What Is Google Analytics and Does It Comply With GDPR? 

Web analytics is a crucial tool in today’s digital era. It is a gateway to becoming a more successful online business. However, using web analytics has data protection and privacy implications. This is especially the case for Google Analytics, which when used incorrectly, will definitely lead to penalties. This article will explain how to avoid these GDPR violations.

What Is Web Analytics?

It is important for website owners to know things like how long users spend on their sites, which content is most popular, where those users are located, and so on. This data is useful because it provides website owners with the information they need to make informed choices about the services and products they provide. Web analytics is the process of collecting and analyzing data about how users engage with a website. 

Web analytics is used primarily to learn about how site visitors interact with a given website. If you want to increase sales, attract more customers, and fine-tune your website's content to what your visitors find most engaging, you need to have a firm grasp on how they interact with it. Web analytics can tell you things like which countries or regions provide the majority of your site's visitors, for instance. If so, you may want to increase production and distribution of goods and services with a regional or national focus. Or, if you discover that some of your products or services are not popular with your audience, you will need to analyze why they are not successful and make adjustments accordingly. 

Website analytics is technically possible because of cookies and other tracking tools. These tracking tools are coded into websites and record information about site visitors. This information is sent to the web analytics service provider's servers, where it is processed and analyzed before being forwarded on to the website owner. Site owners are provided with aggregated and organized data that can be used to better understand their enterprise. 

Privacy-Friendly Analytics Tools

There are more and more web analytics tools available on the market. Multiple factors contribute to the wide range of available instruments. The main distinction, however, is whether or not the analytics tool is privacy-friendly. 

Privacy-friendly analytics tools do not collect, distribute, or sell individual users' information. Their main goal is to help software development companies with analytics. They also do not rely on cookies to perform their analytics functions. In most cases, you'll have to shell out some cash if you want to make use of analytics tools that respect your privacy, but there are also free analytics tools that are privacy friendly. 

Privacy-invasive analytics tools, on the other hand, track users' online activities and may sell their data to third parties, such as advertising agencies. Google Analytics and other modern web analytics tools rely on cookies to record visitors' actions while they browse. Because of this, Google Analytics cannot be considered privacy-friendly.

What Is Google Analytics? 

Google Analytics is a free web analytics service offered by Google that gives you the tools to better understand your website users. For Google Analytics to function, a small amount of Javascript code must be added to each website. This code is triggered whenever a new user accesses the site, and it sends information about each user to Google's servers. You can set up Google Analytics to generate reports that include metrics like total users, average session length, page views per session, and more. Site owners can use this data to learn more about their audience and tailor their services to them. 

Which Categories of Data Does Google Analytics Collect?

Simply by adding some code to your site, you can start using Google Analytics. All visitors to your site can be tracked individually with the help of this code. According to the Google Ads Data Protection Terms: Service Information, it gathers the following data: 

• Online identifiers, including cookie identifiers
• Internet protocol addresses and device identifiers
• Clients identifiers

In its privacy policy, Google also explains what data they collect and how they do it. They collect the following:

1. Information that you create or provide to them. This includes the information you provide to them by using their services, such as name, email address, phone number, and content that you create or upload while using Google services.
2. Information about your use of their services. This includes three types of information:
   undefinedundefinedundefined

Why Is Google Analytics the Most Popular Tool?

Google Analytics, like other analytics services, provides website owners with insights into their businesses by collecting and analyzing data from their users. But that isn't the whole story. In addition to Google Analytics, Google offers a plethora of other tools that can be useful to website owners. For instance, Google Analytics can be seamlessly integrated with Google AdWords, another Google advertising product where businesses can place bids to have their brief ads, services, and products displayed to users of the web. 

Although there are a number of analytics service providers available, Google Analytics is by far the most widely adopted platform for web analytics. A recent survey found that 85 percent of websites use Google Analytics to analyze their traffic. First, it's free and simple to integrate into websites; second, it's a Google product, so it has a lot of name recognition; and third, it's been around for nearly two decades, all of which contribute to its widespread adoption (since 2005). 

Google Analytics may not be able to maintain its dominance for much longer if it continues to earn a negative reputation for being "privacy-intrusive," especially in light of the growing concern for privacy and the increasing number of privacy-friendly analytics providers. 

Google Analytics and Privacy Laws

According to the majority of data privacy laws, identifying information obtained online qualifies as private information. Internet users leave digital footprints, or "online identifiers," that can be used in conjunction with other data collected by servers to reveal personally identifiable information. This can include Internet Protocol (IP) addresses, MAC addresses, device fingerprints, social media account handles, and more. 

For the most part, online identifiers are considered to be personal data and protected under data privacy laws. For example, the GDPR says that online identifiers from a person's device, like IP addresses, cookie identifiers, or other identifiers like radio frequency identification tags, can be linked to a person. The CCPA defines identifiers as including, among other things, IP addresses and online identifiers. Online identifiers are treated as personal data under the Brazilian LGPD. 

Google can access data about customers who visit a company's website where the Google Analytics tool has been installed. While this information does not include anything personally identifiable like a name, email address, or phone number, it does include things like online identifiers, cookie identifiers, and other data that can be used to identify a person when combined with other information. Because of this, the use of Google Analytics is subject to privacy and protection laws. 

Google Analytics and the GDPR

Recital 30 of the GDPR states that “natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Personal information is defined as any information about an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as, among other things, an online identifier, as stated in Article 4.1 of the GDPR. 

This means that online identifiers are subject to the same regulations as other forms of personal data under the General Data Protection Regulation. Since Google Analytics almost exclusively uses online identifiers, legally, website owners using Google Analytics must ensure they meet all GDPR requirements, such as consent requirements.

Is Google Analytics Compliant With the GDPR?

In December 2021, the Austrian Data Protection Authority ("Datenschutzbehörde" or DSB) found the data transfers to the US-based Google Analytics to be illegal under the GDPR. Another EU privacy watchdog, the French DPA-CNIL, issued a similar decision in February 2022, also finding that Google Analytics' data transfers are unlawful. Because Google Analytics is a service based in the United States, any data collected by using it will be sent there. This is a violation of the GDPR regulations. 

To understand how Google Analytics violates the GDPR, we must first understand the reasons for the decisions made against Google Analytics. 

The European Court of Justice (CJEU) issued a decision in June 2020 that is now commonly referred to as the "Schrems II." This decision completely invalidates the EU-US Privacy Shield. The Standard Contractual Clauses (SCCs) remained in effect, but only under strict conditions. As a result, businesses need to evaluate the level of data protection in the country where the data will be received on a case by case basis. 

As previously stated, Google Analytics sends the raw data collected to its servers in the United States, where it is aggregated, structured, and analyzed before website owners receive customized reports about their websites. In simple terms,  Google Analytics performs international data transfers. 

SCCs are one of the safeguards required for the international transfer of personal data. In particular, Google Analytics uses SCCs to transmit data to Google's servers in the United States.

Using SCCs for cross-border data transfers is perfectly acceptable. The situation is trickier in the United States, though. This is because Google can be compelled by US authorities to hand over the private information of EU citizens in accordance with Section 702 of the Foreign Intelligence Surveillance Act (FISA). Therefore, personal data of EU residents is not as safe and secure in the United States as it is in the European Union. 

This is a barrier to EU residents' exercising their rights as data subjects, including their right to have data deleted or restricted from being processed. According to the Austrian and French DPAs, the extra security measures provided by Google (such as a fence around the data centers, encryption of stored data, and "careful review" of each disclosure request) are insufficient and ineffective because they cannot guarantee that US intelligence agencies will not be able to monitor and access the stored data.

GDPR Compliance With GDPR

In light of the foregoing, it would be unreasonable to label Google Analytics as an unlawful service. Google Analytics itself is not illegal; ultimately, it is up to the data controllers to ensure compliance.  However, it is critical to understand that it may be invading web users' privacy and that several measures must be taken to both protect data subjects' rights and ensure you are not in violation of the GDPR. 

The General Data Protection Regulation lays out several exceptions that allow for the transfer of personal data outside of the European Union. Article 49 of the GDPR allows for specific derogations for situations where neither an adequacy decision nor appropriate safeguards exist for the international transfer of personal data. One of the specific derogations is if the person whose data is being transferred has given explicit consent to the transfer after being informed of the possible risks of such transfers if there isn't an adequacy decision and appropriate safeguards. Businesses can rely on this legal basis to transfer data to the United States if they provide users with a notice explaining the transfer and stating that data subjects' data will not receive the same level of protection and that there could be severe risks for the protection of personal data. If implemented correctly, this measure should be sufficient to resolve the issues identified in the EU DPA decisions and allow the use of Google Analytics. 

While installing Google Analytics, website owners should prioritize user privacy by selecting the most appropriate settings. To protect their users' privacy, website owners should implement measures like Google Analytics' IP Anonymization, disabling data sharing settings, and blocking ad tracking. 

These measures alone do not, however, ensure that Google Analytics is GDPR compliant. These are part of an effort to comply with the GDPR by not collecting personal data.

Conclusion

Website owners use Google Analytics to find out how well their sites are doing, and Google Analytics's efforts are crucial to our knowledge of user metrics. However, if Google Analytics isn't set up correctly, it will violate GDPR. Before installing Google Analytics on a website, businesses should familiarize themselves with the legal basis for transferring personal data internationally and make sure the most privacy-friendly settings are selected.