Bundles of Euro bank notes overlaid by handcuffs and a sinister sillouetted character on the left.

Google Analytics: Is it legal?

24 Nov 2022

Barry Fisher - Technical Director

Written by
Barry Fisher
Technical Director

Crazy question, right? Google Analytics is a tool used by CMOs and marketing departments the world over. With a name like Google attached, it's hard to believe that a product could be considered illegal.

But, according to the Italian, Danish, Austrian and French governments - that might just be the case. In fact, if their citizens are visiting websites running Google Analytics (including the latest GA4), those websites may in theory be breaking the national data protection rules of that country.

That's a big deal.

Wait, what?

As many of you will be well aware - the EU works under the GDPR rules that came into effect in 2018. But with Google being a US-based company, Google Analytics came under fire because it requires transferring personal data to the U.S. for processing.

On 16 July 2020, the European Court of Justice issued the Schrems II judgement with significant implications for the use of US cloud services. This meant that US cloud service providers must verify their practices are compliant with the data protection laws of the recipient country, create their own risk assessment and confer with their customers.

This means that organisations that operate within EU markets must adhere to the rules of GDPR or face potentially significant fines and legal implications.

Is Google Analytics (GA4) GDPR compliant?

According to Simple Analytics, not exactly. At the time of writing, GA4 remains non compliant with GDPR regulations in Europe. Despite adding many privacy-oriented features, the US and the European regulators have yet to reach a consensus and as such Google is caught in the cross-fire.

The core issue held by European authorities at the core of the complaints is the supplementary measures required by the Schrems II ruling. No effective measures currently exist for Google's cloud-based services to ensure that EU data never leaves the territory due to US regulation that could enforce Google to disclose personally-identifiable information. As such, Google cannot yet sufficiently protect EU citizens' data against US surveillance laws.

So is GA4 illegal in Europe?

According to the Schrems II case, supplementary measures for data transfers must be individually evaluated. So regulators technically can't declare Google Analytics as unlawful. This is because a different website could implement stronger safeguards and use GA lawfully.

However, in practice, those supplementary measures are chosen by Google and accepted by every company that signs up for GA's Terms of Service. And it's not possible for a website to implement its own supplementary measures on top of Google's. There are very limited effective safeguards against state surveillance in the US, and none are compatible with GA.

What you should do next

Data protection is a continually changing landscape. We are always learning, exploring and planning how we can help bridge the gap between effective marketing strategy and compliance with all applicable laws, both nationally and across the globe.

If you're a data protection officer, you need to understand the risk, the likelihood and mitigation that might be required moving forwards. This may cause conflict within businesses as legal teams will want to play it safe, whereas marketing teams will want to know as much as possible about their traffic and their audience. But it is of critical importance that you make efforts to understand your circumstances and implement solutions to ensure compliance.

How we can help

If you're concerned, it might be time to talk to a data protection and privacy specialist who truly understands your company, your marketing strategy and your legal responsibilities. We cannot provide legal advice, but can offer guidance as to the topics that may be of interest to your marketing team and Data Protection Officer and how to follow industry best practices. As with all legal matters, we always recommend that you seek legal advice from a certified legal professional.

Pivale can help implement effective solutions but it's up to the client to do due diligence on your responsibilities and compliance laws within your national and international market.

Barry Fisher - Director

Get in touch about your project

Give us a call or send us an email to talk through your project

telephone+44 (0) 203 743 0887

email[email protected]

Related articles

The ruins of a building in the middle of a field.

6 reasons not to use a standalone microsite for your Christmas marketing campaign

Calendar 27 Oct 2022 #Insights #Advice #Security & compliance #SEO We've compiled a list of the six reasons businesses shouldn't entertain the thought of a microsite - and they're pretty compelling.

Read the article
A girl grimacing in disgust.

What to consider when you're thinking about your webforms

Calendar 3 Nov 2022 #Insights #Advice Webforms are a great way to consolidate interest and turn your visitors into potential new customers. But we bet you hadn't considered the power, positive and negative, that a webform can have on your potential new customer's experience of your business.

Read the article
A well designed room featuring a large piece of wall art featuring a bee hive and the Pivale Assemble: Multisite Solutions branding.

The smarter way to manage many websites

Calendar 17 Jun 2020 #Press #Advice Do you crave the agility and speed of smaller market players? What effect would it have if you could work faster and smarter? Make this dream your new reality.

Read the article

More recent articles

Pivale logo + Platform.sh logo

Platform.sh: affordable and ethical enterprise-grade hosting

Calendar 21 Sep 2022 #Insights #Advice Your hosting headache - and how it's costing you business

Read the article
A sky scene with indecipherable technical information overlaid for effect indicating cloud hosting

3 reasons your choice of website host isn't just an IT issue

Calendar 16 Aug 2022 #Advice #Security & compliance Choosing the web infrastructure that supports your website is of paramount importance. And given that your choice of website host underpins the ability of your business to exist online, it's fair to say you need to make a well-informed decision about your hosting service.

Read the article
A roll of blueprints

Why documentation and processes could stop your website from failing at a critical moment

Calendar 29 Jun 2022 #Advice #Security & compliance Do you have documentation in place so that, when changes to your website are needed, there is a clear process to be followed whether by your in-house developers or your outsourced digital marketing partners?

Read the article

Subscribe for email updates

1 Your details

2 Your interests

Please select which Pivale services are of interest to you:

3 Legal info

By subscribing, you acknowledge that your information will be transferred to our marketing platform for processing.

You can unsubscribe at any time by clicking the link in the footer of our emails. You can find out more in our privacy policy.