“Google Analytics declared illegal” A panic wave like we haven’t seen since the introduction of the GDPR is rippling through the world of marketing. What is actually happening? And what should you do?
Let’s start with a simplified management summary: Under GDPR, you are not allowed to share personal data with the US, due to their privacy shield, but there is a legal escape. This escape has now been challenged by an Austrian organisation, claiming i.e. that Google Analytics still shares personal data to the US. This is now confirmed by the AU Privacy Authority. And although Google objects, as a result other EU authorities are now evaluating whether to also prohibit the use of Google Analytics. Many (advertising) platforms can be expected to follow.
Background
May 25th 2018, the GDPR comes into effect. A broad set of measures regarding data privacy, cookie consent being just one of them. July 2020, the EU Court of Justice (CJEU) rules transferring personal data to the US is in violation of the GDPR (the Schrems II ruling). As under US law, US intelligence services are allowed to access this data. This is violating the privacy of EU citizens, and prohibiting them to exercise their rights in regard to their data ownership.
Although this directly prohibits the use of tools like Google Analytics (GA) or advertising with parties like Google or Facebook. Big tech providers reply with the so-called standard contractual clauses, previously approved by the EU. Providing a new legal basis to make use of their software.
What just happened?
After the CJEU ruling, an Austrian based non profit organisation called NOYB filed a list of complaints to their privacy authority. As they felt most tech companies were still violating the GDPR, and the standard contractual clauses were not a good enough safeguard to EU citizens data. Because, do they indeed prevent US intelligence from being able to access the data?
The Austrian Privacy authority now decided the sharing of IP addresses or other identifiers to GA is indeed still in violation of the GDPR. These identifiers make it possible to recognise users, and therefore privacy is not protected.
Google published a quick response in which they explain on the one hand the many measures they have in place, but primarily highlight how although they offer the tools, it’s the users, so you as a company, that decide what data is being collected. So in short they are stating “don’t blame or punish us for how our users are (mis)using us”
Nevertheless, other privacy authorities, like the Dutch AP are now evaluating whether they agree and will also declare the use of GA in violation of the GDPR.
What’s next?
First of all we’ll have to wait and see what they decide, this is expected in Q1 2022. And if they decide against GA, whether Google once again is quick to the rescue with a legal response.
Truth is, it is not unlikely GA will indeed be prohibited in its current setup, and the remaining legal grounds are becoming quite thin. And although both we and Google can also expect to get a transition period to amend to the new situation. A technical response, in either further anonymising data, or physically keeping it within the EU is not as easily created, or approved.
So if this happens, what can you do? Because obviously, this will have a massive impact on what tech remains available to be able to do your digital marketing. In regard to analytics we distinguish 4 alternatives:
Please note: don’t rush into one of these, it’s advisable to wait for the developments of the upcoming days/weeks. Make sure to consult your next steps with your marketing but also legal partners.
What will the future bring?
GDPR, ITP, IDFA, CYEU, NOYB, it’s becoming hard to keep track of all the abbreviations in relation to data protection. Fact is that both from a legal and technical perspective, the amount of data you are allowed or able to process will only be limited further. For any company it is advisable to continue towards a first party data strategy.
Ask your users to share their data with you, make sure to have appealing benefits to convince them to do so. We will continuously have to accept the new reality in which the common understanding of privacy in the offline world is equally applied online.
Offline, I can just walk into any store, browse around and leave without the store owner being able to follow or market me. But if I feel triggered, if I have a question, I will reach out to a salesperson, have a personal conversation and possibly a transaction or business relation follows. Online, we’ll have to accept a similar anonymous volume, and shift our focus to helping those users that make themselves known to us.
Final remarks
Since the introduction of the GDPR, we are finding ourselves in an enormous grey area. And to be honest, steps like this one do help in getting a clear understanding on where the red lines are. They provide clarity to tech providers on how to follow this law, and on companies on what they are and are not allowed to do.
Whether or not we agree as marketeers on what’s happening, we all share an ethical responsibility on what we are making, and what we are using to do so. We will have to adjust. And when the dust of GDPR, ITP etc has settled down, things will be drastically different. The future will no doubt still contain data and digital marketing.
Personalisation with respect to privacy?
To be continued…
