(this post originally appeared in the Marketing in the Age of Privacy newsletter and on siobhansolberg.com)
Google Analytics is illegal.
You'll get a fine unless you switch to an alternative
You hear it everywhere.
Let's set the record straight.
Nothing is banned - the Data Protection Authorities don't have the authority to ban a tool or product.
But then what is the issue with Google Analytics?
This is where things get confusing.
is it Personal Data?
is it the transfer of data?
is it a data residency or data jurisdiction?
It's a bit of all.
Personal data encompasses a lot of data points - and I mean A LOT. Any unique identifier, IP address, location, email, name, etc. It's practically a guarantee that you are processing personal data within your GA account, especially if you are linking to other Google tools such as GoogleAds.
Then we have the transfer issue. In short, the US (where Google is based) is not considered an "adequate" country - a country that is not considered up to par in regards to it's data protection and human rights according to the EU.
What does that really mean? It means we are not allowed to send personal data to the US unless we enter into a contract with standard contractual clauses that provide the data subject with a number of safeguards and rights in relation to their personal data. (Google does this btw.)
But the rights and safeguards needs to be equal to that what the EU provide. And that is a problem mainly due to FISA (The Foreign Intelligence Surveillance Act).
FISA allows the US to gather data and information on non-US citizens from any company within the US - which leads us to the next issue.
Where the data is located does not matter as much as what laws the data is being governed by. Any US based company (such as Google) will need to hand the data to the US, if requested, regardless of where the data is actually stored.
To sum it up, it looks something like this:
Google Analytics collects personal data
Google transfers that data to the US (this is the case for UA, for GA4 its debatable)
Google is a US company so the US could have access to the data.
So now what?
So, what do you do now? Stick with Google Analytics and hope that the US-EU issues figure themselves out?
Believe Google when they say GA4 is privacy-focused and that's that?
Switch analytics providers?
It really comes down to what you business requires and your appetite for risk.
You'll need to ask your self a few questions:
What data do you really need?
List the data that you actually use. The data points you can action on. Not the "I want if/maybe....".
Something as simple as an agency site doesn't need much. eCommerce a bit more.
Look at your data and understand what you really need.
How valuable is that data to you?
What value does that data give to the business?
How valuable is that data to making decisions that affect the bottom line?
For example: For a company that relies heavily on Ads the data collected to understand the ROI of advertising campaigns have high value.
How much risk are you comfortable with?
How much risk are you willing to take?
Consider elements such as fines and what could happen if you are breached (this is a PR nightmare).
Weigh your odds
If, after the first question, you realise you don't need anything as complex as GA you've got the easy end of the stick; move on and find a simple alternative that gives you just what you need.
If you do need something such as GA4 and, none of the alternatives work for you, it's time to weigh your odds.
Does the value your data provides outweigh the risks?
A Note on Tools
Most tools do not work out-of-the-box. They all need some initial configurations to become compliant (yes, even GA).
CNIL guide on how to make GA compliant by using a proxy server
CNIL guidance and configuration guide for various analytics tools(mostly if you want to collect data before consent instead of relying on user consent)
Google support document on GA4 and it's EU privacy measures
A list of case summaries revolving around Google Analytics
What about consent?
Consent for cookies is an ePrivacy Directive issue. Protecting personal data of the user is GDPR. Above we focused on the GDPR issues around Google Analytics. Some SA's (Supervisory Authorities), France and Latvia for example, allow for a site to collect limited analytics data without consent arguing that basic audience measurement are strictly necessary - other SA's don't agree. Either way you will need to make sure you configure your analytics software to comply as out of the box it will not.
Choosing (or leaving) an analytics tool is never easy and it's always easier to go with the mainstream option. But do you really need all that data?
Data for data sake is worth nothing, a waste of space, and increases risk. Any measurement strategy should start with the data you need - not want. The data you will work with. The data that will drive your decisions. The data you will action on.
Once you have a strategy in place, a reason and purpose for the data, only then is it time to consider compliance and what tools are right for your use case.