Google Analytics has been the go to tool for website owners for almost two decades. With this kind of longevity, coupled with the powerhouse name of Google attached to it, it’s no surprise that many people assume that the service is both the best one to use, and the most trustworthy.
However, it’s recently been questioned whether the Google Analytics tool is completely in line with regulations. In particular, the tool has been accused of not being completely compliant with GDPR - and for good reason too.
But to understand why the Google Analytics tool is being accused of not being compliant, you first have to understand what it’s not complying with.
Many countries have their own privacy laws. Where the UK has the Data Protection Act and Brazil has the LGPD, the EU has GDPR.
GDPR stands for General Data Protection Regulation, and is the EUs privacy and security law which protects all EU residents.
This means that even if a business or website is based outside of the EU, it must adhere to GDPR if it targets residents of the EU.
The GDPR is a law that consists of 99 articles and 88 pages, so it’s fair to say that it covers a lot of content. However, the content can be boiled down to the data protection principles. Data processors (i.e Google Analytics) have to comply with these seven principles:
Under these principles comes several rights that EU residents have over their personal data, such as the right to be forgotten.
Over the last few years, Google has been hit by fines from the data protection authorities of several european countries, as well as rulings that their analytics tool isn’t up to GDPR standards.
Several issues have been raised by these data protection authorities, among others, over Google Analytics GDPR compliance. The main issues that have been raised are:
In particular, some of the rulings that have been made by the various different authorities are:
In January 2022, the Austrian data protection authority (DSB) ruled that the use of Google Analytics on the website of an Austrian company didn’t adhere to the “Schrems II” ruling, made by the EU Court of Justice in 2020.
In the same month the AP, the Dutch data protection authority, announced that the Google Analytics tool didn’t do enough to protect the data of website visitors.
The Norwegian data protection authority, the Datatilsynet, has released a similar opinion to the one issued by the AP, and is itself currently investigating two possible cases of data violation by Google Analytics.
In February, the French data protection authority (CNIL) ruled similarly to the DSB.
As a result of these rulings, Google has been handed several fines since GDPR came into effect:
While these fines will hardly break the bank for Google, they do show that even large companies will be held accountable to EU law.
Since coming under scrutiny, Google has made some changes to meet GDPR standards. Despite this, it remains worryingly easy for website owners to violate GDPR through their use of Google Analytics.
For example, Google’s data deletion mechanism allows you to delete visitor information if requested to do so. But it seems that information can only be easily deleted en masse, meaning that if you want to delete the information for one particular visitor, you need to have some proficiency in coding, plus the help of the Google Analytics User Deletion API.
For website owners, this means that there’s still a burden on your shoulders to ensure that you’re using Google Analytics in a lawful manner. But as we’ve seen through the number of different allegations against Google, there are many missteps that can be made that can land you in hot water with a potentially hefty fine.
It is possible to take steps to use Google Analytics and be GDPR compliant if you don’t wish to change analytics tools.
of visitors to your site, plus a more simple and streamlined tool. This makes it GDPR compliant straight out of the box.
With several other European countries looking further into whether Google Analytics has breached GDPR, it looks like Google still has a lot of work to do to get the data protection authorities on side. With this in mind, we’re of the opinion that website owners have better and safer alternatives to Google Analytics. Time will tell whether website owners also come to have the same opinion, and opt for more privacy friendly options.