January 27, 2022

Google Analytics May Violate GDPR

European companies may need to find a new website analytics provider to replace Google Analytics — if they want to avoid legal action under GDPR.

NetDoktor, a medical news website based in Austria, was found to have violated the European Union’s General Data Protection Regulation (GDPR) by using the website analytics software Google Analytics, which shipped plain text data about European Union citizens to the United States. In the January 13, 2022, ruling, the Austrian data regulator Datenschutzbehörde found that the use of the Google Analytics cookie allowed the transfer of unique user IDs, IP addresses, and browser parameters to the US, where privacy protections were deemed “not effective, as they do not eliminate the monitoring and access options by US intelligence services.”

The legal case is one of many brought recently by noyb that aim to uphold the GDPR restrictions on personal data collected in the EU and transferred to American companies. Most notably, data giants like Google and Facebook have been targeted, but the suits also extend to other companies that haven’t traditionally been lumped in with the usual data collectors, like Stripe.

The EU’s argument is that tools like Google Analytics collect data, including assigning unique identifiers to EU citizens when those citizens visit the website. That data, processed by US data centers, can be used to individually identify a user when combined with other identifiers like IP address and browser type. The court is concerned mostly with how this data could be used by US intelligence agencies to monitor EU citizens.

What companies need to know about the Google Analytics decision

Google Analytics is the most widely used website analytics tool for one reason: it’s free. But the adage that has ruled tech for the last 20 years applies here as well: “If the product is free, you are the product.” In this case, data on visitors to your website is the product Google is interested in. This data helps Google build better algorithms to surface useful content for searchers on their search engine results pages (SERPs). According to BuiltWith, over 28 million websites currently use Google Analytics, with the UK, Germany, France, and the Netherlands all appearing in the top 10 countries where Analytics is used.

Should the courts decide that Google Analytics is violating GDPR rules, individual companies will need to remove the Analytics code from their website and find an alternative to Google Analytics that either provides local customer data storage and processing or provides data storage within the EU.