It should be clear: the collection of personal data, and the storage of that data on American servers, is at the root of a lot of fuss.
“But Wouter, our website doesn't collect personal data!”
Are you sure?
After all, according to the GDPR's definition, a lot of (seemingly small) things are being categorized as "personal..."
As soon as someone can be directly or indirectly identified in any way, that data is considered "personal" data. Not only do we have the usual suspects such as birth dates and email addresses, there are also things like IP addresses or anonymized IP addresses in combination with browser data, screen resolution or the type of device your visitor uses.
If Google Analytics assigns a unique identification number to a visitor and this same identification number is used when that visitor visits your website from a different device (because they are logged into their Google account, for example), then this is also considered to be personal data.
Indeed, if data in Google Analytics can be combined with data from other tools and this can somehow lead to identifying a person, then this too is a form of personal data.
How to ensure that you collect as little "personal" data as possible depends on the tool you use:
- Google Universal Analytics: switch to GA4 or an alternative tool as soon as possible
- Google Analytics 4 (GA4): follow the privacy-friendly setup in the following section
- Matomo Analytics (a possible alternative tool): configure it according to its own guidelines
- If you use another tool: have it reviewed by your DPO