Google Analytics has been dealt another blow after the Italian DPA, the Garante, found a website to be non-compliant with GDPR through its use of Google Analytics.
This comes after several other European DPAs (data protection authorities) also ruled that Google Analytics was not compliant with GDPR laws earlier this year.
The Garante has declared that the website operator, Caffeina Media S.r.l., wasn’t complying with GDPR since it failed to adjust Google Analytics accordingly. The Garante has given the website operator 90 days to amend its processing so that it’s compliant with the law.
Among many other rules set out by GDPR, one requirement is that any PII (Personally Identifiable Information) collected by websites must be stored in a way that guarantees that this information will remain private, and won’t be made available to any other parties without the permission of the data subject (i.e. the website visitor).
The problem with Google Analytics is that data collected by GA is transferred to and stored in the US. This becomes an issue due to the Cloud Act.
In a nutshell, the Cloud Act gives the American security services the right to obtain electronic data where they believe that a crime may have been committed. This includes data that many European DPAs consider to be PII, such as IP addresses.
By essentially giving a third party the ability to access the PII of European citizens, the Garante has found that this violates GDPR.
Despite these rulings, website owners are still allowed to use Google Analytics on their websites. However, they have to do so in a way that complies with GDPR.
It is possible to make Google Analytics compliant with GDPR. Unfortunately, it’s not the most simple of processes, with there being many changes that have to be made. Even failing to make just one of these changes means that your website still isn’t fully compliant with GDPR, leaving you at risk of being fined.
In response to the Garante’s ruling, Google told TechCrunch:
“People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web. These organizations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance.”
While it is true that there is a responsibility on the part of the website owners to remain GDPR compliant, Google Analytics also has responsibilities as the data processor. And it’s not without reason that Google has been found to be non-compliant with GDPR on so many occasions: Google doesn’t exactly make it easy to use its analytics tool in a compliant manner.
Over the last few years, Google has continued to make changes to its products to make them compliant with EU law, but it seems as though they’re still falling short of the mark in the eyes of the DPAs.
This isn’t the first time that Google has had to respond to a European DPA’s decision to declare Google Analytics non-compliant.
Since the start of this year, a number of Data Protection Authorities have ruled similarly to the Garante.
The first DPA to make this ruling was the Austrian data protection authority (DSB) in January. It ruled that the use of Google Analytics on the website of a German website operator didn’t adhere to the “Schrems II” ruling.
Within weeks the Dutch, French and Norwegian DPAs had followed suit.
Even before this, Google had been hit with fines from the French, Swedish and Belgian DPAs for violating GDPR, for reasons such as:
Failing to delist search results after being requested to do so, violating the “right to be forgotten”;
Failing to receive permission before sending personalised ads;
Making it unnecessarily difficult to reject cookies on YouTube.
Google is currently reviewing the Garante’s ruling. Whether it will appeal against it or look at what additional changes it needs to make to its analytics tool remains to be seen.
For website owners, this is yet another reminder of why it’s important to ensure that your website is 100% GDPR compliant. As we’ve seen, it is possible to use Google Analytics in a GDPR compliant manner, but many others have started looking for alternatives that are compliant straight out of the box.