You can continue to use Google Analytics, but you need to use a proxy solution that prevents direct communication between the end-user’s browser and Google. This has been pointed out by several data protection agencies, for example by The Danish Data Protection Agency (Datatilsynet) and The French Data Protection Agency (CNIL). The Danish Data Protection Agency also notes that if no satisfactory solutions can be found, the user should stop using Google Analytics and possibly find another software solution.
See: https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr or https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/sep/brug-af-google-analytics-til-webstatistik (danish text)
Most of the collected information will not be altered. You will for example continue to get information about the users’ navigation on your web site and where people make a purchase or leave the site. You will, however, lose out on personal information such as the precise geographic area of a user, since Google bases the geographical location of the user on the user’s IP number which must not be sent to Google.
A user visiting a site with GA (Google Analytics) embedded will have PII (Personally Identifiable Information) sent to Google servers. Authorities in the US might ask Google to hand over any information it holds related to the user and even require Google to assist to have such information decrypted (if relevant). This also applies to data stored on servers located outside of the US belonging to American/US companies. US authorities like the FBI or CIA have a legal right to do this because of FISA Section 702 legislation. The EU courts have judged that US authorities have more power than strictly necessary, and that EU citizens have too few legal rights when investigated by US authorities. This violates the GDPR.
See in Danish here p.21 or see in English here p.20
Only the sending of PII (Personally Identifiable Information) to Google (as a US company) is a violation of GDPR. If the information is sent in such a way, that it can be argued that even clever people from Google/FBI/CIA with access to all their resources will not be likely to identify the user, then the sent information will not be in GDPR violation.
No. Google Analytics cannot be used unless additional actions are taken to protect end-user privacy. The French Data Protection Authority (CNIL) has made an in depth legal and technical analysis of GA with respect to the GDPR, see https://www.cnil.fr/en/qa-cnils-formal-notices-concerning-use-google-analytics. Their conclusion is that GA cannot be configured in such a way that it fulfils the GDPR. The Danish Data Protection Agency states that if you want to use GA legally and you believe you have configured GA in such a way that it has become GDPR compliant then you must document this and be able to demonstrate how the various issues identified by the supervisory authority are irrelevant.
See https://www.datatilsynet.dk/english/google-analytics in english or https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internet-medier-og-apps-/google-analytics in danish
The Data protection agencies in Austria, France, Italy, and Denmark have ruled to halt using Google Analytics (GA) for data transfer to the United States without further safeguards. See https://www.contentgrip.com/eu-countries-ban-google-analytics. The European Data Protection Supervisor (EDPS) has indicated that GA is not GDPR compliant. Other European countries are likely to follow these decisions.
Some tracking technologies are GDPR compliant. It is important that these technologies do not store and/or process the data in the US (or other non-secure third-party countries) or are owned by companies from non-secure third-party countries.
Yes, if they send personal data to the US or to a US company.
No, there is no grace period.
See https://techcrunch.com/2022/02/10/cnil-google-analytics-gdpr-breach or in Danish https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internet-medier-og-apps-/google-analytics.
Sooner or later, it should be expected that fines are going to be given. See in Danish https://finans.dk/tech/ECE14425154/ekstremt-populaert-googlevaerktoej-er-ikke-laengere-tilladt-i-standardindstilling-millioner-af-danske-websider-ramt and see https://www.techzine.eu/news/privacy-compliance/76885/france-bans-google-analytics-fines-rise-to-20-million-euros/.
It is a good idea to at least begin planning how to become GDPR compliant and to transition without undue delay.
Yes. The data authorities also issue fines to small companies.
See in Danishhttps://www.datatilsynet.dk/hvad-siger-reglerne/myter-om-gdpr. See https://www.enforcementtracker.com. Note that any person believing that their privacy rights have been violated has a right to submit a complaint to the data protection authority.
No. Article 49 of the GDPR would have made this possible if the use was non-systematic and the use was not long-term or permanent. The use of GA is systematic and mostly long-term or permanent.
Yes, most likely. But the Trans-Atlantic Data Privacy Framework is not in effect and will not be for several months. The Trans-Atlantic Data Privacy Framework is likely to be challenged just as the earlier privacy shield agreement was challenged. It is very likely that the Trans-Atlantic Data Privacy Framework will also be judged to provide inadequate GDPR compliance, just as the earlier privacy shield agreement between the US and EU was judged to provide inadequate compliance.
See https://iapp.org/news/a/a-view-from-brussels-the-latest-on-the-dsa-dma-and-privacy-shield/ and https: //www.mondaq.com/unitedstates/privacy-protection/1239198/mark-your-calendars-for-schrems-iii-key-takeaways-from-the-latest-developments-in-the-eu-us-data-deal
Google has earlier made several improvements on GA to better comply with the GDPR. These improvements have not been enough to make GA GDPR compliant. An essential problem is that a request cannot be made directly to Google’s servers without revealing the end-user’s IP number, which is one of the core reasons for the data authorities to declare Google Analytics to be non-compliant, no matter how it is configured. Thus, it seems impossible to construct a solution unless it involves an independent third-party (e.g., a proxy server) not operated by Google.
Yes, they do. The location of a company's head office determines where a case should be raised. Therefore, for a Danish company, the Danish Data Protection Authority would handle the case. The Danish Data Protection Authority must also assess any activities that the company may have in other countries, such as Germany.
Furthermore, decisions made in any EU country apply throughout the entire EU. Therefore, the use of Google Analytics is also illegal in Germany due to GDPR regulations.
See in Danish: https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internationalt-/danmark-eu-og-resten-af-verden/internationale-virksomheder
Privacy Proxy is a cost-effective solution that ensures compliance with GDPR regulations when using Google Analytics and that preserves most of Google Analytics capabilities. It utilizes a proxy server to intercept and control the data being sent to Google, allowing for anonymization and other protective measures to safeguard PII (Personally Identifiable Information).
Server-side tracking refers to the process of transferring user data from the user to the company's own server and from there to Google Analytics, rather than sending user data directly from the user's device. This way companies can ensure that they are not sending network information like the IP address to Google. Special care must be taken to ensure that the information actually sent to Google is not personally identifiable, which typically is a large and complex task.
There are several alternative analytics solutions to Google Analytics that will ensure compliance with GDPR regulations. The Analytics provider should be in the EU and owned and operated by an EU company.
Please contact us if you have questions related to Privacy Proxy or Google Analytics and how PII Guard can help you and your organization.