Does Google comply with the GDPR?
To anticipate, the answer to the initial question is: Yes, Google Analytics and GDPR data protection are compatible if informed consent is obtained from the user. This article explains what this looks like in detail.
A little history
The days when Google Analytics could operate silently in the background of a website are definitely over. Back then, a note in the privacy policy and the website operator's legitimate interest in statistics for the operation of Google Analytics and data protection as the legal basis were sufficient.
With the development of Google Analytics into a marketing tool, the repeal of the Privacy Shield as the basis for data transfer with US companies by the ECJ and the increased awareness of privacy among many internet users, the situation has changed fundamentally.
This may also be due to the fact that advertisers have overdone it. Emailing a friend on vacation in Holland only to be shown ads for Dutch vacation homes shortly afterwards while surfing the web makes you wonder. The judicial bodies and data protection supervisory authorities have taken this into account and brought the GDPR and also the EU Directive 2002/58/EC, which has been partially ignored in Germany, into force in the implementation of the Telecommunications and Telemedia Data Protection Act (TTDSG).
The result is that the full use of Google Analytics and data protection is only possible with voluntary and informed consent. What do users consent to and what does consent have to look like?
The facets of consent
1. consent to the setting of cookies
Consent for cookies is not primarily about data protection, but about the integrity of the end devices. § Section 25 of the TTDSG states that data may only be written to the memory of a PC, laptop, tablet or smartphone or data may only be read from these devices with the user's consent. We also object to a person entering our home without our consent and writing on our pinboard or reading the notes on the fridge.
2. consent to user tracking
With user tracking, movements on the website are recorded, products in the shopping cart, purchases and also the pages on which the user has previously surfed are evaluated. The surfing behavior of users is also tracked across several websites and condensed into a profile. Regulatory authorities and courts require consent for this.
3. consent to the transfer of data to the USA
This topic is complex and has not yet been fully discussed. It is clear that the data collected via Analytics is stored on Google's US servers and is also processed there for Google's own purposes. This makes Google the controller within the meaning of the GDPR and no longer just a processor that provides analyses and statistics. Consequently, an agreement on joint controllers pursuant to Art. 26 GDPR must be concluded and published.
There is a second facet to the US data transfer that needs to be considered. Via Google, US security authorities also have access to the data and profiles of users who have no legal recourse if they are not US citizens. They are not even aware of this access to their data. This fact must also be made clear for consent to be effective.
We must not conceal the fact that the German supervisory authorities, unlike those in other EU countries, have a problem with consent to the US transfer. There is therefore a residual risk for local companies and, if the authorities decide against it, the only option is to go to court. However, there are strong voices supporting the consent solution for US transfers. Thomas von Danwitz, judge at the ECJ and involved in the Schrems II ruling, stated in an interview that the exemptions in Art. 49 GDPR, including consent, had not yet been 'explored'. The view that the law restricts these exemptions to occasional transfers is controversial. The clear statement in Article 49 (1) GDPR must be given priority over the unclear statement in recital 111. And the supervisory authorities in Austria and France leave the possibility of consent open in their opinions on analytics.
So there is a lot to be said for taking this route or doing without Google Analytics altogether. There is no equivalent alternative to consent. It is difficult to imagine that signing the EU standard contractual clauses and additional measures following a Transfer Impact Assessment (TIA) will produce a positive result. Too little information is available on the processing of data by Google for this to be possible. A reliable risk assessment is simply not possible.
Design of the consent
Consent can only be effective if all three issues - the setting of cookies, tracking with profiling and personalized marketing and the US transfer with the possibility of access by the security authorities - are clearly explained to the user. It is clear that this must be done when entering the site, which is why we have the cookie banners, also known as comprehensive consent management platforms, because it is no longer just about cookies. Where which information should be placed is still being discussed. In the opinion of data protection experts, everything should be in the first window in which consent is given and not only on a second level after a click. What is practicable here remains to be seen.
But one more alternative
There is an alternative: If the website operator is prepared to forego some information and use for personalized marketing, there is the option of hosting Google Analytics themselves. This would avoid the US transfer to Google. The setting of cookies and thus the recognition of users on their next visit or on other websites could also be avoided. If you then limit the tracking of data to your own website and only work with pseudonymized data, consent is not required. Although there are also German supervisory authorities who do not want to accept this limited tracking with a shortened IP address without consent.
Conclusion:
Google Analytics and data protection can be operated compliantly in two scenarios:
- Without consent with a reduced scope of services, self-hosted without Google, without cookies and only for your own website analysis.
- Or with consent to the use of cookies, profiling and personalized marketing and to the transfer of data to Google with possible access by US security authorities.
Neither scenario is absolutely legally secure because German supervisory authorities question both the consent to the US transfer and the pseudonymous analysis of website visits without consent.