Following a large-scale inspection by the Saxon Data Protection and Transparency Commissioner (SDTB), more than 1,500 website operators have improved the data protection requirements on their sites. In particular, the non-compliant use of Google Analytics had to be corrected. What companies should look out for.
30,000 websites in Saxony checked for GDPR violations
In May 2024, the data protection supervisory authority checked around 30,000 websites of Saxon providers. In the case of 2,300 website operators, the unlawful use of Google Analytics objected to. The website visitors had not previously consented to the setting of analytics cookies or the establishment of a server connection to Google Analytics agreed.
"My authority's automated website scans have not only identified a large number of data protection violations, but have now also eliminated most of them. Two thirds of the identified websites now do not use Google Analytics to track user behavior is waived, or an unambiguous consent is requested in advance. Consent asked," says Saxony's data protection officer Juliane Hundert.
Among other things, the authority's consultations revealed that a considerable number of cookie banners often did not do what the settings promised users. In some cases, services were executed and Cookies although the settings signaled "off". Many of those responsible were not aware of this.
Use of Google Analytics not a legitimate interest
Especially when using Google Analytics the SDTB points out that both according to the GDPR as well as under the Telecommunications Digital Services Data Protection Act (TDDDG). Consent of the website visitor is required.
This is because a balancing of interests pursuant to Art. 6 para. 1 letter f GDPR ("safeguarding the legitimate interests of the controller or a third party") is in the opinion of the Supervisory authority for analysis services such as Google Analytics always in favor of the users of a website. Such a balancing of interests would be in favour of the visitor in the case of personalized web analysis of website visitors, as the targeted and in-depth monitoring of behaviour would constitute a strong intrusion into the user's privacy. Privacy of the website visitor, according to the SDTB.
"Persistent and in-depth monitoring of individual behavior and the collection of this data across a multitude of apps and websites is contrary to the reasonable expectations of website visitors regarding the scope of the data in question. Processing and their effects," explains the Supervisory authority continue.
Due to these overriding interests of website visitors, the operation of Google Analytics on the basis of a legitimate interest of the website operator from the perspective of the Supervisory authority not possible. It is therefore an explicit Consent required.
Reading tip: EDPB publishes guidelines on legitimate interest
Consent always required when using Google Analytics
This also applies to the setting and reading of Cookies and so-called storage objects in accordance with Section 25 TDDSG. For these processing operations, clear and comprehensive information and a Consent is required - unless the exception in Section 25 (2) No. 2 TDDSG applies. According to this, the storage and readout would have to be absolutely necessary so that the provider of a digital service can provide a digital service expressly requested by the user. "This is the case with Google Analytics clearly not the case. As an additional analysis service without any apparent necessity, the service clearly requires consent," says the SDTB.
As a result, a Consent both after the GDPR and, where applicable, in accordance with the TDDSG. These consents can be obtained by clearly naming the Legal basis and processing operations are coupled, i.e. obtained in one step.
If this does not occur or if the service is not required, the Google Analytics and to delete the data collected without authorization.
Will Google Analytics without Consent is used, there has been a breach of data protection, which the responsible Supervisory authority with supervisory measures up to and including a Fine can be punished.
Source: Communication from the Saxon Data Protection and Transparency Commissioner
You need advice on the GDPR-compliant use of Google Analytics and the implementation of Cookies? Then get in touch with us:
Phone: +1 (954) 852-1633
E-Mail:info@2b-advice.com
German 
English 
Italian 
French