Google Analytics vs. the GDPR: why your data isn’t safe with Google

Google’s hitherto free Universal Analytics (UA) is scheduled to sunset in 2023 and will be replaced by the Google Analytics 4 (GA4) standard and premium offerings. With data-driven companies reliant on up to 13 months backlogged data to support their business decision-makers, analytics teams need to act fast to minimize the disruption to their operations.

This migration comes at an inopportune time, with Google in hot water across the globe for running afoul of privacy regulations.

To evaluate whether to migrate to GA4 or choose a new provider, stakeholders must understand the privacy landscape and how and why Google is being deemed non-compliant.

While privacy regulations are created and enforced on a country-by-country basis, the GDPR has set the framework for international data protection—and serves as the benchmark for compliance obligations companies need to meet.

In this article, we’ll break down where Google stands in regard to EU privacy standards and analyze the shortcomings of the tech giant’s analytics solutions.

Why Google Analytics is not GDPR compliant

In recent years, Big Tech has run afoul of data privacy regulations, with Google chief among accused offenders. Regulators and watchdogs alike have repeatedly filed complaints with various Data Protection Agencies (DPAs), accusing Google of violating European data protection laws.

This came to a head in 2020 when the European Court of Justice invalidated the EU-US data transfer “Privacy Shield” as it no longer recognized the United States as a country providing a sufficient level of protection for personal data. This means that the transfer of personal data from countries covered under the GDPR to the US is now prohibited.

In a nutshell:

  • Google Analytics and, by extension, its products UA and GA4, are not GDPR compliant following the 2020 Privacy Shield invalidation
  • Websites in EU member-countries such as France that use UA or GA4 to collect EU citizens’ personal data are considered in breach of the GDPR
  • The proposed Privacy Shield update (Transatlantic Data Privacy Framework), which would allow safe and compliant sharing of data between the EU and the US, has not been drafted yet, and no final decision is expected by 2023, when Google is set to sunset UA

Global implications:

At the start of 2022, Google Analytics was officially deemed illegal to use by the Austrian, French, and Italian DPAs. Their decision was based on Google’s failure to guarantee that European data remains stored in-line with GDPR requirements. This movement to penalize Google is spreading across the EU and is expected to expand throughout the rest of the world as other countries play catch-up with the EU’s privacy protections.

How Google Analytics breaches GDPR

The determination by Austrian, French, and Italian DPAs that Google Analytics is not GDPR compliant applies to both UA and GA4. This therefore directly affects anyone using UA and those migrating to GA4 in 2023.

Personally identifiable information

Under the GDPR, Personally Identifiable Information (PII) is defined as “any information related to an identified or identifiable (directly or indirectly) physical person, in particular by reference to an online identifier.”

This includes any pseudonymous information such as:

  • IP addresses
  • Any online identifier: cookies, mobile IDs, advertising IDs, and even fingerprinting
  • Any information combination that can lead to a single person being identified, such as navigation, behavior, or any other demographic data

Google strays from the strict definition in the GDPR and does not consider the following as personal data:

  • Pseudonymous cookie IDs
  • Pseudonymous advertising IDs
  • IP addresses
  • Other pseudonymous end-user identifiers

This means that Google does not consider any IP request sent with an ad request (which includes almost all ad requests) as sending PII under the GDPR—a decision in direct conflict with the GDPR, which could put anyone who uses UA or GA4 in hot water with regulators.

Data collection and use

The GDPR states that "[p]ersonal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject." In other words: all website and app publishers who gather personal data need to share precisely how this information is collected and used.

Google however fails to provide the transparency necessary to comply with the GDPR. This was highlighted by the 2019 €50M financial penalty from the CNIL, the French data protection authority, which stated that Google has a “lack of transparency, inadequate information and lack of valid consent regarding advert personalization”.

Data storage

Data transfer to the US from the EU has strict requirements. They are:

  • Implementing the appropriate safeguards, Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR)
  • Providing additional measures of protection (pseudonymization and encryption)
  • Providing a fully transparent look at how data is accessed and used
  • Improving the importer’s audit procedure to ensure compliance
  • Complete compliance with strict security and privacy policies based on EU certifications/codes of conduct and the ISO standard

Under the GDPR, personal data transmission to non-EU countries is possible when appropriate safeguards are implemented. Such measures include ensuring adequate levels of protection, informing visitors their data will be transmitted, and respecting their data privacy rights.

However, Google fails to meet requirements for EU-US data transfer and storage:

  • Google’s data centers are distributed across the globe
  • They fail to guarantee that European data remains stored in the EU
  • US government surveillance laws specifically require US providers like Google or Facebook to provide the personal details of internet users to US authorities
  • According to CNIL, there is a risk that American intelligence services could access personal data transferred to the US if the transfers are not properly regulated

What should companies look for in an Analytics alternative?

Finding an alternative to UA and GA4 is about risk management and what guarantees your analytics provider can make to protect your data.

Companies should look for vendors with an accessible Data Protection Agreement, that explicitly specifies:

  • Who is responsible for all data usage and who informs which parties
  • Exactly what personal data is processed, how, and for what purpose
  • Where the data is processed and stored and the associated guarantees

Companies should also make sure their analytics provider’s Data Protection Agreement clearly outlines how they operate within the parameters set by the GDPR. They should provide easily accessible support, including a specific data privacy contact such as a Data Protection Officer (DPO), so you don’t have to worry about whether or not you’re compliant with strict protections.

Piano Analytics is privacy-by-design

Unlike Google Analytics, Piano Analytics is a privacy-by-design solution built to make understanding and sharing data cross-functionally among departments easy and intuitive, without worrying about running afoul of data regulations.

Piano maintains the strictest levels of compliance with the GDPR and other privacy regulations, with an in-house team of experts who maintain and update our solution as-needed.

Our experts are on-call to help clients understand their data and the regulatory landscape in which they operate, ensuring that our clients are maximizing their return on investment by understanding user behavior while adhering to regulations.

How is Piano Analytics different?

  • Strict compliance with GDPR and ePrivacy: Piano Analytics complies with the legal requirements set by the GDPR and other privacy regulations such as California’s CCPA. Our cloud provider follows the European code of conduct and is approved by the CNIL and the European Data Protection Board, meaning our clients can be assured we are taking the proper measures to meet data privacy standards.
  • Strong policies on data usage: We only collect the data strictly necessary for our clients’ goals and expressly consented to by the end-user. The purpose is limited to strict audience measurement, and the data is always 100 percent owned by our customers.
  • In-house data expertise: Piano has an in-house Data Protection Officer who works to ensure Piano remains compliant as regulations change. Our team also helps clients put their data into action while maintaining strict privacy standards.
  • Conflict-free data: We never use, sell, or transfer data, or engage in any activity that would otherwise breach GDPR or local regulations. Our solution has one purpose: to collect, process, and store pseudonymized audience, navigation, and behavioral data on behalf of our customers. We provide a range of additional technical measures like anonymization and encryption to ensure compliant data.

A powerful and GDPR-compliant analytics solution that puts privacy first

Piano’s mission is to provide expert support for our customers and enable them to stay compliant with data protection regulations in tune with the latest developments in data privacy. By choosing Piano Analytics, you get the benefit of an advanced analytics platform that allows you to share high-quality data across teams—all with the peace of mind that comes with a privacy-first analytics solution.

With a longstanding reputation in the analytics market as a GDPR-friendly solution, we are fully transparent about data and privacy practices. This means that you always know where your data is processed and stored.

Together, we can work on your website's privacy compliance and show your audience how important their privacy rights are to you.