Austrian data regulator, Datenschutzbehörde, recently found Google Analytics to be in violation of EU’s General Data Protection Regulation (GDPR) laws. It was revealed that data collected through GA from NetDoktor, a European medical news website, maintained inadequate protection against American intelligence agencies. Following the infamous Privacy Shield ruling in 2020, and a breach in European Parliament's Covid-19 Website in 2021, this is the third instance of GA operating an illegal mechanism to transfer data across borders in recent years.
What’s especially worrying is that there was nothing uncommon about the way NetDoktor had been using Google Analytics. Like millions of other GA users around the world, NetDokter places third-party cookies on visitors so as to be able to capture user behaviour. The problem is inherently with Google Analytics, as all this data then travel’s back unchecked to the tech giant’s servers in the US.
Europe is increasingly agitated with the manner in which this exported data is being transported and stored. US surveillance laws* protect foreign data far less rigorously than they do domestic data. The uncomfortable implication of this is that, in theory, US surveillance agencies have the authority to harvest massive amounts of personal data sourced from big tech companies like Google, Facebook, and Microsoft.
*Refer Section 702, Foreign Intelligence Surveillance Act & Executive Order 12333
After the episode in Austria, 30 other European countries are currently investigating the prevalence and extent of Google Analytics compliance violations. While any firm decision is yet to be made, the law is explicit in its stance. At least as it stands, it is impossible to conform to GDPR while actively using Google Analytics. The Dutch (Autoriteit Persoonsgegevens) and German Data Protection Authorities are strongly considering banning Google Analytics in the form that it currently exists. It seems only a matter of time before the rest of Europe follows suit.
If there’s one thing to learn from NetDoktor’s complacency, it’s this — don’t be complacent like NetDoktor. Google Analytics is illegal in Europe. Google Analytics is not GDPR compliant. Ignoring privacy rules and regulations may result in expensive fines and damaged brand reputations. If your website is Austria-based — or even serves Austrian citizens — you should ditch Google Analytics immediately. For other EU-based websites, it is highly encouraged to replace Google Analytics with a 100% GDPR compliant tool before local authorities inevitably tighten enforcement.
Factors.ai is the #1 privacy-first Google Analytics alternative for your consideration. We provide end-to-end marketing analytics and revenue attribution using absolutely no third-party cookies. We’re also 100% GDPR, CCPA, and PECR compliant. Additionally, we recently secured SOC2 compliance — satisfying the Trust Services Criteria based on Security, Availability, Processing integrity, Confidentiality, and Privacy. Book a Demo with us to learn more about Factors.ai.
Get the latest best practices in Marketing Analytics
delivered to your inbox. You don't want to miss this!!