What is Google Analytics?
Google Analytics has always been the most popular web analysis service in the world for monitoring traffic, conversions and many other data useful to companies and marketers. It is free, provides vital statistics and is simple and intuitive in its main features. The way it works is quite simple: once you paste the tracking code into your website's source code, the code loads into the visitor's browser whenever a visitor enters the site and views a page. It collects and sends data to the Google Analytics server, identifying the pages viewed and providing information such as how long a visitor stays on your site and which links they have clicked on. The tracking code relies on cookies in the visitor's browser to collect information, so Analytics will not work in a browser that has blocked these cookies.
Google Analytics 4, which will go live next year, is the new measurement and tracking upgrade launched by Google. It comes with a completely different interface from the previous version (which, as we will see, remains active anyway) and offers users a different approach to monitoring, much more interactive and based on different parameters. The change in the interface is very powerful and results in a clear change of perspective.
GDPR in Google Analytics
In recent weeks we have been discussing possible solutions and changes to the Google Analytics settings in order to meet the requirements of the GDPR, but in general the information collected on visitors is transferred to the United States, a country deemed to lack an adequate level of protection.
On 7 June 2022 the CNIL (Commission nationale de l'informatique et des libertés) sent a formal warning to various organizations to bring their use of Google Analytics into compliance, due to the transfer of data to the United States without sufficient guarantees for the rights of European users. What are the consequences for organizations and what does it mean?
It is worth reiterating first of all that Google Analytics 4 (GA4) is software that is radically different from the current Google Analytics (also called Universal Analytics or GA3); in fact, on paper, GA4 has powerful features that allow it to protect users' privacy in a much more detailed and accurate way than GA3.
Not surprisingly, the CNIL, the French Data Protection Authority, has put down on paper the measures needed to use Google Analytics 4 and server-side tracking in compliance with the GDPR. In short, the CNIL specifies that using a proprietary proxy server upstream of the native proxy server in Google Analytics 4, that is, an intermediary server located in Europe that receives the user data, is an effective solution for complying with European privacy regulations, because it prevents users' personal data from arriving directly on Google's servers, first in the EU and then on servers located in the USA.
What does the Privacy Garante say about Google Analytics?
Let's start from the watershed event that raised a heated debate and confrontation in Italy: on 23 June 2022 the Garante for the protection of personal data, following in the footsteps of the Austrian and French authorities, published a provision, with which it declares illegal the transfer of personal data outside the European Union carried out by users of Google Analytics.
"The website that uses the Google Analytics service, without the guarantees provided by the EU Regulation, violates the data protection legislation because it transfers user data to the United States, a country without an adequate level of protection."
This was stated by the Privacy Garante at the conclusion of a complex investigation launched on the basis of a series of complaints and in coordination with other European privacy authorities. From the investigation of the Garante, it emerged that the managers of the websites that use Google Analytics collect, through cookies, information on the interactions of users with the aforementioned sites, the individual pages visited and the services offered. The many data collected include the IP address of the user's device and information relating to the browser, the operating system, the screen resolution, the selected language, as well as the date and time of the visit to the website. This information was found to be transferred to the United States.
In declaring the unlawfulness of the processing, it was reiterated that the IP address constitutes personal data and that even if it were truncated it would not become anonymous data, given the ability of Google to enrich it with other data in its possession. On this occasion, the Authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through Google Analytics, also in consideration of the numerous reports and questions that are being received by the Office. It invites all data controllers to verify that the way cookies and other tracking tools are used on their websites, with particular attention to Google Analytics and other similar services, complies with the legislation on the protection of personal data.
Are there enough additional guarantees to continue using the Google Analytics tool alone?
None of the additional guarantees presented to the CNIL in the context of the formal notice would prevent or render ineffective the access of US intelligence services to the personal data of European users when exclusively using the Google Analytics tool.
The explicit consent of the interested parties is one of the possible exceptions provided for some specific cases by article 49 of the GDPR. However, as indicated in the guidelines of the European Data Protection Board on these exemptions, they can only be used for unsystematic transfers and cannot constitute a permanent and long-term solution, as the use of a waiver cannot become the general rule.
The future of the GDPR in Google Analytics 4
Google has announced several data protection improvements for the new Google Analytics 4 (GA4) which are described by Google under "EU-centric data and privacy".
GA4 will allow controls at national level and customization options that make it possible to minimize the data collected about a specific visitor. In summary, the following privacy changes have been announced that on paper should make the tool compliant with the GDPR:
• GA4 will process all data from end devices within the EU on servers in the EU.
• GA4 processes IP addresses for geolocation but no longer stores them: it uses them in a volatile manner and does not record them in its systems.
• GA4 allows the deactivation of Google signals to prevent the connection with Google accounts.
• GA4 allows you to configure the granularity of the geographic and device data collected (e.g. screen resolution that requires consent).
The EU-US data transfer ban certainly remains: according to the Patriot Act, the Foreign Intelligence Surveillance Act (FISA) and the Clarifying Lawful Overseas Use of Data Act (Cloud Act), US authorities have access to all data held by American companies, even if it is archived in the EU. Therefore, in theory, locating the storage in the EU does not solve the real problem of guaranteeing EU data protection rules for EU citizens.
How can companies proceed with Google Analytics 4?
If you decide to use Google Analytics 4, here are some actions you can take to be as compliant as possible:
1. Limit the collection of certain data (such as data on location, device or operating system) for some countries, in order to further limit the tracking power of Google Analytics.
2. Use an internal Google Analytics assessment to determine if some or all of the metrics are needed by your business. The GA4 console allows you to disable the collection of Google Signals data. It should be borne in mind that disabling Google Signals involves limitations especially in the advertising field:
- Remarketing lists based on analytics data are not possible.
- No ad reporting features
- No demographic and interest data
- Only limited conversion templates and reporting in Google Ads
3. Consider proxy servers. By using a proxy server it may be possible to avoid direct contact between the user's PC and Google Analytics.
4. Insert the Google Analytics 4 clause in the privacy policy.
5. Always ensure and request explicit and transparent consent (these cookies no longer belong among the "essential / technical" cookies that need no consent), even if it seems that explicit consent for non-EU transfers can only be used for "occasional" transfers, which doesn't really seem like the use case for cookies on a website.
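One way a first-party proxy of the kind described above could filter a hit before relaying it, shown as an added example that is not code from this article, from Google or from the CNIL. The parameter names (`tid`, `en`, `dl`, `dt`, `cid`, `sr`, `ul`), the header choices and the key are assumptions for illustration; because the Garante holds that a truncated IP address is still personal data, the visitor's address is dropped rather than shortened.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Allow-lists: anything not named here is dropped, so new fields never leak by default.
# Parameter names are assumptions for this example, not taken from the article.
ALLOWED_PARAMS = {"tid", "en", "dl", "dt", "cid"}
ALLOWED_HEADERS = {"content-type"}
DEMO_KEY = b"constructed-demo-key"  # placeholder; a real key stays on the proxy only

def pseudonymize(client_id: str, key: bytes) -> str:
    """Replace the browser's identifier with a keyed hash only the proxy can compute."""
    return hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()[:32]

def strip_query(url: str) -> str:
    """Keep scheme, host and path; drop query string and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def sanitize_hit(headers: dict, params: dict, key: bytes = DEMO_KEY):
    """Return the (headers, params) the proxy would send upstream.

    The proxy opens its own connection, so the upstream server sees the proxy's
    address; the visitor's IP is dropped, not truncated.
    """
    out_headers = {k: v for k, v in headers.items() if k.lower() in ALLOWED_HEADERS}
    out_params = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}
    if "cid" in out_params:
        out_params["cid"] = pseudonymize(out_params["cid"], key)
    if "dl" in out_params:
        out_params["dl"] = strip_query(out_params["dl"])
    return out_headers, out_params

# Constructed sample hit (documentation IP range, made-up identifiers).
SAMPLE_HEADERS = {
    "Content-Type": "text/plain",
    "X-Forwarded-For": "203.0.113.7",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "Accept-Language": "it-IT",
    "Cookie": "_ga=GA1.1.1111.2222",
}
SAMPLE_PARAMS = {
    "tid": "G-XXXXXXX", "en": "page_view", "cid": "1111.2222",
    "sr": "1920x1080", "ul": "it-it",
    "dl": "https://shop.example/checkout?email=a%40b.example",
}

if __name__ == "__main__":
    print(sanitize_hit(SAMPLE_HEADERS, SAMPLE_PARAMS))
```

Comparing the output with the sample input is a quick audit of what would still leave the EU-hosted proxy: only the allow-listed fields, with the identifier replaced and the page URL stripped of its query string.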
Conclusions
The new measures are a step in the right direction from the point of view of data protection, but it remains to be seen whether the innovations made to Google Analytics 4 will be sufficient.
It is not yet clear how this new version will solve the main problem, namely the transmission to Google of data of identified or identifiable data subjects, for example through scripts and the use of various identifiers, whether pseudonymized or anonymized. The same underlying critical issues of the previous Analytics would remain, unless disproved by a different, detailed analysis of the data flows that radically excludes the use of personal data. The entry into force of a new political agreement on data transfers between the EU and the United States will certainly also be needed.
60% of European citizens buy online; global e-commerce turnover in Europe is worth $732 billion; spending on digital advertising alone in Europe is estimated at 57.64 billion dollars in 2022.
The European digital sector involves hundreds of thousands of companies and workers (technicians, consultants, e-commerce managers, SEO experts, web marketers, web analysts, specialists on Facebook Ads, Google Ads, YouTube, etc.) who experience first-hand the serious situation of uncertainty that has arisen.
Companies should therefore carefully evaluate the evolution of the situation and understand whether it is worth switching from Universal Analytics to GA4 or switching to an alternative EU solution that does not depend on either EU-US agreements or user consent.
If you are looking to stay up to date with the latest social media news and best business practices, contact E-Business Consulting, a digital marketing agency active since 2003, and request a free quote!