Why Google Analytics isn’t illegal, and other facts

Hannah Dempsey

VP marketing, Jellyfish

I sat down with some of our data and analytics experts to get their answers to the most pressing questions around the subject, to separate fact from fiction and to provide some clarity around the next steps.

So, what is going on?

The proceedings and outcomes of several EU authorities have attracted a great deal of interest from brands and the digital industry over the past two years. Since GDPR came into force in May 2018, the collection and storage of data has been at the forefront of marketers’ minds, with all of them wanting to ensure that they don’t fall foul of the regulations. Many platforms, like Google, use servers in the US for programs such as Google Analytics, and they collectively embraced Privacy Shield, a mechanism that allowed companies to move data from the EU to the US and that had originally been deemed GDPR compliant.

But in July 2020, the Court of Justice of the European Union (CJEU) ruled that the Privacy Shield was invalid because of US surveillance laws. Following the ruling, Google updated its Google Ads Data Processing Terms to incorporate Standard Contractual Clauses (SCCs). In August 2020, a non-profit called NOYB filed 101 complaints against websites in 30 EU and EEA member states. This is why we are seeing multiple complaints in multiple countries, and supervisory authorities are now starting to come to the same conclusion.

What’s the issue?

Adrien Hug-Korda, Group Data Protection Officer

The issue is that data, including personal data, collected on any given website within the EU by Google Analytics is sent to the US, where privacy laws do not provide a level of protection equivalent to that of the GDPR. Supervisory authorities in the EU have concluded that Google, as a result of US surveillance laws, may have to share such data with US intelligence agencies and that the technical and operational measures the company had implemented were not sufficient to guarantee the privacy of EU residents.

So, is this the end of Google Analytics in the EU?

Adrien Hug-Korda, Group Data Protection Officer

In short, no. The authorities have stated that the “supplementary measures” implemented by Google and the available technical documentation regarding some of the existing privacy controls – such as the IP anonymisation feature – were not currently sufficient to consider that Google Analytics fully complies with the GDPR. However, solutions do exist. For instance, Google might introduce additional security measures which may lead to the SCCs being fully applicable and the EU authorities’ fears alleviated, or the EU and the US may agree on a new mechanism that will allow businesses to once again transfer data to the US.

Does this only impact Google Analytics?

Daniel Smulevich, VP Analytics

No, it will affect many US-based tools, as the issue relates to the potential access by US intelligence agencies to personal data. Any company that was relying on the Privacy Shield between the EU and US will be affected. Whilst the current legal proceedings are centred around Google, I suspect that other platforms are looking at ways to mitigate risks for their clients.

What is Google doing to rectify the situation?

Nelson Chouissa, Senior Data & Insight Director

The biggest issue facing Google is where the data is being processed and preprocessed. In order to get closer to true GDPR compliance, they must ensure that all EU data is not accessible to US surveillance agencies.

Google is currently working on a solution within GA4 that will allow data to be anonymised before it is processed by the US servers. It’s important to note that privacy is a key consideration within GA4. Google designed and built GA4 as a tool that would be agile and flexible enough to withstand current and future privacy legislation.

How is the situation going to evolve?

Francois de Broissia, Data & Analytics Director

Right now, we can’t predict what is going to happen, as there are so many factors at play. My recommendation to clients is that they should take the time to prepare for multiple scenarios. I’m working with my clients to map out likely scenarios based on how it all plays out and then working with them to implement solutions that are cost-effective, efficient and mitigate risk.

What is the first thing I should do right now?

Francois de Broissia, Data & Analytics Director

The first thing to do is take a step back. Don’t get caught up in the speculation and panic. Nothing gets solved in haste, and you are more likely to make a mistake.

We are saying to clients that you need to mitigate the risk with anticipation. We’re actively working with some of our clients to identify solutions that will work best for them based on their business goals. A change of tool is not an easy task; there are a lot of associated costs that should be identified, whatever the final decision is.

It is possible to adjust the Google Analytics setup in a way that temporarily reduces risks for little cost. These changes do not provide a guarantee or conformity, but they can help prepare you for any future decisions and also show the authorities that you are doing all you can to protect user privacy.

What is everyone doing right now?

Per-Yann Munck, Data & Analytics Director

We are saying to clients that you need to mitigate the risk versus the reward. We’re actively working with some of our clients to identify solutions that will work best for them based on their business goals. Some clients have weighed up the risks involved and are moving onto different analytics tools that will change their measurement capabilities. 

Most are taking a pause and using our expertise to understand where their weak spots are and we are working together to provide future-proof solutions. We have a number of Jellyfish products available that are specifically designed to reduce risk.

In the long run, moving towards GA4 (and letting go of Universal Analytics) is also key. Any optimization by Google will be done on GA4, but the data model is also a huge added value that can help clients gain flexibility with their setup.

Adapt, don’t hack

Alex Davies, VP Analytics

If I could only say one thing to anyone concerned about these rulings, it would be to be flexible and adapt to the changes as they come in. Respecting user privacy should be at the heart of measurement. Don’t try to hack the system or find workarounds for old processes. Whilst these will solve your issues in the short term, they won’t work in the long term and you will have to invest more time and money in the future. Remember, adapt, don’t hack!

Another case for remaining agile

Dan Smulevich, VP Analytics

While the news around GA not being compliant is very topical right now, the conversation will keep moving and it’s likely that new factors will come to light around GDPR compliance. Just a few days ago, NOYB (None Of Your Business) filed a second wave of complaints directed at deceptive cookie banners. This may mean that in order to be GDPR compliant, cookie banners should opt for an easy YES/NO approach. When these are implemented, consent rates decline steeply, requiring advertisers to rely more than ever on conversion modelling solutions to bridge the gaps in data. Very few platforms have the data and capabilities to ensure advertisers can retain their measurement and analysis capabilities. Google Analytics 4 is one of these. To me, this is a sign brands should remain with Google Analytics. As we’ve said previously in this article, it’s important to remain agile, and making hasty decisions now, like removing GA, could cause further issues down the line.