Bundles of Euro bank notes overlaid by handcuffs and a sinister sillouetted character on the left.

Google Analytics: Is it legal?

24 Nov 2022

Barry Fisher - Technical Director

Written by
Barry Fisher
Technical Director

Crazy question, right? Google Analytics is a tool used by CMOs and marketing departments the world over. With a name like Google attached, it's hard to believe that a product could be considered illegal.

But, according to the Italian, Danish, Austrian and French governments - that might just be the case. In fact, if their citizens are visiting websites running Google Analytics (including the latest GA4), those websites may in theory be breaking the national data protection rules of that country.

That's a big deal.

Wait, what?

As many of you will be well aware - the EU works under the GDPR rules that came into effect in 2018. But with Google being a US-based company, Google Analytics came under fire because it requires transferring personal data to the U.S. for processing.

On 16 July 2020, the European Court of Justice issued the Schrems II judgement with significant implications for the use of US cloud services. This meant that US cloud service providers must verify their practices are compliant with the data protection laws of the recipient country, create their own risk assessment and confer with their customers.

This means that organisations that operate within EU markets must adhere to the rules of GDPR or face potentially significant fines and legal implications.

Is Google Analytics (GA4) GDPR compliant?

According to Simple Analytics, not exactly. At the time of writing, GA4 remains non compliant with GDPR regulations in Europe. Despite adding many privacy-oriented features, the US and the European regulators have yet to reach a consensus and as such Google is caught in the cross-fire.

The core issue held by European authorities at the core of the complaints is the supplementary measures required by the Schrems II ruling. No effective measures currently exist for Google's cloud-based services to ensure that EU data never leaves the territory due to US regulation that could enforce Google to disclose personally-identifiable information. As such, Google cannot yet sufficiently protect EU citizens' data against US surveillance laws.

So is GA4 illegal in Europe?

According to the Schrems II case, supplementary measures for data transfers must be individually evaluated. So regulators technically can't declare Google Analytics as unlawful. This is because a different website could implement stronger safeguards and use GA lawfully.

However, in practice, those supplementary measures are chosen by Google and accepted by every company that signs up for GA's Terms of Service. And it's not possible for a website to implement its own supplementary measures on top of Google's. There are very limited effective safeguards against state surveillance in the US, and none are compatible with GA.

What you should do next

Data protection is a continually changing landscape. We are always learning, exploring and planning how we can help bridge the gap between effective marketing strategy and compliance with all applicable laws, both nationally and across the globe.

If you're a data protection officer, you need to understand the risk, the likelihood and mitigation that might be required moving forwards. This may cause conflict within businesses as legal teams will want to play it safe, whereas marketing teams will want to know as much as possible about their traffic and their audience. But it is of critical importance that you make efforts to understand your circumstances and implement solutions to ensure compliance.

How we can help

If you're concerned, it might be time to talk to a data protection and privacy specialist who truly understands your company, your marketing strategy and your legal responsibilities. We cannot provide legal advice, but can offer guidance as to the topics that may be of interest to your marketing team and Data Protection Officer and how to follow industry best practices. As with all legal matters, we always recommend that you seek legal advice from a certified legal professional.

Pivale can help implement effective solutions but it's up to the client to do due diligence on your responsibilities and compliance laws within your national and international market.

Barry Fisher - Director

Get in touch about your project

Give us a call or send us an email to talk through your project

telephone+44 (0) 203 743 0887

email[email protected]

Related articles

A mockup of an ecommerce site home page.

Do you have a home page content strategy?

Calendar 2 Nov 2021 #Insights #Advice #User experience How to make an effective home page.

Read the article
A large padlock integrated in to a circuit board.

Five reasons why you need ongoing website maintenance

Calendar 10 Mar 2022 #Security & compliance Ongoing security maintenance is essential to the longevity of your website or application.

Read the article
An infinite swirling clock.

Websites as an Investment Part 4: What happens if I wait?

Calendar 24 Feb 2016 #Advice The clock is ticking and time is money. It turns out that delaying your new website could actually be costing you money. We try and break down why that is.

Read the article

More recent articles

Protective mother deer with her fawn looking into the distance.

Green lights and red flags for inter-agency collaborative working

Calendar 2 Jan 2024 #Insights #Advice #User experience #Drupal #WordPress Most responsible agencies have working relationships with fellow branding, marketing or creative agencies who have a particular skill set that can knock the socks off their clients when they partner up.

Read the article
Businessman with a unicorn head.

Why you need to STOP hunting for the unicorn

Calendar 10 Oct 2023 #Insights #Advice Let’s face it - recruitment is hard. And it’s not getting any easier. Inundated with CVs, but nothing that quite fits the bill. Know the feeling? You’re not alone.

Read the article
A mess of plugs and cables looking very dangerous.

Where businesses are going wrong with managing multiple websites

Calendar 11 Sep 2023 #Insights #Advice #Security & compliance #User experience #SEO #Drupal #WordPress Why you might have ended up in a multisite muddle.

Read the article

Subscribe for email updates

1 Your details

2 Your interests

Please select which Pivale services are of interest to you:

3 Legal info

By subscribing, you acknowledge that your information will be transferred to our marketing platform for processing.

You can unsubscribe at any time by clicking the link in the footer of our emails. You can find out more in our privacy policy.