Google Analytics Processing Data in US – is this a problem?

January 2022

Austrian DPA has found that continuous use of Google Analytics violates GDPR

Once again, Google is under fire from a regulator in Europe. This time in Austria. 

The Centre for Digital Rights (noyb), which is based in Austria and led by Max Schrems, filed 101 model complaints following the Schrems II decision in 2020. 

Following the complaint about Google Analytics, the Austrian regulator has determined that the continuous use of Google Analytics violates GDPR: 

“The Austrian Data Protection Authority (DSB) has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb  in the wake of the so-called “Schrems II” decision. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB “task force”. It seems the Austrian DSB decision is the first to be issued.”  Source noyb

What does Google Analytics do?

Google Analytics operates by using cookies to capture information about website visitors. Google Analytics is free to use and it’s ideal for businesses who want to know more about:

  • Who visits their website
  • How their website is used
  • What’s popular on their website, and what’s not
  • Whether visitors return to their website

What information does Google capture?

You are likely to see a range of Google cookies that do different jobs. Here’s a short list showing some possible cookies that might be used:

  • _ga: Used to distinguish users and retained for 2 years
  • _gtd: used to distinguish users and retained for 24 hours
  • _gat: Used to throttle request rate and retained for 1 minute
  • AMP_TOKEN: Contains a token that can be used to retrieve a Client ID from AMP Client ID service and retained from 30 seconds to 1 year
  • _gac_<property-id>: Contains campaign related data for the user. This is used when Google Analytics and Google Ads are connected and retained for 90 days

These cookies range from simple identification to remarketing and advertising cookies which allows you to track and remarket individuals through Google Ads. The more one strays into using this data for remarketing, the more intrusive the data capture becomes. 

What does this mean in reality?

Since the advent of GDPR, the burden to demonstrate that consent has been freely given has become greater. 

In the UK, when the ICO published their cookie (and other technologies) guidance in 2019, many large websites became instantly non-compliant. The requirement to demonstrate that consent had been freely given had become stronger. 

The ICO also clearly highlighted that Performance Cookies (such as Google Analytics) required consent to be used. 

Since 2019, companies have used a variety of methods to notify users about the existence of Google Analytics cookies. Some compliant, some less so. 

It is also clear that many have taken a risk-based approach to what they should do. The ICO’s own guidance provides a level of ambiguity on the topic:

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. Source: ICO

What are the issues?

  1. Google is a data processor unless you enable data sharing with Google Ads at which point you become a shared controller – ensuring that your privacy policies reflect these differing relationships is important. 
  2. Google stores most data in USA – since Privacy Shield became illegal this has presented some problems. Google is relying on SCC’s but the main concern is that the US has surveillance laws that require companies such as Google to provide US Intelligence agencies with access to their data. 
  3. Google does use data to improve their services. For a user, this can sometimes seem creepy. 

What could Google or US government do?

A rather obvious solution would be for Google to move the processing of EU data outside the US to server centres in Europe where the US government cannot exercise the same surveillance rights as in the US. 

Alternatively, the US government could introduce better protection for private citizens. Although this was unthinkable under the previous presidential regime, it may be conceivable under Biden/Harris. It still feels like a long shot. 

Realistically it’s quicker and more realistic for the Google’s of this world to set up data centres in Europe. Saas providers such as Salesforce addressed this issue years ago and it feels like it’s about time Google and Facebook did too. 

What should you do? 

  1. Make sure you have correctly set up your cookie banner on your website. Technically, visitors should opt-in to Google Analytics and this permission should be captured before any processing takes place
  2. Provide a clear explanation of what data you are collecting and what that data is used for in an accessible cookie notice supported by a coherent privacy policy. 
  3. Make sure you describe all the Google cookies you are using – from simple tracking through to remarketing and advertising. Ideally each cookie would be included including the technical details, duration and purpose.
  4. If you use Google Analytics a number of settings have been introduced that help protect privacy:
    • Turn on the IP anonymising tool. It removes the last three characters of the IP address and renders the address meaningless. 
    • Make use of the data deletion tool – this is a bulk delete tool and can’t be used for one user
    • Introduce data retention policies – there is a default setting of 26 months before data is deleted but maybe you can delete data sooner. 
    • Consider the use of alternative tracking tools that do not rely on the use of cookies or transferring data overseas. A quick search resulted in a non-exhaustive list of analytics tools that don’t rely on cookies. There will be other suppliers: 
      • Fathom
      • Plausible
      • Simple Analytics
      • Insights
      • Matomo

In conclusion

  • At the moment, this finding by Austrian DPA does not apply in the UK. However it’s possible other DPAs may follow suit. 
  • Having said that, there are plenty of lessons to learn about how to work with Google Analytics and other US-based companies who insist on holding data in the US
  • It’s essential that your cookie notice and privacy policy clearly set out what tools are being used and what data is being processed. This is particularly important if you are linking Google Analytics to Google Ads for remarketing. 
  • Given that the world is slowly turning against cookies, maybe now is the time to start looking at less intrusive performance tracking solutions. 

 

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.