Bundles of Euro bank notes overlaid by handcuffs and a sinister sillouetted character on the left.

Google Analytics: Is it legal?

24 Nov 2022

Barry Fisher - Technical Director

Written by
Barry Fisher
Technical Director

Crazy question, right? Google Analytics is a tool used by CMOs and marketing departments the world over. With a name like Google attached, it's hard to believe that a product could be considered illegal.

But, according to the Italian, Danish, Austrian and French governments - that might just be the case. In fact, if their citizens are visiting websites running Google Analytics (including the latest GA4), those websites may in theory be breaking the national data protection rules of that country.

That's a big deal.

Wait, what?

As many of you will be well aware - the EU works under the GDPR rules that came into effect in 2018. But with Google being a US-based company, Google Analytics came under fire because it requires transferring personal data to the U.S. for processing.

On 16 July 2020, the European Court of Justice issued the Schrems II judgement with significant implications for the use of US cloud services. This meant that US cloud service providers must verify their practices are compliant with the data protection laws of the recipient country, create their own risk assessment and confer with their customers.

This means that organisations that operate within EU markets must adhere to the rules of GDPR or face potentially significant fines and legal implications.

Is Google Analytics (GA4) GDPR compliant?

According to Simple Analytics, not exactly. At the time of writing, GA4 remains non compliant with GDPR regulations in Europe. Despite adding many privacy-oriented features, the US and the European regulators have yet to reach a consensus and as such Google is caught in the cross-fire.

The core issue held by European authorities at the core of the complaints is the supplementary measures required by the Schrems II ruling. No effective measures currently exist for Google's cloud-based services to ensure that EU data never leaves the territory due to US regulation that could enforce Google to disclose personally-identifiable information. As such, Google cannot yet sufficiently protect EU citizens' data against US surveillance laws.

So is GA4 illegal in Europe?

According to the Schrems II case, supplementary measures for data transfers must be individually evaluated. So regulators technically can't declare Google Analytics as unlawful. This is because a different website could implement stronger safeguards and use GA lawfully.

However, in practice, those supplementary measures are chosen by Google and accepted by every company that signs up for GA's Terms of Service. And it's not possible for a website to implement its own supplementary measures on top of Google's. There are very limited effective safeguards against state surveillance in the US, and none are compatible with GA.

What you should do next

Data protection is a continually changing landscape. We are always learning, exploring and planning how we can help bridge the gap between effective marketing strategy and compliance with all applicable laws, both nationally and across the globe.

If you're a data protection officer, you need to understand the risk, the likelihood and mitigation that might be required moving forwards. This may cause conflict within businesses as legal teams will want to play it safe, whereas marketing teams will want to know as much as possible about their traffic and their audience. But it is of critical importance that you make efforts to understand your circumstances and implement solutions to ensure compliance.

How we can help

If you're concerned, it might be time to talk to a data protection and privacy specialist who truly understands your company, your marketing strategy and your legal responsibilities. We cannot provide legal advice, but can offer guidance as to the topics that may be of interest to your marketing team and Data Protection Officer and how to follow industry best practices. As with all legal matters, we always recommend that you seek legal advice from a certified legal professional.

Pivale can help implement effective solutions but it's up to the client to do due diligence on your responsibilities and compliance laws within your national and international market.

Barry Fisher - Director

Get in touch about your project

Give us a call or send us an email to talk through your project

telephone+44 (0) 203 743 0887


Related articles

An isometric illustration of people stood on a deconstructed website.

How to make your website accessible for everyone

Calendar 2 Feb 2022 #Insights #Advice #User experience Accessibility is perhaps the most important and most ignored aspect of web development. Let's change that.

Read the article
A sign post with writing Which Way To Go in opposite directions with the WordPress logo on the left and the Drupal logo on the right.

WordPress vs Drupal

Calendar 12 Jul 2021 #Insights #Advice #Drupal #WordPress Explore the differences and pros/cons of both WordPress and Drupal.

Read the article
A boy looking very confused and scratching his head.

What is Pattern Lab and why should I care about it?

Calendar 11 Sep 2018 #Insights #Frontend Our front-end developer discusses why you and your business should be considering Pattern Lab for your next Drupal project.

Read the article

More recent articles

A girl grimacing in disgust.

What to consider when you're thinking about your webforms

Calendar 3 Nov 2022 #Insights #Advice Webforms are a great way to consolidate interest and turn your visitors into potential new customers. But we bet you hadn't considered the power, positive and negative, that a webform can have on your potential new customer's experience of your business.

Read the article
The ruins of a building in the middle of a field.

6 reasons not to use a standalone microsite for your Christmas marketing campaign

Calendar 27 Oct 2022 #Insights #Advice #Security & compliance #SEO We've compiled a list of the six reasons businesses shouldn't entertain the thought of a microsite - and they're pretty compelling.

Read the article
Pivale logo + Platform.sh logo

Platform.sh: affordable and ethical enterprise-grade hosting

Calendar 21 Sep 2022 #Insights #Advice Your hosting headache - and how it's costing you business

Read the article

Subscribe for email updates

1 Your details

2 Your interests

Please select which Pivale services are of interest to you:

3 Legal info

By subscribing, you acknowledge that your information will be transferred to our marketing platform for processing.

You can unsubscribe at any time by clicking the link in the footer of our emails. You can find out more in our privacy policy.