Google Analytics has been a cornerstone of web analytics for years, providing valuable insights into user behavior for millions of websites. However, its compliance with the General Data Protection Regulation (GDPR) has been a contentious issue. With the introduction of Google Analytics 4 (GA4), businesses are hopeful for a more privacy-friendly solution. But is GA4 truly GDPR compliant?
This article explores the complexities surrounding Google Analytics and GDPR compliance, delving into the legal landscape, key issues, and practical steps to ensure your analytics remain compliant.
Table of Contents
- What is GDPR
- Google Analytics and GDPR: A brief timeline
- The EU-US data transfer frameworks
- Safe Harbor and Privacy Shield
- The Invalidation of Privacy Shield
- EU-US Data Privacy Framework
- Key GDPR compliance issues for Google Analytics
- Frequently asked questions
- Future-proofing your web analytics
- Conclusion
What is GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law implemented by the European Union (EU) to protect the privacy and personal data of EU citizens. Effective since May 25, 2018, GDPR sets strict guidelines on how organizations collect, store, and process personal data, ensuring individuals have more control over their personal information.
The seven principles of GDPR
GDPR introduces seven key principles to safeguard personal data:
- Lawfulness, Fairness, and Transparency:
- Data must be processed lawfully, fairly, and transparently. Organizations must inform individuals about how their data is used.
- Purpose Limitation:
- Data should only be collected for specified, explicit, and legitimate purposes and not used beyond those purposes.
- Data Minimization:
- Only data that is necessary for the specified purposes should be collected.
- Accuracy:
- Data must be accurate and kept up to date. Inaccurate data should be corrected or deleted promptly.
- Storage Limitation:
- Data should only be kept for as long as necessary for the purposes for which it was collected.
- Integrity and Confidentiality (Security):
- Data must be processed securely to prevent unauthorized access, loss, or damage.
- Accountability:
- Organizations must demonstrate compliance with GDPR principles through proper documentation and practices.
Google Analytics and GDPR: a brief timeline
Google Analytics has faced significant scrutiny under GDPR since the regulation came into effect in 2018. The primary concern revolves around how it handles personal data, especially concerning data transfers between the EU and the US.
- Schrems I (2015):
- Max Schrems challenged Facebook's data transfers from the EU to the US, arguing that the Safe Harbor framework did not provide adequate protection against US surveillance. The Court of Justice of the European Union (CJEU) agreed, invalidating Safe Harbor in October 2015. This decision, known as Schrems I, highlighted the need for stronger data protection measures.
- Schrems II (2020):
- Following the invalidation of Safe Harbor, the EU and US established the Privacy Shield framework. However, Schrems again challenged this arrangement, arguing that it still did not protect EU citizens' data from US government surveillance. In July 2020, the CJEU invalidated Privacy Shield in the Schrems II ruling. This decision emphasized that US surveillance laws, such as FISA Section 702 and Executive Order 12333, do not provide sufficient protection for EU citizens' data. In 2023 the US and EU introduced a new Data Privacy Framework.
- Austrian Data Protection Authority (DPA) rules Google Analytics is in violation of GDPR (2022)
- French Data Protection Authority (DPA) rules Google Analytics is in violation of GDPR (2022)
- Italian Data Protection Authority (DPA) rules Google Analytics is in violation of GDPR (2022)
- Danish Data Protection Authority (DPA) rules Google Analytics is in violation of GDPR (2022)
- Finnish Data Protection Authority (DPA) rules Google Analytics is in violation of GDPR (2023)
- Norwegian Data Protection Authority (DPA) rules Google Analytics is in violation of GDPR (2024)
- Swedish Data Protection Authority (DPA) rules Google Analytics is in violation of GDPR (2023)
- Schrems III (2024?):
The EU-US Data Transfer Frameworks
Safe Harbor and Privacy Shield
Safe Harbor:
Safe Harbor was an agreement that allowed US companies to self-certify that they complied with EU data protection standards. It was invalidated by Schrems I due to inadequate protection against US surveillance.
Privacy Shield:
In response, Privacy Shield was established to provide a new mechanism for transatlantic data transfers, with enhanced protections and oversight. However, Schrems II found that Privacy Shield also failed to protect EU data adequately.
The Invalidation of Privacy Shield
The Schrems II ruling declared that Privacy Shield did not provide adequate protection for EU citizens' data against US surveillance laws. This left businesses relying on Standard Contractual Clauses (SCCs) for data transfers, but these too required additional safeguards.
Standard Contractual Clauses (SCCs):
SCCs are legal tools to ensure that data leaving the EU is protected according to EU standards. However, they require companies to assess and implement additional safeguards, which can be complex and resource-intensive.
EU-US Data Privacy Framework
In July 2023, the EU and US introduced the Data Privacy Framework, aiming to resolve these issues. However, privacy advocates, including NOYB, argue that it does not adequately address the core concerns, especially regarding US surveillance practices.
- Key provisions of the Data Privacy Framework:
- Enhanced Privacy Protections: New safeguards for data transfers.
- Redress Mechanisms: Options for EU citizens to seek redress if their data privacy rights are violated.
- Criticism of the Framework: Despite these improvements, many argue that the framework does not go far enough in curbing US surveillance powers. The issue will likely be seen by the Court of Justice (CJEU) again.
In short, there is a US-EU data transfer framework in place, but it has already been challenged again.
Key GDPR compliance issues for Google Analytics
- Uncertainty around the Data Privacy Framework:
- The newly introduced EU-US Data Privacy Framework aims to address data transfer issues, but many privacy experts question its adequacy. Previous frameworks like Safe Harbor and Privacy Shield were invalidated due to insufficient protections against US surveillance, and there is skepticism about whether the new framework will withstand legal challenges.
- Google Uses Visitor Data for Its Own Purposes:
- Data collected by Google Analytics is used to improve Google’s services, including advertising. This practice conflicts with GDPR’s purpose limitation principle, which states that data should only be used for the purpose for which it was collected. Thus, while you may use Google Analytics to understand your website traffic, Google leverages this data to enhance its own products and services (which is why they offer “free” analytics).
- Inadequate Consent Mechanisms:
- Google Analytics' consent framework has been criticized for not meeting GDPR's strict requirements. Consent must be freely given, specific, informed, and unambiguous. However, Google often places the burden of obtaining this consent on website owners, leading to inconsistent application and potential non-compliance. Additionally, because a visitor's IP address is transmitted as part of the network connection the moment the page loads the tag, that IP address (which is considered PII under GDPR) is exposed to Google regardless of whether the visitor has consented.
- Data Retention and Deletion:
- GA4 offers mechanisms for data deletion and retention, but these need to be configured correctly to comply with GDPR. While you can set data retention periods and delete data upon request, improper configuration can lead to unintentional violations, making compliance challenging.
- IP Anonymization:
- GA4 includes measures like IP anonymization, which is a step in the right direction for enhancing privacy. However, the platform's capability to collect and aggregate diverse datasets, from device information to user interactions, can reconstruct individual profiles. This aggregation can unintentionally convert non-personal data into PII, raising concerns about compliance with GDPR's stringent privacy standards.
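The IP exposure described above happens as soon as the browser fetches the GA4 tag, so the practical mitigation on the website owner's side is to not load the tag at all until a valid opt-in exists. The following consent gate is an added example, not code from the article or from Google; the measurement ID, the shape of the stored consent record and the 180-day validity window are assumptions.

```javascript
// Added example (not from the article or from Google): load the GA4 tag only after
// explicit consent, so the browser never contacts Google, and never reveals the
// visitor's IP, before opt-in. ID, record shape and validity window are assumptions.
const GA4_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, not a real property
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // re-prompt after ~6 months

// Consent Mode v2 signal keys, all denied until the visitor says otherwise.
function defaultConsentState() {
  return {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
  };
}

// A stored consent record counts only if it is an explicit, timestamped,
// unexpired opt-in; anything missing, malformed or stale is treated as "no".
function analyticsAllowed(record, now = Date.now()) {
  if (!record || typeof record !== 'object') return false;
  if (record.analytics !== true) return false;
  if (typeof record.ts !== 'number' || record.ts > now) return false;
  return now - record.ts <= CONSENT_MAX_AGE_MS;
}

// Consent update passed to gtag once the tag is allowed to load.
function consentUpdateFor(record, now = Date.now()) {
  const state = defaultConsentState();
  if (analyticsAllowed(record, now)) state.analytics_storage = 'granted';
  return state;
}

// Injects gtag.js only after a valid opt-in. Returns what it did, so the
// decision can be unit-tested outside a browser (no DOM: nothing is loaded).
function loadGa4IfConsented(record, doc = (typeof document !== 'undefined' ? document : null)) {
  if (!analyticsAllowed(record)) return { loaded: false, reason: 'no-consent' };
  if (!doc) return { loaded: false, reason: 'no-dom' };
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); };
  gtag('consent', 'default', defaultConsentState()); // must precede the tag
  gtag('consent', 'update', consentUpdateFor(record));
  gtag('js', new Date());
  gtag('config', GA4_MEASUREMENT_ID);
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA4_MEASUREMENT_ID);
  doc.head.appendChild(script);
  return { loaded: true, reason: 'consented' };
}
```

Call `loadGa4IfConsented(readConsentRecord())` from your consent banner's accept handler and on every page load; the request to googletagmanager.com only ever happens on the consented path.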
Frequently Asked Questions
- Does Google Analytics collect personal data?
- Yes, Google Analytics collects online identifiers, IP addresses, and device identifiers, which are considered personal data under GDPR.
- Can data encryption and pseudonymization in GA4 make it GDPR compliant?
- Encryption and pseudonymization are necessary steps toward meeting compliance requirements, but they do not eliminate all privacy concerns. Google Analytics collects a massive amount of data that, in aggregate, can become personally identifiable information (PII). Even anonymized data can be re-identified when combined with other data points, making it possible to trace it back to individuals.
- Can server-side tracking improve privacy compliance?
- Yes, it can improve compliance, but it does not eliminate the concerns, and it tends to involve high costs and technical challenges. Server-side tracking gives you more control over the data that is sent to Google, but it requires significant resources to implement and maintain. Depending on the data sent, it may also ultimately be subject to some of the other issues outlined in this article.
- What GDPR settings are available in Google Analytics?
- GA4 offers data deletion mechanisms, data retention settings, and IP anonymization. These settings can help you manage data in a way that aligns with the Data Privacy Framework as closely as possible, but you need to configure a number of settings correctly. Additionally, upcoming CJEU decisions or regional DPA court decisions may ultimately find that these measures are not enough for GA4 to meet GDPR requirements.
- Will GA4 pass the new legal scrutiny it’s under?
- Only time will tell, but international data transfer with insufficient privacy controls and recourse for EU citizens was at the heart of the Schrems I and II cases. It does not appear that much has changed, aside from GA4 introducing pseudonym-based tracking, which, as mentioned above, addresses only a fraction of the issues with GA4.
Future-Proofing Your Web Analytics
Given the ongoing challenges with Google Analytics and GDPR compliance, businesses should consider modifying their GA4 settings to be more GDPR friendly and implement strong consent mechanisms to ensure compliance with the ePrivacy directive as well as GDPR.
The landscape in which we do business is changing dramatically for marketers. Since GDPR was introduced, 15 US states have also introduced privacy laws. These laws are largely aimed at curtailing privacy infringements by companies like Google, so users of products like GA should expect further disruptions like the abrupt shift to GA4.
If you're still concerned about the apparent legal risk of continuing to use Google Analytics in the EU or in one of the 15 US states with a privacy law, we suggest reaching out to your attorney for additional support, or consider using a privacy-friendly analytics platform like Ziplytics. Ziplytics is a simple, modern, privacy-friendly Google Analytics alternative. We're an EU-based (Dublin, Ireland 🍺) business with strict EU isolation, and we host Ziplytics on German servers owned by a German company (Hetzner). This means you can rest easy knowing you can track your site analytics with greater ease and remain compliant with the more than 130 privacy laws globally. Try Ziplytics free for 30 days, no credit card required.
Conclusion
While the EU-US Data Privacy Framework offers a temporary solution, the future of Google Analytics under GDPR remains uncertain. But given that Universal Analytics (UA) has been ruled illegal in a number of EU regions, Google's own documentation for GA4, and existing case law, GA4 does not appear to be GDPR compliant.
Ready to make the switch? Try Ziplytics today!