Cutting through Austria’s Google Analytics headlines
Written by Chris Schimkat, Global Head of Analytics, Reprise
In light of the recent media attention and speculation around the legality of Google
Analytics within Europe, Reprise have decided to produce a document sharing our perspective on recent events. We aim to provide greater clarity based on the current information available and provide some recommendations to reduce your risks with regards to Google Analytics and European data protection law.
With that said, we must caveat this document with the following disclaimer:
We are not legal professionals, and as such, this document does not constitute legal advice. We merely aim to provide some timely information related to our area of expertise, which is the Google Analytics platform itself. To ensure full compliance with European data protection law, or the laws of any other region/country, seek guidance from a qualified and specialized legal professional.
What happened in Austria?
On January 13th, the Austrian Data Protection Authority (DPA) ruled that an Austrian website’s use of Google Analytics violated the EU’s General Data Protection Rules (GDPR) (source). The specific infringement was that the Austrian website provider transferred personal data to Google within the process of tracking website behaviour with Google Analytics.
The definition of personal data here has been defined as personal user identifiers, IP addresses, and browser parameters. Interestingly, only the website owner was held responsible, as Google argued that under GDPR law, only the data exporter (website owner) is responsible, not the importer (Google).
Further to this, the DPA has said that the law was specifically broken because this personal data was imported into the US where it would be subjected to US laws such as one that would hypothetically make that data available to the US government in specific circumstances.
Google’s Response
Where things start to get less clear is that according to Google, precautions have been taken to continue to operate within the bounds of European law, despite this data being transferred from the EU to US servers. They have published two key pieces of content in response to the ruling including one which talks to some core facts about Google Analytics and how it is used, as well as another which directly addresses Google’s position with regards to GDPR law and their interpretation.
https://blog.google/around-the-globe/google-europe/google-analytics-facts/
https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework/
Within the article, Google call out that the responsibility of GDPR compliance ultimately falls to Google Analytics customers. They go further to outline some of the user controls available to help with compliance. Within this list includes recommendations to:
- Turn on IP anonymisation or IP masking, which means collecting just a portion of the user’s IP address, to allow continued use of basic geographic targeting but with less accuracy. For example, a user’s IP address may be 128.99.1.12, but we collect just the first three “blocks” in Google Analytics and as such just collect 128.99.1.0.
- Further, Google recommend to “partially or completely disable data collection on certain pages”. This is a no-brainer in some industries like banking, where you wouldn’t want to track specific behaviours within an online banking portal. But it’s worth thinking about what personal data could be exposed on your website, and actively prevent its collection.
- As well as this, there are settings in Google Analytics for limiting how long specific types of data are stored before automatic deletion, and there is also a User Deletion API to comply with a user’s right to be forgotten.
- Google also recommends to leveraging legally compliant consent messaging within a website, allowing users to control what information is collected, including a provision to allow or disallow cookies.
- Finally, Google not only recommend, but require (and enforce) that organisations may not collect personally identifiable information (PII) within the Google Analytics platform. Where this gets confusing is that Austria’s DPA and Google have different definitions in this regard. Where the DPA have determined that IP addresses, and user IDs constitute personal information, Google’s definition does not.
Our Verdict
Ultimately, our verdict is not the one that matters in a court room, however with significantly different presentation of facts on both sides, we would like to share our conclusions.
Is Google Analytics Illegal?
Google Analytics as a service appears to be legal in Europe as evidenced by the lack of charges brought against Google. However, improper use of the platform can be considered illegal. The catch here, is that using Google Analytics out of the box does not go far enough to comply with European requirements. Features such as IP anonymisation are not enabled by default in the most common version of GA (Universal Analytics). However, IP anonymisation is enabled by default in the new Google Analytics 4, living up to Google’s promise of a more privacy-centric platform. Further to this, if an organisation uses Google Analytics to deliberately or inadvertently collect personal information, there isn’t much Google can do to prevent this (despite working to actively audit and call out such transgressions). As reported in tech publication, Wired “At the moment, the decision applies only in Austria and isn’t final. Websites across Europe aren’t suddenly going to stop using Google Analytics.”
What about Google Analytics alternatives?
As shown above, no matter which analytics platform your organisation uses, improper use could still result in breaking GDPR law. However, for most analytics platforms including Adobe Analytics, the same types of user identifiers and IP addresses are used, so don’t rush to start a vendor selection process. Many less-established web analytics platforms have also jumped on the news as a means to try and convert Google Analytics customers to their platforms, but remember to exercise a degree of professional scepticism when reading their perspectives on the situation. However, if you are looking into alternative platforms, Reprise are here to help you in the selection process.
Where to from here?
We can only assume that this isn’t the end of the story. Last year €1bn in fines were handed out in relation to GDPR infringements. What’s unclear is if there will be any further changes to the GDPR laws to provide a viable future for digital advertising while balancing the needs of individuals’ privacy. As recommended within Google’s recent article, there is a need for an EU-US data transfer framework and more consistent approach to data privacy around the world. But aside from that, there are also calls for Google to provide a localised Google Analytics service based in the EU which would solve the core issue highlighted by the Austrian DPA. While individual user privacy must be a priority for our industry, we need to find a solution that doesn’t sacrifice the ability of digital professionals to create a useful, relevant, and effective digital experience for users.
Protecting yourself
As previously mentioned, to ensure legal compliance with the GDPR framework, consult a legal professional. Alongside this, we have compiled a list of activities that you can start right away to reduce your risk of breaking GDPR rules.
Consent Management
Ensure that consent is received correctly for your website. For users within the EU, you not only need to ask for consent to track them, but you need to wait until that consent is attained before firing your analytics and advertising tags. It’s quite common to see analytics codes fire before consent is given by the user, in conflict with GDPR guidelines. Work with an analytics professional to assess if this is the case. Beyond this, investigate the relevant rules relating to cookie and tracking consent banners.
Often we see cookie banners that say things like “by using this site you consent to our tracking and cookies policy”. This doesn’t comply with GDPR which requires a “clear affirmative action” for consent. Opting out of tracking through the consent management solution should be just as easy as opting in. There should not be engineered obstacles that make the opt-out process more complicated than opting in. There have also been recommendations from industry leaders to continue to track user behaviour if a user opts out of cookies, but simply not using cookies, IP addresses, or assigning a user identifier. This maintains complete measurement, without collecting personal information of any kind.
IP Anonymisation
As we’ve seen, IP addressed are considered PII in the Austrian ruling. You can choose to completely anonymise or simply mask a user’s IP address when they visit your website. To do this, add a field on your Google analytics tracking code variable to set “anonymizeIp” to “true”.
Google Analytics 4
As we’ve seen, the new Google Analytics (GA4), has been developed with a stronger emphasis on privacy across both app and web tracking. There are a range of options and features like automatic IP anonymisation, highly customisable advertising privacy features, and data retention policies to give you the tools to meet compliance requirements without losing the power of the platform.
For both privacy and performance reasons we recommend to start your transition to GA4 as soon as possible if you haven’t already.
Server-side Tagging
Server-side tagging provides another layer of defence against improper data handling. Instead of sending data directly from a user’s browser to the Google servers, it allows us to create a step in-between where we can more tightly control data anonymisation and consent. See the illustration below comparing client-side tagging (which runs in a user’s browser), versus server-side tagging.
This in-between step can be done using Google Tag Manager server-side which can be deployed in a cloud environment owned and operated by the organisation. Here, we can add additional checks and filters to ensure user consent has indeed been attained before sending event data to Google Analytics. As well as that, we can add filters that search for potential PII, and stop that data from ever reaching the analytics platform. For example, we can create rules that search for email addresses, IP addresses, or phone numbers in the data and prevent that data from transferring. You can also add a step to force IP anonymisation in all data transferred to Google Analytics – a crucial step based on the Austrian DPA ruling.
Server-side tagging is also useful for implementing next-generation conversion tracking like Google’s Enhanced Conversion API and Facebook’s Conversion API, effectively future-proofing against browser tracking prevention, while keeping user consent at the centre. Reprise have successfully implemented server-side tagging for a range of clients across the region for this very purpose. Reach out if you’re interested in learning more.
Privacy Audit
Finally, there are a range of ways that an organisation can inadvertently break with GDPR guidelines. We recommend undertaking a privacy audit to make sure you’re being proactive about compliance. A typical privacy audit should include, but not be limited to:
- Assessing access permissions for people inside and outside your organisation.
- Combing through all of your platforms for any PII that may be collected illegally.
- Review how and where data is extracted or collected.
- Audit data collection practices to ensure tracking and advertising consent is attained lawfully.
- Ensuring IP addresses are anonymised.
- Limiting advertising features to only those that fit within your organisation’s privacy policy.
- Limiting data retention to only as long as is required.
- Creating a means to facilitate a user’s right to be forgotten.
Summary
The complete implications of the DPA’s decision remains to be seen, and we expect this story to develop in the coming months. What is clear however, is that organisations must act quickly to reduce their risk of being caught on the wrong side of GDPR regulators. In particular, there are some concrete steps you can take now to do the right thing by European law, and European residents. Start conversations with your marketing, technical, and leadership stakeholders to ensure everyone understands the risks and potential solutions. By leaning into this conversation, you’ll be starting an important transition towards durable measurement that will future-proof your organisation in the face of the increasing technical and legal challenges facing marketers.
If you want to reduce your GDPR risk exposure while using Google Analytics, please contact us.