Only two weeks into the new year, the internet exploded because of a ruling in Austria. Is Google Analytics illegal now? In Austria, not exactly. In the rest of the EU, no. And it won’t be.
Although last week was a great day for privacy, it was a dark day for website (and ecommerce store) owners when Austria’s data protection authority (DPA, the DSB) decided that one Austrian website’s use of Google Analytics, as implemented, breached the GDPR.
Later that same week, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) followed with a warning that using Google Analytics might soon be forbidden. And Germany’s next in line.
If using Google Analytics becomes illegal, what does this mean for us website and ecommerce store owners? Should we migrate our (years of) data to a Google Analytics alternative? Is there an easier way out of this mess?
Spoiler alert: Yes, there is.
First, allow me to Degeneralize these Statements
If the internet is good at one thing, it’s generalization. Since last week, companies developing Google Analytics alternatives have been throwing around statements like “Google Analytics illegal” and “forbidden in Austria” like candy.
What I don’t like about this is that they’re (ab)using fear to market their products. It’s making real people (website and ecommerce business owners) panic unnecessarily.
There are several reasons why a Google Analytics setup might be unlawful, but it just isn’t that simple.
Google has already taken many measures, and there are a few measures you can take yourself to avoid having to migrate to a Google Analytics alternative and learn a whole new system.
Second, an Important Nuance that demands Emphasis
Also thanks to the internet, there’s a nuance that demands emphasis:
Is Google Analytics illegal? No. The ruling is about using Google Analytics, not about Google Analytics as a tool.
This shouldn’t make you feel better, though. The ruling is aimed at website owners and puts additional pressure on business owners who might already be under pressure due to COVID-19.
Before moving on to the specifics and the measures that need to be taken, I think understanding the core of the issue is a good place to start.
Why is using Google Analytics illegal or in breach of GDPR?
Since its introduction, the GDPR has forced companies to be more transparent about the data they collect about their (potential) customers.
The cookie notice is (by far) the most (in)famous example of this, and we’ve all (attempted to) configure our websites to respect the privacy of our visitors and inform them of the data we collect.
Unfortunately there’s a (not at all obvious) catch to using Google Analytics, which is (part of) the reason its use can be unlawful.
Google makes its money from advertising built on the data it collects. Analytics is just one of an array of tools Google has at its disposal to track and profile us.
The data Google Analytics shows you about your visitors is a fraction of the data it actually collects about them. Google uses our websites to further complete its profile of every person with an internet connection.
I think we can all agree that this is a problem and we should be happy that the GDPR exists. However, there’s more…
Google Analytics never respected Our Privacy
Google took several Technical and Organizational Measures (TOMs) the moment the GDPR was introduced.
They let us enable IP anonymization, disable data sharing, etc. We ate it up like hungry puppies while Google laughed its head off.
Because by then Google already had so much data that a (partially) masked IP address wasn’t going to stop it from identifying a user. The IP address was never the only handle anyway: every visitor already carried a client ID, stored in the _ga cookie on each of our computers, that ties every hit from the same browser together.
And so, the tracking continued… But Google’s mountain of data is just the tip of the iceberg.
The CLOUD act never respected Our Privacy
The CLOUD Act allows US authorities to demand personal data from any business subject to US jurisdiction, even when that business stores or hosts the data outside the US.
Google, being a US business, has no choice but to hand over collected data when a US court or agency demands it. Essentially, the US government can reach the profiles Google holds on all of us.
That’s what makes this matter interesting.
Before, most of the attention around the GDPR went to obtaining consent for collecting personal data. From now on, it’ll also be about where that data ends up. The GDPR has always required safeguards for transfers outside the EU; since the Schrems II ruling of July 2020 invalidated the Privacy Shield, transfers to the US depend on standard contractual clauses plus extra measures, and in the DSB’s view the measures Google offered were not enough.
That’s where Google Analytics is kind of screwed: even if it stored the personal data of EU residents on servers inside the EU, the CLOUD Act would still allow the US government to request it.
Can I keep using Google Analytics?
By now the ethical part of your brain might be considering stepping far away from Google Analytics and anything related to it.
I wouldn’t blame you, but if you’re of a practical nature, you might be wondering: what if I’d like to keep using it? Could I?
The answer is: Yes, of course. Some customization is in order, though.
Prevent Personal Data Collection in Google Analytics
The European Union won’t decide to ban Google Analytics outright. The consequences (and Google’s legal team) are simply too big.
What they’ll probably do is force website owners to take measures (again) to prevent Google Analytics from collecting any personal data.
The reality of the situation is that there are certain downsides to this, for example:
- You’ll no longer be able to use certain Google Analytics’ features, e.g. demographics and interests.
- User location data will be less accurate, because Google only ever sees a masked IP address.
To prevent Google Analytics from collecting personal data and comply with the GDPR as of 2022, a few measures need to be taken:
For a detailed guide on the following measures and how to fully comply with the GDPR “post-Austria”, I suggest you read this guide on how to configure Google Analytics in compliance with the GDPR.
Configure Google Analytics to be GDPR compliant
The first and easiest step (if you haven’t already) is to enable each of the measures Google offers to improve GDPR compliance. These include:
- Accept the Data Processing Amendment
- Disable data sharing
- Disable data collection for Advertising Features, and
- Make sure the User ID feature is disabled.
In addition to the IP address, Google Analytics assigns each browser a client ID, which it stores in a first-party cookie (_ga). With the advertising features enabled, that ID can be joined with Google’s own identifiers to attach demographics, e.g. from your Google account.
To make sure this client ID is no longer kept in a cookie, disable cookie storage in your tracking code (analytics.js exposes this as the storage field set to 'none'; once you do that, you must supply a client ID yourself).
Refresh and randomize the client ID
A client ID (the cid parameter) is required on every Google Analytics request. Since the cookie is gone, generate a random client ID, store it (e.g. in the browser’s localStorage) and send it with every hit. Two caveats: writing to localStorage still counts as storing information on the visitor’s device under the ePrivacy rules, so it needs the same consent a cookie would, and an ID that never changes is still a persistent identifier, so rotate it periodically.
Properly mask the IP address of your visitors
The aip parameter provided by Google is no longer considered proper IP anonymization by EU privacy watchdogs, for a few good reasons:
- The anonymization is done by Google, after the full IP address has already reached (and may have been logged on) their servers.
- An IPv4 address with only the last octet (the digits after the last dot) masked still narrows the visitor down to 256 addresses, often a single ISP’s block of home connections.
The IP address needs to be anonymized before it’s sent to Google. For this, you’re going to need a proxy.
Proxy traffic to Google Analytics
Besides letting you handle the data before it is sent to Google Analytics, a proxy does one other important thing: it makes sure the IP addresses of your users never appear in Google’s access logs, because the request reaches Google from your server rather than from the visitor’s browser.
A proxy could be anything from a single script to a dedicated API endpoint, as long as it captures the data, modifies it according to the requirements above, and then passes it on to Google Analytics’ Measurement Protocol (much like CAOS’ Stealth Mode does). One thing to watch: a proxy that forwards whatever it receives to whatever property ID it receives becomes an open relay, so pin the property ID server-side and forward only an allow-list of parameters.
Unfortunately, there’s no one size fits all solution here. But if you’re a WordPress user you’re in luck!
Have you heard of CAOS Pro?
I’d love to say that I orchestrated this entire mess in an attempt to sell my products. But no, I don’t have that kind of power.
The fact is that CAOS and its Pro upgrade (formerly known as Super Stealth) for WordPress have always been developed privacy-first, setting the standard for the protection of users as well as Google Analytics data.
I guess you could say I’ve been ahead of the curve.
If you’re wondering whether CAOS Pro will work in your situation, please don’t hesitate to contact me! I’m sure we’ll get you sorted one way or another.
What makes using Google Analytics unlawful is the way the default implementation currently deals with personal data.
While it’s highly unlikely that Google Analytics will be entirely forbidden under the GDPR, it’s very possible website and ecommerce store owners will need to take additional measures to prevent Google Analytics from collecting personal data.
This could impact a business’s data-driven decision making, because data like demographics and interests will no longer be available.
Today we’ve learned which steps are needed for you to keep using Google Analytics in compliance with the GDPR.