After reading this article, the current legal issues related to the use of Google Analytics will no longer hold any secrets for you.
You will be directly able to bring your tool into compliance to maintain the service !
The use of Google Analytics generates 3 issues : two of them are related to the compliancy (ePrivacy and GDPR) and one affects the performance of the tool :
Issue n°1: The deposit of GA cookies without consent
GA cookies (Universal Analytics or GA4) are not considered functional cookies and are not either exempted from consent because they don’t comply with DPA exemption criteria for measurement tools.
Therefore, they are subject to the ePrivacy Directive and to the legal basis of consent to authorize their deposit and use.
As a consequence, it is essential not to allow GA cookies to be deposited without prior consent, and to make sure at valid consent is collected before the Google Analytics solution is triggered.
This rule has been valid since the GDPR came into force, namely since May 2018. If a tolerance period for implementation had been agreed by the CNIL... It has been exceeded for a long time now...
Issue n° 2: The loss of statistics
As you may understand, without consent, the use of GA is prohibited.
But since the Google Analytics solution is a measurement tool, if it can’t use its cookies anymore, it can’t neither report statistics.
Indeed, issue n°1 automatically leads to issue n°2.
Not any website manager wants a formal notice by placing non-exempted cookies without consent, but no one wants to lose part of its statistics either !
Issue n°3: The illegality of transfers to the United States
“Things come in threes” as the saying goes ! Since February 10th, 2022, the CNIL has been giving website managers formal notice for their use of GA and therefore for illegal transfers of personal data to the United States.
This is an obvious GDPR topic and a responsibility entirely owned by the publishers. The latter take responsibility for the illegal transfers of personal data of European residents to the United States, because they are the data controllers !
What is the outcome for Google Analytics users?
Considering these three issues, the situation is tricky for website managers using Google Analytics.
Do not panic, however: the CNIL does not prohibit Google Analytics ; it prohibits its use in its standard versions (under UA & GA4) as long as the transfers are not secure.
Sirdata, a French company with more than ten years of experience in Privacy, offers you the “Sirdata Analytics Helper”.
The tool enables you to automatically respond simultaneously to the three issues by adding a simple script to your website :
Cookie management :
This is the easiest subject to solve.
There are several solutions, ranked below from the least beneficial to the most optimal :
a) Conditioning the firing of your the GA script(s) : in your source code or in your GTM
b) Activating the Google Consent Mode
c) Activating the Sirdata Analytics Helper
These three solutions will result into the blocking of GA cookies until the user has given his consent.
The 3rd option (c) is much more advantageous, because it is the only one that solves issue n°2 (loss of statistics) and n°3 (illegal transfers of personal data).
What is the Sirdata Analytics Helper's solution to automatically manage cookies ?
The service will automatically prevent the deposit of GA cookies until the user has given his consent based on the information sent by the CMP (Consent Management Platform) deployed on the website.
Here is a comparison of the existing ways of using Google Analytics :
“Without conditioning”, GA cookies are systematically deposited, i.e. before the user makes any choice through the CMP, and even in the event of a refusal. As a result, the statistics will still be visible, but the price to pay is the absolute non-compliance of the processing and collection of personal data by the website.
If conditioning or Google Consent Mode used, statistics of visits are lost when the user does not provide his consent.
The Sirdata Analytics Helper is the only solution on the market that allows you to maintain real statistics even when the user does not accept and/or continues without accepting.
These statistics are based on the processing of the user's personal data in an extremely secure and then anonymized format which enables Sirdata to base this processing on the legal basis of legitimate interest and no longer on the user's consent.
This 100% cookieless intelligent Sirdata technology allows the following method :
- In case of consent : use of a GA cookie
- Without consent : use of Sirdata Analytics Helper services
This means that all statistics can be maintained automatically in the Google console, unless the user objects to the processing based on legitimate interest via the CMP deployed on the website.
If he accepts, if he doesn’t make any choice, if he clicks on the close button “x”, if he clicks on “continue without accepting”, if he clicks on “set my choices” then “save”, the statistics will be maintained thanks to the Helper !
Cookieless by Sirdata is a technology in which Sirdata has been investing for more than four years.
Its protocol has been submitted to the CNIL and respects the privacy of users. It allows, within the framework of targeting, to respond to all marketing challenges according to the choice of Internet users and the constraints of browsers.
As part of the use of Google Analytics, it is the only solution on the market capable of maintaining statistics even when the user doesn’t make any choice or “continues without accepting”.
Transfers of personal data to the United States
On February 10th, 2022, the CNIL indicated that it had given formal notice to a website manager for the use of Google Analytics and therefore illegal transfer of personal data to the United States.
Since this statement of the CNIL related to the non-compliance of the transfer to Google Analytics to the United States, other Authorities in Europe have adopted the same conclusions and numerous complaints have been filed.
Here is what the CNIL recommends for the proxification :
Through the Analytics Helper, thanks to the management and control of its proxy settings, Sirdata offers website managers to secure their transfers of personal data to the United States according to the recommendations of the CNIL :
Personal data such as the IP address and the Google ClientID are automatically processed on the fly so that the statistics remain true without the data being able to be read or decrypted by Google and the intelligence services.
One thing is certain, there is no other way to secure these transfers.
It is necessary to use a third-party proxy and above all to break the possible identification link by Google and the intelligence services. This is means for Sirdata to maintain the individualization allowing the statistics, but also to prevent any identification.
You now have all the elements in hand to go on with using Google Analytics if you wish.
To sum up, it is fundamental to apprehend this question as a whole. Simply using a proxy is not enough. You have to ensure compliance with the ePrivacy directive (cookie management) while also ensuring compliance with the GDPR (transfer security) without forgetting the business aspect (not losing 30 or 40% of your statistics).
One last piece of advice: if you had to ask yourself one and only one question, ask yourself “Do I want to keep the Google Analytics tool?”
In general, the answer is yes, because it is a good tool often linked to Adwords campaigns, which allows fine measurement to know the source of traffic and measure performance.
Very often, starting from scratch, configuring a new tool and no longer being able to compare its statistics with previous years is unthinkable ! If you are one of the website managers who absolutely want to keep Google Analytics, the Sirdata Analytics Helper is the ideal solution.
If the answer is no : if the use of GA is not crucial in your strategy, it is better to change the tool to implement an exempted solution.
It is therefore essential to delete Google Analytics and above all not to keep it “in backup” because, in the event of an control, having a limited use of the tool will not be a valid justification.