cap on retention.
- Integrity and confidentiality (security) - businesses must make every effort to store data securely and prevent unauthorised access.
- Accountability - companies must be able to demonstrate that they met the above standards.
Prior to the deadline, Google apparently took steps to ensure that all of its products were GDPR compliant. That wasn't always the case, though.
A group of publishers chastised Google in March 2018 for not providing them with enough GDPR compliance tools:
"Because you decline to supply it, the publishers receive no clear information on how you will gather, share, and use the data. It is impossible to shift the full burden of obtaining new consent on the publisher unless the publisher is given the exact information needed to provide sufficient transparency or to gain the appropriate specific, comprehensive, and informed permission under the GDPR."
The GDPR permission form for Google Analytics was not only difficult to implement, but it also lacked customizability. Google "makes unilateral judgements" when it comes to the storage and use of collected data.
Users have no method of knowing or regulating how their data was utilised, therefore the second requirement was difficult to meet.
Unsurprisingly, Google (together with Facebook) was one of the first companies to be sued under the GDPR.
By 2019, the French privacy authority CNIL had successfully argued that Google was not properly disclosing its data collection across goods, and thus was in violation of GDPR. Google had to pay a €50 million fine and commit to do better after an appeal was denied.
For the better part of 2019, Google worked to resolve some of the issues identified by GDPR across all of its products, including Google Universal Analytics (UA).
They established a more visible consent mechanism for internet tracking and provided additional consumer compliance tips. In the background, Google made engineering changes to their data processing mechanism in order to gain regulatory approval.
Some of the issues were resolved by Google, but others were not. According to an independent analysis published in 2019, Google's real-time bidding (RTB) ad auctions are still exploiting EU citizens' and residents' data without their consent. However, it was quickly addressed before the claims could be brought to court.
In November of this year, Google Analytics 4, the successor to Universal Analytics, was released as a beta.
For GDPR compliance, GA4 added a number of additional privacy-focused features, including:
- A mechanism for data deletion. Through a new interface, users can now request the targeted removal of specific data from the Analytics servers.
- Shorter data retention. The default retention period can now be shortened to two months (instead of fourteen), or a custom limit can be set.
- Anonymised Internet Protocol (IP) addresses. By default, GA4 does not log or store IP addresses.
Google Analytics' terms of service and privacy policies have also been updated.
Despite the company's efforts, Google Analytics 4 still has a lot of issues and fails to meet GDPR regulations.
The Privacy Shield
Google designated its Irish corporation (Google Ireland Limited) as the "data controller" legally responsible for the information of EEA and Swiss users as part of its 2018 GDPR preparations.
Initially, Google believed that by taking this legal step, they would be able to ensure GDPR compliance because "legally speaking," a European firm would be in charge of European data.
However, EEA consumers' data was still mostly transmitted and processed in the United States, where the majority of Google data centres are situated. Due to the Privacy Shield arrangement, such cross-border data transfers were considered legal until 2020.
In July 2020, the Court of Justice of the European Union ruled that this framework does not provide adequate protection for digitally transferred data because of US surveillance laws. As a result, corporations such as Google can no longer rely on it. The Swiss FDPIC (Federal Data Protection and Information Commissioner) reached the same conclusion in September 2020.
The ineffectiveness of the Privacy Shield scheme put Google in a bind.
The following is stated explicitly in Article 14.f of the GDPR:
"The controller (the business) who plans to send personal data to a receiver (Analytics solution) in a third country or an international organisation must inform its users about the location where their data is processed and stored."
The Privacy Shield framework was invalidated, preventing Google from transmitting data to the United States. At the same time, GDPR legislation required them to reveal the proper location of their data.
However, unlike many other solutions, Google Analytics offers no way to:
- Ensure data storage within the EU
- Choose a preferred regional storage site
- Notify users of the location of their data storage and of any data transfers outside the EU
These gaps put Google Analytics in direct violation of GDPR, a situation that has persisted into 2022.
Google GDPR breaches and fines in 2020-2022
As a result of the 2020 decision, Google now faces GDPR lawsuits from data protection authorities in a number of countries.
Google Analytics in particular has come under heavy fire.
In 2020, Sweden was the first country to sanction Google for breaking the GDPR by failing to fulfil its obligations regarding data delisting requests.
France ruled that Google Analytics 4's IP address anonymisation feature cannot be relied on to secure cross-border data transfers: even with it enabled, US intelligence services can access user IPs and other personally identifying information (PII). After Google Analytics was found to be illegal in France, Google was fined €150 million.
In Austria, too, Google Analytics was found to be in violation of the GDPR and was ruled "illegal". The authorities have requested yet another fine.
The Dutch Data Protection Authority and the Norwegian Data Protection Authority have both declared Google Analytics to be in violation of the GDPR and intend to prohibit its use.
The underlying issue - unregulated, non-consensual EU-US data transfer - is not addressed by the new privacy protections in Google Analytics 4.
Google Analytics' noncompliance with GDPR exposes any website tracking or analysing European visitors to legal ramifications.
This is already happening in reality. Over 100 complaints have already been lodged against European websites that employ Google Analytics by noyb, a European privacy NGO.
Negotiations for Privacy Shield 2.0 in 2022
The Privacy Shield structure has been invalidated, which is bad news for everyone, not just Google. Thousands of internet businesses face non-compliance as a result of the ruling.
In April 2022, US and EU officials began "peace talks" to resolve the problem.
President of the European Commission Ursula von der Leyen stated that the European Commission is working with the Biden administration on a new pact that will "allow predictable and trustworthy data flows between the EU and the US while protecting privacy and civil liberties."
Negotiations will, however, continue for some time. The situation is far from solved, and there are still serious concerns, as we discussed on Twitter (come say hello!).
To begin with, the US is hesitant to change its surveillance standards, preferring instead to make them "proportional" to those in place in the European Union. These changes may not be enough to satisfy the CJEU, which has the authority to block or invalidate the agreement afresh.
While these difficulties are being worked out, Google Analytics users who collect data on EU citizens and/or residents are still on precarious ground. They may be vulnerable to GDPR-related lawsuits as long as they use GA4.
You can download Matomo, previously known as Piwik, an open source marketing analytics platform. It provides a wealth of information about your website's visitors, including the search engines and keywords they used, the language they speak, the pages they liked, the files they downloaded, and more. In essence, Matomo is a Google Analytics substitute. In addition to giving you complete control over your data, it also safeguards the privacy of your customers.
The open-source alternative to Google Analytics, to be exact. As with Mautic, you can download and install Matomo on your own web server, where it runs on PHP and MySQL. If you prefer, we can handle this for you.
Google Analytics vs. Matomo
Google may at any time use your personal information for its own purposes. If your customers learn of this, you could lose their trust and damage your reputation. You don't need permission to use Matomo at all.
Matomo is a software system built on ethical principles. In terms of data security, it is unmatched. You know exactly where and how your data is handled, and no third parties are involved.
Aside from that, Matomo is another open-source success story. Developers from all over the world have put it through its paces to ensure its quality.
Aside from the fact that it's highly customizable, doesn't limit the amount of data you can store and is user-friendly, it also adheres to the strictest privacy laws on Earth (unlike GA).
Our Drupal website now employs both of these tools! The Matomo module is GDPR-compliant out of the box, whereas we had to tweak the Mautic module in order to make it GDPR-compliant.
As a company, we strive to provide our clients with personalised, high-quality, and most importantly, unparalleled data privacy. We were relieved to learn that, despite recent shifts in EU-US data privacy laws, we were always on the right track with GDPR.
To be honest, this is all pretty simple, but you'll need some help to do it correctly. Simply get in touch with us if you'd like to learn more about self-hosting Mautic.
Google Analytics 4 and Google Universal Analytics are not GDPR-compliant tools, because the Privacy Shield was invalidated in 2020. Google Analytics operations have been labelled "illegal" by the French and Austrian data watchdogs, and authorities in the Netherlands, Sweden, and Norway have also accused it of breaking GDPR. Any website that uses Google Analytics to collect data about European citizens and/or residents could be prosecuted under the GDPR (which is already happening).
Discussions on the Privacy Shield 2.0 framework to regulate EU-US data flows have only just begun and might take years. Even if adopted, the new framework(s) may be invalidated by local data regulators, as has happened in the past.
It's Time to Get a GDPR-Compliant Website
As an alternative to using Google Analytics, we advocate keeping complete control over all personal data to ensure GDPR compliance.
You may rest assured that no "behind the scenes" data gathering, processing, or transfers occur if you use a transparent web analytics solution that guarantees 100% data ownership.
Unlike Google Analytics 4, Matomo comes with everything you need to comply with GDPR:
- Anonymization of all data
- Use of data for a single purpose
- A simple permission process and an opt-out option
- By default, first-party cookies are used
- Data collection is simple, and data erasure is quick
By learning about your target consumers in a way that respects their privacy, you can protect your firm from unjustified legal ramifications.
Read next: Why we use Mautic for marketing automation and personalisation