Europe has been hit with a series of Google Analytics restrictions, underscoring the critical importance of GDPR compliance. Several incidents occurred in different countries, but the most widely spread incidence was related to the regulations in Italy, France, and Austria, where data protection regulators said that using Google Analytics is not GDPR compliant.
This article will discuss the regulations prohibiting European users' data transfer to US companies. We will also cover how you can use Stape Europe to set up an EU proxy server for server GTM that will help make the use of Google Analytics GDPR compliant.
The legal story of data sharing between EU and US companies started in 2016 when the European Commission approved the Privacy Shield (a legal framework that regulates data transfer for commercial purposes between US and EU companies). This framework has since faced scrutiny from European Data Protection Authorities.
In 2020, the European Court of Justice's ruling that declared Privacy Shield disabled sent shockwaves through the digital world. This happened because US law does not offer sufficient personal data protection for European residents, violating data protection regulations.
This ruling extensively discussed Google services (like Google Analytics or Google Fonts), highlighting the crucial need for robust measures to ensure the safety of EU user data.
European Data Protection Authorities have declared that asking for user consent (or standard contractual clauses) on the site and triggering a US-based intelligent tracking tool based on user consent won’t make it GDPR compliant.
Google Analytics is a free tool from Google that helps website owners see how their website is doing. It shows them who’s visiting the site, what pages they’re looking at, and where they’re coming from. This info helps businesses understand what’s working on their website and what isn’t so they can make changes to improve it and get more out of their marketing efforts.
Google Analytics gathers information about website visitors and how they use the site. It works through a tiny bit of code added to each webpage, which tracks each visitor and sends the data to Google. Google processes this information and shows it in an easy-to-read dashboard, giving website owners insights into traffic, user engagement, and conversion rates. This helps them see what users are doing on their site, track important goals, and make smart decisions to improve their website and online impact.
The General Data Protection Regulation (GDPR) is a data privacy law introduced in 2018 by the EU to protect people's personal data and give them more control over it. GDPR applies to any organization handling people's personal data in the EU, no matter where the organization is based.
It requires companies to follow strict rules on collecting, using, and storing personal data, including getting explicit permission from users before doing so. Following GDPR is important for companies in the EU, as it helps protect user privacy and builds customer trust.
GDPR compliance is essential for Google Analytics because it ensures that the collection and processing of personal data from EU residents adhere to the General Data Protection Regulation . Non-compliance can lead to hefty fines and significant damage to a company’s reputation. Beyond the legal implications, adhering to GDPR builds trust with users, showing them that their privacy is taken seriously. This trust is crucial for fostering long-term relationships and maintaining a positive brand image. By being GDPR compliant, businesses can demonstrate their commitment to protecting user data, which is increasingly important in today’s digital landscape.
The two most famous incidents related to data transfer of EU users to the US were in Italy and France, as investigated by data protection authorities. Let’s start with the French one.
The French data protection authority (CNIL) received complaints from French users who asked if the use of Google Analytics (an intelligence tool that belongs to the USA company) complies with the GDPR rules.
The CNIL stated that French websites using Google Analytics resulted in a data transfer of European users to US companies. This violates the GDPR rules since US companies do not provide enough evidence that the personal data of EU users is safe. Besides that, the CNIL has confirmed that Google’s implementation of SCCs is not enough to meet the GDPR requirements.
The situation in Italy is similar. The Italian SA regulator received questions from several users on whether a particular Italian site’s use of Google Analytics falls under the GDPR. After lengthy investigations, the Italian regulator warned companies to stop using Google Analytics or set up GA in a GDPR-compliant way within 90 days.
Similarly, the Dutch data protection authority has also investigated complaints against Google Analytics.
Besides that, the Italian regulator released a public notice that they received multiple complaints about the data transfer to the US companies. All Italian website owners should consider this when implementing US-based intelligent tracking tools. Otherwise, penalties may be applied.
Non-compliance with GDPR in the context of data transfers of EU users to US companies, mainly when using Google Analytics, is a significant concern. The potential penalties and the impact on user trust make this a crucial issue for website owners and digital marketers to address.
Understanding what methods do not make Google Analytics GDPR compliant is crucial. For instance, data encryption, a commonly used method, has limitations that may not guarantee user data protection, as the Italian regulator explained.
1. Data encryption
The Italian regulator says transferring encrypted data is unacceptable and can’t guarantee user data protection. Encryption technology expects encryption keys on Google’s side to be used to see and process raw user data. So, as long as the encryption key is available to the Data importer (in this case, Google), this method cannot be considered GDPR compliant.
2. Built-in Google Analytics features that remove IP
Google tried to adapt to the EU privacy rules by implementing features designed to anonymize user data. EU regulators said that in practice, such technologies as redacting user IP addresses might have close to zero effect on preventing user identification, mainly because Google constantly processes IP addresses.
3. User consent
Google Analytics is still not GDPR if a user consents to analytics cookies. They stated that consent and data transfer to US companies are different. User consent does not help fix the issue with data transfer outside the EU.
According to regulators, using an EU proxy server is a possible solution. This proxy server aims to break the interaction of US intelligence tracking tools with user browsers. One way to implement such a proxy server is to use Google Tag Manager.
Additionally, setting up a data processing agreement with your analytics provider is crucial to outline responsibilities and ensure compliance with GDPR.
Proxy servers have to meet a set of criteria. The two most important are:
While the point about EU-registered companies is clear, you can quickly check where a company is registered on their website or by checking public register directories. The second point might need to be clarified.
The main misunderstanding concerns the use of Google Cloud for sGTM. You can’t use Google Cloud as a proxy server for your sGTM. When setting up a proxy server (which can be a Google Tag Manager server), not only should the server zone be in Europe, but the physical server must also be located in Europe and owned by a European company. Google is not an EU company, which does not satisfy two main criteria.
The bad news is that using a 100% EU proxy server for your server Google Tag Manager is insufficient. You must remove any user data used to fingerprint or identify users by the analytics platform. You must also pseudo-anonymize user data before sending it to the US tracking tool.
To ensure GDPR compliance, it is essential to manage the data collected from users carefully.
1. IP address
You must remove the IP address from the request to prevent it from being used to identify users. Simply cutting the IP address will not work, as it can still be used to identify areas where the user is.
2. User identifiers
When a user visits your site, Google generates a unique client ID that identifies the user's browser-device pair and is stored in cookies. The client ID generated by Google must be removed, though you can still use a randomly generated client ID.
3. External referrer
You must remove any data about the website the user visited before landing on your site. Usually, this data carries information on whether visitors landed on your site by clicking a link in someone’s blog post, organic search, etc.
4. URL parameter
Often, URL parameters contain information (utm_parameters) about the source, medium, campaign, or click ID. Besides that, some websites insert user data (like email, name, phone) into the URL. No matter what URL parameters your site carries, it must be removed.
5. Any data that can be used for fingerprinting
Various data can be used for fingerprinting; there is no clear information on what data regulators consider suitable for fingerprinting. However, it may include browser, device, model, language settings, screen resolution, etc.
6. Cross-site identifier
Any ID can identify the same user on a different website. It might be a user ID, user ID in CRM, email, etc.
7. Any data that could be used for user identification
Any information about the user.
There is no way to automate removing all the parameters described above for now. All these must be manually replaced using the server Google Tag Manager interface.
We created a new product - European Server GTM Hosting. Stape Europe is a European company (registered in Estonia) that uses Scaleway, a 100% EU cloud server provider, to host server GTM containers.
Using tools like Google Consent Mode can also help adjust data collection based on user consent, ensuring compliance with GDPR.
We cover all questions related to the EU-owned proxy server. When setting up an sGTM container using Stape Europe, you do not transfer any data to the US company since Stape Europe is an EU-registered company, and we use servers physically located in Europe.
Unfortunately, we do not have a solution for automated user data removal. Our team is working hard to implement features that will help to remove PII automatically, or at least we will make your life easier by removing some of the PII automatically.
Here are some more ways in which Stape can help you reach GDPR compliance:
1. Anonymizer
Anonymizer power-up is available for all Stape users. Its main goal is removing or anonymizing user data from Google Analytics 4. An anonymizer hides users' personal info, which helps with privacy and meeting legal requirements like GDPR. If you’re using it, ensure the data passing through it follows privacy rules.
A consent banner is needed to get users’ permission to collect their data. It should clearly explain what data you’re collecting and why, and be set up in line with laws like GDPR.
3. Geo Headers
Geo headers give you data about where the user is located. This is useful for targeting and making sure you follow local laws on data protection. Just make sure they’re set up correctly.
Server-side tracking might solve your issues if you set it upright. But it’s important to talk to your legal team to ensure you’re fully compliant with the laws.
A lot of work must be done to make Google Analytics GDPR compliant. It might be a real pain if you are unfamiliar with server-side tracking. Implementing Google Analytics 4 with proper configurations can also help maintain GDPR compliance.
The good thing is that with Stape Europe, you do not need to worry about an EU proxy server. You can access data anonymously in the server's Google Tag Manager interface.
How would Google Analytics data look after you remove all the required information? Will it be sufficient to analyze user behavior, site performance, etc.? Well, we will have fewer data. But this is a new reality we need to get used to.
Either you decide to stay GDPR compliant and receive less data about website visitors, or you need to pay attention to these rules and risk receiving warnings or fines for transferring user data to the US.
Though there were cases related to data transfer in Italy, France, and Austria, some other European countries have already started to discuss similar regulations. If you implement server-side tracking, we suggest immediately removing the part about data transfer to the US. Do not wait until the same cases happen in your country; you must redo the setup.
If you have any questions, feel free to contact us. The Stape team can help you set up an EU proxy server. Our team of experts is always happy to help new users get started by tracking them and guiding them along the way.
Stape has lots of tags for server GTM! Click on Try for free to register and check them all.
