Google Analytics and GDPR: we interviewed a lawyer

November 1, 2022 / Published in: General from Ivan Messina

In recent days, we have been hearing a lot about the Google Analytics and GDPR case.

But where did the issue originate, and which services does it affect?

Does the case relate only to Google services, or can it be extended to all those in the US?

Would changing the privacy policy solve the Google Analytics problem?

To shed light on possible solutions and to understand what the possible consequences could be, we have examined several possible scenarios and answered these and other doubts with Frida Del Din of legaledigitale.com.

Table of Contents

Google Analytics and GDPR: what's going on?

Google Analytics And Gdrp Ivan Messina Interview

Ivan Messina of SupportHost.

Google Analytics And Gdrp Frida Del Din Interview

Frida Del Din of legaledigitale.com.

Below, you can see the video interview in which Frida answered in a clear and simple way to all the doubts on the GDPR and Google Analytics issue.

Also check out our past interview regarding the GDPR, processing log and the use of cookies on the website.

How the GDPR and Google Analytics case broke out and how to move

Let's see where the Google Analytics problem that is causing so much discussion came from.

What was the case that sparked the whole situation?

Could adopting Google Analytics 4 really solve it? Or are the solutions to be found elsewhere?

And what should we do while we wait? Could changes to the privacy policy be enough, or will it be necessary to remove the services from the site in all cases?Let's look at all the answers.

Let's start with the first question. What exactly happened with Google Analytics in the last few days?

It all started because of a measure issued by the Supervisory Authority in the first days of June. Let me specify that this is a measure that concerns a specific company that has been the subject of an audit.

The Supervisory Authority has established that the use of Google Analytics presents some criticalities. These are related to the fact that the data that is transmitted to Google Analytics is transferred to the United States. And, since 2020 the Court of Justice of the European Union has invalidated what was the protective umbrella that allowed us to safely transfer data to the United States.

I am talking about a protective umbrella not so much from the point of view of IT security as for the fact that, pursuant to the GDPR, the transfer of data to countries outside the European Union is free only to the extent that the legislation and practice of these countries offer guarantees similar to those offered by the GDPR to data subjects and data protection.

Since there is no such alignment, in fact the transfer becomes substantially prohibited, or rather it is prohibited, it could be carried out using additional tools, but even these in the end are considered as not adequate, not sufficient to protect the rights of the interested parties.

The provision was published on 9th June, since that moment the news has had a great resonance and has put all those who use Google Analytics for site analytics in crisis.

I heard someone say that with Google Analytics 4, the GDPR problem could be solved because IPs are anonymized and eventually this should be the only personal data, if I'm not mistaken. How does that work?

Even Google Analytics 3 allows you to anonymize IPs as an optional option and the Supervisory Authority, in fact, had found that at the time the company (from which the whole case started) did not have anonymized IPs. During the investigation, the company anonymized the IP addresses.

Unfortunately, however, the Supervisory Authority has found that the anonymization of IP addresses is not sufficient. This is because, especially if the user is logged in with their Google account, even if the data is anonymized and some of the characters of the IP address are obscured (3 out of 8), in some way Google still manages to identify the subject through the crossing of other data.

This is what emerges from the provision, even if it should be deepened. So it would seem that anonymization alone is not enough.

To return to the question, as regards Google Analytics 4, if the technical implementations are limited only to anonymization and to make it mandatory, we should then go and see specifically if there is any more measure.

So, switching to Google Analytics 4 does not solve the situation

It remains to be seen if Google is rolling out other features as well. Considering that GA4 will become mandatory from 1 July 2023, it is plausible that they are still implementing the product. So you can then see if, in its final version, other functions will also be included.

In the same way, the Trans-Atlantic act is expected to arrive and that it should be an adequacy decision that should solve this problem upstream. Let us remember, that the issue does not only concern Google Analytics, but also all the other tools that are provided by US companies.

We will return to this later with specific questions. In this case, however, who needs to find a solution? Google or the act you referred to?

In reality, according to the principle of accountability, the one who has to find a solution is the data controller, therefore the one who manages the site. Then surely Google will take note of the situation, as it has already happened in the past, and will find a solution.

Certainly, if the Trans-Atlantic Act arrives, the problem of the unequal treatment of laws at European and US level will be solved. At that point, therefore, there will be no further problems because the underlying problem is actually this: a US company can receive a request and have to exhibit the data even without having to comply with a series of guarantees. At least this was the conclusion of the Court of Justice after analyzing the issue.

This situation is also linked to the issue of social surveillance and to the law and practice that took place after the well-known events of 2001 and subsequent ones. The ideal solution, and the best of all, would therefore be the arrival of the Trans-Atlantic act.

To date, it is the data controller who must make his assessments. This is because the Supervisory Authority will also be able to take action against Google (as has already happened in the past), but when he opens an investigation on a company that manages a site, then the owner of the company will be responsible for it.

For now, the solution for those who have a site is to delete Google Analytics and then hope for the Trans-Atlantic act or hope that Google can fix it and you can continue to use the service. Do I have that right?

Yes, certainly the best solution, especially for those sites that use Google Analytics because of common use, but do not make a fundamental use of it in their strategy, is to search for similar tools that do not involve the transfer of data outside the European Union.

A popular alternative is Matomo

Yes, in fact it is one of the alternatives to Google Analytics that are proposed as possible.

Let's assume that I have a cookie banner and users who visit the site have the possibility to choose what type of cookies they want to accept and, for example, agree to use Analytics cookies. If I insert a wording in the privacy policy in which I say that I use Google Analytics and that the data can be exported outside Europe, etc. Could this be a solution or not?

It could be a solution. As we said before, in fact, there are exceptions by virtue of which it is possible to make the transfer. One of these exceptions, dictated by article 49 letter A of the GDPR, is the explicit consent of the interested party, provided that he is adequately informed of the risks of the transfer.

Google Analytics And Gdrp Cookie Preferences

This might seem like a solution, in reality the doctrine requires you to be careful. In fact, since it is a derogation, and therefore an exception to a prohibition, it must be applied in extraordinary, exceptional and not repeated cases.

It is clear that, if we apply to all visitors who may arrive on our site, this exceptional nature that the derogation must have could be disputed that it does not exist. And, therefore, such a solution could be considered insufficient.

So, let's say it's not a real solution

It is a solution that involves risks. The processing of personal data, as trivial as it may seem, under civil law is equivalent to "carrying out dangerous activities", in the sense that the data are important.

It follows that it is necessary to have a proactive attitude and seek solutions that comply as much as possible with the law.

It may be, in some cases, that by balancing the various interests in the field, the data controller may also decide to assume the risk.

In this case it could decide to implement the solution, even if it is not ideal and is therefore not the maximum guarantee possible. The owner thus decides to implement the solution, in light of this premise, and to justify it, especially in the event that it should be challenged.

The most important thing is always to make an upstream assessment because all the legislation on the processing of personal data is based on accountability. So I am free to choose, but I have to give an account of the reasons for my choices.

Having made an assessment and taking risks may be, in a sense, less serious than not having assessed anything and having acted without thinking.

It is not enough that I enter in the privacy policy where the data ends and that the user accepts to be "authorized" to do so?

Exactly. Precisely for the principle of exceptionality we were talking about earlier. In some isolated or particular cases that derogation may apply.

Let's open a parenthesis by entering more into the technical to understand why evaluation is important. While it is true that data is "in danger" in the United States because it is acquired in some situations by the Intelligence, it is also true that Article 49 letter D (of the GDPR) provides for the exception of serious reasons of public interest.

This is the argument that was raised by the US government after the ruling, assuming that this type of legal basis could be used. That is to say that when the intelligence is accessed, I can invoke that kind of exception that justifies the transfer of data.

The problem is that it is not clear why the Court of Justice, on the other hand, maintains that in reality access requests are carried out without a judge's order or without well-founded suspicions. This parenthesis only serves to understand how complex the question is and, therefore, how difficult it is to find a solution.

GDPR, Google Analytics and other services of US companies: what to expect

The question that everyone is asking now is whether the situation of Google Analytics does not concern only this service but can also be extended to other US tools.

This is the case with other Google services and beyond.

Just think of the Facebook pixel and all the other services made in the USA.

But also, the very situation of hosting service providers that are offered by US companies while relying on servers in Europe. Does the server location matter in this case? Or should other factors also be taken into account?

Let's see what happens in all these situations.

At this point the question that comes to mind, and that I have also read everywhere on the various groups I frequent, is whether this situation could trigger a domino effect. If I can't use Google Analytics, can I continue to use the Facebook pixel, for example?

This is a problem because actually the issue is not just about Google Analytics. The problem must be addressed in all cases in which I go to use tools that transfer or can transfer data to a country that has not been deemed, by the European Union, adequate for the transfer and, therefore, safe.

if for now, to go back to the example above, the problem has not yet emerged explicitly regarding the Facebook pixel, do you still recommend deleting it from the site?

Here, too, assessments must always be made on a case-by-case basis. Certainly, even if the Supervisory Authority has not expressed himself in relation to that specific tool, an evaluation must be made on all the tools that are being used.

Without going into detail, regarding the Facebook pixel, we could consider that we already have users who are on the social network, and therefore their data is already out, but we must also consider how the tool works.

Google Analytics And Gdrp Social Networks Integrations

Furthermore, it is necessary to take into account how it is used and, above all, what the user's role is. This case, in fact, is different from that of Analytics in which the user undergoes, in a certain sense, the choice of the data controller who has the right to use the tool on his site or not.

In the case of social networks, the discussion could be broader precisely because the user has agreed to enter and create an account. Even in this case, however, it should be emphasized that it is necessary to evaluate carefully.

Suppose I use a service where European user data is uploaded that has servers in Europe, but the company is in the US. Can I continue to use it or would it be better to avoid doing it?

The measure that is causing so much discussion offers an answer to this type of situation. In this case, the US company is subject to US federal law. So, regardless of where it can have the servers, it is clear that if it is under the control of a company subject to that jurisdiction, it is easy to think that in front of a request it has no way to escape just because the servers are somewhere else.

Google Analytics And Gdrp Server Policies

We have all seen that in these two years Google has founded the Irish company and, recently, it also has the Italian one. However, it is also true that the US company controls these other companies. In the case that the Supervisory Authority examined, the data was transferred to the United States and encrypted, but the decryption key was in the possession of the US company, so let's go back to the same speech as before.

There is, therefore, always the risk given that the company must respond since it is a government request. In conclusion, having the servers in Europe is not a sufficient solution, because it depends on who can have access to that data.

Could the blocking of Google Analytics cause a domino effect and thus render all services in the U.S. illegal? That is my understanding, yes.

More than illegal, I would say that they present these problems we have talked about. Google, but also other companies, are aware of this situation and are trying to solve it.

Google Analytics And Gdrp Agreementsbe Tween Several Parties

For example, in June last year, the European Commission approved the new standard contractual clauses that can be included in contracts to add extra measures, precisely in cases where transfers are made to countries that have not made an adequacy decision.

These clauses and supplementary measures may be sufficient, but in reality, they are not because in the end the real solution will be there when we have an agreement between the European Union and the United States that offers guarantees in accordance with the European regulation.

Do the various Google services like Drive and Gmail suffer from the same problem? If I am using Gmail for work and I send an email to Frida, I must at least have her email address

On closer inspection yes, because there is always the concept of data and where it is stored or under the control of who is stored.

And how does it work for Adsense? Is there an exchange of personal data or not if I use banners on my site?

In this case, it is also necessary to do an in-depth analysis to understand how exactly the tool works and if there is data tracking.

What needs to be done now?

Now that we have examined the issue and understood that we must also be careful with the use of other tools, let's see what needs to be done from here on out and how much time we have to adapt to avoid risks.

Do you know if measures have already been taken towards sites that use Google Analytics or is it still early?

As for the Italian Supervisory Authority and in fact I believe also the French one, there is a provision which ends with the company's warning and the assignment of a 90 - day term to find a satisfactory and alternative solution.

At the moment there are no financial penalties, I always speak of the present case. And there have been evaluations by the Supervisory Authority that have led to consider this type of violation, I am talking about Google Analytics etc., as a minor violation.

All this refers only to the present case.

Surely the nature of the data that is processed is the same for all site owners. The fact that the Company was particularly cooperative and took steps to fix things also played a role here. This behavior is also viewed positively.

Of course, we must consider that since it is the first, this treatment may not be reserved for the next ones.

The problem affects everyone, even at the level of public bodies that perhaps use some of these tools.

What is the latest date to delete Google Analytics from all sites?

There is no single date because the only data is 90 days starting from 9 June, but only for the company that was the subject of the assessment.

We can assume that we can take some time to evaluate the situation well, deepen it and update our choices, in fact, the choices we make are never final.

So, today, in the light of this further data, it is appropriate to reflect and analyze according to your site and your business and make decisions. Furthermore, let's not forget that alternatives can also be explored.

Conclusion

Thanks to this valuable interview with Frida Del Din, we have clarified the Google Analytics and GDPR issue. We have seen where the problem originated and how compliance with the regulation that protects data protection is increasingly important.

We just have to follow the advice Frida offered us in conclusion: evaluate the situation and adapt our choices, perhaps even opting for alternatives.

And what do you think? Is the situation clearer to you now? But above all, are you already moving to test alternatives to the well-known Google service?

Ivan Messina

Founder of SupportHost. With over 10 years of experience in web hosting, he works every day to improve the service and pays attention to each and every customer.

Cookie	Duration	Description
_dc_gtm_UA-*	1 minute	Google Tag Manager cookie for controlling the loading of a Google Analytics script tag.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
promocode	Until the coupon code expires, maximum 1 year	This cookie is set when you visit a page via a link that includes a discount code. The name of the discount code is remembered to remind the user that they can get a discount on the service.
RefID	90 days	This cookie stores the ID of the referral that sent the friend so that if the customer places an order within the next 90 days following the referral, the referral receives a gift for it.
user_currency_pref	11 months	This cookie is set to remember the user's currency.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
WHMCSAffiliateID	90 days	This cookie stores the ID of the affiliate that made the referral so that if the customer places an order within the next 90 days following the referral, the affiliate receives a commission for it.
WHMCSInstanceID	session	This cookie stores the unique session ID for each visitor and enables variables to pass between page loads. The cookie only contains a reference to a session on the web server. The user's browser won't store any personal information.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.

Cookie	Duration	Description
cf_chl_*	1 hour	This cookie is used to check whether the Cloudflare Edge server supports cookies.
cf_chl_prog	1 hour	These cookies are used by Cloudflare for the execution of Javascript or Captcha challenges. They are not used for tracking or beyond the scope of the challenge.
cf_chl_rc_ni	1 hour	These cookies are for internal use which allows Cloudflare to identify production issues on clients.
cf_chl_seq_*	session	These cookies are used by Cloudflare for the execution of Javascript or Captcha challenges. They are not used for tracking or beyond the scope of the challenge.
pvc_visits*	1 day	These Cookies are used by Posts View Counter plugin to count visits to specific posts, pages and tutorials.
WHMCSLinkID	364 days	This cookie remembers the link the visitor followed to get to our website, and the system uses it when receiving an order, to be able to associate the conversion with a link to be able to provide stats.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__stripe_mid	1 year	This cookie is used to prevent credit card frauds.
__stripe_sid	1 year	This cookie is used to prevent credit card frauds.
WHMCSUser	364 days	This cookie is used for the remember me functionality of the client area. The system only sets it if a client chose to have the system remember their details, ensuring that they don't need to log in multiple times. It is persistent and lasts for 365 days, or until logout.