"Before answering a question
you should always light your pipe"
Phrase attributed to Albert Einstein
Anyone who works in the digital world will surely have heard of the recent measure of the Garante della Privacy (Privacy Guarantor) which, ruling on a case dating back to 2020, assessed an implementation of Google Analytics Universal on an Italian site as non-compliant with the GDPR. Numerous newspapers and almost all Linkedin members hastened to report the news, often with alarmist or catastrophic tones (e.g. 'Banned the use of Google Analytics' from Il Sole 24 ore, 23 June 2022). Many companies contacted us to find out how to act, understandably worried and confused. Digital Pills has chosen to refrain from publishing hit-and-miss content, preferring to take the time to load up the proverbial pipe and produce quality content that could shed light on the subject without riding on the mood of the moment.
Before we begin, a necessary disclaimer: this article is intended to provide an accurate view of the current situation; it is not to be considered as legal advice, it is provided for informational purposes only, and should be used at your own risk. In order to draft this content, we have talked with legal advisors, read the Garante's provision (the Italian Data Protection Authority) in depth and numerous other documents (listed in the 'sources' section at the end of this article).
TLDR - The very short summary for busy people
The measure that triggered this fuss refers to a case from 2020, and concerns a gossip site that had implemented the old version of Google Analytics without adequate technical precautions to prevent the transfer of personal data to the USA. By Garante's own admission, this was a 'minor violation'.
If properly configured, the new version of Google Analytics (4) can prevent the transfer of personal data to the US. Moreover, all companies that for various reasons decide to stop using Google Analytics have numerous alternatives available to replace it.
Whatever your choice, we are available to support you in adapting your tracking system. In our opinion, this could be an excellent opportunity to upgrade the data collection systems in your company and make them 100% GDPR compliant.
The regulatory environment for non-professionals
The legislative basis for this issue stems from the Schrems II judgment, in which the European Court of Justice ruled that the previous commission decision 2016/1250 (EU-US Privacy Shield) was invalid and recognised the possibility of interrupting or prohibiting the transfer of personal data to third states if the conditions for complying with the same European protection standards were not guaranteed. The US represented the most natural casus belli because: 1) current US laws allow government agencies (e.g. NSA/CIA) access to data held by US companies 2) most of the technology giants are based in the US, which therefore have access to the personal data of millions of European citizens.
- The most important concept is the following: the problem is not the transfer of data in the broad sense, but the transfer of personal data. Article 4 of GDPR UE/2016/679) makes it clear that:
"Personal data" means any information relating to an identified or identifiable natural person."
Around this (apparently) simple definition, the Data Protection Working Party created Opinion 4/2007, which clarifies what is to be considered personal data and what is not. Example 15 specifies that an IP address is to be considered personal data, since it allows the identification of a person by reasonable means.
On the contrary, the cookie that Google Analytics uses to function is not to be considered as personal data because:
- It is a first-party cookie, which can only be read by the domain that set it and which changes for each site visited. It is therefore not possible to collect information on browsing behaviour between different websites - not even for Google.
- It falls into the case of pseudonymised data because it is random and unpredictable and the number of possible pseudonyms is so large that the same pseudonym can never be randomly selected twice (see Page 18 of Opinion 4/2007).
- The possible indirect identifiability of the user by combining other data (e.g. user ID, transaction ID, etc.) is not feasible by Google, and therefore not even by US government agencies.
The measure of the Garante that caused a stir was based on the fact that the website under investigation transferred its IP address to Google (and thus to the USA). In a note, it is also specified that the IP anonymisation system subsequently activated (and offered as an option within Google Analytics Universal) is not sufficient to guarantee adequate protection, since anonymisation takes place within Google's servers.
The regulatory environment for non-professionals
The legislative basis for this issue stems from the Schrems II judgment, in which the European Court of Justice ruled that the previous commission decision 2016/1250 (EU-US Privacy Shield) was invalid and recognised the possibility of interrupting or prohibiting the transfer of personal data to third states if the conditions for complying with the same European protection standards were not guaranteed. The US represented the most natural casus belli because: 1) current US laws allow government agencies (e.g. NSA/CIA) access to data held by US companies 2) most of the technology giants are based in the US, which therefore have access to the personal data of millions of European citizens.
- The most important concept is the following: the problem is not the transfer of data in the broad sense, but the transfer of personal data. Art. 4 of GDPR (UE/2016/679) makes it clear that:
"Personal data" means any information relating to an identified or identifiable natural person."
Around this (apparently) simple definition, the Data Protection Working Party created Opinion 4/2007, which clarifies what is to be considered personal data and what is not. Example 15 specifies that an IP address is to be considered personal data, since it allows the identification of a person by reasonable means.
On the contrary, the cookie that Google Analytics uses to function is not to be considered as personal data because:
- It is a first-party cookie, which can only be read by the domain that set it and which changes for each site visited. It is therefore not possible to collect information on browsing behaviour between different websites - not even for Google.
- It falls into the case of pseudonymised data because it is random and unpredictable and the number of possible pseudonyms is so large that the same pseudonym can never be randomly selected twice (see Page 18 of Opinion 4/2007).
- The possible indirect identifiability of the user by combining other data (e.g. user ID, transaction ID, etc.) is not feasible by Google, and therefore not even by US government agencies.
The measure of the Garante that caused a stir was based on the fact that the website under investigation transferred its IP address to Google (and thus to the USA). In a note, it is also specified that the IP anonymisation system subsequently activated (and offered as an option within Google Analytics Universal) is not sufficient to guarantee adequate protection, since anonymisation takes place within Google's servers.
Google Analytics can be implemented in different ways, which has an impact on its assessment under the GDPR. Consequently, the fact that the authority found the implementation non-compliant does not mean that other Google Analytics implementations are also non-compliant.
The website owner is therefore ordered to adapt the system within 90 days, without administrative or criminal sanctions. As mentioned above, the measure itself makes it clear that this is a 'minor violation'.
Google's response and Google Analytics 4
First of all, it is worth mentioning that the measure of the Italian Data Protection Authority is only the latest one in a long series, and has in fact replicated the Austrian one of December 2021 and the French one of February 2022 without any particular novelty. Already in January 2022, Google wrote that 'Google has been offering Analytics to companies around the world for over 15 years, and in all that time has never received data access requests from government agencies'. It does indeed seem strange that one of the world's most powerful intelligence agencies needs to know his favourite articles on Cosmopolitan in order to identify John Smith.
The case examined considers a site that in 2020 was using the old version of Google Analytics, without taking advantage of many of the data anonymization options available today. In the meantime, the latest version of Google Analytics has been released (version 4, which will be the only one available from July 2022), which already includes by default many options to mitigate the impact of data collected under GDPR. In particular:
- GA4 deletes all IP addresses collected from EU users before recording the data through EU domains and servers.
- It is possible to disable Google Signals, the advanced data enrichment option offered by Google.
- GA4 is 100% integrated with Consent Mode, the system for collecting and respecting user consent with respect to cookies.
- It is possible to disable the collection of certain detailed data such as city, browser version, etc.
In addition to all this, GTM server-side, Google's server-side tag management tool, has also been available for a couple of years. This is a further (and very powerful) means of guaranteeing the total anonymisation of collected data, because it allows a 'screen' to be inserted between the user and Google, selectively filtering any information sent to Analytics and thus guaranteeing its total security.
How to act? Possible solutions
Avoiding unnecessary and harmful scaremongering, companies can adapt in order to avoid running the risk of encountering measures similar to the one analysed in this article. The good news is that, in our opinion, they can do so without giving up on the quality and depth of such important data as web and app analytics.
We’ve been working in this field for many years and we know and have worked on a very broad spectrum of tools and scenarios. We have therefore identified 5 main scenarios from which it is theoretically possible to choose. The important thing is that a long-term strategy, accompanied by a deep technical knowledge of the solutions and tools, is driving this. We will briefly illustrate these scenarios below.
- GTM server with Universal Analytics. This is the option we would least recommend, but which is theoretically feasible. Remember that the old version of Google Analytics will be discontinued in July 2023; therefore, we’re not for investing in this tool for such a short time frame. By using GTM server-side (or another server-side tag management system), it is possible to anonymise the IP address before it reaches Google's servers - thus averting the scenario covered by the Garante's order.
- GA4 client side. Thanks to the numerous options provided by GA4, it is possible to set up the tool with a number of settings that significantly limit the GDPR impact of tracking. (data sharing options off, deactivation of Google Signals, implementation of Consent Mode, etc).
- GA4 with GTM server. For the ones who want to play safe, it is possible to combine the flexibility of GA4 with the power of server-side GTM and thus implement more advanced tracking where all anonymisation is done server-side. Over the past 12 months we have worked on many server-side GTM implementations across Europe, and can therefore testify to its great effectiveness and reliability.
- Piwik or other tool with data storage in the EU. The recent fuss has made web analytics tools that did not enjoy significant market share in the past rise, and also old, forgotten tools are back. We are talking about Piwik, which guarantees the storage of all user data within the European Union. Having also implemented many of these solutions, we would like to warn of a significant disadvantage: compared to Google Analytics, these are more rudimentary software tools that have less potential when it comes to analysis and data collection.
Self-hosting of advanced tools. Companies that are more advanced in terms of analysis and data collection have been using much more complex solutions integrated within their data stack for several years now. We are talking about tools such as Snowplow, which offer far more advanced functionalities even than Google Analytics, but which, on the other hand, require considerable technical expertise to manage and maintain them. Even in this case, evaluating the best solution requires careful analysis, and this should always start from the company's needs: we have implemented numerous projects of this type, so we are at your disposal for any requests for clarification or questions.
Whatever solution you choose, we will never get tired of repeating that it must start with a careful analysis of your company's needs and level of maturity. Always be wary of those who propose a 'copy and paste' solution that should fit everyone. In this world, there is no such thing as one size fits all!
Conclusion
This content took several days to complete. It is our attempt to reassure those who follow and appreciate us that this is not the time to get overwhelmed and make hasty decisions - which one would surely regret in the long run.
Once again, let us recall that it is not Google Analytics as such that is illegal, but its non-GDPR-compliant implementation. We therefore recommend that you take this opportunity not only to review your data collection system from a GDPR-compliant perspective, but to enhance it and - why not - get better and more reliable data.
In conclusion, we also invite you to consider in-depth analyses of the software currently in use in your company; if it is true that the crux of the matter is the transfer of personal data (email addresses, telephone numbers, first names and surnames, etc.) abroad, it is important to ask not only whether Google Analytics is implemented in accordance with the law, but also whether the various CRMs, email marketing systems, customer support and so on are.
Sources and insights
- Data Protection Authority measure - full text
- How to legally use Google Analytics in Europe - Vischer
- Opinion 4/2007 on the concept of personal data
- GA4 Privacy Functions
- Schrems II
- More information on Schrems II
- GDPR (UE/2016/679)