A provocative headline? Perhaps. But no clickbait here. Because Google’s web-based analytics package has been judged illegal by multiple jurisdictions across Europe: Austria, Italy, and the privacy watchdog in France. And that’s not the end. It’s likely many (if not all) EU member states will follow their lead.
While the basic reasons for this are simple, their effects aren’t. Which is making a lot of marketers both inside and outside the EU anxious. To help marketers navigate the changes, we turned to Arnoud Engelfriet – a leading expert in internet law and Director of ICTRecht. Taking his advice on board, we’d like to propose a fresh angle – that’ll help you through the coming changes … and even open up fresh opportunities.
The core reason: the European Union’s GDPR privacy legislation requires data on EU customers to be stored within the EU. That’s hard to square with a global cloud model, where different applications may be housed in data centers spread around the world – and data passed across borders as it’s exchanged between them.
Google has been unable to guarantee that personal data collected from consumers always stays within EU borders as the law requires. Indeed, as an American-based enterprise, it’s likely that data crosses borders a lot. And American laws require Big Tech to disclose private data to authorities when asked – which is a GDPR no-no.
A common approach that analytics teams take in order to overcome the data privacy issue on Google Analytics (GA) is to restrict data that goes into the tool. IP addresses are one such – as personally identifying information, keeping them away from Google’s servers resolves legal concerns. It works in the current GA and will continue working in the upcoming GA4 – giving many companies the confidence to migrate straight from GA to GA4 without considering other options.
The problem here? Such workarounds throw out the good stuff along with the bad; less meaningful data going in means fewer deep insights coming out. For example, not sending identifiers (considered personally identifiable information) to Google Analytics might solve the legal problem. But it’ll also prevent your analytics experts from recognizing cross-website visitors; the website will treat all returning visitors as new ones.
Furthermore, a recent decision by the French National Commission for Information Technology and Civil Liberties (CNIL) states changing the processing settings of the IP address is not sufficient to meet the requirements to be compliant in France. Companies must ensure the complete absence of transfer of the IP address to the servers of the analytics tool.
“We see such workarounds a lot. But as an advertiser (company), you have to guarantee that the data is not used for anything else. You as a company are then liable. Moreover, you are stripping away everything in order to keep using GA while there are perfectly good other solutions that don't require you to bend over backward.”
– Arnoud Engelfriet, internet law expert and Director of ICTRecht
Obviously, when operating within the EU, you must have an analytics solution that’s fully GDPR-compliant. Due to the current challenges, a trade-off between compliance and useful analytics emerges. We see that companies are reconsidering their tech stack decisions and analytic vendors with a resulting shift towards best-of-breed analytics solutions that process data within the EU that do not impose this trade-off and workarounds.
As an agnostic Customer Data Platform, Relay42 can help you stream all required data to any web analytics tool via our server-side real-time event connectors. This means that you can not only easily switch to a compliant web analytics tool, but you’ll also be able to obtain the raw event data and use it to build your own reposts and dashboards. In addition, with Relay42 on board, you’ll have greater control of your data (what data is sent where), and much richer data for your analytics tool of choice.
Don't hesitate to reach out to our team.