The Italian Supervisory Authority (SA) recently ruled that Google Analytics was non-compliant with EU data protection rules. They banned the popular analytics tool, finding that the protections Google applied were not sufficient to address the risk and that the use of Google Analytics violates the bloc’s data protection rules over the data export issue.(1) Compounding the trouble, an e-Commerce website using Google Analytics without the safeguards set out in the EU GDPR violates data protection law, putting any e-Commerce business at major risk. “Now more than ever, small and mid-size companies need to own their data,” explains Mikel Lindsaar, StoreConnect CEO. “Everything they collect from their customers should end up in their own store and database, making them compliant with GDPR.”
France and Austria have also deemed the tool illegal, and Denmark is the latest EU country to do so. Technically, the Schrems II case in 2020 made data transfers between Europe and the U.S. illegal. However, that case found that the existing agreement between the U.S. and the EU, the Privacy Shield, was not compatible because American law allows the U.S. government to requisition client data from companies on national security grounds, something which is prohibited under GDPR (General Data Protection Regulation).(2)
Businesses using Google Analytics must therefore have a technical understanding of their data flows, including where the data is going, who is receiving the data and how the data is protected. Cookies are used to track data, but they are not the only means of collecting and transferring it. Google Analytics and similar services can receive personal data through other means. For instance, a website or app could still send personal data to Google via HTTP parameters or browser/device fingerprinting, among other means, to track users across web properties. That is why it’s essential that a technical analysis be conducted to learn which of these types of services are used by a website or app and what mitigations are needed.(3)
Millions of European businesses are poised to be affected by the banning of Google Analytics, resulting in several possible scenarios. The first is a total ban of Google Analytics in Europe, leaving American companies unable to operate in the EU. Another possibility is that United States-based tech companies switch to storing and consolidating data in Europe to ensure they’re compliant with GDPR. But that goes against the CLOUD Act, which requires that American service providers be able to provide U.S. authorities, when asked, with any domestic or international data that is stored in their servers. A third option is that EU businesses find an alternative to Google Analytics, while a final possibility is enforcement of the Innovation and Choice Online Act, which targets big tech companies for potential antitrust and consumer choice violations.