In this guest post, Hoang Nguyen, chief data and technology officer at Howatson+Company, argues that the EU finding Google Analytics unlawful is set to have reverberations around the globe…
Europe is strictly enforcing the GDPR, and American big tech is not immune. If you follow tech blogs, your feed would have been full on Thursday last week after the use of Google Analytics was declared illegal in Austria. But there is more to the story than the headline suggests, and more that Australian companies need to be doing to prepare for a digital world that becomes more private with each passing year.
What you need to know
- US and European privacy legislation are increasingly in conflict with each other.
- America’s CLOUD Act requires US-based providers to hand over data in their possession under a valid US legal order, regardless of where in the world that data is stored.
- The GDPR governs how the personal data of people in the EU is collected, stored and transferred, and prohibits transferring it to a company in a country whose law does not protect it to an equivalent standard, including against government surveillance (the US included).
Google Analytics is in breach of the GDPR
- In August 2020, an Austrian user who visited an Austrian health website while logged into their Google account was personally identifiable to Google from the analytics data the site sent. This person brought a claim against Google and the website operator to the Austrian Data Protection Authority.
- Google offers a setting in Google accounts that lets a user stop Google from evaluating their use of third-party websites in detail, which implies that Google is able to link usage data to an individual. That data is stored in the US, and it is the transfer that violates the GDPR.
- Last week, the Austrian Data Protection Authority ruled the data transfer to Google illegal, putting the website operator in breach of the GDPR. Other European authorities, especially in Germany and the Netherlands, are expected to make similar findings in the coming months.
- This has implications for Google and for every company operating in Europe that uses Google Analytics.
- Companies operating in Europe must determine whether running Google Analytics on their websites risks a penalty for violating the GDPR.
There is a simple process to be GDPR compliant in the EU while using Google Analytics
- The Dutch Authority for Personal Data has updated its guidance on the “privacy friendly set up of Google Analytics.”
- We have outlined an approach to maintain marketing intelligence while ensuring privacy compliance below.
The deeper story for IT professionals
“Google Analytics declared illegal in the EU” is a sensational headline. With the majority of European websites running GA, are we soon to return to the dark ages of website analytics? We believe the likely implications of the ruling will be far less dramatic. A closer review of the decision suggests the issue is configuration related, not the product itself. That is less exciting, but non-compliant use of GA across the EU still exposes a business to large fines from European authorities.
Let’s understand the configuration issue further. As the decision states, “due to a possible configuration error, the respondent did not activate the IP anonymisation function in all cases.” Without IP anonymisation the full IP address is sent to, and stored by, Google. An IP address can identify a user and is therefore personal data under the GDPR, so transferring it to the US without adequate safeguards is a breach.
Fortunately for the citizens of the EU, even if US intelligence services had accessed the non-compliant data in question, the identifiers it contains cannot readily be reversed to a named person. The decision states, “it is not to be expected that US authorities would have additional information that would enable them to identify the data subjects behind the first party cookie values ‘gid’ and ‘cid’ or behind an IP address.” The site in question also had “no authentication system and did not use a user ID function.” On their own, therefore, these identifier values cannot be traced back to a person.
What happens now? If you are an Australian business operating digital assets in the EU, do you need to pull GA down tomorrow? Best to seek your own legal guidance on that question, but we suggest some immediate actions:
- Review your platform configurations, especially ID synchronisation (user ID and cross-device features), data collection and data-sharing options. This review must span your entire mar-tech stack, not just Google Analytics.
- Review and update your privacy policy, and ensure that all data and platform processing is properly audited.
- Have a contingency plan for your analytics and behaviour-data collection. If not in response to this ruling and the rise of European GDPR enforcement, then for vendor mechanisms such as Apple’s ITP and IDFA changes, and the imminent death of third-party cookies. One option is an edge-based analytics service that is privacy-first, does not rely on cookies, and is resistant to ad and analytics blockers. Another is to have your own systems collect and process authenticated traffic data that is secured, consent-based and compliant.
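Two concrete pieces of the configuration review above, as an added example that is not part of the original article and is not Google's code: first, what the IP anonymisation setting the decision turned on actually does to a stored address, reproduced from Google's documented behaviour for Universal Analytics (the last octet of an IPv4 address and the last 80 bits of an IPv6 address are set to zero); second, a string-level check that each tracking snippet on your pages actually enables it, using the documented `ga('set', 'anonymizeIp', true)` and `gtag('config', ID, { anonymize_ip: true })` forms. The sample snippets, the `UA-00000-1` tracking ID and the function names are constructed for the example.

```javascript
// Added example (not from the article, not Google's code). Reproduces the documented
// effect of Universal Analytics' IP anonymisation and audits tracking snippets for it.

function expandIpv6(ip) {
  // Expand "::" shorthand into eight 16-bit groups (numbers).
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('invalid IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('invalid IPv6 address: ' + ip);
  }
  return [...head, ...Array(missing).fill('0'), ...tail].map((g) => parseInt(g, 16));
}

function anonymizeIp(ip) {
  // IPv6: zero the last 80 bits, i.e. the last five 16-bit groups.
  if (ip.includes(':')) {
    const groups = expandIpv6(ip);
    for (let i = 3; i < 8; i++) groups[i] = 0;
    return groups.map((g) => g.toString(16)).join(':');
  }
  // IPv4: zero the last octet.
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o))) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  octets[3] = '0';
  return octets.join('.');
}

// analytics.js enables anonymisation with ga('set', 'anonymizeIp', true);
// gtag.js with gtag('config', ID, { anonymize_ip: true }). The check is purely
// textual: a setting applied via a tag manager or a shared config object is missed,
// so treat a "missing" result as something to verify, not as proof of non-compliance.
// GA4 properties (G- measurement IDs) do not store full IP addresses and have no
// such flag, so this audit is for Universal Analytics (UA-) snippets only.
const GA_SET_RE = /ga\(\s*['"]set['"]\s*,\s*['"]anonymizeIp['"]\s*,\s*true\s*\)/;
const GTAG_CFG_RE = /gtag\(\s*['"]config['"]\s*,[^)]*['"]?anonymize_ip['"]?\s*:\s*true/;

function hasIpAnonymisation(snippet) {
  return GA_SET_RE.test(snippet) || GTAG_CFG_RE.test(snippet);
}

function findNonCompliant(snippets) {
  // Names of the snippets that never enable IP anonymisation.
  return Object.keys(snippets).filter((name) => !hasIpAnonymisation(snippets[name]));
}

// Constructed sample snippets (hypothetical tracking ID), one per library and state.
const SAMPLE_SNIPPETS = {
  analyticsJsMissing: "ga('create', 'UA-00000-1', 'auto'); ga('send', 'pageview');",
  analyticsJsOk: "ga('create', 'UA-00000-1', 'auto'); ga('set', 'anonymizeIp', true); ga('send', 'pageview');",
  gtagMissing: "gtag('config', 'UA-00000-1');",
  gtagOk: "gtag('config', 'UA-00000-1', { 'anonymize_ip': true });",
};

console.log(anonymizeIp('203.0.113.77'));                 // 203.0.113.0
console.log(anonymizeIp('2001:db8:85a3:8d3:1319:8a2e:370:7348')); // 2001:db8:85a3:0:0:0:0:0
console.log(findNonCompliant(SAMPLE_SNIPPETS));           // [ 'analyticsJsMissing', 'gtagMissing' ]
```

The anonymisation output shows why the setting matters but is not a cure-all: a /24 still narrows a visitor to a small network, which is why the decision also weighed the `cid` and `gid` cookie values and the absence of a user ID. The audit helper is a starting point for the configuration review, not a substitute for checking what the live property actually receives.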
The commercial internet is younger than the age at which the average Australian takes out a home loan. Google itself is only 24. While it is unimaginable to live without the internet, we are only just starting to regulate it and reduce its harmful by-products. Privacy is an area governments can legislate, and they are increasingly holding brands and tech companies to account. If you have not invested in the people and processes to ensure your privacy compliance, now is the time to do so.