Products   ▾Why Scale8   ▾Community   ▾
← All posts

Is Google Analytics GDPR compliant

13/04/2022 - written by: David Gondelle

Google Analytics has been the go to tool for website owners for almost two decades. With this kind of longevity, coupled with the powerhouse name of Google attached to it, it’s no surprise that many people assume that the service is both the best one to use, and the most trustworthy.

However, it’s recently been questioned whether the Google Analytics tool is completely in line with regulations. In particular, the tool has been accused of not being completely compliant with GDPR - and for good reason too.

But to understand why the Google Analytics tool is being accused of not being compliant, you first have to understand what it’s not complying with.

What is GDPR?

Many countries have their own privacy laws. Where the UK has the Data Protection Act and Brazil has the LGPD, the EU has GDPR.

GDPR stands for General Data Protection Regulation, and is the EUs privacy and security law which protects all EU residents.

This means that even if a business or website is based outside of the EU, it must adhere to GDPR if it targets residents of the EU.

The GDPR is a law that consists of 99 articles and 88 pages, so it’s fair to say that it covers a lot of content. However, the content can be boiled down to the data protection principles. Data processors (i.e Google Analytics) have to comply with these seven principles:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Under these principles comes several rights that EU residents have over their personal data, such as the right to be forgotten.

What GDPR requirements is the Analytics tool not meeting?

Over the last few years, Google has been hit by fines from the data protection authorities of several european countries, as well as rulings that their analytics tool isn’t up to GDPR standards.

Several issues have been raised by these data protection authorities, among others, over Google Analytics GDPR compliance. The main issues that have been raised are:

  1. Google stores the privacy information of EU residents on its US based cloud servers. The issue with this is that Google can’t stop US intelligence services from accessing that data thanks to the Cloud act.
  2. Google has been found guilty of not respecting the “right to be forgotten”, in which a user can ask Google to delete any privacy information previously given to them.
  3. Google has been fined for not making it clear enough how to reject cookies.
  4. Information collected by Google Analytics can be linked back to a person.

In particular, some of the rulings that have been made by the various different authorities are:

  • In January 2022, the Austrian data protection authority (DSB) ruled that the use of Google Analytics on the website of an Austrian company didn’t adhere to the “Schrems II” ruling, made by the EU Court of Justice in 2020.

  • In the same month the AP, the Dutch data protection authority, announced that the Google Analytics tool didn’t do enough to protect the data of website visitors.

  • The Norwegian data protection authority, the Datatilsynet, has released a similar opinion to the one issued by the AP, and is itself currently investigating two possible cases of data violation by Google Analytics.

  • In February, the French data protection authority (CNIL) ruled similarly to the DSB.

Fines faced by Google

As a result of these rulings, Google has been handed several fines since GDPR came into effect:

  1. In 2019, CNIL handed Google a €50 million euro fine for not properly gaining the consent of users to use their data for personalised advertising.
  2. In 2020, the SDPA (Swedish Data protection Authority) gave Google a €7 million fine for not removing search result listings after being requested to do so, which violated “right to be forgotten” rules.
  3. Also in 2020, Belgian DPA imposed a €600,000 fine on Google Belgium, again for not respecting the right to be forgotten.
  4. In 2022, Google Ireland was fined $102 million by CNIL for how it implemented its cookie consent on youtube, stating that it should have been implemented in a way that made it simpler for users to refuse cookies.
  5. CNIL also fined Google LLC $68 million for the same reason in the same year.

While these fines will hardly break the bank for Google, they do show that even large companies will be held accountable to EU law.

How has Google responded?

Since coming under scrutiny, Google has made some changes to meet GDPR standards. Despite this, it remains worryingly easy for website owners to violate GDPR through their use of Google Analytics.

For example, Google’s data deletion mechanism allows you to delete visitor information if requested to do so. But it seems that information can only be easily deleted en masse, meaning that if you want to delete the information for one particular visitor, you need to have some proficiency in coding, plus the help of the Google Analytics User Deletion API.

What does this mean for website owners?

For website owners, this means that there’s still a burden on your shoulders to ensure that you’re using Google Analytics in a lawful manner. But as we’ve seen through the number of different allegations against Google, there are many missteps that can be made that can land you in hot water with a potentially hefty fine.

It is possible to take steps to use Google Analytics and be GDPR compliant if you don’t wish to change analytics tools.

Alternatively, you could try out Scale8’s analytics tool, which we believe to be a better option than Google Analytics in several ways, such as by protecting the data

of visitors to your site, plus a more simple and streamlined tool. This makes it GDPR compliant straight out of the box.

What’s next for Google Analytics?

With several other European countries looking further into whether Google Analytics has breached GDPR, it looks like Google still has a lot of work to do to get the data protection authorities on side. With this in mind, we’re of the opinion that website owners have better and safer alternatives to Google Analytics. Time will tell whether website owners also come to have the same opinion, and opt for more privacy friendly options.

Next Post →
An Open-source alternative to Google Analytics