Google Analytics Processing Data in US – is this a problem?
Austrian DPA has found that continuous use of Google Analytics violates GDPR
Once again, Google is under fire from a regulator in Europe. This time in Austria.
The Centre for Digital Rights (noyb), which is based in Austria and led by Max Schrems, filed 101 model complaints following the Schrems II decision in 2020.
Following the complaint about Google Analytics, the Austrian regulator has determined that the continuous use of Google Analytics violates GDPR:
“The Austrian Data Protection Authority (DSB) has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb in the wake of the so-called “Schrems II” decision. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB “task force”. It seems the Austrian DSB decision is the first to be issued.” Source noyb
What does Google Analytics do?
Google Analytics operates by using cookies to capture information about website visitors. Google Analytics is free to use and it’s ideal for businesses who want to know more about:
- Who visits their website
- How their website is used
- What’s popular on their website, and what’s not
- Whether visitors return to their website
What information does Google capture?
You are likely to see a range of Google cookies that do different jobs. Here’s a short list showing some possible cookies that might be used:
- _ga: Used to distinguish users and retained for 2 years
- _gtd: used to distinguish users and retained for 24 hours
- _gat: Used to throttle request rate and retained for 1 minute
- AMP_TOKEN: Contains a token that can be used to retrieve a Client ID from AMP Client ID service and retained from 30 seconds to 1 year
- _gac_<property-id>: Contains campaign related data for the user. This is used when Google Analytics and Google Ads are connected and retained for 90 days
These cookies range from simple identification to remarketing and advertising cookies which allows you to track and remarket individuals through Google Ads. The more one strays into using this data for remarketing, the more intrusive the data capture becomes.
What does this mean in reality?
Since the advent of GDPR, the burden to demonstrate that consent has been freely given has become greater.
In the UK, when the ICO published their cookie (and other technologies) guidance in 2019, many large websites became instantly non-compliant. The requirement to demonstrate that consent had been freely given had become stronger.
The ICO also clearly highlighted that Performance Cookies (such as Google Analytics) required consent to be used.
Since 2019, companies have used a variety of methods to notify users about the existence of Google Analytics cookies. Some compliant, some less so.
It is also clear that many have taken a risk-based approach to what they should do. The ICO’s own guidance provides a level of ambiguity on the topic:
The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. Source: ICO
What are the issues?
- Google is a data processor unless you enable data sharing with Google Ads at which point you become a shared controller – ensuring that your privacy policies reflect these differing relationships is important.
- Google stores most data in USA – since Privacy Shield became illegal this has presented some problems. Google is relying on SCC’s but the main concern is that the US has surveillance laws that require companies such as Google to provide US Intelligence agencies with access to their data.
- Google does use data to improve their services. For a user, this can sometimes seem creepy.
What could Google or US government do?
A rather obvious solution would be for Google to move the processing of EU data outside the US to server centres in Europe where the US government cannot exercise the same surveillance rights as in the US.
Alternatively, the US government could introduce better protection for private citizens. Although this was unthinkable under the previous presidential regime, it may be conceivable under Biden/Harris. It still feels like a long shot.
Realistically it’s quicker and more realistic for the Google’s of this world to set up data centres in Europe. Saas providers such as Salesforce addressed this issue years ago and it feels like it’s about time Google and Facebook did too.
What should you do?
- Make sure you have correctly set up your cookie banner on your website. Technically, visitors should opt-in to Google Analytics and this permission should be captured before any processing takes place
- Make sure you describe all the Google cookies you are using – from simple tracking through to remarketing and advertising. Ideally each cookie would be included including the technical details, duration and purpose.
- If you use Google Analytics a number of settings have been introduced that help protect privacy:
- Turn on the IP anonymising tool. It removes the last three characters of the IP address and renders the address meaningless.
- Make use of the data deletion tool – this is a bulk delete tool and can’t be used for one user
- Introduce data retention policies – there is a default setting of 26 months before data is deleted but maybe you can delete data sooner.
- Simple Analytics
- At the moment, this finding by Austrian DPA does not apply in the UK. However it’s possible other DPAs may follow suit.
- Having said that, there are plenty of lessons to learn about how to work with Google Analytics and other US-based companies who insist on holding data in the US
- Given that the world is slowly turning against cookies, maybe now is the time to start looking at less intrusive performance tracking solutions.