A couple of months ago European data protection authorities stated that Google Analytics violates GDPR by passing identifying data from the EU to the US. Many companies are now thinking and discussing how to make sure that their Web Analytics setup is GDPR-friendly in the future without breaking their data collection. This, of course, does not apply only to Google Analytics, but also to other platforms and companies that transfer similar data from the EU to the US.
Especially IP addresses and some of the tracking IDs are seen as something that violates the EU-US data transfer for personal data when passing them to Google servers. Even though Google Tag Manager offers the possibility to anonymise the IP address, it is not enough. That’s because anonymisation happens after the data is transferred to Google servers and US authorities have access to this data.
Google has responded by stating that they are working on adding additional controls so that customers could customise the data to match the compliance objectives.
Also, it is possible that the EU and US would agree on a contract that enables identifying data transfer to US companies. There have already been some positive signs and if it succeeds it will remove the Google Analytics GDPR issue, but time will tell if it is enough.
Find the best option for your future data collection purposes
I would not recommend making any rushed decisions. You should rather stop and think about the best solution in the long run. I encourage you also to consult your company’s legal team to make the best and most GDPR-friendly setup for your data collection purposes. This case is quite new, and it still has a lot of open questions. I think everything depends on how Google and other companies can react to this and whether the EU and US can adjust a contract regarding web analytics data transfer.
I have discussed this topic with multiple companies, and it is a tough question especially if you have a Google marketing stack integrated with a Google Analytics setup. If Google Analytics is integrated with multiple marketing and data collection algorithms and platforms it would require a lot of technical setups to replace it with other tools and most likely you would lose some of the benefits.
There are three main options to consider if you are a Google Analytics user:
Option 1. Wait for Google’s updates and make sure you have GA4 set up
Since Google has already mentioned the new upcoming features, those who are relying on Google stack on advertisement and have marketing tools integrated with Google Analytics data, might prefer the option to wait for Google’s response. Changing the web analytics tool might mean a big investment to adjust the marketing and data collection setup.
Waiting for Google’s response and possible updates would be an easy option without additional investments, but the web analytics setup would still not be fully GDPR compliant if the EU and US can’t agree on a new contract.
These users who stick with this option should make sure that the setup is as GDPR-friendly as possible. This means that cookie consent is integrated correctly with the analytics setup and the new version of Google Analytics (GA4) is implemented since it has slightly better features for GDPR such as a shorter data retention period.
Also, new upcoming features will apply only to GA4 since Google has now informed that GA4 will not store IP addresses in the future and it will have country-specific privacy controls.
Google is shutting down Universal Analytics and it will stop collecting data on July 1, 2023 so now is the time to start building GA4 setup if you already haven’t.
Option 2. Start building Google’s new server-side tagging setup
A new server-side tagging feature from Google came out of beta at the end of last year 2021. Google Server-side tagging means that an additional endpoint in a server environment is created between the browser and 3rd party vendor endpoints.
When customers interact with pages, some third-party tags (such as web analytics and ad scripts/tags) can be loaded directly into the server container instead of the browser providing faster pages, better security for data, and the possibility to control what data and in which format it will be sent to 3rd party vendors. It also enables 1st party context for cookies with a server that runs on a subdomain and the possibility to extend cookie lifetime.
The internet is moving closer to a cookieless space, and Google server-side tagging will give you a good base for future data tracking and collection.
There are also some limitations since it would require a server license that has costs and some technical knowledge to set up the server and connect the server domain with your website.
Option 3. Change the Web Analytics setup to an alternative tool that has servers in the EU area
Web Analytics tool that stores the data in the EU area enables GDPR compliant data setup without EU-US data transfer issues. There are quite similar tools to Google Analytics such as Matomo Analytics and tools for more advanced usage such as Piwik Pro. Both tools enable the possibility to collect more comprehensive data than Google Analytics with GDPR limitations but would require a license with costs, in addition, to setup investments. Also, if you are using the Google marketing stack there are no direct integrations and might require a more technical setup.
There is not a ‘one size fits all’ type of solution. Every company needs to think about their requirements and needs for data collection as well as how to build the data tracking solutions in a GDPR-friendly way.
Solita is working with companies to help them to collect GDPR compliant web analytics data and integrate it with other tools to enable data usage in business growth. If you are wondering how to proceed with this topic or need help with building GA4, server-side tagging, or a new web analytics tool setup, do not hesitate to contact us.