The new year started with a big bang in the digital world: The Austrian Data Protection Authority (Datenschutzbehörde) has ruled that the use of Google Analytics is illegal – albeit only in a specific case. Even TechCrunch is reporting on the decision in Austria. Thus many users are skeptical: Will other countries follow Austria’s example? Will Google Analytics ultimately be forbidden in Europe? Let’s take a look at the background of the groundbreaking ruling and what you can do to act on it. One thing up front: Things are not as bad as they may seem.
Why is the use of Google Analytics deemed to be illegal?
In the case in question, an Austrian health-focused online portal collected personally identifiable information (PII) on its website without the user’s prior consent and sent it to Google Analytics servers outside the EU. The PII consisted of a website- and user-specific client ID, the IP address (not anonymised) and browser parameters. As US intelligence services might access this data, that practice is unlawful and does not comply with the GDPR. The good news is that, according to our understanding, the use of Google Analytics per se is not forbidden – if implemented correctly. We will give you an overview of what to bear in mind in order to comply with the law.
How to approach customer data collection
The news about the use of Google Analytics being illegal sent a shockwave through the industry. Both Google Analytics users and end users are unsure about the correct handling of data. We have been advising our clients to collect and handle PII confidentially and transparently for several years. The trustworthy handling of customer data is ultimately the basis of a good and healthy relationship between you and your customers.
How can you use Google Analytics in a compliant manner?
Google Analytics itself is not the problem and therefore not illegal. It’s about the correct implementation, as Google has also emphasised recently. Therefore, we highly recommend following these steps in order to avoid problems with GDPR and data protection authorities:
- Do not use Google Analytics without the user’s prior consent. Be aware that not all consent banners are allowed! We highly recommend working with a professional partner in order to set up a GDPR-compliant consent solution.
- Make sure to accept new Data Processing Amendments (DPAs) in the account settings of Google Analytics. Also, transparency is key! Provide your customers with a clearly defined data protection declaration (DPD) when sending data to providers outside of the EU.
- Activate IP anonymisation and make sure never to send personally identifiable information, like email addresses or phone numbers, to Google Analytics.
- Switch to Server Side Tagging (SST) as soon as possible! Data can then be processed in the EU before it is sent to the US and other third countries. With SST, you have maximum control over the data that is sent to Google Analytics and other tools. For example, you can redact the IP address within the EU.
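The steps above can be enforced in one place on an EU-hosted tagging endpoint. The following sketch is an added example, not code from this article or from Google: it drops hits without consent, truncates the client IP and redacts email addresses and phone numbers before anything is forwarded. The function names, the `client_ip` field, the regex heuristics and the truncation widths (/24 for IPv4, /48 for IPv6) are assumptions of the example.

```python
import ipaddress
import re

# Heuristic patterns (assumptions of this example) for the two PII types the
# article names. "%40" catches URL-encoded addresses in query strings.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{7,}\d")  # over-redacts long digit runs

def anonymise_ip(raw):
    """Zero the host part of an address; return None if it cannot be parsed."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None  # fail closed: forward no address rather than a raw one
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d carries an IPv4 address
    prefix = 24 if ip.version == 4 else 48  # assumed truncation widths
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def redact(value):
    """Recursively replace email addresses and phone numbers in string values."""
    if isinstance(value, str):
        value = EMAIL_RE.sub("[redacted-email]", value)
        return PHONE_RE.sub("[redacted-phone]", value)
    if isinstance(value, dict):
        return {key: redact(item) for key, item in value.items()}
    if isinstance(value, list):
        return [redact(item) for item in value]
    return value

def prepare_for_forwarding(event, client_ip, consent_given):
    """Return the event as it may leave the EU endpoint, or None without consent."""
    if not consent_given:
        return None
    outbound = redact(event)
    outbound["client_ip"] = anonymise_ip(client_ip)  # hypothetical field name
    return outbound

# Constructed sample hit, not captured traffic.
SAMPLE_EVENT = {
    "event": "purchase",
    "page_location": "https://shop.example/thanks?email=jane%40example.org",
    "params": {"note": "call me on +43 660 1234567", "value": 49.9},
}

if __name__ == "__main__":
    print(prepare_for_forwarding(SAMPLE_EVENT, "203.0.113.77", True))
```

The phone pattern deliberately errs towards over-redaction, so long digit strings such as order numbers sent as text will also be replaced.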
First of all: Don’t panic. Rulings like the one from the Austrian Data Protection Authority do not mean that Google Analytics is going to be banned in the EU. By implementing Google Analytics in a transparent and compliant way you are on the safe side regarding this and future decisions. Remember to use Google Analytics only with the user’s consent, accept Data Processing Amendments, anonymise IP addresses, and switch to Server Side Tagging.
Find out more and get assistance
Do you want to learn more about this topic or need assistance setting up Google Analytics in order to comply with the GDPR? We gladly conduct Google Analytics GDPR checks and can deliver important insights and advice on how to correctly implement Google Analytics.
For more information on Server Side Tagging our specialists are more than happy to help. Simply leave us a message – our Analytics & Tracking team is looking forward to working together with you.