Google Analytics Data Privacy Framework

Complaints filed by the European data protection organization NOYB have prompted various European data protection authorities to express concerns about the use of Google Analytics. These complaints have led to a unified stance among authorities, questioning the legality of data transfers to the USA. European data protection authorities have started issuing warnings to website operators and, in some cases, imposing fines, such as a recent penalty of 1 million euros. This has sparked an examination of the privacy challenges associated with using Google Analytics, considering the statements of supervisory authorities in the context of the new EU-U.S. Data Privacy Framework (DPF).

Google Analytics Overview

Google Analytics is a website and app usage analysis tool offered for the European market by Google Ireland Ltd. The legal assessment differentiates between Google Universal Analytics and Google Analytics 4 (GA4). Since July 1, 2023, data processing through Google Universal Analytics has ceased, making GA4 the standard version to consider.

The key differences between Google Analytics 4 and Google Universal Analytics can be summarized as follows:

  • Anonymize-IP: IP address truncation is now mandatory and limited to EU servers.
  • Tracking without Cookies: GA4 is designed to function without cookies in the future, aligning with Google's plan to phase out support for third-party cookies in the Chrome browser.
  • AI Analytics: GA4 introduces AI-driven predictions and customer segmentation based on both historical behavior and AI models.
  • Multi-Stage User Identification: GA4 attempts to identify users through Google Signals, even without a User ID. This involves manual matching, potentially using customer lists with assigned IDs.
  • Cross-Domain Tracking: GA4 retains the capability for cross-domain tracking via cookies.

While GA4 aims to move away from cookie-dependent tracking, current integrations still largely rely on cookies, making GA4 and Google Universal Analytics similar in this regard.

User consent for Google Analytics results in the storage of various Google cookies with unique IDs on the user's device. This enables device recognition, facilitating the transmission of various data to Google servers for behavioral analysis.

European data protection authorities have criticized multiple aspects of Google Analytics over the years. Key concerns include data transfers to the USA, compliance with Schrems II rulings, the feasibility of obtaining consent for such transfers, and doubts about Google Analytics' legal classification as a data processor.

Several European data protection authorities have taken action against the use of Google Analytics, citing concerns and issuing warnings. Recent decisions include fines, with each decision generally based on the 101 complaints submitted by NOYB across EU member states.

Impact of the EU-U.S. Data Privacy Framework

The adequacy decision on the Data Privacy Framework for the USA, effective July 10, 2023, facilitates data transfers to certified recipients in the USA, including Google. Using GA4 instead of Google Universal Analytics may mitigate previous concerns about data transfers to the USA, thanks to this framework. However, full GDPR compliance for Google Analytics remains uncertain, with potential data transfers to other third countries.

While Google positions itself as a data processor for Google Analytics, suspicions persist about Google using the data for its own purposes, potentially leading to a joint responsibility scenario with website operators. Despite the Data Privacy Framework, risks and penalties remain for website operators if Google is found to benefit from data processing.

Regardless of data privacy adequacy and responsibility issues, Google Analytics data processing must be justified. Consent is often required, and obtaining it involves challenges related to cookie consent, GDPR compliance, and potential revocation implications. The intricate interplay between GDPR and the Telemedia Act (TTDSG) highlights the need for careful consideration in implementing and managing consent for Google Analytics.

In conclusion, despite the EU-U.S. Data Privacy Framework, Google Analytics users face ongoing challenges related to data privacy, adequacy, roles, and consent. Navigating these complexities requires a thorough understanding of the legal landscape and careful implementation of consent mechanisms.