Following a large-scale inspection by the Saxon Data Protection and Transparency Commissioner (SDTB), over 1,500 website operators have improved data protection on their websites. In particular, the non-compliant use of Google Analytics had to be corrected. What companies should look out for.
30,000 websites in Saxony checked for GDPR violations
In May 2024, the data protection supervisory authority checked around 30,000 websites of Saxon providers. It objected to the unlawful use of Google Analytics by 2,300 website operators. Visitors to these websites had not consented beforehand to the placement of Analytics cookies or to the establishment of a server connection to Google Analytics.
"The automated website scans carried out by my authority have not only identified a large number of data protection violations, but have also eliminated most of them in the meantime. Two-thirds of the identified websites now do not use Google Analytics to track user behavior or ask for explicit consent beforehand," says Saxony's data protection officer Juliane Hundert.
Among other things, the authority's consultations revealed that a significant number of cookie banners often did not do what the settings promised users. In some cases, services were executed and cookies were set even though the settings indicated "off". Many of those responsible were not aware of this.
Use of Google Analytics not a legitimate interest
When using Google Analytics in particular, the SDTB would like to point out that the consent of website visitors is required under both the GDPR and the Telecommunications Digital Services Data Protection Act (TDDDG).
In the opinion of the supervisory authority, a balancing of interests in accordance with Art. 6 para. 1 letter f GDPR ("safeguarding the legitimate interests of the controller or a third party") must always come out in favor of the users of a website in the case of analysis services such as Google Analytics. According to the SDTB, the balance favors the visitor in the case of personalized web analysis of website visitors, as the targeted and in-depth monitoring of behavior represents a strong intrusion into the privacy of the website visitor.
"A permanent and in-depth observation of individual behavior and the collection of this data across a large number of apps and websites contradicts the reasonable expectations of website visitors regarding the scope of the processing in question and its effects," the supervisory authority further explains.
Due to these overriding interests of website visitors, the operation of Google Analytics on the basis of a legitimate interest of the website operator is not possible from the perspective of the supervisory authority. Express consent is therefore required.
Consent always required when using Google Analytics
This also applies to the setting and reading of cookies and so-called storage objects in accordance with Section 25 TDDDG. Clear and comprehensive information and consent are generally required for this processing, unless the exception in Section 25 (2) No. 2 TDDDG applies. Under that exception, the storage and reading would have to be absolutely necessary so that the provider of a digital service can provide a digital service expressly requested by the user. "This is clearly not the case with Google Analytics. As an additional analysis service without any apparent necessity, the service clearly requires consent," says the SDTB.
As a result, consent must be obtained in accordance with both the GDPR and, where applicable, the TDDDG. These consents can be obtained in combination, i.e. in one step, if the legal bases and processing operations are clearly stated.
If this is not done or if the service is not required, Google Analytics must be deactivated and the inadmissibly collected data must be deleted.
If Google Analytics is used without consent, this constitutes a data protection violation that can be punished by the competent supervisory authority with supervisory measures up to and including a fine.
Source: Communication from the Saxon Data Protection and Transparency Commissioner