New GDPR-proof alternatives to Google Analytics and cookies: Part 1

Are there any alternatives to Google Analytics? 

The use of Google Analytics (hereafter GA) has been restricted by national data protection authorities in an increasing number of European countries for several years. 

Austria, France and most recently Italy have caused quite a stir. It is not yet certain whether Google Analytics will also be banned in Belgium, although it is very likely that it will.  

On July 1, 2023, Google itself will pull the plug on Universal Analytics and Analytics 4 will definitely take over the torch.  Analytics 4 is an attempt by Google to be GDPR-compliant after all. The question, however, is whether Analytics 4 will be effective in doing so. 

But why is GA being banned?

Part 1 of this blog will discuss the issues surrounding GA and the GDPR. In part 2 of the blog, we will show you how to prepare for a possible ban of GA in Belgium. We figured out for you which affordable and GDPR-compliant analytics services are good alternatives to GA. 

What's the issue with Google Analytics?

We have seen articles appearing for months claiming that GA goes against the provisions of the GDPR, but why is this the case?

It is important to note that when using GA, personal data is transferred to the United States. The data sent includes: IP addresses, browser data and user identification data.

Until a few years ago, there was a U.S.-European treaty available, the so called ” Privacy Shield,” which regulated data transfers to the U.S.

This treaty was declared invalid in the famous SchremsII ruling of July 16, 2020. To notice the loss of the Privacy Shield, Google has begun working with Standard Contractual Clauses (SCCs). These are clauses that can be used on a voluntary basis to demonstrate compliance with data protection requirements.

Privacy Commission (“Datenschutzbehörde” or “DSB”)

The Austrian Privacy Commission (“Datenschutzbehörde” or “DSB”) is the first national data protection authority to rule against Google Analytics ‘ practices . This ruling followed the 101 complaints by the organization Noyb (NOT Your Business) of Austrian Max Schrems, against the websitewww.netdoktor.at

DBS: Google’s SCCs insufficient for GDPR compliance

This is because of the following reasons:

  1. Since Google is a “provider of electronic communication services,” it is subject to US law 50 US Code § 1881 (b) (4). Under these regulations, the U.S. intelligence community can require Google to give them access to Google’s data.
  2. The measures taken in addition to the SCCs are not sufficient to protect personal data as no possibility is foreseen to exclude monitoring and access to personal data by U.S. intelligence agencies

In addition, the DBS alsodetermined that GA , due to a technical error, had theIP addressof visitors was not anonymized.

Even without thethem technical error, the DBS felt that GA was not adequately protecting personal data. The DBS highlights that in the privacy measures that Google affects, such as the anonymize of the IPaddress, still talk about the processing of personal data.

Indeed, there is still the possibility that the remaining data could be combinedwith a unique profile. This combination makes it easy to trace the data back to a naturally identifiable individual.

This is certainly the case when one considers the sea ofdataGoogle possesses when the user, while surfing theInternetis logged in with a Google account.

In summary, we can identify the following problems with GA:
  • The data processed by Google should be considered personal data, even when privacy measures such as IP anonymization are in place.
  • The processing of this data in the U.S., as a result of U.S. law, is undoubtedly in violation of the GDPR, because the intelligence agencies of the U.S., can access this data without requiring the prior consent of the user

This statement boils down to the fact that the use of GA in Europe illegal should be illegal since it goes against GDPR provisions.

Ontwerp zonder titel-130

Will analytics 4 solve Google's problems?

Universal Analytics was released in 2012 and is now practically the Internet’s standard web analytics tool.  Consequently, most websites use GA. 

On July 1, 2023, that will change: Google has announced the phasing out of Universal Analytics. So companies that still want to use Google Analytics will soon have to switch to Google Analytics 4. (Hereafter: GA4) 

The new version of Google’s tool was developed in 2020 and differs from Universal Analytics in notable ways .  

What is GA4 (alternative to GA) all about?

GA 4 revolves aroundfirst-party cookies set by Google itself. It also uses an event-based model: it tracks specific user actions, such as clicking on a link or viewing a page, and links them to a single user. 

Universal Analytics instead revolves around third-party cookies and uses a session-based model that tracks user activity during a single visit to a Web site. 

Google claims: Google Analytics 4 (alternative to GA) will be more privacy-friendly than predecessor!

Google therefore hopes the new tool will solve Google’s legal problems regarding data transfers 

This , unfortunately, is not the case. Google tried to advertise GA4 as a step toward a cookie-free and privacy-friendly web analytics model. This is a lie, their new analytics tool is anything but cookie-free.  

GA4 forgoes third-party cookies and uses first-party cookies called Client ID. Like the third-party cookies used by Universal Analytics, GA 4’s cookies contain a unique identifier called Client ID.

For this reason, they are personal data under the GDPR. So GA 4 still transfers personal data to the US. 

User-ID also used by GA4 ? (alternative to GA)

GA4also usesanidentifier called User-ID. User IDs are not cookies, but another tool GA uses to track users across devices . They are personal data because they allow individual users to be distinguished among Web site traffic.

 The same goes for the unique ID, another parameter processed by GA to generate a User ID . 

Transferring personal data to the US is also an issue . Google Analytics 4 does not solve this. In fact, the Google Analytics 4 setup still transfers personal data to the US. 

Conclusion

Google fails to provide GDPR-friendly solution with GA4. Therefore, it is advisable to provide an alternative to GA for your business. In Part 2 of this Blog , we will present some affordable and GDPR-friendly alternativefor GA discuss 

Delen:

Meer berichten

GDPR And Public Administration

Introduction: In the digital age we live in, managing personal data is becoming increasingly challenging, especially for government agencies that manage a

cybersecurity in 2024

Cybersecurity Measures In 2024

Introduction: After a challenging 2023, which saw notable events both in cybersecurity and globally, we now turn our gaze to what 2024

Meer info: