Simplified European regulatory context

The two main topics on the European regulatory side are:

  • The RGPD, which requires the request for consent to use cookies or trackers. Part of the audience will therefore not be tracked at all if they have not agreed to tracking.
  • The ePrivacy directive, which concerns the transfer of personal data to the United States. Here it may be necessary to remove Google Analytics to avoid a breach.

Recent updates

🆕 On July 10, 2023, the European Commission adopted a new adequacy decision concerning the United States, recognizing that the 🇺🇸 United States now guarantees a level of protection equivalent to that of the European Union for personal data transfers. A priori, GA4 is therefore no longer in the sights of the authorities and is no longer illegal to use.

The CNIL has implicitly given its opinion on the matter by redirecting all the pages on its site that mentioned, directly or indirectly, the illegality of Google Analytics 4 to this page (which confirms its legality):

Data transfers to the United States: the European Commission adopts a new adequacy decision (July 10, 2023).

❗️Remain vigilant, however, about data confidentiality and take appropriate measures, such as proxification, to ensure compliance with data protection regulations.

European countries arbitrate against Google Analytics

The European Union requires companies to handle users' personal data lawfully, fairly and transparently.

🇪🇺 In Europe, the use of Google Analytics is presumed authorized ✅ provided that its use complies with the General Data Protection Regulation.
⚠️ Some European countries, however, have arbitrated against the use of Google Analytics in its standard configuration, due to compliance issues with the RGPD according to their interpretation. This is the case for Austria 🇦🇹, Italy 🇮🇹, France 🇫🇷 and the Netherlands 🇳🇱.

In all cases, website owners must obtain users' consent 🍪 and take measures to protect their privacy (anonymization of personal data). They must provide users with detailed information on data collection and use via Google Analytics.

Remarks
1. No French company 🇫🇷 has yet been sanctioned for using Google Analytics.
2. You can "proxify" Google Analytics server-side to meet CNIL requirements.

The main reasons for CNIL's concerns

The problem of IP addresses before GA4

Google Analytics does not store individual IP addresses, but the data is transferred to the USA for processing, making it possible to determine the geolocation of users. The IP pseudonymization feature masks only the last two digits, which is insufficient for two reasons:

  • Pseudonymization is performed after transfer, which does not solve the problem.
  • Pseudonymization is reversible, so it's best to opt for anonymization by providing a new IP address.

The CNIL refuses to allow Google to transfer IP addresses to the USA, despite Google's undertaking to delete or anonymize them immediately upon receipt.

☝️ Google has updated GA4 to stop the transfer of IP addresses outside the EU.

Anonymization or pseudonymization of client_id is not sufficient

The CNIL fears that Google could re-identify users by crossing several sources of information, which is reasonable given Google's capabilities.

💡 However, it is possible to set up a proxy to perform all the pseudonymization and anonymization work upstream, i.e. BEFORE any export to the USA. See: Proxyfication of Google Analytics: a good idea?
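To make the two preceding points concrete (replacing the client IP with a non-reversible value, and pseudonymizing client_id before anything leaves the EU), here is an added example of what such a proxy does to one hit. It is not Starfox Analytics' code nor Google's; the parameter names it touches (`cid`, `uid`, `dl`, `dr`), the /24 and /48 truncation lengths, the HMAC secret and the sample hit are all assumptions constructed for the illustration. The secret stays on the proxy, which is the "keys under the exporter's exclusive control" idea from the FAQ below.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed secret: in a real deployment it lives only on the EU-side proxy,
# never with the analytics vendor, so the pseudonym mapping cannot be recomputed
# downstream.
PROXY_SECRET = b"constructed-example-secret"

# Hit parameters treated as direct identifiers and dropped before forwarding.
# Names are assumptions for this example ('uid' = GA user-ID field).
DROP_PARAMS = {"uid"}
# URL-carrying parameters whose query string is stripped (it may contain
# e-mail addresses, tokens, search terms, ...).
URL_PARAMS = {"dl", "dr"}


def anonymize_ip(ip_str: str) -> str:
    """Return a coarse network address in place of the client IP.

    IPv4 is truncated to its /24 and IPv6 to its /48. This is one-way: the
    original host address cannot be recovered from the result, unlike a
    pseudonym that can be looked up or reversed.
    """
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize_client_id(client_id: str, secret: bytes = PROXY_SECRET) -> str:
    """Keyed one-way mapping of the GA client_id (HMAC-SHA256).

    Same input -> same pseudonym, so sessions still stitch together, but
    without the key nobody downstream can link the pseudonym back to the
    browser cookie. The output mimics GA's 'nnnnnnnnnn.nnnnnnnnnn' shape.
    """
    digest = hmac.new(secret, client_id.encode("utf-8"), hashlib.sha256).digest()
    first = int.from_bytes(digest[:4], "big")
    second = int.from_bytes(digest[4:8], "big")
    return f"{first}.{second}"


def strip_query(url: str) -> str:
    """Keep scheme, host and path only; drop query string and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def sanitize_hit(query_string: str, client_ip: str) -> dict:
    """Rewrite one collect hit (as sent by the browser) before it leaves the proxy.

    Returns the re-encoded query string, the parsed parameters, and the
    coarse IP the proxy would present to the vendor instead of the user's.
    """
    params = []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key in DROP_PARAMS:
            continue  # direct identifier: never forwarded
        if key == "cid":
            value = pseudonymize_client_id(value)
        elif key in URL_PARAMS:
            value = strip_query(value)
        params.append((key, value))
    return {
        "query": urlencode(params),
        "params": dict(params),
        "client_ip": anonymize_ip(client_ip),
    }


if __name__ == "__main__":
    # Constructed sample hit: a page_view whose page URL leaks an e-mail address.
    # 'G-XXXXXXX' is a placeholder measurement id, not a real property.
    hit = ("v=2&tid=G-XXXXXXX&cid=1234567890.1700000000&uid=alice&en=page_view"
           "&dl=https%3A%2F%2Fshop.example%2Faccount%3Femail%3Dalice%40example.com")
    print(sanitize_hit(hit, "203.0.113.77"))
```

Note the design choice: the IP is truncated (anonymization, irreversible) while client_id is HMAC'd (pseudonymization, reversible only by the key holder). That matches the distinction the text draws, and it is why the proxy, not the vendor, has to hold the key. Geolocation becomes coarser as a direct consequence, which is the trade-off the FAQ on proxification describes.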

So what are your options?

In short, Google Analytics, including GA4, is prohibited in its current configuration, due to data transfers to the USA.

1. Do nothing

Do nothing, simply migrate to GA4 and respect user consent with a well-configured CMP. In reality, the risk is low, and you still have one month to comply.

2. Implement Google analytics in accordance with CNIL recommendations

Migrate to GA4 server-side only, minimizing personal data. If the CNIL sends out automatic formal notices for the use of Google Analytics script, you could be in trouble.

If you are audited by the CNIL, you can defend yourself by arguing that you are in the process of deploying a solution that complies with their recommendations, and by demonstrating your good faith. You still have one month to comply.

3. Proxify Google analytics

The only way to comply and continue using GA would be to use a proxy to mask the data before sending it to Google Analytics.

Google Analytics and data transfers: how to bring your audience measurement tool into compliance with the RGPD | CNIL

The Court of Justice of the European Union (CJEU), in its ruling of July 16, 2020, invalidated the Privacy Shield, a scheme that provided a framework for personal data transfers between the European Union and the United States.

See also our article Google Analytics proxyfication: a good idea?

4. Replace Google analytics

Finally, there are a number of possible alternatives that can be put in place to guard against regulatory risks. See our article on The best alternatives to Google Analytics.

The alternatives to Google Analytics for audience analysis are serious and have similar functionality. However, if you choose to switch away from GA4, you'll lose the native connection with other Google tools such as Google Ads and Merchant Center, as well as the ability to export raw data to Google BigQuery.

Our recommendation

Depending on your risk exposure, we recommend the following two approaches:

  1. Continue to use GA4, but in a configuration that respects user privacy as far as possible. Google has already made great strides in terms of privacy with GA4 and data localization in Europe.
  2. Set up an alternative solution to anticipate an inspection and build up a data history. See The best alternatives to Google Analytics.

Frequently asked questions

What are the risks of keeping Google analytics as it is?

🟢 The risk is low: if the CNIL gives you formal notice, you'll have one month to comply. What's more, since July 10, 2023, the European Commission 🇪🇺 has adopted a new adequacy decision, recognizing that the 🇺🇸 United States now guarantees a level of protection equivalent to that of the European Union for personal data transfers. A priori, GA4 is therefore no longer in the sights of the authorities, and is no longer illegal to use.

Do organizations have a deadline for compliance?

⚠️ Yes, but the deadline is not long. Organizations put on formal notice have one month to comply with the RGPD and justify this compliance to the CNIL.

💡 This period may be renewed at the request of the interested parties.

Are there sufficient additional guarantees to continue using GA?

✅ Yes, but under certain conditions: a solution involving a proxy server can be set up to avoid any direct contact between the user's device and the measurement tool's servers.

⚠️ Google Analytics proxification can have a significant impact on the data collected. Google Analytics collects data on users' interactions with a website, including IP address, geographical location and browser type. However, when traffic is routed via a proxy, the IP address collected may be that of the proxy and not that of the user, which makes it difficult to collect accurate data on geographical locations and may cause inconsistencies in analysis data.

Could encryption be a sufficient additional guarantee?

✅ Yes, but under certain conditions.

Google's data encryption is insufficient, as it retains the possibility of accessing individuals' data in clear text. For encryption to be sufficient, encryption keys should be kept under the exclusive control of the data exporter, or other entities established in a territory offering an adequate level of protection.

Is it possible to set Google Analytics to transfer only anonymous data to the United States?

✅ Yes, but under certain conditions.

Google uses pseudonymization measures rather than anonymization. Although it offers an IP anonymization function, this does not apply to all transfers. Unique identifiers can make data identifiable when combined with browser or operating system metadata. The EDPS recommends pseudonymization, but only after analysis to avoid re-identification of data subjects.

Why Google Analytics more than the others?

It's a real question, and we don't have the answer. We believe that the CNIL is concerned that Google could indirectly re-identify users by cross-referencing numerous sources of information. Relatively few other data analysis solutions possess such a capability.

But what about all those American CRMs that hold personal data?

Yes, but what if the user agrees to the transfer of their data to the United States?

⚠️ Not really. According to Article 49 of the GDPR, data transfers may be permitted to third countries or international organizations if the data subject has given his or her explicit consent and has been informed of the risks.

However, this exemption does not apply to recurring transfers such as those carried out with Google Analytics. It is reserved for exceptional cases, such as a small e-mailing campaign over a limited period.

Are there alternative tools?

✅ Yes, there are alternative tools.

The CNIL has published a list of audience measurement tools that can be exempted from consent when properly configured.

⚠️ Please note that the consent exemption is specific to France 🇫🇷

This list includes tools that do not require user consent, in accordance with Article 82 of the French Data Protection Act, as they have been configured to provide only the information essential to the service.

There are few options in reality. Excluding solutions with US capital (such as Piano Analytics) or hosted on US servers (such as Piwik Pro and Matomo Cloud on AWS), only self-hosting (self-hosted Piwik Pro) and open source (Matomo) remain available.

A need, a question?

Write to us at hello@starfox-analytics.com.
Our team will get back to you as soon as possible.


Follow Starfox Analytics on Linkedin so you don't miss a thing.