Google turned from a quirky startup in the early 2000s to the biggest advertising platform in the world. It's a big data-cruncher that collects tons of data points to provide advertisers with the most accurate information.
The more information Google can gather on a website visitor, the more accurate it can display these personalised ads. As a result, they provide more value for the advertiser that is paying Google.
Data collection is one of Google's primary sources of revenue, which is why the company is facing many troubles currently.
Since then, data collection practices by advertising giants like Google have been under a microscope, and this year some EU member states banned Google Analytics.
It started with the invalidation of the privacy shield in July 2020. This is referred to as the Schrems ii ruling that concluded that data transfer to the US can violate the GDPR law unless certain additional measures are taken.
Google qualifies as an "Electronic communication service provider" and is therefore obliged to share data with the US intelligence service if requested. This means that the protection of personal data on EU citizens cannot be guaranteed when data is sent to Google Analytics servers overseas.
Even anonymising personal data will not fix this problem, given Google's ability to enrich this with other data points to single out an individual website visitor.
The Schrems ii ruling did not lead to immediate action by data protection agencies. However, after 101 complaints were filed by the NOYB organisation against websites using Google Analytics and Facebook Connect, things started to change. The European Data Protection Board established a task force to look into these complaints, and after that, different data protection authorities started issuing decisions and other outcomes.
More EU member states are likely to follow suit. AP (The Netherlands) has started an investigation that will conclude at the end of 2022. In the meantime, they updated their website, stating that the use of Google Analytics may be banned. It is very likely the AP will rule in the same way as its counterparts in Austria, France, and Italy.
Thousands of businesses have chosen to use Google Analytics over the past years, which can change very quickly based on the decision of the Data Protection Authorities of the EU member states.
But the implications of banning Google Analytics are broader than merely the cessation of using Google Analytics.
The decisions made by the Data Protection Authorities state that the use of Google Analytics is unsafe because it transfers personal data to the US without proper safeguards.
Although not all vendors that send data to the US are unsafe to use, it is crucial for you to assess them.
Google Analytics is a data processor and a vendor. Other examples of processors are Slack, Mailchimp, Helpscout, etc. If your business uses any of these services, it makes you the data controller. And based on the GDPR, as a data controller, it is your responsibility to screen your processors, ensuring they provide adequate data protection.
In other words, as the data controller, you should only get and stay in agreements with vendors that are GDPR compliant and can demonstrate their compliance. Otherwise, the authorities can punish not only your vendors but also you as the controller.
Firstly, for businesses in Austria, France, and Italy, using Google Analytics is against the law, and you should find another solution.
Secondly, you should ensure all your vendors are compliant with GDPR. And you should do so regularly. If your vendors transfer personal data to the US, it is important to make individual assessments of them, called Transfer Impact Assessments.
Lastly, if you find out your vendors are not compliant with the GDPR and do not protect your data responsibly, it is necessary to choose a new vendor.
Finding reliable vendors and vetting them is essential to maintaining GDPR compliance. And finding information about your vendors can be time-consuming and tiring, but it pays back. There are many factors to take into account before you make a decision.
You should compile all relevant information on your vendors' GDPR compliance activities, including their names, addresses, contact information, and privacy statement. Additionally, you will need to locate their impact statements, certificates, Schrems II compliance efforts, and more. Although investing time and resources in such a task may sound unpleasant, being aware of whether enough protection has been put in place to protect your data may shield you from much worse scenarios.
Google Analytics is already banned in a few EU countries, and it's highly likely that other EU member states will reach the same conclusion this year. We would therefore recommend to start looking for a Google Analytics alternative.
There are a few privacy-friendly alternatives that could replace. One of them is Simple Analytics. They are based in The Netherlands and are cookieless by design. According to them, they don't store any personal data and are compliant with GDPR. There is a free trial so that you can try it out.
Sign up for a regular dose of news and updates from the legal landscape.