Google Analytics: Privacy Friend or Foe?

The truth is that most of us have either used or installed Google Analytics on client websites. It’s relatively easy to use, provides great insights on website performance, and gives excellent clues on how to improve engagement.

In fact, Google Analytics has become so popular that it’s used on over 28 million websites and many agencies usually have it listed in their standard operating procedures for building new websites.

Even though Google Analytics is a great tool that many of us are intimately familiar with, Google Analytics has also made headlines recently for a different issue – privacy law non-compliance.

In this article, we will discuss the privacy implications of using Google Analytics so that you can protect both yourself and your clients.

Disclaimer: The information contained in this article is provided for awareness purposes only, and should not be construed as legal advice. Consult your attorney for legal matters.

What personal data does Google Analytics collect?

The purpose of Google Analytics is to track someone as they use a website to see what pages they clicked on, how they used the website, and more. This tracking does not happen by magic, but rather through the collection of personal data. Google Analytics collects a trove of personal data, including:

  • IP addresses
  • Client IDs, which consist of a string of numbers that is unique to the user of the website
  • Information as to how the individual used your website

While the above list may seem innocuous, personal data such as the data collected by Google Analytics is regulated under multiple privacy laws, non-compliance with which may result in fines and lawsuits.

In addition, whenever Google Analytics is placed on a website, the owner of that website becomes responsible for compliance with those laws and is required to ensure that any tools that are installed on that website are compliant.

Google Analytics and privacy laws 

While the criteria for determining whether a particular privacy law applies are unique to each privacy law, generally, privacy laws do not apply to businesses that do not collect any personal data.

If your website does not have a contact form, email newsletter, sign-up form, account creation form or an analytics tool that collects personal data, installing Google Analytics will mean that you are now collecting it.

This will thereby subject you to multiple privacy laws that apply as soon as the personal data of an individual residing in a particular state or country is collected (regardless of where your business is located and the fact that Google Analytics is the only feature on your website where data is collected).

In addition, certain privacy laws such as the General Data Protection Regulation (GDPR) apply if you are tracking or monitoring the behavior of residents of the European Union for purposes of making decisions concerning a resident or for analyzing or predicting that resident’s personal preferences, behaviors, and attitudes.

Since the purpose of Google Analytics is to analyze someone’s behaviors on a website, as well as their preferences when using that website, the use of Google Analytics may very well subject you or your clients to GDPR.

GDPR is a very extensive privacy law and is one of the most highly enforced privacy laws in the world, with fines being issued for non-compliance on a weekly basis. Thus, if GDPR applies only due to the fact that Google Analytics is being used on the website, it is best to avoid the tool and the law altogether.

Finally, the ePrivacy Directive requires websites to obtain consent from residents of the European Union for cookies that are not necessary to the operation of the website.

Since Google Analytics does place a cookie onto a user’s device and since it is not necessary to the operation of the website, the usage of the tool may also subject you to the ePrivacy Directive and thus require you to have the annoying cookie consent banner on your website.

As you can see from the above, Google Analytics can, by itself, subject you to multiple privacy laws and extensive privacy compliance requirements, and even put you at risk of privacy-related fines and lawsuits.

If you are building websites for clients, it is essential that you inform them that you have installed Google Analytics onto the website so that they are aware of this collection of personal data and can put measures into place to comply with these laws.

If you already have a compliance program and are confident that you are in compliance with all of the privacy laws that apply to you, you may be wondering what the harm is in adding an additional tool to your website.

When it comes to Google Analytics specifically, the issue is that Google Analytics itself has been recently found to be non-compliant with privacy laws.

Schrems vs. Google Analytics

Max Schrems is a privacy activist and the leader of the group NOYB (None Of Your Business), the purpose of which is to get governments to enforce privacy laws and protect the privacy rights of residents of the European Union.

The group is perhaps most famous for its complaint that led to the invalidation of the EU-US Privacy Shield, a mechanism that was used to transfer data from the European Union to the United States.

In 2021, NOYB filed a complaint with the Austrian Data Protection Authority alleging that Google Analytics transfers personal data to the United States, thereby allowing that data to be accessed by US intelligence agencies such as the NSA.

Max Schrems and NOYB alleged that such transfers are in violation of GDPR as the United States is a third country and does not provide sufficient privacy protections for residents of the European Union.

The Austrian Data Protection Authority agreed with this assessment and ruled that the use of Google Analytics is a violation of GDPR. In an additional blow to Google, the authority found that companies cannot change their Google Analytics settings to make Google Analytics compliant.

While this decision was being made, NOYB filed an additional 101 complaints to Data Protection authorities all over the European Union, requesting decisions as to the compliance of Google Analytics with GDPR.

European Union Data Protection Authorities vs. Google Analytics 

In response to the 101 complaints filed by NOYB, the Data Protection Authorities of France and Italy have also ruled that Google Analytics violates GDPR.

The rulings state that Google Analytics transfers personal data to the United States, a country without an adequate level of protection, and that the use of standard contractual clauses by Google to attempt to protect the data does not ensure sufficient protection for privacy either.

Perhaps most importantly, the ruling from the French Data Protection Authority also stated that there are no sufficient additional safeguards that could be implemented to enable the use of the tool.

As more Data Protection Authorities analyze the complaints that have been filed, it is highly probable that we will see many more decisions such as those taken by Austria, France, and Italy in the next few months.

What do these decisions mean for website owners?

If you are a website owner who needs to comply with GDPR and have Google Analytics installed, these decisions essentially mean that your website is not compliant with GDPR. For example, Italy’s Data Protection Authority has stated that companies found to be in violation of GDPR due to the use of Google Analytics have 90 days to rectify this issue; otherwise they can be subject to GDPR enforcement, which includes fines up to €20,000,000 or more, depending upon annual revenue.

In addition, other Data Protection Authorities that have not ruled on the issue specifically, such as the Norwegian Data Protection Authority, are recommending that businesses use alternatives to Google Analytics to become compliant.

Since Google Analytics is being scrutinized closely by various Data Protection Authorities and has been declared to be in violation of GDPR, it is putting businesses at risk of privacy law noncompliance.

Businesses and agencies should take the time to research alternatives to Google Analytics that provide website insights without compromising user privacy. There are a variety of privacy-focused analytics tools to consider such as Fathom Analytics, Plausible Analytics, and Umami.

Regardless of the tool that you choose though, make sure that it is not putting you or your clients at risk by verifying that it is privacy-focused and is not subject to the intense scrutiny of privacy regulators.

Donata Stroink-Skillrud
President of Agency Attorneys