Google Analytics and GDPR: resources and alternatives
introduction
With much discussion in recent weeks, here is an update and some explanations to try to better understand the latest recommendations from the CNIL regarding GDPR compliance.
On February 10, 2022, in a statement mentioning the Google Analytics tool, the CNIL stated:
“[…] analyzed the conditions under which data collected through this tool is transferred to the United States. […] considers these transfers to be illegal and requires a French website manager to comply with the GDPR and, if necessary, to stop using this tool under the current conditions.
a bit of context and history
Between 2016 and 2020, the “EU-US Privacy Shield” agreement protected data transfers from the Analytics platform. However, on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield agreement, citing:
“the risk that US intelligence services may access personal data transferred to the United States if the transfers were not properly regulated.”
On August 17, 2020, echoing the CJEU ruling, the NOYB association filed 101 complaints with the 30 EU and EEA member states against 101 European companies still using Analytics.
anonymization: Is it sufficient?
While the CNIL’s clarifications regarding data anonymization published in May 2020 raised doubts about the compliance of Analytics when the functionality is activated, the latest investigations by the national commission have shown that the current mechanism is insufficient, despite additional measures taken to regulate data transfer.
Collecting data and complying with the law is possible and easier than you might think.
To reconcile data collection / usage tracking – in a continuous improvement approach – with compliance with the law / data privacy, Gardeners has selected 3 alternatives to Google Analytics:
- at internet
- abla.io
- matomo (Main service deployed at Gardeners)
Amazon Web Services, Microsoft Azure, Google Cloud… What will be the effects and consequences of the decisions made by the CJEU/CNIL on these platforms and their services? Given the absence of major European players, the question remains open.
article author
Published in march 2022
Michel Volland
Director of Consulting and Data Hero at Gardeners, digital marketing expert, GDPR, and metrics.