Google Analytics in Europe: How to ensure GDPR compliance
Vlada Malysheva, Creative Writer @ OWOX
The rules of the data privacy game have turned on a dime, affecting the ability of European businesses to accurately evaluate their performance and adequately assess their marketing efforts. With the prohibitions that have appeared, the usual ways of working are no longer possible, leading to the loss of valuable data that will never be replaced.
The tremendous change in digital analytics started with a ban on using Google Analytics in some European countries and ended with a new data privacy framework between the EU and the US. According to recent decisions by European data protection authorities, Google Analytics has become illegal to use for website operators in several countries. Since implementing Google Analytics is now seen as a breach of Chapter V of the GDPR, European businesses have been confronting a crisis.
However, in March 2022, the situation changed, so let’s try to finally determine what problems have arisen with data privacy and what European businesses can do to secure their marketing analytics.
Google Analytics in Europe: what is it all about?
Over the last couple of years, a lot of events have happened in the field of data privacy and Google Analytics. For European businesses, these changes in gathering and applying data have meant the end of the golden era of tuned-up, advanced marketing analytics. Limitations and prohibitions in data use make it impossible to apply established workflows. We’ve gathered and mapped out all the information we have to see how all these changes started and where we’re at now.
In 2020, the non-profit organization NOYB filed 101 complaints against European Economic Area (EEA) websites that applied Google Analytics or Facebook Connect. After this, EEA data protection authorities started issuing rulings forcing EEA website operators to stop using these services on the grounds that they do not comply with the General Data Protection Regulation (GDPR).
The problem was in how Google Analytics is applied in Europe: it stores the data it gathers about EU residents (user behavior data) on a US-based cloud service. The sticking point was, and still is, that the safeguards taken by Google are insufficient to prevent US intelligence services from accessing the personal data of EU residents. According to European data protection authorities, these overseas data transfers violate the GDPR.
So far, two court cases have been heard. The first was an Austrian case (December 2021), followed by a French case less than two months later (February 2022). In summary, both cases found that EU residents’ personal data is not adequately protected and that it is transferred illegally to US-based services. For example, unique user ID numbers, IP addresses, and browser parameters aren’t sufficiently protected by the standard protection clauses that Google offers.
Similar cases across other European countries could have a domino effect in suppressing the use of Google Analytics (and similar services). As there are already modeled responses and reactions to these complaints on violating data privacy, it’s possible that more European authorities will soon follow suit, resulting in a complete ban on Google Analytics (and other tools) in Europe.
Then, on March 25th, 2022, after more than a year of negotiations, the US and EU announced an “agreement in principle” on a new legal framework for GDPR-compliant transfers of personal data from the EU to the United States. The Trans-Atlantic Data Privacy Framework addresses concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020 and guarantees the highest standards of privacy and data protection. Google is looking forward to certifying its processes under the Trans-Atlantic Data Privacy Framework at the first opportunity. Still, it remains an “agreement in principle,” with details and timing yet to be confirmed.
Nobody can predict the future, and as the digital landscape is fast-changing, businesses should be prepared to protect their data processing workflow.
What problems have occurred?
Due to complaints by NOYB, many European Economic Area (EEA) data protection authorities want to force EEA website operators to stop using Google Analytics altogether. Those suffering from such decisions are European businesses that want to implement online technologies in order to grow their business revenue and improve their overall performance.
Right now these businesses are in a weak position, as they’re waiting for the politically hot topic of international data transfers to be settled with some logical resolutions. Let’s not forget that despite data transfer issues, other dangerous risks to data privacy are present globally, such as cyberattacks and ransomware.
At the moment, the problems that occur with the use of Google Analytics are as follows:
- Websites that cannot comply with the GDPR will pay heavy fines if they continue to transfer sensitive user data to US-based services.
- Without applying Google Analytics, marketers are afraid they won’t be able to evaluate their marketing performance.
- To change their marketing analytics solution, businesses will spend lots on learning and implementing a new product.
Let’s see what can be done to solve these issues and how companies can avoid even bigger problems in the future.
Note: The NOYB project provides guidelines for companies. Free guidelines and model requests are available on the noyb.eu website, especially for smaller EU companies that are not certain about US surveillance laws or whose US partner falls under these laws.
Steps to save your marketing analytics
Of course, this state of affairs is unpleasant for many businesses and violates long-built work processes. However, there’s no reason for despair, as this is certainly not the end of the world, and there are ways out.
What to do when you want to continue your work with Google Analytics
First of all, we should start by mentioning that Google Analytics can be implemented in two ways. Accordingly, the way it’s implemented influences its compliance with the GDPR. The two methods are:
- Client-side mode
- Server-side mode
Let’s see what steps should be taken when using Google Analytics in client-side mode. There are both technical and legal things to check to ensure compliance with the GDPR.
- Start with proper user consent. You should inform users that their data (device information, tracking IDs, IP addresses, etc.) will be not only gathered but transferred to US-based services. Moreover, it should be stated that users can withdraw their consent at any time.
- Implement IP anonymization. (For Google Analytics 4 properties, IP anonymization is enabled by default.)
- Check that both the data sharing option and the signals option in Google Analytics are deactivated.
- If you’re using proprietary User IDs, ensure there’s no permission for user identification.
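The technical steps above can be expressed in the Google tag setup itself. The following is an added example, not code from the original article or from Google: the measurement ID is a placeholder, and the `dataLayer`/`gtag` stub follows the shape of the standard Google tag snippet so the logic can be read and run without loading the remote script.

```javascript
// Added example. MEASUREMENT_ID is a placeholder, not a real property.
const MEASUREMENT_ID = 'G-XXXXXXXXXX';

// Same shape as the standard Google tag stub: commands are queued as
// Arguments objects until the remote library processes them.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); }

// Step 1: default every storage type to "denied" BEFORE the config call,
// so no identifiers are stored until the visitor has agreed.
function initTracking() {
  gtag('consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied' });
  gtag('js', new Date());
  gtag('config', MEASUREMENT_ID, {
    anonymize_ip: true,                      // Universal Analytics; default in GA4
    allow_google_signals: false,             // signals option off
    allow_ad_personalization_signals: false, // no ad personalization
    // No user_id is set here: proprietary IDs stay out of the hit.
  });
}

// Step 2: called by the consent banner. The same function handles
// withdrawal, which must be possible at any time.
function setConsent(granted) {
  const state = granted ? 'granted' : 'denied';
  gtag('consent', 'update', { analytics_storage: state });
  return state;
}

// The data sharing option is an account-level setting in the Google
// Analytics admin interface and cannot be switched off from page code.
```
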
Important! Don’t forget to check the legal state of affairs. Check all contracts you sign, as all contracts signed by companies in the EMEA region should be concluded with Google Ireland Limited and not Google LLC. Then, check the transfer impact assessment (TIA) covering data transfer between Google Ireland Limited and Google LLC.
The second variant is implementing a server-side mode. It’s more discreet, as this mode allows you to move tags off the website (both advertising and measurement) and transfer them to a secure server container. Also, by applying server-side tracking, users’ IP addresses are automatically anonymized before the information is shared with Google’s reporting tools. In short, it means there’s no direct communication between the user and Google. Information is collected by the publisher’s server and then forwarded to Google for analysis.
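What the publisher's server does before forwarding can be sketched as follows. This is an added example, not OWOX or Google code: the truncation policy (last octet of IPv4, last 80 bits of IPv6), the field allow-list and the sample values are assumptions chosen for illustration.

```javascript
// Added example: first-party collector logic that runs before a hit is forwarded.

// Expand an IPv6 string to 8 hex groups, or return null if it is malformed.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16).toString(16));
}

// Assumed policy: zero the last octet of IPv4 and the last 80 bits of IPv6.
// Anything unparseable (including IPv4-mapped IPv6) yields null.
function anonymizeIp(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    if (v4.slice(1).some((octet) => Number(octet) > 255)) return null;
    return `${v4[1]}.${v4[2]}.${v4[3]}.0`;
  }
  const groups = expandIpv6(ip);
  return groups ? groups.slice(0, 3).join(':') + '::' : null;
}

// Allow-list of fields that may leave the server (hypothetical schema).
const FORWARDED_FIELDS = ['event', 'page', 'referrer', 'ts'];

// Build the payload sent onward: only allow-listed fields plus a truncated
// IP. If the IP cannot be parsed it is dropped rather than forwarded raw.
function buildForwardedHit(rawHit, clientIp) {
  const hit = {};
  for (const field of FORWARDED_FIELDS) {
    if (field in rawHit) hit[field] = rawHit[field];
  }
  const ip = anonymizeIp(clientIp);
  if (ip) hit.ip = ip;
  return hit;
}

// Constructed sample hit; the address is from a documentation range.
const sampleHit = { event: 'page_view', page: '/pricing', userId: 'u-123' };
const forwarded = buildForwardedHit(sampleHit, '203.0.113.77');
```
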
More ways of implementing marketing analytics (without Google Analytics)
Though many businesses may be under the impression that no Google Analytics means no analytics at all, that’s not true. There are other ways to implement advanced marketing analytics, and the OWOX BI team provides safe solutions for both collecting and storing data.
What is OWOX BI?
OWOX BI is a marketing analytics solution that automates delivery of data from siloed sources to your analytics destination, ensuring your data is always accurate and up to date.
Among the main advantages of working with data using OWOX BI are the following:
- All data is stored in Google BigQuery with full GDPR compliance. OWOX BI’s server-side tracking provides secure first-party data collection on your personal domain. The tracking process is compliant with Schrems II and the GDPR.
- Familiar Google Analytics data schema. You get the well-known Google Analytics Universal data schema for hits and session transformation. It takes just a few minutes to easily set up tracking using your current Google Analytics settings.
- High-quality data collection. Remain unaffected by ad blockers and get complete raw data with explainable quality. Collect each hit in your Google BigQuery EU storage in near-real time and without sampling.
- Effective marketing and data analysis. In 2023, a significant portion of information about the effectiveness of advertising channels will no longer be available due to the demise of third-party cookies and reduced cookie lifetimes. You can minimize losses with OWOX BI server-side tracking, collect first-party data, and merge it with marketing data in your storage.
What are the steps you can take with OWOX BI to save your marketing analytics?
As most businesses prefer to ensure that both data collection and storage are happening in the EU region, OWOX BI avoids using Google Analytics. In detail, the OWOX BI data flow looks like this:
- Collect data from the website in the classic Google Analytics format. Since this data format is familiar, it’s possible to reuse thousands of existing SQL queries.
- Collect raw data into Google BigQuery storage in real time. The obtained data belongs to you and is stored in the EU zone you’ve selected.
To sum up, OWOX BI allows every marketer and analyst to continue their work and apply analytics solutions that satisfy the company’s legal department:
- Ensure compliance with the GDPR while working with sensitive data.
- Avoid losing time and resources on reprocessing data or learning and adopting a new tech stack.
- Keep your website’s existing markup, as both the implementation time and the time to value are really short.
The situation with Google Analytics being banned and the upcoming Trans-Atlantic Data Privacy Framework still needs to be clarified. However, regardless of the outcomes, it’s best to protect your business now without waiting for a better time in the future. There are obvious steps you can take to minimize the risks, ranging from making legal preparations and ensuring user consent to moving away from US-owned service providers.
OWOX BI server-side tracking provides secure first-party data collection that’s compliant with Schrems II and the GDPR. And the cherry on top is the ability to minimize losses resulting from the demise of third-party cookies and reduced cookie lifetimes.
Can I continue to use Google Analytics if I am not based in the EU?
Yes, you can continue to use Google Analytics if you are not based in the EU. However, if you collect data from EU citizens, you will need to comply with GDPR regulations to avoid penalties and legal consequences.
Is it possible to track user behavior on my website without collecting personal data?
Yes, it is possible to track user behavior on your website without collecting personal data. You can use cookie-based tracking, which does not collect identifiable information, or configure Google Analytics to exclude personal data from your reports.