How to be compliant with the GDPR when using Google Analytics

Authors:

Richard Jonkhof
Strategy Consultant
Relay42

Tim Doorduijn
Product Owner
Relay42

With more and more countries ruling that Google Analytics is not compliant with the General Data Protection Regulation (GDPR) in its basic setup, European companies are looking for ways to stay compliant with their website analytics and tracking.

Recently, the CNIL (French privacy authorities) launched a detailed Q&A on their decision to ban the use of Google Analytics, followed by a detailed article on how to make your analytics setup GDPR compliant. At Relay42, we see the French authorities being a front-runner in these rulings, and are following this with a close eye with the expectation that more countries will follow CNIL in their ruling and advice.

So, what does it mean to be “compliant” with the GDPR, and how do you make your site compliant?

What Is the CNIL Ruling on Google Analytics?

The CNIL is the French supervisory authority for data protection. It has ordered several organizations to bring their use of Google Analytics into compliance, because personal data was being transferred to the United States without sufficient protection for the rights of EU citizens.

The following conclusions were reached:

  • The data of EU-resident internet users is therefore transferred illegally through Google Analytics.
  • The organizations given formal notice have a period of one month to comply.
  • All data controllers using Google Analytics in a similar way to these organizations should now consider this use as unlawful under the GDPR.
  • They should switch to a web analytics provider offering sufficient guarantees of compliance.
  • Alternatively, organizations can use Google Analytics via a proxy server that avoids direct contact between the user’s terminal and Google’s servers, thereby ensuring anonymization.


What Is the Impact of the CNIL Ruling on Google Analytics?

France was among the first countries (along with Austria) to rule that the use of Google Analytics is non-compliant with the GDPR, and therefore sets a precedent in the EU.

While other countries are still deciding whether or not they will follow suit, it's important to note that the French authorities' decision to approve the ban was based on EU law and the GDPR.

The decision in France will likely influence other countries to set their own national rules deeming Google Analytics unlawful under the GDPR.

More likely than not, the CNIL’s ruling is a sign of things to come across the EU. Therefore, EU organizations, and international companies with a physical presence in the EU, should take time to understand what is happening in France, analyze the guidance, and plan accordingly to become compliant as quickly as possible.

How to use Google Analytics with a Server-side Proxy

If you’ve made the decision to continue using Google Analytics for data management and web analytics, Relay42 can serve as your server-side proxy to ensure that all data remains private and GDPR compliant. Before reaching Google Analytics, all identifiable data is filtered through the proxy and pseudonymized, making re-identification impossible. This Personally Identifiable Information (PII) consists of:

  • Link tracking in URLs
  • User identifier
  • IP address
  • Other identifiers (CRM, unique identifier…)
  • Fingerprint (browser, hardware…)
  • Referrals

Effectively, Relay42 can become the critical layer between your customers and Google, ensuring that only what is allowed to go to Google’s servers in the United States will reach them – nothing more. Without a proxy between your website and Google, your organization’s data management remains non-compliant.

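To make the proxy step concrete, here is an added example of the filtering such a server-side layer performs; it is illustrative code written for this article, not Relay42’s implementation. It scrubs a Universal Analytics Measurement Protocol hit (parameter names such as `tid`, `dl`, `dr`, `uid`, `uip`, `ua` and `cd1` are the protocol’s own) before it is forwarded, covering every item in the PII list above: tracking parameters in the URL, the user identifier, the IP address, CRM and custom identifiers, browser fingerprint fields and the referrer. The allow-list of fields, the tracking-parameter names and the sample hit are assumptions chosen for the example.

```python
import uuid
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Allow-list: only these Measurement Protocol fields are forwarded to Google.
# Everything else (uid, uip, ua, dr, cd*/cm*, sr, vp, ul, ...) is dropped by default,
# so a new identifying field added by the client cannot slip through unnoticed.
ALLOWED_FIELDS = {"v", "tid", "t", "dl", "dp", "dt", "ec", "ea", "el", "ev"}

# Query parameters that carry campaign or click tracking (assumed list for the example).
TRACKING_PREFIXES = ("utm_",)
TRACKING_PARAMS = {"gclid", "fbclid", "msclkid", "dclid", "_ga", "_gl"}

# Generic User-Agent the proxy presents to Google instead of the visitor's own.
PROXY_USER_AGENT = "analytics-proxy/1.0"


def strip_tracking(url: str) -> str:
    """Remove link-tracking parameters and the fragment from a page URL."""
    parts = urlsplit(url)
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if not key.startswith(TRACKING_PREFIXES) and key not in TRACKING_PARAMS
    ]
    # The fragment is dropped too: single-page apps sometimes keep state or tokens there.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def scrub_hit(params: dict) -> dict:
    """Return the subset of a hit that may leave the proxy.

    The client IP is never part of the forwarded payload, and because the proxy
    makes the outbound request itself, Google only ever sees the proxy's address.
    """
    clean = {key: value for key, value in params.items() if key in ALLOWED_FIELDS}
    if "dl" in clean:
        clean["dl"] = strip_tracking(clean["dl"])
    # A fresh random client id per hit: two hits can no longer be linked to one
    # visitor, which is exactly why returning visitors show up as new (see below).
    clean["cid"] = str(uuid.uuid4())
    return clean


def build_outbound_request(params: dict) -> tuple[str, dict, dict]:
    """Assemble what the proxy would send: endpoint, headers and form body.

    No header from the visitor's request is copied; the proxy speaks for itself.
    """
    return (
        "https://www.google-analytics.com/collect",
        {"User-Agent": PROXY_USER_AGENT},
        scrub_hit(params),
    )


# Constructed sample hit, as a browser-side tag might have produced it.
SAMPLE_HIT = {
    "v": "1",
    "tid": "UA-000000-1",  # placeholder property id
    "t": "pageview",
    "dl": "https://shop.example/cart?item=42&utm_source=newsletter&gclid=abc123#token=zzz",
    "dr": "https://social.example/ad/77",
    "cid": "555.666",
    "uid": "crm-9981",
    "uip": "203.0.113.7",
    "ua": "Mozilla/5.0 (X11; Linux x86_64) ...",
    "ul": "fr-fr",
    "sr": "1920x1080",
    "cd1": "gold-member",
}

if __name__ == "__main__":
    url, headers, body = build_outbound_request(SAMPLE_HIT)
    print(url, headers, body, sep="\n")
```

The allow-list approach is the point worth copying: a deny-list of known identifiers has to be updated every time a tag starts sending a new field, whereas an allow-list fails closed. The trade-off is the one the next section describes: with the referrer, campaign parameters and a stable client id gone, the reports lose attribution and returning-visitor context by design.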
Server-side Google Analytics with a Proxy: Is It Effective?

While Google Analytics is a useful tool, CNIL’s ruling has watered down how effective it can be for your organization. In short, in order to use Google Analytics and remain compliant, the data you send for analytical insight is far less useful.

By keeping the data of EU citizens safe, the Google platform that your marketers use for insights and strategy loses context. CNIL and the GDPR require anonymization (along with pseudonymization), which means Google’s servers no longer receive the contextual data.

Essentially, Google Analytics loses its impact in the following ways:

1. No information on returning visitors: All traffic reads as direct traffic because you cannot share the referrer or UTM parameters, and you can no longer use the same identifier to send user data to Google Analytics. Every visitor, even a returning one, is therefore counted as a new visitor.

2. Very basic performance information: Your organization is left with a performance counter without any contextual information about visitors: where they are (location), what they use (device), what their interests are (behavior).

3. Lack of identifiers undermines marketing efforts: Should your marketing team continue with Facebook advertising or should they focus on another platform? Have your campaigns been effective, or are you gaining traffic from other avenues? There’s no way to know.


The End Goal of Compliance? Protecting User Privacy

GDPR is not just a set of rules that you need to follow. GDPR is a way to ensure that your company protects the data privacy rights of its users.

The good news is that with Relay42’s server-side proxy we can make sure your analytics setup meets all the GDPR requirements stated by the CNIL.

As more countries follow the rulings in France, possibly with slight adjustments to the advice provided by the CNIL, the Relay42 Customer Data Platform (CDP) offers the flexibility to adjust the settings to your needs.