
Google Analytics cookies have once again drawn the attention of experts and become a trending topic, reviving interest in the by now lukewarm GDPR and stirring the supervisory authorities of EU member states, which are keen to safeguard the rights of their citizens.
The incompatibility between European and U.S. privacy rules has been known since the first Schrems judgment in 2015, and on the heels of the latest positions taken by Austria and France, the Italian Data Protection Authority has now ruled on the issue:
“Any website using the Google Analytics (GA) service, without the safeguards provided by the EU Regulation, violates data protection law because it transfers user data to the U.S., a country that lacks an adequate level of protection”.
After numerous complaints gave rise to a complex joint investigation, an unequivocal conclusion emerged: operators of websites that use GA persist, by means of cookies, in sharing multiple items of user data with Google. The data collected include:
- IP address of the user’s device (personal data; even when truncated it can still be enriched through Google’s other capabilities)
- information about the browser, operating system, and screen resolution
- language selected for navigation
- date and time of the website visit
The outcome of the investigations was a caution issued to Caffeina Media S.r.l., which is required to verify within 90 days that its use of cookies and tracking tools is compliant; the same requirement, with the same timeframe, extends to all Italian website operators.
To date, the judgment and the subsequent press release suggest that Google Analytics 3 does not guarantee full GDPR compliance. The doubt persists because IP addresses, even though anonymised, could still be linked to the other data collected during navigation, making it possible to identify the user even after the data are transferred to the U.S.
The heart of the problem lies in the transfer itself: once collected, the data are forwarded to Google LLC (U.S.) servers, where they are acknowledged to be accessible to U.S. government agencies such as the CIA and NSA.
Attempts to map out the future scenario are hampered by the lack of definitive answers; even opting for GA4 does not, on its own, offer acceptable guarantees, so additional safeguards will be needed.
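To make the concern in the paragraph above concrete, here is an added Python example (not code from the article, from the Italian authority or from Google): it applies the same truncation that Google Analytics' IP anonymisation performs (last octet of an IPv4 address, last 80 bits of an IPv6 address set to zero) to a handful of constructed visitor records, then shows that joining the truncated address with the browser, screen-resolution and language fields listed above still singles out most visitors. The sample records, the field names and the "quasi-identifier" hash are assumptions made for this illustration.

```python
"""
Added example: why a truncated IP address stops being 'anonymous' as soon as
it is joined with the other fields a web-analytics tag collects.

The visitor records below are constructed sample data, not real logs.
"""
import hashlib
import ipaddress
from collections import Counter


def anonymize_ip(ip: str) -> str:
    """GA-style IP anonymisation: zero the last octet of IPv4 (8 bits) or the
    last 80 bits of IPv6, leaving only the network part of the address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.IPv4Address(int(addr) & ~0xFF))
    return str(ipaddress.IPv6Address(int(addr) & ~((1 << 80) - 1)))


def quasi_identifier(record: dict) -> str:
    """Assumed key used to illustrate re-identification: the truncated IP plus
    the browser/OS string, screen resolution and language, hashed together.
    None of these fields is a name, yet the combination is often unique."""
    parts = [
        anonymize_ip(record["ip"]),
        record["user_agent"],
        record["screen"],
        record["language"],
    ]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def group_sizes(records, key_fn) -> dict:
    """How many distinct keys a key function produces over the records, and
    how many visitors end up alone in their group (i.e. singled out)."""
    counts = Counter(key_fn(r) for r in records)
    return {
        "distinct": len(counts),
        "singled_out": sum(1 for c in counts.values() if c == 1),
    }


# Constructed sample: six visits, all from the same /24 so that IP truncation
# alone collapses every visitor into one bucket.  Records 1 and 5 are the same
# person visiting twice; record 6 is a colleague with an identical laptop image.
SAMPLE_VISITS = [
    {"ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0",
     "screen": "1920x1080", "language": "it-IT"},
    {"ip": "203.0.113.57", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4) Safari/605.1.15",
     "screen": "2560x1600", "language": "it-IT"},
    {"ip": "203.0.113.201", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0",
     "screen": "3440x1440", "language": "en-GB"},
    {"ip": "203.0.113.88", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) Safari/604.1",
     "screen": "390x844", "language": "de-DE"},
    {"ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0",
     "screen": "1920x1080", "language": "it-IT"},
    {"ip": "203.0.113.140", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0",
     "screen": "1920x1080", "language": "it-IT"},
]


def compare_keys(records=SAMPLE_VISITS) -> dict:
    """Truncated IP alone versus truncated IP joined with the other fields."""
    return {
        "ip_only": group_sizes(records, lambda r: anonymize_ip(r["ip"])),
        "ip_plus_browser_fields": group_sizes(records, quasi_identifier),
    }


if __name__ == "__main__":
    for ip in ("203.0.113.57", "2001:db8:85a3::8a2e:370:7334"):
        print(f"{ip} -> {anonymize_ip(ip)}")
    for name, stats in compare_keys().items():
        print(f"{name}: {stats}")
```

With the sample above, truncation alone yields a single bucket for all six visits, while the combined key produces four distinct groups and leaves three visitors alone in theirs; the two visits by the same person also link to each other across sessions. This is the "linked to other data collected during navigation" problem in miniature: anonymising one field does not anonymise the record.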
So what options do companies have?
1- Remain on Google Analytics and move to GA4, managing the tracking upgrade from the previous version (which will be permanently decommissioned in mid-2023) and trusting, as it seems, that in the coming weeks or months it will be adapted to comply fully with current European regulations.
2- Disable GA and replace it with another service that manages and stores user data in compliance with European regulations, while also handling the re-tracking work and any migration of historical data. One possible candidate is Matomo, chosen by “Web Analytics Italia”, a platform developed for public administration authorities by AGID (Agency for Digital Italy). Another option is a more comprehensive suite such as MAPP Intelligence, which is not simply an alternative but an enterprise solution offering multiple services for analysis and extraction of KPIs.
3- Build in-house solutions that prevent Google Analytics from collecting personal data or sending it to the U.S.; for now this remains impractical given the time, cost and benefit trade-off.
If you too are evaluating the best choice for your company, feel free to get in touch for a chat.