Ever since the EU brought the GDPR into force in 2018, companies have been scrambling to adapt. Since it applies to companies of all sizes, it goes without saying that smaller companies have been very heavily burdened.
However, just this month, one of the giants of the online world, Google, has come under fire because of the IP address tracking built into Google Analytics.
As we do with all our big news, we’ll break it down into a 30-second summary here:
What? In a recent Austrian court ruling, it was decided that the transfer of personally identifiable information (PII) of European Union citizens to Google Analytics’ US-based servers was in violation of the GDPR.
Why? The Safe Harbor and Privacy Shield laws that had legally protected the transfer of EU data to the US have lapsed. However, no new regulations have come into effect in the meantime.
Does this affect me? If you use Google Analytics (or another US-based third-party application that stores data) and operate your site in any of the European Union countries, then yes.
If that’s all you needed to know, then glad we could keep you up-to-date on this developing issue.
However, it is a bit of a sticky issue. So, if you want to get more information on the background and potential repercussions across the board as they relate to online privacy regulations, keep reading.
Disclaimer
Of course, before we get any further into it, it’s important to note that we are not legal professionals in any regard. This is just our interpretation of current events as they pertain to digital marketers and not legal advice. If you have any questions about how this ruling or GDPR, in general, applies to your business, please consult a lawyer who specializes in this space.
Why is this happening just now?
You might be wondering why this is a new development. After all, GDPR has been a thing for four years now and Google Analytics has been active for the better part of two decades. So why is the ruling just coming about now?
Well, as we briefly mentioned in the introduction, the recent development is the end of the Safe Harbor and Privacy Shield laws. These laws protected companies that transferred data from the EU to the US, ensuring that European data protection laws would be respected in the US.
The issues with data transfer laws
However, in 2015, the European Parliament deemed that the Safe Harbor laws were not in fact truly protecting the data of EU citizens. This was mainly because of US government access to data and a lack of transparency on how Europeans could voice grievances. As a result, these laws were invalidated by the European Court of Justice.
The following year, the US and EU governments addressed these concerns and implemented the Privacy Shield agreement. It provided more protections for EU citizens and still allowed the free transfer of data internationally. However, similarly, this agreement was also invalidated by the ECJ in 2020.
As a result, the most recent case involving a company using Google Analytics in Austria resulted in the court ruling that the software was in violation of the GDPR because the PII, in the form of IP addresses, was stored on Google’s US-based servers. The ruling restated that, because the data is housed in the US, government surveillance agencies may have access to it.
What is Google’s response?
This wasn’t a case directly targeting Google itself, unlike the 2020 case that ended Privacy Shield, Data Protection Commissioner v Facebook Ireland. This was simply a company that was running Google Analytics within the EU, without the proper cookie and consent bits as well. (While this is a key point, it stands that even with all the necessary permissions and consent for each user, simply transferring data to the US would most likely still have been ruled to be a violation in and of itself.)
However, Google issued a press release reiterating that they are simply a tool. They said that individual companies ultimately have the power and responsibility to ensure the data they collect with Analytics is properly protected.
There are numerous settings and recommendations that Google offers users in order to ensure compliance with local privacy laws.
What does this mean for digital marketing?
As it currently stands, Austria has more or less declared any third party that stores PII in the US to be in violation of the GDPR. PII includes data such as IP addresses, names, email addresses, etc. They haven’t explicitly banned the use of Google Analytics itself, although it was the application in question in this case, so the implication is clear.
Since precedent has been established with this case, it is very possible that other cases across Europe that are still in process will follow suit with similar decisions in the coming months. It’s not completely off base to think that in the coming months and years this decision could affect everything from Facebook Pixels to Cloudflare.
What do we do now?
First of all, relax. Everything is still fresh and settling. For now, if you are operating in the EU, review your Google Analytics settings.
A good first step would be to anonymize IP addresses so they are never stored or shared.
Of course, make sure you have your cookie pop-up set up as an opt-in. And definitely don’t collect any data until the person has said ok.
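To make the two steps above concrete, here is an added example (not from the original article or from Google) of an opt-in gate that keeps consent denied and loads nothing until the visitor accepts, then configures Analytics with IP anonymization. The `GA_MEASUREMENT_ID` placeholder, the `createAnalyticsGate` helper and the `#cookie-accept` button id are assumptions for illustration.

```javascript
// Added example, not code from the article. Replace the placeholder with your property ID.
const MEASUREMENT_ID = 'GA_MEASUREMENT_ID';

// dataLayer: the array gtag.js reads commands from (window.dataLayer in a browser).
// loadScript: callback that injects the gtag.js script tag; passed in so it can be stubbed.
function createAnalyticsGate(dataLayer, loadScript) {
  let loaded = false;
  // gtag.js expects the raw `arguments` object, exactly as in Google's own snippet.
  function gtag() { dataLayer.push(arguments); }

  // Default state: denied, so no analytics cookies are written before opt-in.
  gtag('consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied' });

  return {
    // Call from the cookie banner's "Accept" handler.
    optIn() {
      gtag('consent', 'update', { analytics_storage: 'granted' });
      if (loaded) return; // never load the library twice
      loaded = true;
      gtag('js', new Date());
      // anonymize_ip is honoured by Universal Analytics properties.
      gtag('config', MEASUREMENT_ID, { anonymize_ip: true });
      loadScript('https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID);
    },
    // Call from "Reject" or when the visitor withdraws consent later.
    optOut() {
      gtag('consent', 'update', { analytics_storage: 'denied' });
    },
    isLoaded: () => loaded,
  };
}

// Browser wiring; skipped when the file runs outside a page.
if (typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const gate = createAnalyticsGate(window.dataLayer, (src) => {
    const s = document.createElement('script');
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  });
  // '#cookie-accept' is a hypothetical id for the banner's accept button.
  document.querySelector('#cookie-accept')?.addEventListener('click', gate.optIn);
}
```

The gtag.js library is only requested inside `optIn()`, so a visitor who never accepts triggers no request to the analytics host at all.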
Sure, you could also just pull the plug entirely on Analytics and have no tracking. However, that makes it really hard to run an online business.
Watch this space for more developments in the coming months. And again, if you have any questions on the legal specifics for your business, please contact a legal professional.