On 23 June 2022, the Guarantor for the protection of personal data published a Decision declaring illegal the transfer of personal data outside the EU carried out by users of Google Analytics (see the Authority's press release).
In this Decision, the Authority holds that the transfer of data by Google to its servers in the United States – in particular with regard to IP addresses – could, in theory, make it possible for the US secret services and/or Google itself to cross-reference the data in order to trace a single European citizen and their online activity.
All this comes at a historic time when other Authorities – such as those of France and Austria – had already raised doubts about the use of Google Analytics. Obviously, this measure has wide implications and, in general, it is a very complex issue, but let’s try to provide some clarity and dispel some of the rumours presently circulating.
Does Google Analytics record your IP address?
Yes and no. Google Analytics sends the IP address to its servers to estimate the city from which the user connects and to apply any filters (such as the exclusion of internal traffic), but then deletes this data, so that it is no longer available. However, the Guarantor raises the issue that Google's servers are in the United States, so the data transfer does occur, regardless of whether the data is then deleted.
Is Google Analytics IP anonymisation not enough?
No. The Guarantor has explained that truncating the IP (which is de facto what GA proposes) is not enough to anonymise it. In fact, like other Authorities before it, the Italian Guarantor is concerned about the possibility of cross-checking the data in Google's possession which, even if only theoretically, would make it possible – even with an anonymised IP – to trace data back to a single European citizen.
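The following Python sketch is an added example, not code from the original article or from Google. It shows, on constructed sample data, how a data controller can measure how many visitors remain singled out once a truncated IP is combined with other fields collected alongside it. Assumptions: truncation zeroes the last IPv4 octet and the last 80 bits of an IPv6 address, and the user agent and language stand in for the "other data" that could be cross-checked.

```python
import ipaddress
from collections import Counter


def truncate_ip(ip: str) -> str:
    """Mask an address as this example assumes GA does:
    zero the last IPv4 octet (/24) or the last 80 IPv6 bits (/48)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


# Constructed sample: one row per visitor (IP, user agent, language).
# Addresses are taken from the reserved documentation ranges.
HITS = [
    ("192.0.2.17", "Firefox/101 Linux", "it-IT"),
    ("192.0.2.44", "Chrome/102 Windows", "it-IT"),
    ("192.0.2.201", "Chrome/102 Windows", "it-IT"),
    ("192.0.2.90", "Safari/15 macOS", "de-DE"),
    ("198.51.100.5", "Chrome/102 Windows", "it-IT"),
    ("2001:db8:1:2::a", "Chrome/102 Android", "fr-FR"),
    ("2001:db8:1:9::b", "Chrome/102 Android", "fr-FR"),
]


def singled_out(hits, with_context: bool) -> list[int]:
    """Return indexes of visitors whose record is unique after truncation.

    with_context=False groups on the truncated IP alone;
    with_context=True also groups on user agent and language.
    """
    def key(hit):
        ip, user_agent, language = hit
        masked = truncate_ip(ip)
        return (masked, user_agent, language) if with_context else (masked,)

    counts = Counter(key(h) for h in hits)
    return [i for i, h in enumerate(hits) if counts[key(h)] == 1]


if __name__ == "__main__":
    print("unique on truncated IP alone:   ", singled_out(HITS, False))
    print("unique with user agent/language:", singled_out(HITS, True))
```

On this sample, truncation alone leaves one visitor unique, while adding two ordinary request fields leaves three of the seven unique.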
In the light of this decision by the Guarantor, should I therefore remove Google Analytics?
One possible option would be to keep Google Analytics installed but with the necessary changes to adapt to the Guarantor's decision (e.g. consider whether to implement server-side tagging).
In any case, each data controller will have to carry out their own assessment, always bearing in mind the likelihood of new agreements being reached between Europe and the United States regulating this issue.
The important thing is to analyse your processing and the measures implemented, as well as evaluating updates to the tool.
Is Google Analytics 4 equally impacted by this decision?
It would seem not; according to Google, the concept of privacy was built into GA4 at the design stage and Google apparently already took care of implementing very important changes months ago:
- Google Analytics 4 does not store IP addresses, but uses them for some features, such as filters and geolocation
- Google Analytics 4 data generated by devices in Europe is processed in Europe
- In the GA4 console it is possible to limit the collection of some data (such as location, device or operating system data) for some countries, so as to further limit the tracing power of GA
Is it advisable to switch to GA4 now?
Although it does not yet have all the functions of Universal Analytics, the new Google platform is certainly already much more responsive to these problems: we therefore recommend starting the installation of GA4 now and considering a dual setup. Having both platforms active – Google Analytics 4 and Universal Analytics – would allow data collection in parallel, thus avoiding the loss of important data when, next year, GA4 becomes Google's only measurement tool (here you can find an in-depth analysis of the potential of Google Analytics 4).
For each setup, it will be necessary to carry out an assessment and find the right solution to continue tracking user behaviour in order to ensure a data-driven approach to digital strategy. However, our advice is always to consult your DPO to ensure the assessments and settings are correct.
This article was written by Luca D’Aguanno, Digital Analytics Specialist.