Privacy is such a huge concern at the moment, and especially Google Analytics. It’s time to actually run through this with you guys and really explain what the issues are that are coming up for Google Analytics, and why I removed Google Analytics, probably going back to 2018, when GDPR first came in and I was very unsure as to whether Google Analytics would actually be seen as compliant.
It looks now that I feel quite vindicated in that quite dramatic decision that I made to say that I was not happy to use Google Analytics until I knew for sure that it was going to be compliant. At the time, we had no cases; we had no court cases coming through European courts, so we didn’t have any precedent legally speaking.
This year in 2022, we can see court cases coming through. I think that for business owners who are not working in tech, it’s a minefield, and every now and then they’re just getting bombarded with something, or they’re noticing something like, oh, Google Analytics is illegal. What does that mean? And should I delete it? What am I supposed to do? But we also have web designers and web developers like myself who are setting up Google Analytics for clients, and we might be managing Google Analytics and reporting for our clients.
What should we tell clients to do?
The other side of this is what we should be advising our clients to do, and it’s also such a legal minefield. Disclaimer at the beginning of this: I am not legally trained, I am not a legal expert. I’m just trying to come at this from an educated standpoint. I’m going to be going through some pages that are on the internet, and I’ll be including the links in this article.
There are three places that have some interesting precedent being set. So we’re going to go to France, Austria, and Italy, with Italy being the most recent country to show us a court case where they are actually setting precedent that using Google Analytics in the EU is illegal under GDPR, and that websites using it are not compliant.
We’re also going to go into what alternatives you could use if you do decide to remove Google Analytics. What are the possible benefits of that? And what are the other tools you could use? So make sure you stay tuned until the end, mainly for the Google algorithm but also because that’s where all the good tips will be.
This is the Simple Analytics blog. I actually would not have known that Italy also had a court case were it not for finding this blog. They are on the same page as me, which is why it’s time to move away from Google Analytics. I have done it, and I feel a lot better for it. And I’m going to make the case that you can also move away from Google Analytics, and that you and your websites will be all the better for it.
Google Analytics is one of the best free tools Google has ever created. 55% of the existing websites on the internet use an analytics tool, and 85% of those using analytics at all on their websites, use Google Analytics.
So of all of the websites that are using analytics, 85% are using Google Analytics, which is really an incredible percentage. We see this a lot obviously working in SEO, that Google dominates certain areas, one of those things would be organic search, and the other would be around Google Analytics as well.
With the privacy issues going on, there is also the change to GA4, which I’m going to discuss after we go through these court cases. Italy was the third country to ban Google Analytics officially. The news broke on June 24 that a careful examination had concluded that Google Analytics violated GDPR law, which is very, very interesting. And that was only a week after another guideline had been published in France, with legal precedent again being set there.
France ruling on Google Analytics
We’re going to start off with the France decision here on the cnil.fr website. There’s a unique identifier assigned to each visitor in your Google Analytics, and this identifier constitutes personal data. That’s really interesting for GDPR. The associated data is transferred by Google to the United States. And this is where the issue is.
It seems, looking at the plethora of court cases that we have now, that when the data is being transferred to the United States, an assessment has actually been made of the ability of servers in the United States to keep their customers’ data, or whatever data they’re storing, completely private. The assessment is that that’s impossible to do, because that data can actually be requested from the server under the national security laws that they have over there.
So the conclusion seems to be that because it’s actually being transferred onto a US server, and because in the US, they can actually request the private data of those individuals, and they have laws that will facilitate that, that then means that this data is not adequately protected under GDPR.
The CNIL concludes that transfers to the United States are currently not sufficiently regulated. Concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular. So they are essentially saying: we would have been happy to let the data be transferred to the US if we felt that, on a US server, it was still protected adequately. However, the CNIL found this was not the case. Indeed, although Google has adopted additional measures to regulate these transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services.
As a website owner, you have to be aware that when you’re running Google Analytics, on your website, you are collecting data through Google Analytics of the people visiting that website. And that data is not remaining in the EU or on an EU server; it is being transferred outside of the EU area. It’s ending up on a US server. And the protections on the US server are not enough to adhere to that high standard of GDPR.
Austrian ruling on Google Analytics
The Austrian DPA was the first in Europe to decide on one of these complaints. Although the decision is not yet legally binding, in light of the ECJ’s ruling, it can be expected that other European DPAs will issue similar decisions. And that’s kind of what we’re seeing happen now. The key messages from this decision are the two findings that the Austrian DPA held:
The first is that data collected by Google Analytics is considered personal data under the GDPR. That’s interesting in itself. As for the IP addresses, there’s a way with Google Analytics to anonymize them (older versions of GA needed this to be enabled manually), and from what I’ve read, the way that the IP addresses are anonymized isn’t enough: obfuscating the last few characters of the IP address, or whatever was being done there, actually isn’t considered enough.
At one point before these cases came in, we might have thought that using Google Analytics would be okay under GDPR if we used the anonymized IP address, because that would mean that it wasn’t traceable to a person. What we’re actually finding is that the authorities are not happy with the way in which the IP addresses are obfuscated. They’re also saying that because it’s Google, and because they have other information about that user that they’re linking to the IP address, you can put all of it together as a profile of one person. That is too much, and it is now becoming personally identifiable information, or PII.
The second is again related to the transfer of the data onto a US server, and the US server not being considered private enough or protecting privacy enough. So again, they talk about user identifiers, IP addresses, and browser parameters; these are all the things that Google Analytics will collect. Because they contain unique reference numbers (and that’s an interesting one: Google are using unique reference numbers to link all of that data together to make it identifiable to one person) and other more general information, a digital footprint can be created that allows the user to be identified. And so again, they’re not able to give a green light to Google Analytics in the EU.
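The linkage problem behind both findings, as an added example that is not from the original article: it assumes IP anonymization zeroes the last IPv4 octet (the last 80 bits for IPv6), as documented for Universal Analytics, and runs on constructed hits with made-up client IDs.

```python
import ipaddress
from collections import defaultdict

def truncate_ip(addr: str) -> str:
    """Zero the last IPv4 octet, or the last 80 bits of an IPv6 address.

    Assumption: this mirrors the IP anonymization documented for
    Universal Analytics; the article does not spell the method out.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

# Constructed sample hits: (client_id, ip, user_agent, page).
# Client IDs and addresses (documentation ranges) are made up.
HITS = [
    ("cid-A", "203.0.113.77", "Firefox/102 Linux", "/pricing"),
    ("cid-A", "203.0.113.77", "Firefox/102 Linux", "/contact"),
    ("cid-A", "198.51.100.9", "Firefox/102 Linux", "/blog"),   # same visitor, other network
    ("cid-B", "203.0.113.12", "Safari/15 macOS", "/pricing"),  # neighbour in the same /24
]

def build_profiles(hits):
    """Group 'anonymized' hits by the unique identifier stored in the cookie."""
    profiles = defaultdict(lambda: {"networks": set(), "agents": set(), "pages": []})
    for client_id, ip, agent, page in hits:
        p = profiles[client_id]
        p["networks"].add(truncate_ip(ip))  # the IP is truncated before storage
        p["agents"].add(agent)
        p["pages"].append(page)
    return dict(profiles)

def visitors_sharing_network(profiles, network):
    """Client IDs seen behind one truncated address."""
    return sorted(cid for cid, p in profiles.items() if network in p["networks"])

if __name__ == "__main__":
    profiles = build_profiles(HITS)
    for cid, p in profiles.items():
        print(cid, sorted(p["networks"]), p["pages"])
    # Truncation merges both visitors into 203.0.113.0, yet the identifier
    # still separates them and follows cid-A across two networks.
    print(visitors_sharing_network(profiles, "203.0.113.0"))
```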
Italy ruling on Google Analytics
So we’re going to move on to Italy, which was the most recent one. So this was: the Italian SA bans the use of Google Analytics, citing no adequate safeguards for data transfers to the USA. A website using Google Analytics is without the safeguards set out in the EU GDPR.
The Italian SA came to this conclusion after a complex fact-finding exercise it had started in close coordination with other EU data protection authorities following complaints it had received. The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer.
The Italian SA reiterated that an IP address is personal data, and would not be sufficiently anonymized given Google’s capabilities to enrich search data through additional information it holds. So this, again, can be quite a Google specific kind of a problem.
Delete Google Analytics
I had already stopped using analytics when GDPR first came in, but I know that a lot of you reading probably are still using it. A lot of your clients are still using it. A lot of you just have business websites where it’s running, and you are just trying to learn more. I’m going to go into other reasons why maybe now is a good time to get rid of Google Analytics, and actually just try a different, privacy-friendly service or a competitor.
One of these reasons you might have heard already: Universal Analytics from Google is actually being sunsetted, if that’s the right term. Universal Analytics (UA) is what we all know well, and this is the version of Google Analytics that we’ve been using for years and years. Google haven’t come out and said why they have a very new version of Google Analytics (GA4) that won’t actually be compatible with Universal Analytics anymore.
But I imagine it’s for all of the reasons that we’ve just gone through in the EU countries, I think Google are just trying to clean up how they’re collecting data. And they’re going to make some kind of effort to be compliant in the EU, again, it remains to be seen, I don’t know that they’re going to store that EU data on EU servers. And I don’t know how far they’re prepared to go to get that business back or how many people have actually deleted Google Analytics and how much of a threat it is to their business, all of these things, I don’t know.
Google Analytics 4 (GA4)
Everybody will have to migrate to what they’re calling GA4. This is a new iteration of analytics and both systems will not be compatible with each other. I think that is to do with how the data has been traditionally collected under the older version of analytics, which is quite interesting that it has to be a whole new system that is completely not compatible with the old system.
GA4 will be more reliant on AI to kind of get that more advanced level of information that we used to get from tracking people quite invasively, which Google potentially will not be able to do anymore. And that’s not just an EU thing that’s a societal shift as well, I think customers and people that are using web browsers are demanding privacy, they do not want to be tracked around the internet.
So just be aware for yourself: if you are using an older version of analytics, and you haven’t updated it, yes, that will be going away in 2023, and you will need to move on to GA4. Google says: “Google Analytics 4 is our next generation measurement solution. And it’s replacing Universal Analytics on July 1 2023. And standard Universal Analytics properties will stop processing new hits.”
Until July 1 2023, you could continue to use and collect new data in your Universal Analytics properties. I wouldn’t actually advise that personally. If you’re in the EU area, I would say there’s an issue with how that data is actually being collected. So in my opinion, you cannot afford to wait until July 2023. I think it’s taking a risk to continue leaving it on your website, so I wouldn’t advise that if you’re in the EU area. After July 1, you’ll be able to access your previously collected data for at least six months.
This page is useful if you do feel like you want to transfer onto GA4. I’ve been reading up on GA4 again, not a legal expert, but from what I’ve read from people who know a bit more legally than I would, GA4 is also not compliant.
Browsers block Google Analytics
I’m going to give you another problem with Google Analytics, just in case I hadn’t given you enough. This article is from Plausible Analytics, they are biased because they are a competitor to Google Analytics, but this is very interesting information.
58% of Hacker News, Reddit and tech savvy audiences block user analytics.
How much data is missing from Google Analytics due to ad blockers and privacy-friendly browsers? Consumers that are just browsing the internet do not want to be tracked. They are actively blocking things from tracking them. Browsers are now starting to do this automatically as well, so where before you might have had to install an ad blocker, now a lot of browsers are actually doing this natively, which, again, is coming from consumer demand. So that’s another thing to bear in mind about not tracking your website users. Do you need to invade your web visitors’ privacy or invasively track them, or can you do something that actually makes them happier because you’re interested in keeping them safe by keeping their data safe?
Several browsers, including Firefox, Brave and Safari, interfere with Google Analytics and Google Tag Manager tracking. Google Analytics and Google Tag Manager calls are blocked by many adblockers too.
They compared Plausible Analytics to Google Analytics data on the blog above, and they saw a huge discrepancy in the number of visits that were being recorded, which could be down to people’s browsers actually blocking Google Analytics. They’re just showing the stats from their case study, the results of which showed that 68% of laptop and desktop users block Google Analytics, 88% of Firefox users block Google Analytics and 82% of Linux users block Google Analytics.
I was amazed when I came across a truly privacy-enabled analytics solution that would actually replace Google Analytics for me, and that stored all of the data on EU servers. Again, I’m not a legal expert, so please do your own research into Plausible Analytics and decide for yourself. Get legal advice if you need to, and get your solicitor to look over this version of analytics to see if they feel it’s compliant.
This is a simpler analytics tool that respects the privacy of the people visiting your website. The data is stored on EU servers, and you’ve basically made your absolute best effort to protect their privacy, not collect any personally identifiable information, and store it properly on EU servers. This is one of those solutions, and there are other privacy-enabled analytics tools springing up as well, which I find lovely. I think it’s been a long, long time since we saw an opportunity for anybody to enter the web analytics market and actually have a chance against Google Analytics.
This is the first time I’ve really seen this happen. These products are experiencing huge growth at the moment. And I just think that’s lovely to have not such a monopoly on web analytics, or just having, you know, this one dominating provider. When you support these products, you’re actually supporting small teams of developers, all around the EU, or Europe. And that’s a lovely thing as well, to do that while looking after your web visitors at the same time.
For me, that’s a win. And you can run something like Plausible Analytics alongside Google Analytics. So if you migrated to GA4, say, you can run Plausible alongside it. And then you can decide, after maybe getting data from both, whether it is feasible for you to actually move off Google Analytics and onto something like Plausible.
Deleting Google Analytics improves PageSpeed
When I had Google Analytics installed on my website, I had no doubt that the script slowed down my websites. It was so interesting to me that when I installed Plausible Analytics, it had no effect on my PageSpeed whatsoever. It’s so tiny in size because it’s just not collecting all of that data. It’s doing much less, it’s much smaller, it’s much more lean, not in a bad way, but in a good way. For example, I have a PageSpeed of 94 for mobile on my homepage, which is really good because I have a lot of big images on there as well.
That PageSpeed is just so nice to have. I remember doing a check before I installed Plausible Analytics, and then doing a check afterwards and realizing that it basically didn’t slow down my website at all. So I just think that’s the extra kind of bonus with this that might just tip people reading over the edge. That’s what I’m hoping.
Delete Google Analytics data
You might be wondering how to delete any PII as discussed above, that may be held by your Google Analytics property. Within Google Analytics you will see a data deletion request area.
Delete Google Analytics property
Google support pages will help you at support.google.com
To sum up, we have legal cases coming through the EU. We have Austria, France and Italy. We have rulings from those three countries within the EU, and it’s very likely that by the end of 2022, we’re going to see other countries in the EU follow suit with their own rulings on this.
My prediction is that Ireland might be towards the end of that. But at some point, we will have to do that as well, because the more countries in Central Europe that make these rulings, the more pressure there is to follow suit. I would say that if you are migrating at the moment from the older version, Universal Analytics, on to GA4, then since you have to do all that work anyway, maybe now is the time to just trial something like Plausible Analytics or look up the other privacy-enabled analytics tools that you can test out.
I really think from a marketing standpoint, going privacy first is beneficial on all these different levels.
I would love to find out from people reading, what kind of analytics are you using? Do you think you would change? Did anything that you read change your mind in any way about Google Analytics? Or are you quite happy and you won’t change it? @ me on Twitter!