On September 21st, 2022, the Danish Data Protection Authority (DPA) issued a press release stating that the continued use of Google Analytics without additional measures is not compliant with the GDPR. Since Personal Data (as defined by the GDPR) can in theory be transferred to Google servers physically located in the U.S, supplemental measures must be adopted by companies who use Google Analytics. This issue applies regardless of whether the old version (Universal Analytics/ UA) or the new version (Google Analytics 4) is used.
Currently, Google does not have any built-in features in either of these two versions that will fully prevent the transfer of Personal Data. Google has over the past year added multiple features to increase data controls in Google Analytics 4 to align with the GDPR requirements, including an IP anonymization feature. In the press release, the DPA stated that these features alone do not prevent the transfer of Personal Data to the U.S. and that a continued use of the tool requires additional measures outside Google Analytics.
As Google’s largest partner, Acceleration is in daily contact with Google’s senior management about the current situation. Google’s stance is that the press release from the Danish DPA is not a ruling but is considered to be guidelines. While it is not for Acceleration to provide legal consultancy, we encourage all advertisers, as a first step, to assess their company risk profile (which may differ from company to company and industry to industry) and consider whether to take immediate action – or hold on and wait.
Wait or Immediate action?
Google recommends advertisers to wait and not make any rushed decisions; the issue with Personal Data being sent to servers in the U.S. will automatically be solved with the upcoming Trans-Atlantic Data Privacy Framework (Framework). There is no set date as to when this Framework will become effective but, when approved by the European Commission, data transfers to the U.S. that are covered by the Framework will be compliant with the rules under the GDPR. This article indicates that the US executive order on the Framework may already be published within a few weeks and that the Framework, when ratified by the European Commission, may be ready by March 2023. Furthermore, Google is expected to add additional features to increase data controls further.
These are arguments for taking a waiting position which is illustrated by Solution #1 in the image below.
Solution #1 illustrates “as is” where data is sent directly to Google Analytics from an advertiser’s website. If the data is still being sent to the old version of Google Analytics, consider whether to migrate to the new version, Google Analytics 4.
Solution #2 is a “server-side” solution which the DPA mentions in its press release as a viable solution. It entails quite technical measures as it is based on a “proxy server” which means using an additional server that de-identifies the information before the transfer to Google Analytics and, thereby, no Personal Data will be transferred to the U.S.
This solution has been communicated as the best approach by other European data protection authorities, however, this solution will not provide for the same level of data and insights and basic insights, such as simple data showing which campaign activity or publisher that sent users to the advertiser’s website, will no longer be available. Therefore, the analytics tool will not be as effective, and it will be difficult to make the same level of informed decisions based on the available data.
Solution #3 is to a) find a European-owned analytics provider that does not store or share data in the U.S. (now or in the future) or b) send the website data to the advertiser’s own data warehouse instead of an external analytics provider.
The advantage of a data warehouse is the opportunity to combine the advertiser’s historic data with future data. If an external analytics tool is chosen, it will most likely entail starting from scratch as no historic data will be available. For many advertisers, a proprietary data warehouse and dashboard can be a more effective solution. This can also serve as a temporary solution until the Framework is in place. Once the Framework is finalized, data collected via the dashboard and stored on EU servers can be ingested into Google Analytics so year-on-year data for comparison will still be available. Besides different user interfaces (UI), the only differences compared to both the old and new versions of Google Analytics is that the activation capabilities (e.g. remarketing) and the demographic insights will be lost. All other capabilities will remain.
We have tested this solution internally with success so we know that it is a possible solution and can also help get you started if you choose Solution #3.
No matter which of the 3 solutions you consider the best fit and choose to proceed with, Acceleration can help with both technical consultancy and implementation. Reach out to Michael Hein Krogh, Executive Director of Platforms email@example.com if you want to hear more.
For further information, see the official statement and Q&A from The Danish Data Protection Authority here: