Earlier this year the data protection authorities of several EU countries, among them France, Austria, Italy and Denmark, found that using Google Analytics without additional safeguards is incompatible with GDPR. Their reasoning: user data transferred to the US for processing by Google lacks adequate legal protection, following the 2020 Schrems II judgment in which the Court of Justice of the EU invalidated the EU-US Privacy Shield. Unless such safeguards are in place, user data must be collected, processed and stored without leaving the EU.
Since personal data cannot simply be sent to Google as it is collected, it must be redacted or pseudonymized before it leaves the EU, so that nobody outside the EU can make sense of it or re-identify the person behind it.
What's more, Schrems II and these recent decisions mean that the key used for that pseudonymization cannot sit with an entity operating in a region that lacks adequate safeguards for EU citizens' data, because the recipient could otherwise simply reverse the transformation. The United States is the standard example: Section 702 of FISA lets US intelligence agencies compel US providers to hand over data they hold, including data about EU residents, without effective redress for the people concerned.
However, to add another layer of complexity, last month US president Joe Biden signed an executive order intended to make life easier for businesses that need to export EU user data to the US for processing. The European Commission will now review the order and propose a draft adequacy decision, which itself has to pass through several committees. So, in short, there is no definitive decision yet. If and when it is approved, likely sometime next year, it could make data transfers between the EU and the US much easier.
This might leave you wondering how on earth you are going to collect website data in the interim and keep up with all this regulation without expensive overheads. Fear not: in this article we explore your options for navigating this tricky issue.
Can I continue using Google Analytics?
The short answer is yes, but at present it requires additional safeguards to ensure that EU residents' data cannot be re-identified by US authorities. In practice that means encrypting, hashing or removing certain data before it reaches Google, with the data controller retaining sole control of the key used to do so. Before we dive into the details, it is worth reminding ourselves of a few terms.
Encryption scrambles data with a key so that only holders of that key can read it. Its usual job is to keep a data set away from attackers. What we are discussing in this article is using it (or a keyed hash) to pseudonymize identifiers before they leave the EU, and because encryption is reversible by anyone who holds the key, the question of who holds that key is the whole point.
Hashing runs a value through a one-way function and produces a fixed-length digest. It is deterministic (the same input always gives the same digest) but not reversible, which is why it is used to avoid storing sensitive values such as passwords in plaintext. One caveat matters here: when the input space is small, for example an IPv4 address, an email address or a numeric customer ID, a plain hash is trivially reversed by hashing every candidate and comparing, so a secret key (an HMAC) held by the controller is needed for the output to count as protected.
Pseudonymization is the GDPR term for processing personal data so that it can no longer be attributed to a specific person without additional information, such as a key or lookup table, that is kept separately and protected. Pseudonymized data is still personal data; it is not anonymous, because whoever holds that additional information can reverse the transformation. That is exactly why the regulators care where the key lives: if Google, or a US authority with access to Google, could obtain it, the pseudonymization achieves nothing.
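To make the hashing caveat concrete, here is an added example (not code from the original article) showing that an unkeyed SHA-256 of an IPv4 address is recovered by a simple dictionary attack, while an HMAC with a key held by the controller is not. The /16 candidate range, the key generation and the sample address are this example's own assumptions.

```python
# Added example: why a plain hash of a low-entropy identifier (an IPv4 address)
# is not anonymization, while a keyed hash with a key kept in the EU is.
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Assumption: the controller's secret key, generated here for the demo; in
# production it is loaded from a secret store inside the EU and kept stable.
CONTROLLER_KEY = secrets.token_bytes(32)


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256: what a naive 'anonymize the IP' step often does."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_hash(ip: str, key: bytes = CONTROLLER_KEY) -> str:
    """HMAC-SHA256: same determinism, but useless to anyone without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reverse_ip_hash(digest: str, network: str = "10.0.0.0/16") -> Optional[str]:
    """Dictionary attack: hash every address in a candidate range and compare.
    A /16 is 65,536 SHA-256 calls (well under a second); the whole IPv4 space
    is 2**32 calls, still feasible on commodity hardware in hours."""
    for addr in ipaddress.ip_network(network):
        candidate = str(addr)
        if hmac.compare_digest(plain_hash(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    victim = "10.0.37.201"  # constructed sample address
    print("plain SHA-256 recovered:", reverse_ip_hash(plain_hash(victim)))
    print("HMAC recovered:", reverse_ip_hash(keyed_hash(victim)))
```

The attack works against the plain hash because the attacker can enumerate every possible input; it fails against the HMAC only as long as the key never leaves the controller, which is the same condition the regulators attach to the encryption key.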
So, now that we’ve covered some key terms, we’ll dive into your options for navigating the Google Analytics regulation in the EU.
What are my options?
Google Analytics users in the EU have two main options: keep using GA with a proxy server in front of it, or switch to an alternative analytics tool until GA compliance becomes easier to manage.
A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing it. To make Google Analytics compliant, the browser sends its tracking hits to a proxy you host in the EU instead of to Google directly; the proxy 'cleans' each hit and then forwards it to Google for processing, so that nothing in the forwarded data allows US authorities to re-identify the person. Because the proxy makes the outbound request itself, there is no direct contact between the user's device and Google's servers, and Google sees the proxy's IP address rather than the user's.
So, in this workaround you first set up a proxy server to receive the hits, then transform each hit to remove anything user-identifiable before forwarding it to Google. The CNIL (Commission Nationale de l'Informatique et des Libertés, the French data protection authority) has published guidance on how to limit the data transferred, summarized below:
The user's IP address must not be sent to Google. The proxy receives it, but must drop it (and any forwarding header that carries it) rather than pass it on.
Any user identifier (e.g. a user ID or CRM ID) must be encrypted or hashed by the proxy, using a key that stays with the controller in the EU.
The external referrer (the address of the previous page from which a link to the current page was followed) must be nullified.
All UTM parameters must be removed from the URLs collected.
User agents (the software that retrieves, renders and facilitates end-user interaction with web content) must be nullified or generalized when they are rare enough to serve as a fingerprint. You will need to map the user agents you see to know which fall into this category.
Cross-site or lasting identifiers, for example third-party user IDs, must not be collected.
Any other data that could lead to re-identification, for example a user's address, must be deleted.
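The checklist above, applied to one Universal Analytics hit, as an added example that is not code from the original article or from CNIL. It implements the cleaning step of such a proxy in Python: the Measurement Protocol v1 parameter names (cid, uid, uip, geoid, dl, dp, dr, ua, cn/cs/cm, gclid) are real, while the allow-list, the K_ANON threshold, the key handling and the sample hit are this example's own assumptions. It goes slightly beyond the list by denying every parameter by default rather than removing known-bad ones.

```python
# Added example: EU-side cleaning of a Universal Analytics Measurement Protocol
# hit before it is forwarded to Google. Not the article's or CNIL's own code.
import hashlib
import hmac
import os
import secrets
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Key held only by the EU controller. It must be stable across restarts or the
# pseudonymized client IDs change and sessions stop stitching together.
PROXY_KEY = (bytes.fromhex(os.environ["GA_PROXY_KEY"])
             if "GA_PROXY_KEY" in os.environ else secrets.token_bytes(32))

# Deny by default: only these hit parameters are ever forwarded. Everything
# else (uid, uip, geoid, ua, campaign fields cn/cs/cm/ck/cc/ci, gclid/dclid,
# custom dimensions cd1..cdN, screen/plugin fingerprint fields) is dropped.
ALLOWED_PARAMS = {"v", "tid", "t", "cid", "dl", "dp", "dt", "ul",
                  "ni", "ec", "ea", "el", "ev"}
CLICK_ID_KEYS = {"gclid", "dclid", "fbclid"}   # ad click IDs carried in URLs
GENERIC_UA = "Mozilla/5.0 (generic)"
K_ANON = 50          # a user agent seen fewer times than this is a fingerprint
GA_COLLECT = "https://www.google-analytics.com/collect"


def pseudonymize(value: str, key: bytes = PROXY_KEY) -> str:
    """Keyed hash: stable per value so sessions still stitch, but not
    reversible or brute-forceable by Google without the controller's key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]


def strip_tracking_params(url: str) -> str:
    """Remove utm_* and click-ID parameters, and the fragment, from a URL."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.lower().startswith("utm_") and k.lower() not in CLICK_ID_KEYS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def clean_referrer(referrer: str, site_host: str) -> str:
    """Keep only same-site referrers (minus tracking params); external ones are nullified."""
    host = (urlsplit(referrer).hostname or "").lower()
    if host == site_host or host.endswith("." + site_host):
        return strip_tracking_params(referrer)
    return ""


def generalize_user_agent(ua: str, ua_counts: dict) -> str:
    """Forward a user agent only if it is common enough not to single anyone out."""
    return ua if ua_counts.get(ua, 0) >= K_ANON else GENERIC_UA


def sanitize_hit(params: dict, request_ua: str, site_host: str, ua_counts: dict):
    """Return (forwardable params, outbound headers) for one incoming hit.
    The client IP is deliberately not an input: the proxy never forwards it and
    never sets X-Forwarded-For, so Google only ever sees the proxy's address."""
    out = {}
    for key, value in params.items():
        if key not in ALLOWED_PARAMS:
            continue
        if key == "cid":
            value = pseudonymize(value)
        elif key in ("dl", "dp"):
            value = strip_tracking_params(value)
        out[key] = value
    referrer = clean_referrer(params.get("dr", ""), site_host)
    if referrer:
        out["dr"] = referrer
    headers = {"User-Agent": generalize_user_agent(request_ua, ua_counts)}
    return out, headers


def forward(params: dict, headers: dict) -> None:
    """Send the cleaned hit to Google from the proxy's own IP (network call)."""
    req = urllib.request.Request(GA_COLLECT, data=urlencode(params).encode(),
                                 headers=headers, method="POST")
    urllib.request.urlopen(req, timeout=5).close()


# Constructed sample: what the browser-side GA library would send, plus the
# request's User-Agent, for a visitor arriving from a newsletter link.
SAMPLE_UA = "Mozilla/5.0 (X11; Linux armv7l) Midori/9.0"
SAMPLE_HIT = {
    "v": "1", "tid": "UA-000000-1", "t": "pageview", "cid": "555.123",
    "uid": "crm-4711", "uip": "203.0.113.7", "geoid": "FR",
    "dl": "https://shop.example/checkout?utm_source=newsletter&utm_medium=email&step=2",
    "dr": "https://www.google.com/search?q=example+shop",
    "cn": "spring-sale", "cs": "newsletter", "cm": "email", "gclid": "abc123",
    "cd1": "gold-tier", "ua": SAMPLE_UA,
}
# Constructed user-agent frequency table from the site's own traffic.
UA_COUNTS = {"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/107.0": 12000, SAMPLE_UA: 2}

if __name__ == "__main__":
    cleaned, hdrs = sanitize_hit(SAMPLE_HIT, SAMPLE_UA, "shop.example", UA_COUNTS)
    print(cleaned, hdrs)   # call forward(cleaned, hdrs) to actually send it
```

Run on the sample hit, the output keeps only the hit type, property ID, a keyed-hash client ID and the checkout URL with its UTM parameters stripped; the CRM ID, IP override, geo override, campaign fields, custom dimension and Google referrer are all gone, and the rare user agent is replaced by a generic one in the outbound request. The allow-list approach matters because GA accepts many more parameters than the checklist names; removing only the known-bad ones would leave custom dimensions and fingerprint fields through by default.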
It is worth noting that implementing this is no small feat, and it comes with a major drawback: the amount of data you can pass to Google is severely restricted, so meaningful analysis becomes tricky. For example, once canonical identifiers such as a user's account ID are removed, you can no longer attribute sessions to a user.
So, with a proxy server, you can no longer:
Attribute which campaign or channel is performing better through UTMs
Use IP addresses, so there is no address or location lookup
Perform device analysis, as user agents are nullified
Therefore, much of the value derived from Google Analytics is likely lost, so it may be worth considering alternative tools until there is clarity around the new regulation. We explore this in the next section.
The fundamental issue with using Google Analytics in certain EU countries is the transfer of data to the US, which the CJEU found does not offer protection equivalent to GDPR. So, if you are evaluating other tools, make sure the analytics tool offers EU data residency, i.e. all data is processed and stored within the EU. Mixpanel is one example. CNIL also publishes a list of audience-measurement tools that, when configured as it describes, it considers exempt from the consent requirement.
We understand that temporarily moving away from Google Analytics might seem like a scary one-way door decision but fear not — a Customer Data Platform (CDP) like Twilio Segment makes switching between tools effortless. You only have to collect the data once and then you’re able to send it to wherever you want.
Once you've activated Segment you can start experimenting with a multitude of analytics tools to find the right one for your business, without the downstream switching costs. What's more, if you decide to go back to Google Analytics, you can have it up and running with the proverbial flick of a switch, because Segment supports replay: historical data can be sent to a newly added destination, so you can move from one tool to another without losing data.
When considering which tool to switch to there’s no need to bucket tools into ‘web analytics’ and ‘product analytics’ — the underlying data is the same. The way the data is visualized is what sets them apart.
Combining product and web visualization into a general analytics tool will be more powerful, help you make more informed decisions, and allows for cross-team usage (e.g. marketing and data science). However, there is a downside to not using a tool like Google Analytics with third-party data enrichment. Information like gender, age category, etc. will be excluded. But there is a consumer benefit to not collecting this data, particularly when operating in privacy-conscious regions like the EU.
For more information, check out this recipe on how customers are implementing a privacy-first web analytics solution with Segment.
If you need a more customizable option, are moving away from out-of-the-box solutions to an in-house implementation, or need more advanced functionality, you're in luck. You can build custom analytics in a data warehouse such as Snowflake, Redshift or BigQuery, with a visualization tool such as Looker, Power BI or Tableau on top. Depending on your business needs you can configure this however you like, for example building an attribution dashboard as explained in this recipe, all powered by the first-party customer data captured and governed by your CDP.
In this blog we’ve covered:
The recent ruling by some EU countries determining that user data being transferred to the US — for processing by Google — lacks adequate legal protection.
How to keep collecting website data and remain compliant.
Your alternative options to using Google Analytics.
We’re keeping our eyes peeled for an update from the EU Commission on the executive order. In the meantime, we recommend considering a CDP so that you have the flexibility to switch between analytics tools if/when the regulation gets updated.
* This article is based on Universal Analytics (Google Analytics 3), which Google will sunset in 2023. To date, EU data protection regulators have not ruled on a company's use of Google Analytics 4. GA4 may make compliance easier, but it is too soon to tell, and it may still come with the same restricted data collection discussed in the proxy server section.