Google Analytics and data transfers: how to bring your audience measurement tool into compliance with the GDPR
Reminder of the problem
The use of Google Analytics is subject to two legal constraints under the ePrivacy Directive and, by extension, the GDPR: consent for cookies and trackers, and the illegal transfer of personal data to the United States.
⚖️ Find out more about regulations: Is Google Analytics legal in Europe?
The CNIL proposal: proxyfication
In June 2022, the CNIL recommended the use of proxyfication and specific measures to use GA4 correctly, in compliance with European directives and the GDPR:
In its ruling of July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, a framework for the transfer of personal data between the European Union and the United States. The U.S. legislation does not offer sufficient guarantees against the risk of authorities, notably intelligence services, gaining access to the personal data of European residents.
Proxyfication of Google Analytics mainly consists of having the proxy server replace certain information that may be involved in generating a fingerprint, and deleting any other data that may lead to re-identification, such as a CRM database ID.
- Do not transfer the IP address to the measurement tool's servers.
- Have the proxyfication server replace the user ID.
- Delete external referrer information and parameters contained in collected URLs.
- Process information that can be used to generate a fingerprint.
- Do not collect any cross-domain tracking or deterministic identifiers.
- Delete any other data that could lead to re-identification.
⚠️ Applying a proxyfication strictly in line with CNIL recommendations can render your analysis tool virtually obsolete.
But fortunately, some of these legal constraints are debatable and can be solved by technical manipulation.
Criteria for compliant proxyfication
The CNIL has presented several measures it deems necessary for the process to comply with the GDPR. We list them here along with their consequences and our recommendations.
Do not transfer the IP address to the measurement tool's servers.
Anonymize IP addresses. Anonymizing only the last 3 characters is sufficient. This is still accurate enough to deduce the region.
⚠️ Google Analytics will not be able to deduce the origin of users at city level. Depending on the case, this can be a problem for certain activities.
💡 Configure the proxy so that it can itself deduce the geolocation of your visitors from the IP address.
Have the proxyfication server replace the user ID.
The CNIL considers that Google does not provide sufficient proof or guarantees that it does not cross-check this data with other third-party data. It is this vagueness that poses a problem for the CNIL.
💡 Apply an encryption key to the ID on the proxyfication server before it is sent.
Delete external referrer information and parameters contained in collected URLs.
Rather than limiting the "referrer" to the domain name, the CNIL asks that the name of the "referrer" be deleted. The same applies to campaign UTM parameters (source, medium, campaign, etc.).
⚠️ Inability to collect user data. This is a real problem for most players.
💡 Keep the referrer's domain name and any UTM parameters that do not allow identification.
In fact, many of the analytics solutions recommended by the CNIL not only have access to data elements from the referrer, but also do not require user consent!
Please note that if you cannot pass the gclid, you'll need to tag your Google Ads campaigns with UTMs, as auto-tagging will no longer be possible.
Process information that can be used to generate a fingerprint, such as user-agents.
Unnecessary User Agent information must be removed.
⚠️ The impact will remain limited (e.g.: specific phone model or browser version).
Do not collect any cross-domain tracking or deterministic identifiers (CRM, unique id).
⚠️ Loss of the origin of visits and inability to enrich and cross-reference your data to follow the user across several domains or perform certain analyses.
👉 Apply an encryption key to the ID on the proxyfication server before it is sent.
💡 As long as the user's consent is given and the IDs are encrypted, so they cannot be used by Google for further data cross-referencing, we believe it is not necessary to prevent cross-domain tracking.
Delete any other data that could lead to re-identification.
Recommendations were also made concerning the conditions under which the proxy is hosted 🇪🇺.
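The measures above can be read as one allow-list filter applied by the proxy before a hit is forwarded. The following Python sketch is an added example, not code from this article or from Google: the hit field names, the key and the sample data are constructed, the IP step is interpreted as zeroing the last octet, and a keyed HMAC stands in for the "encryption key" step. It follows the article's relaxed recommendations (referrer domain and non-identifying UTMs are kept).

```python
import hashlib, hmac, ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PROXY_KEY = b"constructed-demo-key"  # placeholder; the real key never leaves the proxy
ALLOWED_QUERY = {"utm_source", "utm_medium", "utm_campaign"}  # assumed non-identifying

def truncate_ip(ip: str) -> str:
    """Zero the host bits so only a coarse network is left (IPv4 /24, IPv6 /48)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def pseudonymize(identifier: str) -> str:
    """Keyed HMAC-SHA256: stable per visitor, not linkable without the proxy key."""
    return hmac.new(PROXY_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:32]

def clean_url(url: str) -> str:
    """Keep scheme, host and path; drop the fragment and non-allow-listed parameters."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k in ALLOWED_QUERY]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

def generalize_ua(ua: str) -> str:
    """Reduce the user-agent to browser family and OS family (first match wins)."""
    browsers = (("Edg/", "Edge"), ("Firefox/", "Firefox"), ("Chrome/", "Chrome"), ("Safari/", "Safari"))
    systems = (("Windows", "Windows"), ("Android", "Android"), ("iPhone", "iOS"),
               ("iPad", "iOS"), ("Mac OS X", "macOS"), ("Linux", "Linux"))
    browser = next((name for token, name in browsers if token in ua), "Other")
    system = next((name for token, name in systems if token in ua), "Other")
    return f"{browser}/{system}"

def sanitize_hit(hit: dict) -> dict:
    """Build the forwarded hit from an allow-list; unlisted fields (e.g. crm_id) are dropped."""
    return {
        "client_id": pseudonymize(hit["client_id"]),
        "ip": truncate_ip(hit["ip"]),
        "page": clean_url(hit["page"]),
        "referrer": urlsplit(hit.get("referrer", "")).hostname or "",
        "user_agent": generalize_ua(hit.get("user_agent", "")),
    }

SAMPLE_HIT = {  # constructed sample, not real traffic
    "client_id": "GA1.1.1234567890.1700000000",
    "ip": "203.0.113.57",
    "page": "https://shop.example/cart?utm_source=newsletter&gclid=abc123&email=a%40b.example#top",
    "referrer": "https://news.example/article/42?user=alice",
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15 Version/17.1 Safari/604.1",
    "crm_id": "CRM-000981",
}
```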
Our opinion on Google Analytics proxyfication
In all cases, we must ensure that the user's consent is respected.
Next, it may be useful to take certain liberties, as long as you can justify them. Proxyfication, yes, but not in the strict sense of the CNIL, otherwise your tool is virtually unusable.
Finally, setting up server-side data collection is also a good practice for controlling what is sent to partners (see: ITP/ETP Safari, iOS14 and server-side).
To go further: GA4 vs CNIL's GDPR: legal use impossible? Is Google Analytics illegal under GDPR standards? Here's how to use GA4 in compliance with CNIL recommendations!