The most vastly used statistics and analytics program on the market, Google Analytics is typically integrated into a website to measure site traffic by assigning a unique identifier (or cookie) to each visitor, such as the IP address associated with the equipment through which the user connects to the site. Since this identifier constitutes personal data under GDPR, any access to such identifier from a location outside the European Economic Area (EEA) is considered an international transfer of personal data under EU data protection laws.
As previously shared, international transfers of EU personal data trigger a host of compliance requirements for companies outside the EEA,1 and noncompliance can result in heavy penalties. With respect to such transfers made automatically via the use of Google Analytics, the consequences of non-compliance are now beginning to be seen. In 2020, the Vienna-based non-profit organization NYOB – European Center for Digital Rights – filed 101 complaints related to transfers of EU data to the United States through the use of Google Analytics. And in February 2022, the CNIL, in cooperation with its European counterparts, declared the use of Google Analytics to be illegal.
Google Analytics declared illegal in France
The CNIL’s decision was based on a review of Google’s business practices and its finding that Google was not satisfying the requirement that transfers of personal data outside the EEA be made with appropriate safeguards in place. Specifically, the CNIL determined that the additional measures being used by Google to control exports of EU personal data to the U.S. associated with its analytics functionality were insufficient to exclude the possibility of access to that data by U.S. intelligence services. As a result, they concluded that visitors to French websites using Google Analytics were being placed at risk. The operator of the website in question was given a one-month notice to comply with the GDPR by either ceasing to use Google Analytics or using a different analytics tool that does not involve data transfers outside the EU. The CNIL also affirmed that audience measurement and analytics tools should solely produce anonymous statistical data if the consent of the data subject is not obtained.
The CNIL’s findings have set a precedent in France, as well as for the rest of the EU. Moreover, given its alignment with the CJEU’s decision in Schrems II to invalidate the EU-U.S. Privacy Shield, it is reasonable to expect that other European data protection authorities will likely issue similar findings about the insufficiency of Google Analytics’ functionality to protect international transfers of EU personal data without certain safeguards.
Using Google Analytics in compliance with GDPR
The extraterritorial impact of the GDPR cannot be overstated. Every entity that processes the personal data of EU or EEA residents must comply with the GDPR, regardless of where it is based. When a U.S.-based company uses Google Analytics on a website accessible by EU/EEA residents, the personal data of its users is automatically stored via cookies placed on their browsers. Even if the company has no intention of reviewing or using such data, the mere fact that the data has been stored and will be processed outside of the EU/EEA is enough to trigger a GDPR violation.
The CNIL’s decision seems to imply that there is no way to safely use Google Analytics without violating the GDPR. However, there is a potential solution under GDPR Article 7, which allows processing when user consent is obtained. Specifically, companies may run any kind of cookie or tracker on their website that process personal data by requesting and obtaining the explicit and valid consent of their website users.
Another option for U.S. companies using Google Analytics on their websites is to simply block the access of EU/EEA residents to specific web pages where Google Analytics are enabled. In this situation, entry to a website would be gated by a questionnaire asking users where they are from. If a user indicates the EU or EEA, the site can then request express consent to the processing of their personal data. If consent is denied, the site can then block access to specific areas of the website.
If obtaining consent or restricting access is not feasible, U.S.-based companies may wish to consider use of a different web analytics platform to ensure their compliance with the GDPR. To that effect, France’s CNIL have identified a few alternatives which are more respectful of users’ personal data.2
Finally, It is important to highlight that the standard contractual clauses (SCCs) (a contractual-based safeguard) are NOT an option in this situation, if being used on their own, since they only bind the two contracting parties, not third parties such as a national authority with data access capabilities.3
For now, the use of Google Analytics in situations involving the personal data of EU data subjects remains complicated and somewhat ambiguous. It is also an evolving area of law, as more national authorities of EU Member States are expected to decide whether the use of Google Analytics under current conditions does indeed violate the GDPR and other EU law. It will be important for U.S.-based businesses to follow developments of the law in order to maintain compliance with all applicable privacy regulations. If you have questions about the use of Google Analytics or GDPR in general, please contact Stephan Grynwajc at firstname.lastname@example.org or 347-543-3035.
Stephan Grynwajc is admitted to the practice of law in the U.S., Canada, U.K. and in France/the European Union. He has served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU, UK and Canadian legal and regulatory landscape.
1 In the July 16, 2020 Schrems II decision, the CJEU invalidated the EU-U.S. Privacy Shield, the legal framework that had been relied upon to regulate transfers of personal data for commercial purposes between the EU and the U.S., forcing U.S. companies to find alternate mechanisms to safeguard such transfers in compliance with GDPR.
2 “Cookies: solutions pour les outils de mesure d’audience”, CNIL, 23 September 2021, online : < https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies-solutions-pour-les-outils-de-mesure-daudience > (accessed 23.05.2022)
3 The CJEU itself declared that the SCCs might not constitute sufficient means of ensuring the effective protection of personal data transferred to third countries. (CJEU, Schrems II, par. 126).