Google Analytics is not GDPR compliant: let’s be clear about it
Google's well-known web analytics tool does not comply with current EU privacy legislation. What steps are needed to become compliant? Are there alternative solutions?
After receiving many requests for clarification from our clients about the position taken by the Data Protection Authority on Google Analytics, we wrote this article to provide guidelines and support for those who need it.
The position of the Data Protection Authority on Google Analytics
On 23rd June 2022, the Data Protection Authority expressed its position on the use of Google Analytics, declaring that a website which uses Google Analytics (GA) services without the guarantees required by the EU Regulation violates user data protection law, because it transfers users' data to the United States, a country that lacks an adequate level of protection.
This holds even when the option to anonymize the visitor's IP address is enabled: even if the address is truncated, the data does not become anonymous, given Google's ability to enrich it with other data in its possession.
The Data Protection Authority draws the attention of all Italian website operators, public or private, to the unlawfulness of transfers made to the United States through GA, and states that it will proceed, including through specific inspection activities, to verify that the data transfers carried out by data controllers comply with the EU Regulation.
So, does Google Analytics have to be removed from your website?
The position of the Data Protection Authority refers to Google Analytics 3, also known as Universal Analytics (UA). For this version, which was the standard property type for websites before 14th October 2020, there is no uncertainty: if no additional security measures are taken, it must be removed.
The Data Protection Authority does not say which technical measures would make UA compatible with the GDPR: identifying them is left to the data controller of each website.
Does the problem also apply to the new version of Google Analytics, GA4?
GA4 shares little with UA on the technical side. It is not a new release of the previous product but originates from a new project born inside Google (unlike the first, which was the result of an acquisition). First of all, the measurement model changes: Universal Analytics is based on sessions and page views, while Google Analytics 4 is based on events and metrics.
Starting from 30th September 2023, UA will be “turned off”. The transition began with a post on Google’s blog, “Prepare for the future with Google Analytics 4”, on 16th March 2022. We have already covered what is new in Google Analytics 4 on our blog.
The characteristics of GA4 seem to take European privacy and security guidelines into account, but the Data Protection Authority is silent on this. The risk of switching to GA4 and ending up in a non-compliant (and therefore sanctionable) situation is real. Website owners should carefully evaluate the option of using GA4 and be aware of the risk this decision could entail.
So, what should I do?
The first step to avoid sanctions is to remove Google Analytics 3 (UA) from your website.
To start, find out whether your website is linked to Google Analytics by following our instructions.
We have published two guides on our blog on how to remove Google Analytics from a website built on the CMSs we use, Drupal and WordPress.
- How to remove Google Analytics 3 (UA) from a WordPress website
- How to remove Google Analytics 3 (UA) from a Drupal website
In both cases, as indicated in the two posts, the privacy and cookie policies will need to be updated at the end of the process.
And then? If I remove UA, how will I measure the results of the marketing actions on my website?
If you decide not to take the risk of upgrading to GA4, there are other solutions that let you keep measuring the return on the marketing actions that bring traffic to your website, in full compliance with EU regulation.
Among these, at Archibuzz we chose Matomo. We installed the open source version of Matomo on our servers, and we decided to offer our clients the use of Matomo free of charge for at least one year (excluding integration work), hoping that by then the Data Protection Authority's position on GA4 will have been clarified.
We remain available to clarify any doubts about this important issue for anyone who needs support in disabling Google Analytics on their website and intends to switch to Matomo.