In a fast-changing digital landscape, the use of data for marketing purposes is evolving. On the question of whether Google Analytics is banned, Europe is only scratching the surface with recent legislation. The protection of personal data is a topic with wide-reaching consequences, and it matters whether you're a business based in the USA, Australia, or anywhere else in the world.
In this handy guide, we've compiled a rundown to make sense of the most common questions regarding GDPR, Google Analytics, data privacy, and more.
Is Google Analytics Banned in Europe?
No, Google Analytics is not banned in Europe. However, on January 13th 2022, a court in Austria ruled that use of Google Analytics on any site within the European Union is a breach of GDPR. Following this ruling, many are expecting that other EU countries will follow suit and gradually declare the same. In fact, reports say Dutch authorities are already reviewing the possibility.
Google Analytics is instrumental in measuring website performance, and is used universally across companies large and small. Consequently, the ruling is causing shock waves of concern within the digital world about exactly what this decision means.
Below, we've summarized the facts as they stand today, and the steps we would recommend taking to minimize any impact to your business.
What has the Austrian Data Protection Authority said?
In short, the use of Google Analytics in the EU is a breach of data protection laws (as it stands on Jan-31-2022).
The Austrian Data Protection Authority (ADPA) stated that use of Google Analytics leaves EU citizens' ‘personal data’ (as defined by the GDPR) at risk of being made available to the US government.
This is the conclusion they made: “the Google Analytics tool (at least in the version of 14 August 2020) can thus not be used in accordance with the requirements of Chapter V of the GDPR.”
The Austrian decision has implications not just for Google Analytics but for the tech industry as a whole. How tech companies like Facebook manage international data transfers, data flows, and data sharing is under increasing scrutiny.
So the question is...
What is GDPR?
GDPR stands for General Data Protection Regulation. It aims to protect and restrict the collection and use of personal data. EU Data Protection Authorities implemented this legislation in the wake of the Cambridge Analytica scandal, and GDPR is, comparatively, some of the strictest regulation of this nature in the world.
The most notable impact for a user was the introduction of cookie pop ups, which required a user to explicitly approve their use.
Why is there a breach? The issue of data transfers
Google holds a lot of data in the US, which is subject to different data protection laws than the EU. These laws require companies like Facebook and Google to hand over data to the US authorities if required. The potential for accessing personal data is why it was ruled incompatible with GDPR.
US surveillance laws have come up in other discussions involving digital data collection, with another EU court recently saying that “even the placement of a cookie by a US provider is violating EU privacy laws. No proper protections against US surveillance were in place”.
What data is being collected?
The personal data in discussion here are personal user identifiers, IP addresses, and browser parameters.
The court documents stated “due to a possible configuration error, the respondent did not activate the IP anonymisation function in all cases.” By not anonymising the IP address, the user could be identified, which under the GDPR is a major breach.
Even within Australia, PII collection is illegal and can result in a breach of Google’s terms of service, after which Google can delete your account. This includes data like email addresses and phone numbers, which are sometimes found in form submission data that is sent back to Google Analytics (in the URL).
What has Google said?
Google’s published response puts responsibility for data privacy back on Analytics users. Published on the day of the court's ruling, Google directly addressed data privacy and how GA is used.
A few days later, Google called for a new legislative framework to regulate data transfer between the US and Europe.
Although it appears this is Google calling for change as a response to the ADPA’s decision, it should be noted the court ruling still stands.
I run a website, should I stop using Google Analytics?
Something important to note here is that the website providers themselves were fined for the breach, rather than Google as an entity. The good news is that there are technical measures you can take when using Google Analytics on your website to limit the collection of this data and protect yourself.
These are not legal recommendations but general, helpful guidelines.
Websites in the EU
For EU companies or companies that operate in the EU, it's important to make sure the way you have set up your analytics tracking carefully considers data privacy. Ensure you are utilizing the available settings to limit the data you are collecting and increase compliance with GDPR while the dust settles and we get a confirmed solution from Google or a court.
Websites in Australia
These rules don’t apply to anyone operating in Australia. However, there's a good chance similar decisions or even additional measures may come into effect soon, so we would recommend future-proofing your Google Analytics set up.
If your primary market is not in the EU, but you still serve an EU country - any data you collect from that country is subject to the GDPR rules we have outlined. We would therefore recommend covering all bases and ensuring your setup considers data privacy as a whole.
What should I do in the short term?
Google says it does not allow for the collection of personally identifiable information (PII). However, part of the problem is that Austria’s DPA and Google have different definitions of what constitutes PII: in this instance, IP addresses and user IDs.
As a website publisher - there are a few steps to increase compliance with GDPR while still allowing you to effectively utilize Google Analytics data.
1. Turn on IP anonymisation or IP masking
This means you only collect a portion of the user’s IP address. Basic geographic targeting is still enabled, but with less accuracy.
2. Disable data collection on sensitive pages
Consider which pages of your site may make users vulnerable if their data were to be collected. This will depend on your industry and may be more obvious in some than others. For instance, financial services should not track audience insights and behaviour within their online banking portals.
3. Limit the length of time you store personal data for
Implementing a user deletion API increases compliance with a user’s right to be forgotten. You should also consider how long you really need certain types of data to be stored for. GA has many settings for automatic deletion which can limit the amount of personal data you are holding at any one time.
4. Implement a clear and easy to opt out of cookies policy
We previously touched on this one. Cookie policies are an industry standard; however, some companies are still getting into trouble for not properly implementing them. Your cookies policy should pop up on a user's first visit to your site, and it should be just as clear and easy to opt out as it is to opt in. It's not enough to simply state ‘by proceeding on our site, you accept cookies’.
5. Enable consent mode
Consent mode requires a user to explicitly approve ads and analytics tracking before GA begins to collect the PII in question. At the moment, this is a beta feature of GA. However, the express consent feature of consent mode seems to bring personal data collection much more in line with EU data privacy.
6. Server side Google Tag Manager (GTM)
At the moment, most web tracking is done client-side — that is, on the user’s web browser. The information that sites collect is sent from the website they’re on to the third-party platform like Google Analytics. But it’s the browsers themselves (e.g. Google Chrome, Safari) that ultimately control how the cookies can be used and set.
Server-side tracking involves a single tag on a site which then sends data to a secure server that houses all the measurement tags the site is using (like Google Analytics, or the Facebook (Meta) Pixel). The secure server then filters the personal data that is sent through to the third-party platforms which reduces the likelihood of leaks of personally identifiable information.
7. Consider migrating to GA4
The site discussed by the court in this case was using Universal Analytics. Google introduced GA4 (an updated version of Analytics which is much more privacy focussed) in 2021. Some of the elements we have suggested setting up are automatic in GA4. For example, anonymize IP is always on, there is consent mode support, there is an event-based collection model and more.
This is not yet confirmed as a solution to the GDPR issues by a court of law. However, making sure you are set up for GA4 means you're more equipped and ready if any new privacy updates are rolled out by Google as a response to this case.
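Steps 1, 2, 5 and 6 above, combined into one server-side filter that decides what may be forwarded to an analytics platform. This is an added example, not code from this guide, Google or GTM; the path prefixes, the hit field names, the `REDACTED` placeholder and the IP masking scheme are assumptions.

```javascript
// Added example: hypothetical server-side filter, not Google's or GTM's code.
const SENSITIVE_PREFIXES = ['/banking/', '/account/']; // assumed site paths
const EMAIL = /[^\s@/?&=]+@[^\s@/?&=]+\.[a-z]{2,}/gi;
const PHONE = /\+?\d[\d\s().-]{7,}\d/g; // broad on purpose: also hits long numeric IDs

// Step 1: keep only part of the address. Assumed scheme: zero the last
// octet of IPv4 and the last 80 bits (five groups) of IPv6.
function maskIp(ip) {
  if (!ip.includes(':')) {
    const o = ip.split('.');
    return `${o[0]}.${o[1]}.${o[2]}.0`;
  }
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const zeros = ip.includes('::') ? Array(8 - h.length - t.length).fill('0') : [];
  return [...h, ...zeros, ...t].slice(0, 3).join(':') + '::';
}

// Redact e-mail addresses and phone numbers from query values (form data in the URL).
function scrubUrl(rawUrl) {
  const u = new URL(rawUrl);
  const clean = new URLSearchParams();
  for (const [k, v] of u.searchParams) {
    clean.append(k, v.replace(EMAIL, 'REDACTED').replace(PHONE, 'REDACTED'));
  }
  u.search = clean.toString();
  return u.toString();
}

// Step 6: returns the hit to forward, or null when nothing may be sent.
function filterHit(hit) {
  if (!hit.analyticsConsent) return null; // step 5: no explicit consent, no hit
  const path = new URL(hit.pageUrl).pathname;
  if (SENSITIVE_PREFIXES.some((p) => path.startsWith(p))) return null; // step 2
  return { pageUrl: scrubUrl(hit.pageUrl), clientIp: maskIp(hit.clientIp) };
}

// Constructed sample hits (documentation IP ranges and example.com).
const samples = [
  { pageUrl: 'https://shop.example.com/thanks?email=jane%40example.com&phone=0400123456&plan=pro',
    clientIp: '203.0.113.87', analyticsConsent: true },
  { pageUrl: 'https://shop.example.com/banking/transfer',
    clientIp: '203.0.113.87', analyticsConsent: true },
  { pageUrl: 'https://shop.example.com/pricing',
    clientIp: '2001:db8:85a3:8d3:1319:8a2e:370:7348', analyticsConsent: false },
];
for (const s of samples) console.log(filterHit(s));
```

Only the first sample is forwarded, with its query values redacted and its IP truncated; the banking page and the hit without consent are dropped before anything leaves the server.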
What happens in the long run?
At this point, the majority of long term theories are little more than speculation.
One solution is that US providers host European data within the EU, where it would not be subject to any requests from US authorities.
A second possibility is that Google will roll out an analytics update which more closely aligns with universal data protection laws and allows GA users to operate internationally without having to take steps to comply with GDPR on a case by case basis.
The key challenge is that every country will have its own data protection authorities, and each may rule differently on the legal issues involved.
We’re here to help you make sense of this all
We know that these changes can seem overwhelming and we may even have stirred up some new questions. At OMG we are always available to talk and help you overcome, adjust and re-strategise for the ever changing market.
Whether you're looking to make a switch to Google Analytics 4, or more broadly looking to launch or strengthen a multichannel Digital Marketing campaign, our Gurus can help.
Disclaimer: We are not legal experts. While we are well versed in the digital space, please seek advice from a legal professional should it be relevant. We cannot accept liability for any reliance on the above information.