Google Analytics: Is it legal?

But, according to the Italian, Danish, Austrian and French governments - that might just be the case. In fact, if their citizens are visiting websites running Google Analytics (including the latest GA4), those websites may in theory be breaking the national data protection rules of that country.

That's a big deal.

Wait, what?

As many of you will be well aware - the EU works under the GDPR rules that came into effect in 2018. But with Google being a US-based company, Google Analytics came under fire because it requires transferring personal data to the U.S. for processing.

On 16 July 2020, the European Court of Justice issued the Schrems II judgement with significant implications for the use of US cloud services. This meant that US cloud service providers must verify their practices are compliant with the data protection laws of the recipient country, create their own risk assessment and confer with their customers.

This means that organisations that operate within EU markets must adhere to the rules of GDPR or face potentially significant fines and legal implications.

Is Google Analytics (GA4) GDPR compliant?

According to Simple Analytics, not exactly. At the time of writing, GA4 remains non compliant with GDPR regulations in Europe. Despite adding many privacy-oriented features, the US and the European regulators have yet to reach a consensus and as such Google is caught in the cross-fire.

The core issue held by European authorities at the core of the complaints is the supplementary measures required by the Schrems II ruling. No effective measures currently exist for Google's cloud-based services to ensure that EU data never leaves the territory due to US regulation that could enforce Google to disclose personally-identifiable information. As such, Google cannot yet sufficiently protect EU citizens' data against US surveillance laws.

So is GA4 illegal in Europe?

According to the Schrems II case, supplementary measures for data transfers must be individually evaluated. So regulators technically can't declare Google Analytics as unlawful. This is because a different website could implement stronger safeguards and use GA lawfully.

However, in practice, those supplementary measures are chosen by Google and accepted by every company that signs up for GA's Terms of Service. And it's not possible for a website to implement its own supplementary measures on top of Google's. There are very limited effective safeguards against state surveillance in the US, and none are compatible with GA.

What you should do next

Data protection is a continually changing landscape. We are always learning, exploring and planning how we can help bridge the gap between effective marketing strategy and compliance with all applicable laws, both nationally and across the globe.

If you're a data protection officer, you need to understand the risk, the likelihood and mitigation that might be required moving forwards. This may cause conflict within businesses as legal teams will want to play it safe, whereas marketing teams will want to know as much as possible about their traffic and their audience. But it is of critical importance that you make efforts to understand your circumstances and implement solutions to ensure compliance.

How we can help

If you're concerned, it might be time to talk to a data protection and privacy specialist who truly understands your company, your marketing strategy and your legal responsibilities. We cannot provide legal advice, but can offer guidance as to the topics that may be of interest to your marketing team and Data Protection Officer and how to follow industry best practices. As with all legal matters, we always recommend that you seek legal advice from a certified legal professional.

Pivale can help implement effective solutions but it's up to the client to do due diligence on your responsibilities and compliance laws within your national and international market.