Feel free to ask us anything regarding Google Analytics or our Proxy Privacy solution
Please provide your name.
Please provide your company name.
Please provide a shorter role.
Please provide a valid email address.
Please provide a valid phone number.
Please provide a shorter message.

Google Analytics GDPR FAQ

It is crucial for a website owner or administrator to understand how to do analytics in a way that complies with GDPR. In this FAQ page we will provide answers to common questions about Google Analytics and GDPR compliance, including how to use Google Analytics legally and what alternative solutions there may be.


How can I continue to use Google Analytics legally?

Analytics FAQ

You can continue to use Google Analytics, but you need to use a proxy solution that prevents direct communication between the end-user’s browser and Google. This has been pointed out by several data protection agencies, for example by The Danish Data Protection Agency (Datatilsynet) and The French Data Protection Agency (CNIL). The Danish Data Protection Agency also notes that if no satisfactory solutions can be found, the user should stop using Google Analytics and possibly find another software solution.

See: https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr or https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/sep/brug-af-google-analytics-til-webstatistik (danish text)


Will I continue to get the data I need if I use a proxy solution with my Google Analytics account?

Analytics FAQ

Most of the collected information will not be altered. You will for example continue to get information about the users’ navigation on your web site and where people make a purchase or leave the site. You will, however, lose out on personal information such as the precise geographic area of a user, since Google bases the geographical location of the user on the user’s IP number which must not be sent to Google.


Why does Google Analytics violate the GDPR?

Analytics FAQ

A user visiting a site with GA (Google Analytics) embedded will have PII (Personally Identifiable Information) sent to Google servers. Authorities in the US might ask Google to hand over any information it holds related to the user and even require Google to assist to have such information decrypted (if relevant). This also applies to data stored on servers located outside of the US belonging to American/US companies. US authorities like the FBI or CIA have a legal right to do this because of FISA Section 702 legislation. The EU courts have judged that US authorities have more power than strictly necessary, and that EU citizens have too few legal rights when investigated by US authorities. This violates the GDPR.

See in Danish here p.21 or see in English here p.20


Will all information sent by Google Analytics violate GDPR?

Analytics FAQ

Only the sending of PII (Personally Identifiable Information) to Google (as a US company) is a violation of GDPR. If the information is sent in such a way, that it can be argued that even clever people from Google/FBI/CIA with access to all their resources will not be likely to identify the user, then the sent information will not be in GDPR violation.

See https://www.gdpreu.org/the-regulation/key-concepts/personal-data/


Is it possible to configure Google Analytics to be compliant with GDPR?

Analytics FAQ

No. Google Analytics cannot be used unless additional actions are taken to protect end-user privacy. The French Data Protection Authority (CNIL) has made an in depth legal and technical analysis of GA with respect to the GDPR, see https://www.cnil.fr/en/qa-cnils-formal-notices-concerning-use-google-analytics. Their conclusion is that GA cannot be configured in such a way that it fulfils the GDPR. The Danish Data Protection Agency states that if you want to use GA legally and you believe you have configured GA in such a way that it has become GDPR compliant then you must document this and be able to demonstrate how the various issues identified by the supervisory authority are irrelevant.

See https://www.datatilsynet.dk/english/google-analytics in english or https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internet-medier-og-apps-/google-analytics in danish


Which countries consider Google Analytics to be non-compliant with GDPR?

Analytics FAQ

The Data protection agencies in Austria, France, Italy, and Denmark have ruled to halt using Google Analytics (GA) for data transfer to the United States without further safeguards. See https://www.contentgrip.com/eu-countries-ban-google-analytics. The European Data Protection Supervisor (EDPS) has indicated that GA is not GDPR compliant. Other European countries are likely to follow these decisions.

See https://www.loyensloeff.com/insights/news--events/news/data-protection-authorities-say-no-to-google-analytics-whats-next


What about other tracking technologies, are they GDPR compliant?

Analytics FAQ

Some tracking technologies are GDPR compliant. It is important that these technologies do not store and/or process the data in the US (or other non-secure third-party countries) or are owned by companies from non-secure third-party countries.


Does this problem apply to other technologies besides tracking/statistics?

Analytics FAQ

Yes, if they send personal data to the US or to a US company.


Is there a grace period?

Analytics FAQ

No, there is no grace period.

See https://techcrunch.com/2022/02/10/cnil-google-analytics-gdpr-breach or in Danish https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internet-medier-og-apps-/google-analytics.

Sooner or later, it should be expected that fines are going to be given. See in Danish https://finans.dk/tech/ECE14425154/ekstremt-populaert-googlevaerktoej-er-ikke-laengere-tilladt-i-standardindstilling-millioner-af-danske-websider-ramt and see https://www.techzine.eu/news/privacy-compliance/76885/france-bans-google-analytics-fines-rise-to-20-million-euros/.

It is a good idea to at least begin planning how to become GDPR compliant and to transition without undue delay.


I am with a small company. Do the data protection authority issue fines to small companies?

Analytics FAQ

Yes. The data authorities also issue fines to small companies.

See in Danishhttps://www.datatilsynet.dk/hvad-siger-reglerne/myter-om-gdpr. See https://www.enforcementtracker.com. Note that any person believing that their privacy rights have been violated has a right to submit a complaint to the data protection authority.


Can I continue to use Google Analytics, if I obtain explicit consent from all my users?

Analytics FAQ

No. Article 49 of the GDPR would have made this possible if the use was non-systematic and the use was not long-term or permanent. The use of GA is systematic and mostly long-term or permanent.

See https://www.cnil.fr/en/qa-cnils-formal-notices-concerning-use-google-analytics


Will the coming new Trans-Atlantic Data Privacy Framework between the US and the EU makes the problem go away?

Analytics FAQ

Yes, most likely. But the Trans-Atlantic Data Privacy Framework is not in effect and will not be for several months. The Trans-Atlantic Data Privacy Framework is likely to be challenged just as the earlier privacy shield agreement was challenged. It is very likely that the Trans-Atlantic Data Privacy Framework will also be judged to provide inadequate GDPR compliance, just as the earlier privacy shield agreement between the US and EU was judged to provide inadequate compliance.

See https://iapp.org/news/a/a-view-from-brussels-the-latest-on-the-dsa-dma-and-privacy-shield/ and https: //www.mondaq.com/unitedstates/privacy-protection/1239198/mark-your-calendars-for-schrems-iii-key-takeaways-from-the-latest-developments-in-the-eu-us-data-deal


Can a risk-based approach be used in the GA case, by considering the likelihood of data access requests by US authorities?

Analytics FAQ


See See https://fpf.org/blog/what-happened-to-the-risk-based-approach-to-data-transfers and https://www.cnil.fr/en/qa-cnils-formal-notices-concerning-use-google-analytics


Can Google be expected to come up with a fix that will make the problem go away?

Analytics FAQ

Google has earlier made several improvements on GA to better comply with the GDPR. These improvements have not been enough to make GA GDPR compliant. An essential problem is that a request cannot be made directly to Google’s servers without revealing the end-user’s IP number, which is one of the core reasons for the data authorities to declare Google Analytics to be non-compliant, no matter how it is configured. Thus, it seems impossible to construct a solution unless it involves an independent third-party (e.g., a proxy server) not operated by Google.


If a Danish company has a website in Germany, do they need our proxy on the German website?

Analytics FAQ

Yes, they do. The location of a company's head office determines where a case should be raised. Therefore, for a Danish company, the Danish Data Protection Authority would handle the case. The Danish Data Protection Authority must also assess any activities that the company may have in other countries, such as Germany.

Furthermore, decisions made in any EU country apply throughout the entire EU. Therefore, the use of Google Analytics is also illegal in Germany due to GDPR regulations.

See in Danish: https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internationalt-/danmark-eu-og-resten-af-verden/internationale-virksomheder

Potential solutions

Privacy Proxy

Privacy Proxy is a cost-effective solution that ensures compliance with GDPR regulations when using Google Analytics and that preserves most of Google Analytics capabilities. It utilizes a proxy server to intercept and control the data being sent to Google, allowing for anonymization and other protective measures to safeguard PII (Personally Identifiable Information).

Server-side tracking

Server-side tracking refers to the process of transferring user data from the user to the company's own server and from there to Google Analytics, rather than sending user data directly from the user's device. This way companies can ensure that they are not sending network information like the IP address to Google. Special care must be taken to ensure that the information actually sent to Google is not personally identifiable, which typically is a large and complex task.

Alternative analytics providers

There are several alternative analytics solutions to Google Analytics that will ensure compliance with GDPR regulations. The Analytics provider should be in the EU and owned and operated by an EU company.

Analytics FAQ

Still not sure?

Please contact us if you have questions related to Privacy Proxy or Google Analytics and how PII Guard can help you and your organization.