The Danish Data Protection Agency (Datatilsynet) recently issued a press release stating that the use of Google Analytics in its standard form “cannot be used lawfully”.
This statement is very much in line with previous rulings in Austria, Italy and France earlier this year. For more information on this, check out Is Google Analytics coming to an end?
The new ruling in Denmark is an important one given the widespread use of Google Analytics in Denmark and the fact that many businesses strongly rely on the tool for reporting, analysis and marketing activation purposes. Here is our take on some frequently asked questions:
FAQ
Does this ruling cover Universal Analytics, Google Analytics 4 or both?
Datatilsynet has clarified that the ruling covers both Universal Analytics and GA4.
How can I become compliant if I already use Google Analytics?
There are two options, according to The Danish Data Protection Agency:
1) Switch to another privacy-safe provider
This is simple enough and may be a good solution for some companies. However, it is likely to be a costly alternative, as it requires a considerable investment both in the technical implementation (recreating reports, dashboards, BI integrations etc.) and internal training. In addition to that, good Google Analytics alternatives also require payment of a license fee. You can download our free guide of alternative analytics platforms right here.
2) Adjust your current Google Analytics setup to a reverse proxy (server-side tracking).
For most companies, this is not a viable solution. The Danish Data Protection Agency recommends stripping out so much information and features that the resulting Google Analytics setup would be useless for 99% of users.
However, you may be among the selected few for whom this alternative makes sense. We wrote another really useful guide to help you tackle the cookieless world with server-side tagging, which is also available for download.
Didn’t the EU and the US already find a solution for GDPR-compliant transfer of private data?
In a way, yes. But it’s not ready yet. The EU and the US agreed on a new Trans-Atlantic Data Privacy Framework (TADPF) back in March, but the agreement needs to be translated into law before it’s enforced, and that will take some time. Current expectations are set for a solution in March 2023, but there are still a lot of unknowns in this process.
What do you recommend then?
For many companies, it might make sense to move to a server-side tagging approach.
This won’t make you compliant unless you go to the extreme that The Danish Data Protection Agency recommends. However, it does grant you additional control of the data you collect and certainly moves you closer to compliance. It’s worth noting that this approach comes with a series of advantages, such as better page load speed, better data quality (e.g. extension of cookie lifetime) and easier integration with other first-party data. The mere effort to remain or become GDPR compliant can be enough to accommodate the authorities’ requirements, according to the statement below, which you can read in full here.
The Danish Data Protection Agency naturally takes into account in its assessment of a case to what extent an organisation is actively taking steps in bringing its processing operations in compliance with the law
The Danish Data Protection Agency
In conclusion
At the end of the day, you need to make your own risk assessment. However, there is an argument to be made that you will reduce your risk by taking steps like server-side tagging, even if it doesn’t necessarily make you 100% compliant. For some companies it may also make sense to consider a new analytics tool to ensure compliance right away.
In our opinion, it doesn’t seem likely that this ruling will be enforced in the near future. Another possibility is that the situation can solve itself with the maturity of the Trans-Atlantic Data Privacy Framework. But it is a good idea to (re)consider your whole approach to data collection and the tools you use for it.
DEPT® can help you steer through this new reality by supporting your overall strategic approach to data collection, as well as the hands-on implementation and adoption of relevant technology such as server-side tracking or a new web analytics tool.
Note: This article has been updated to reflect clarification from The Danish Data Protection Agency that their ruling covers both Universal Analytics and GA4.
Visit this page to see our full scope of Data services or get in touch below.
More Insights?
View all Insights
Questions?
Data & Intelligence Director