In May, the E.U.’s General Data Protection Regulation (GDPR), the most significant revision to data privacy rules in more than 20 years, went into effect. It gives users more control over their personal data and allows regulators to penalize offenders up to 4% of global turnover.
According to the French data protection body CNIL, Google Analytics violates the General Data Protection Regulation (GDPR) since it sends the personal information of European internet users to the United States. The severity of the observed violations of the fundamental GDPR principles of transparency, information, and consent justifies the magnitude and publicity of the penalties.
The regulatory investigation was prompted by numerous complaints against Google Analytics and by the E.U. privacy advocacy organization noyb in August 2020. Although Google’s analytics tool has been the first to get DPA rulings, the problem is not exclusive to Google or analytics tools and might impact many other U.S.-based firms with E.U. clients.
France's claims about Google Analytics
France’s data protection agency, the CNIL, has amended its recommendations for its users following a ruling earlier this year that found the use of Google Analytics by a local website to violate E.U. legislation.
It also acknowledged that it had since sent formal notifications to other businesses requesting that they modify their use of Google Analytics. The legal dispute centers on Google's transfer of user data to the United States for processing. This export of personal data lacks adequate legal protections following a 2020 ruling by Europe's top court, which invalidated an essential data transfer agreement because of the possibility of unauthorized access to Europeans' data by U.S. intelligence agencies. This legal dispute affects the use of the widely known analytics tool throughout the E.U., not just in France.
Since then, the E.U. and the United States announced a political agreement on a substitute transfer mechanism. The basic conclusion is that E.U. websites have two options: alter how they use Google Analytics or risk regulatory enforcement, which may include a directive to change their procedures and a monetary fine for violating it. Because there are fewer valid justifications for not having implemented the required adjustments, the likelihood of penalties for non-compliance is probably increasing as regulatory guidance on the subject becomes more specific.
Google Analytics may no longer be used in the EU
A specific French website that was the focus of a GDPR complaint is the subject of the urgent order to stop using Google Analytics. However, according to CNIL, it has spoken with its “European counterpart” DPAs, and they generally concur with the decision. Unfortunately, that might result in Google Analytics becoming inoperable throughout the E.U. unless adjustments are made to how it functions.
Google Analytics gathers a range of data on website visitors, including the sites they access and the links they follow to get there. However, no personal information is visible to the webmaster except for an extensive geographic location. Instead, the goal is to learn more about the website’s most popular material and drive conversions.
That in and of itself raises a GDPR issue, but one that might be handled if the site visitor is informed of this procedure and requested to give their consent.
The Problem with Google Consent Mode
To meet explicit consent and opt-out requirements, Google Analytics tagging has typically been set up to wait until a user has explicitly consented to cookies being accessed and personal data being collected.
This action is required because each time a Google Analytics tag is used, it reads and writes cookies in the user's browser and gets specific anonymous device identification from the cookie.
With MagicPixel's server-side tagging, companies can host their data in the European Union instead of transferring it internationally to the U.S. We have native integration with various consent management platforms to ensure data collection, processing and sharing are in compliance at all times.
This "out-of-the-box" behavior subjects the tags to the relevant privacy law and requires active user consent. There has been no way to collect only fully private interaction data, without placing and accessing cookies and gathering specific user identities.
The fact that this data is being sent back to Google's U.S. servers is what might drive GA out of Europe. That results in an unresolvable clash with the Schrems II ruling, which would necessitate Google making major changes to how the service operates.
MagicPixel can help you anonymize or remove PII before sending data to GA to stay compliant. For all marketing and personalization requirements, our no-code tagging platform unlocks the real potential of server-side tagging.
With the real-time data tracking features of MagicPixel, you receive far more precise data and all of the user behavior insights related to your website, and you stay compliant at all times. Book a demo now, and we will get back to you in no time.