Google Analytics Privacy: Austria Says “Nein” to Transatlantic Data Transfer
Facing a litany of privacy lawsuits, Google’s hottest fire is now in Austria. In December 2021, a small case focused on NetDoktor (think “Austrian WebMD”) put EU-US data transfer back on the radar of marketers and any organization that relies on Google Analytics for data collection. This single “Schrems II” ruling could have an impact on the use of Google Analytics in Europe and set a legal precedent impacting data privacy in the US.
The ruling could also affect any company outside of the EU that stores any EU data—not just Google Analytics data. That includes anyone using cloud services, including Amazon Web Services, Microsoft Azure, Square, and countless others.
You could say we’re keeping an eye on this one. And today we’re focusing on the Google Analytics lawsuit and what it means for businesses that rely on it to track their websites and apps.
Is Google Analytics GDPR Compliant?
At least one Austrian court says no. The December 2021 ruling found that, by passing PII data out of the EU to Google’s servers in the US, Google Analytics is in breach of General Data Protection Regulation (GDPR). All members of the European Union agreed to meet standards set by GDPR, an effort meant to tighten control on internet privacy and data collection. It may be only a matter of time before other EU member states follow Austria’s lead regarding Google Analytics’ Univeral Analytics and GA4 platforms.
NetDoktor isn’t the only reason Google Analytics is in the news, either. In the days before the ruling on that case, the website set up by the European Parliament to handle COVID-19 testing also violated GDPR, since it used Google Analytics and Stripe servers located in the US.
What’s the Big Deal?
The EU likely has good reason to be concerned about its citizens’ data being shipped overseas. As strict as their privacy laws have become, US regulations are much laxer, especially for non-citizens. Due to two pieces of legislation, the US government isn’t obliged to protect data pulled from people outside of the country as closely as it does for those living in the country. While there isn’t evidence that this difference in treatment has led to any breaches, it does leave the door open for government agencies to access massive amounts of data housed here in the US.
Privacy Shield: Invalidated
Privacy Shield is one of the rare cool names in digital infrastructure branding. This agreement was reached in 2016 and replaced earlier iterations of data transfer policy between the US and the EU. Privacy Shield set forth specific standards for how data is transferred, stored, and protected, and it didn’t exactly please privacy critics at the time. Legal analysts noted how little the agreement improved earlier concerns, including voluntary self-certification for US companies affected by the changes.
What It Means for Marketers Who Use Google Analytics
For marketers, this doesn’t mean anything… yet. This ruling would mainly impact marketers in Austria, or site owners with websites hosted in Austria, that use Google Analytics (GA). And the decision is far from final.
We may get a better idea of how the winds are blowing when this decision heads to appeal, but it’s a clear sign that marketers and organizations that rely on GA data should make plans for if (when?) such tools are banned across Europe and even the US.
(But remember, effects stretch far beyond GA into data storage in general, so it’s possible your IT team is already thinking about adjusting cloud storage if you store Austrian/EU citizens’ data in the US.)
First Party Cookies
If you can’t have someone else’s cookies, you’ll have to bake your own. Oneupweb took a look at how third-party cookies have crumbled in recent years as a result of legal action and that most valuable and changeable of forces: public opinion. First-party data comes straight from your users, on your digital assets, but it also means it’s your responsibility to gain consent from visitors.
New Tools from Google
Google is too smart to hope strongly worded blog posts will be enough to stem the tide. They’ve been evaluating strategies like FLoC, and now Topics, to offer more privacy to users without leaving marketers high and dry. With third-party cookies fading away in 2023 and Universal Analytics no longer being the default type of GA property, it’s worth setting up your Google Analytics 4 (GA4) properties to establish a firm baseline of data and allow for a seamless transition – plus learn all the new terms, tricks, and reporting options.
We set GA4 properties up for our clients in 2021, so if you need a hand, let's talk.
New Tools from Not-Google: Analytics Alternatives
Did you know other companies can do what Google does? Crazy. There are several alternatives to Google Analytics that support nearly identical reporting options and tracking capabilities. Some users find these alternatives to Google Analytics easier to use and customize. Make sure you double-check whether the tool you select is GDPR compliant from the first click; like Google Analytics, some require adjusting settings at setup, and even those adjustments may not fully ensure compliance. It might be worth comparing the Google Analytics privacy policy to the software options you’re considering.
Watching the Dominoes Fall
As marketers, we know that this is the tip of the iceberg. The privacy watchdog, noyb, that filed the NetDoktor suit didn’t put all their eggs in one Austrian basket. The organization has 100 cases submitted across Europe targeting Google, Airbnb, IKEA, and more. This is just getting started, so make sure you’re working with a marketing agency that can keep tabs on whatever comes next. Keep up with all things marketing with our Digital Digest newsletter (which is digital and delivered to your inbox, wink), or get in touch to talk tech, big ideas, and the latest on European data privacy policy.