Google Analytics is in violation of GDPR. Are there any alternatives?

Introduction

Following in the footsteps of Austria, Italy, and France, Denmark has declared Google Analytics ‘unlawful’. This decision was recently announced by The Danish Data Protection Agency after assessing Pan-European cases surrounding Google Analytics’ use of data. What does this really mean for companies using Google Analytics, and what impact will this have?

To answer these questions, we need to start from the beginning.

The GDPR & Schrems II

In May 2018, the GDPR – General Data Protection Regulations – came into effect in EU law. This is one of the toughest security laws in the world and aims to protect users’ privacy. You can read in detail about the GDPR here.

A few years later, in 2020, the EU Court of Justice ruled that Facebook transferring user data to the US infringes the GDPR, known as the Schrems II ruling. This judgment was due to US law allowing intelligence agencies access to EU citizens’ data when transferred to the US – a direct violation of the GDPR.

The ruling essentially made the actions of Facebook and other tech companies like Google illegal. But the companies found a loophole. By providing a standard contractual clause that was previously EU-approved, they could legally continue running.

Austria, France and Italy

In January 2022, the Austrian Data Protection Authority ruled on a similar case to Schrems II. This time Google Analytics was in the spotlight. Due to no agreements between the EU and US regarding user data, Google Analytics couldn’t guarantee that Austrian citizens’ data would be protected. As a result, Google Analytics was considered unlawful.

Soon, the French and Italian Data Protection Authorities would make a similar decision when reviewing the Austrian case. Both ruled, under certain circumstances, Google Analytics is unlawful, allowing for a wider European consensus to build.

Following these rulings, the French Data Authority has advised companies to use a proxy server to avoid illegality. However, using a proxy is complicated and will produce non-usable data. Find out more about using a proxy server here.

What happens next? 

Many companies across Europe, not just Denmark, rely on Google Analytics to track, analyze and evaluate customer data. With this in mind, a transitional period is to be expected; therefore, no action is currently needed.

During this period, we also predict no technical response, increasing the anonymizing of data or physical response, as in keeping the data within the EU. Although there’s talk of Google storing data in Germany, making this happen is complex and time-consuming.

Therefore, let’s look at some alternative options for the future.

Choose a different analytics company

Any company that stores EU citizens’ data outside the EU will likely face compliance issues. Therefore, these data tracking companies are best avoided.

Here is a short list of alternatives to Google Analytics:

Matomo

  • Store user data on the cloud in Germany
  • Import data from Google Analytics
  • Free with add-on purchases
Google-Analytics-is-in-violation-of-GDPR
Matomo

Fathom Analytics 

  • Store data on European servers
  • Data is protected and complies with GDPR
  • Easy installation and friendly UI.
Google-Analytics-is-in-violation-of-GDPR
Fathom Analytics

Plausible Analytics 

  • A cookie-free tool that complies with GDPR
  • European cloud infrastructure
  • Friendly UI
Google-Analytics-is-in-violation-of-GDPR
Plausible

Site Improve

  • Based and founded in Denmark
  • Track visitor behaviors
  • 100% data ownership
Google-Analytics-is-in-violation-of-GDPR
Site Improve

Cloud-hosted analytics provider 

This is where your company can store data in a different place to the data company’s location. For example, although Matomo is a company located in New Zealand, through cloud storage, companies can create a complete set of EU-based data analytics by storing data on Matomo’s German servers.

Google-Analytics-is-in-violation-of-GDPR
Site Improve

Self-hosting analytics platform 

Avoid the risk of third parties outside the EU being completely banned across Europe. Instead, use a self-hosted solution like PostHog or Piwik. You’ll be in charge of hosting and maintenance and have some access to professional reporting capabilities through the software hosts.

PostHog-Google-Analytics-is-in-violation-of-GDPR
PostHog

Wait for Google’s response 

Google will not drop the EU market. Through either a short-term legal solution or a longer-term technical solution, Google will find a way to remain. In the meantime, we have to sit tight.

Google has already announced that Google Analytics Universal will be retired in July 2023, releasing an upgrade, Google Analytics 4, in March. As Google Analytics 4 was built with the user in mind, focusing on protecting personal data, this could be the answer to the GDPR rulings.

The software is not reliant on cookies and IP addresses, and all user information is presented as hashed data. But the problem still remains – the transfer of data to the US. This is where Google Analytics clashes with the GDPR and becomes unlawful.

What does your future hold?

The way companies track data will continue to change. As the law catches up with big tech advancements, the amount of data you can store or process will be restricted further. We believe because of this, there will be many companies moving toward a first-party data strategy.

first-party data strategy would involve asking clearly, not in hidden terms and conditions, for customers to voluntarily share their data. This strategy, along with tighter regulations, is a step towards privacy online mirroring privacy offline: only allowing data to be stored if users reach out to companies – beyond visiting a webpage or entering a search term.

Our final thoughts on Google Analytics’ ruling 

With these recent rulings, authorities clarify the law to tech companies on what is and isn’t allowed. By doing so, the rulings shape the future of data collection, aiming to create a more secure digital world whilst pressuring companies to address their ethical responsibility for collecting, transferring and using data.

New regulations like the GDPR will continue to require many companies to adjust their practices, changing how data is collected. However, as long as there’s the internet, the future will still contain data, and Google is guaranteed to be part of that future.

Other Insights