CNIL’s Google Analytics Ruling is a Big Problem for Businesses

Google Analytics is having a rough time in Europe. Despite the fact that in March of 2022, the EU and US began working on a new agreement to address privacy concerns over trans-Atlantic data flows, EU countries continue to find the current data protections Google provides inadequate under the GDPR. 

In February, France’s data protection agency CNIL found that using Google Analytics violates the country’s data privacy laws. In June, CNIL issued updated guidance that officially codified its findings and essentially eliminated the ability to use the platform, giving website operators one month to comply. In early July, the Italian Data Protection Authority (DPA) followed suit with a similar ruling, giving operators 90 days to comply or face penalties. 

The recent rulings will impact data privacy for marketing agencies and businesses, fundamentally changing how web performance is measured and reported. They also show that the evolution of the law is ongoing, and drive home the need for an agile strategy around data analytics. So what do you need to do? Let’s dive in – but first, let’s back up. 

Google Analytics vs. The EU

Ever since the EU’s General Data Protection Regulation (GDPR) went into effect in 2018, controversy has swirled around personal data and Google Analytics has been at the center of the controversy. This popular website monitoring tool is free for the standard version, easy to use and provides valuable insights, so it’s no surprise that about 35 million businesses currently use it. (Yes, million.) That includes about 4.2 million in the US and 1.7 million in the UK. 

Despite its popularity, trouble began for Google when the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield agreement in 2020. The Court was concerned that US law allows the government to request data from US companies – particularly Google – with no rights or redress for foreign citizens. 

Google worked to implement many of the guidelines provided by the European Data Protection Board (EDPB), including anonymizing IP addresses. But that didn’t stop the dominoes from beginning to fall. In January 2022, Austria was the first country to officially state that the use of Google Analytics was unlawful per the GDPR. In February, the Dutch data authority issued guidance that warned against the use of Google Analytics. 

Also in February, France’s CNIL brought several cases against specific website operators, ultimately ordering them to comply with GDPR – and setting the stage for the updated guidance issued in June. While the rulings in France and Italy don’t ban Google Analytics outright, they do put a heavy burden on companies who use the platform that will make it nearly impossible for them to comply.

How the EU Ruling Could Affect Your Business

After all that background, you might be thinking, “Well, the US isn’t in the EU, so I’m good, right?” Wrong. The GDPR and all of the subsequent rulings by individual countries affect not only the businesses that are headquartered there, but also any that do business within the EU. Plus, many American states are following suit with their own data protection laws, including California, which is home to nearly 40 million people (12% of the total US population!). 

All of these developments create a gray area when it comes to Google Analytics use for companies around the world. On top of that, GDPR compliance has made data from Google Analytics less reliable and harder to measure because there is limited to no visibility for users who do not “opt-in” to tracking.

It isn’t just Google Analytics, either. The GDPR and the newest American data privacy laws also affect the third-party data many businesses depend on for marketing. Database platform Oracle dropped its third-party data for EMEA back in 2020, while major web browsers including Apple’s Safari implemented privacy updates that affect tracking data. 

Google's Latest Privacy Updates

Google seems to recognize that the tide is turning against its current data practices. In September 2020 they announced a new Consent Mode available to advertisers and Google Analytics users. And in October of that year they officially unveiled Google Analytics 4 (GA4), which is currently available and will fully replace the previous iteration, Universal Analytics (UA), in June 2023. 

GA4 offers more privacy controls and data settings for businesses to choose from, and also incorporates some automatic changes, such as not using cookies and not storing IP addresses. It will also likely change your KPIs, as it eliminates some metrics, including bounce rate, while adding others. Integrated data collection, more detailed data controls and more detailed data segmentation will affect reporting. And most of all, GA4 requires a complete redeployment and has an entirely different interface, both of which will have a learning curve and require resources. 

GA4 addresses some key pieces of the puzzle for GDPR compliance, including IP addresses, but not everyone is convinced Google has solved all of its privacy issues – as seen with the recent rulings in Austria, France and Italy. Will the dominoes continue to fall? It may be wise to assume that they will. 

What You Can Do

The privacy law landscape is constantly shifting, and keeping up with the changes can be a challenge in itself. The latest rulings have created even more uncertainty, especially for large and complex B2B organizations, who can’t just snap their fingers and use a different analytics platform. 

It will take time and resources to comply with EU privacy standards, especially if there is no new formal agreement between the EU and the US on trans-Atlantic data flows and no protections put in place for US companies using Google Analytics. Now is the time to start thinking about your options. 

You may be tempted to simply adopt separate analytics tools for your US and EU customers, however this introduces new complexities. Google often doesn’t rank regional pages correctly, so users from outside the US may arrive at your US pages, or vice versa. This means that separating your analytics tools isn’t as easy as it appears, as you will have traffic arriving to all of your pages from all regions of the world. You would also need the ability to consolidate that separate performance data in order to get the “big picture” on your performance. 

You can also replace Google Analytics entirely. With the switch to GA4 coming up in a year, many organizations are already using resources to migrate to the new platform. From this view, it isn’t much of a stretch to instead use those resources to implement a whole new analytics platform.

Either way, if you’re concerned about GDPR compliance, the time to start evaluating possible tools is now. Although Google’s data harvesting and transfer infrastructure is vast, there are other options. The good news is that GDPR-compliant analytics platforms are popping up seemingly everywhere, including Fathom, Visitor Analytics and Matomo. The less-good news is that evaluating your options requires expertise, experience and most of all, time and resources. 

BOL can be a trusted partner as you create your go-forward strategy to help you maximize your visibility into performance data while complying with the law. We’ve also partnered with SafeGuard Privacy, a SaaS-based compliance platform that allows users to audit and comply with global privacy compliance laws and requirements.

Check out our Performance Reporting, Analysis and Insights page to learn more and Contact Us to get started.