In January 2022, the Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) ruled that Google Analytics is illegal under Austrian privacy laws. The DSB is specifically concerned that data transferred to and stored in the United States is potentially exposed to sleuthing from authorities and Google themselves.
The implications for Google Analytics users
The ruling effectively determines that data collection from Austrian authorities by Google Analytics is illegal. This decision could, and probably will, have consequences beyond Austria and outside of Google. Other vendors such as Facebook, who process and store user data overseas, would, by virtue of the DSB ruling, now also be breaking Austrian law.
You should also review the above for each and every third-party vendor tag, pixel, or cookie you deploy on-site.
Austria is in the EU, which implemented GDPR (General Data Protection Regulation) in 2016. GDPR would likely fall into line with the Austrian ruling, meaning the consequences could be far more widespread.
What should Google Analytics customers do?
In short, there is no ironclad or definitive guidance on this given the proximity to the ruling at the time of writing. Simply put, as Google Analytics has been deemed non-compliant, it is now illegal to deploy in Austria.
As mentioned, many other European markets are likely to follow suit. There are a few steps we would recommend taking initially whilst we understand the full impact of the decision.
- Google Analytics 360 (Premium) clients can delegate data storage locations at a property level. This means that you could feasibly store data locally to where it is collected.
- Google Analytics (Standard) customers cannot delegate where data is stored and processed. We suggest:
  - Ensuring your GA setup is in line with guidance around GDPR user privacy. In short, we advise using Google Analytics’ anonymized IP function, which scrubs user data at the end of each visit so they cannot be tracked beyond that with any degree of accuracy. You can set up anonymized IP to be dynamically controlled by the user’s privacy and cookie preferences.
  - You may choose instead to only deploy Google Analytics to users who explicitly opt into analytics/statistics cookies via your site or app’s privacy settings.
  - Or you may choose to suppress Google Analytics cookies entirely for users in Austria.
There is no silver standard guidance at this stage, but the above should be practices your site is deploying in line with GDPR right now.
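The three suggestions above (consent-controlled IP anonymization, opt-in-only deployment, and suppression for Austria) can be combined into one gate that runs before any Google script is requested. The following is an added example, not code from the original page: `planAnalytics`, `applyPlan`, `SUPPRESSED_COUNTRIES`, the consent object shape and the property ID are hypothetical, and the visitor's country code is assumed to be supplied by the site; `anonymize_ip` and the `consent` command are standard gtag.js settings.

```javascript
// Added example; all names here are hypothetical, not from the original page.
const MEASUREMENT_ID = 'UA-XXXXXXX-X';          // placeholder property ID
const SUPPRESSED_COUNTRIES = new Set(['AT']);   // markets where GA is never loaded

// Decide, before any Google script is requested, whether GA may load and how.
// consent: { analytics: boolean, fullIp: boolean } from the site's privacy settings.
// country: ISO 3166-1 alpha-2 code resolved by the site (assumed available).
function planAnalytics({ consent, country } = {}) {
  const cc = typeof country === 'string' ? country.trim().toUpperCase() : '';
  const deny = (reason) => ({ load: false, reason, commands: [] });

  if (!cc) return deny('unknown-country');      // fail closed (this example's choice)
  if (SUPPRESSED_COUNTRIES.has(cc)) return deny('suppressed-market');
  if (!consent || consent.analytics !== true) return deny('no-consent');

  // IP anonymization stays on unless the visitor explicitly chose otherwise.
  const anonymizeIp = consent.fullIp !== true;
  return {
    load: true,
    reason: 'opted-in',
    commands: [
      ['consent', 'default', { analytics_storage: 'granted', ad_storage: 'denied' }],
      ['js', new Date()],
      ['config', MEASUREMENT_ID, { anonymize_ip: anonymizeIp }],
    ],
  };
}

// Apply a plan in the browser: nothing is injected unless plan.load is true.
function applyPlan(plan, win) {
  if (!plan.load) return false;
  win.dataLayer = win.dataLayer || [];
  win.gtag = function gtag() { win.dataLayer.push(arguments); };
  plan.commands.forEach((cmd) => win.gtag(...cmd));
  const script = win.document.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' +
    encodeURIComponent(MEASUREMENT_ID);
  win.document.head.appendChild(script);
  return true;
}
```

On a page, call `applyPlan(planAnalytics({ consent, country }), window)` once the visitor's preferences are known, and call it again if they change their settings.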
As mentioned above, this is unclear. There are feasibly a few longer-term options from your side and Google’s side:
- Google starts storing and processing Google Analytics data locally (in-market or in-region), in a manner that is compliant with any privacy legislation.
- If Google cannot find a way to become compliant, the only solution would be to remove Google Analytics in the markets and regions. In this event, replacing it with another web analytics vendor might be required. Only avoiding Google is not going to be good enough in and of itself. You will need to consider: “Is the technology you move towards compliant in regard to international, national, and local data privacy laws such as GDPR & CCPA? Not only in terms of data collection but also data storage and processing.”
Research Google Analytics alternatives
Specific to Web Analytics, you might consider other tech vendors:
- Adobe Analytics – an enterprise-level solution that will require a high technical investment owing to significant implementation time. Additionally, Adobe carries a license fee in the tens and hundreds of thousands of dollars per instance. Adobe can store data locally, for instance in London, which would help with compliance on the face of it.
- Privacy-conscious and “ethical” web analytics solutions such as Matomo offer data ownership, including on-premise data storage.
- You may have read that moving to server-side data collection methods will actively “solve” issues. However, the problem here is not with data collection. It is with the method and location of storage.
Deploying server-side Google Analytics tracking therefore will not be enough in and of itself. You will need to understand what happens to the data after it is collected, specifically where it is stored. There is a degree of control here, in terms of decentralising data storage, but this will need to be configured carefully and deliberately.
The Austrian DSB ruling presently deems the usage of Google Analytics illegal. This is a fast-moving situation that could have implications for tech vendors, other markets, and regions.
Google may alter the way their product collects and processes Google Analytics data, but we will have to bide our time to see if a) this is going to be the case and b) whether it is deemed compliant.
This ruling is the first big shove of big tech firms regarding data capture, storage, and processing with GDPR. This is a fast-moving topic; as such, we advise keeping across this for the foreseeable future.
The Molzana team can help with understanding the implications of the DSB decision. You can contact us directly at: email@example.com.