There's a lot to do around privacy, GDPR and website analytics tools like Google Analytics.
As a Digital Experience Agency, we think it is very important to have a clear vision on these topics. In this article, we summarize some important evolutions and take a look at the future and what we think it will look like.
Read on and discover…
- A concise summary of what exactly the current problem with Google Analytics
- Which settings in Google Analytics are an issue in terms of GDPR
- Other tools you can use to replace GA
- Why we believe current legislation is doing more harm than good
Let's dive into it...
The current situation in Google Analytics land
It seems like every month a new article is published about some authority that has issued a ruling related to GDPR legislation.
During 2022, Austria's DSB, Franse's CNIL, Italy's GPDP, and several other data protection authorities issued verdicts about websites needing to stop using Google Analytics.
If we take a moment to translate the complex legal texts and rulings into human language, in most cases it boils down to this:
- The websites in question collect data which is considered personal information
- This information was collected without prior consent
- All this website analytics data ends up on U.S. servers
Given the data is physically stored on servers in the US, US authorities (such as the NSA) can also access it.
And that's exactly the problem: Google cannot guarantee the privacy required by the GDPR because U.S. law overrules it anyway.
How personal is personal data?
It should clear: the collection of personal data, ánd the storage of that data on American servers is at the root of a lot of fuss.
“But Wouter, our website doesn't collect personal data!”
Are you sure?
After all, according to the GDPR's definition, a lot of (seemingly small) things are being categorized as "personal..."
As soon as someone can be directly or indirectly identified in any way, that data is considered "personal" data. Not only do we have the usual suspects such as birth dates and email addresses, there's also things like IP addresses or anonymized IP addresses in combination with browser data, screen resolution or type of device your visitor uses.
If Google Analytics assigns a unique identification number to a visitor and this same identification number is used when that visitor visits your website from a different device (because they are logged into their Google account for example) then this is also considered to be personal data.
Indeed, if data in Google Analytics can be combined with data from other tools and this can somehow lead to identifying a person, then this too is a form of personal data.
How to ensure that you collect as little "personal" data as possible depends on the tool you use:
- Google Universal Analytics: switch to GA4 or an alternative tool as soon as possible
- Google Analytics 4 (GA4): follow the privacy-friendly setup in the following section
- Matomo Analytics (a possible alternative tool): configure these according to their own guidelines
- If you use another tool: have it reviewed by your DPO
A privacyfriendly Google Analytics 4 setup
If you use Google Analytics 4 on your website, it's best to set it up so that no personal data is stored or shared with third parties.
Setting up GA4 in a privacy-friendly way is done as follows:
- Google Signals: turn off
- User ID: turn off
- User-provided data capabilities: don't allow
- Granular location and device data collection: turn off
- Advanced Settings to allow for Ads Personalization: turn everything off
- Data Sharing Settings (can be found at account level): turn everything off
And of course: only send data to Google Analytics after your website visitor has given explicit permission to collect statistical data.
There can’t be only one
Google Analytics is by no means the only web analytics tool that can provide us with useful insights.
There are numerous alternatives, each with its own advantages and disadvantages. To list and compare them all would take us too far, but here is an overview of some of the tools we prefer and their main features.
- Has a shared history with Matomo (which used to be called "Piwik") but is not open-source
- EU-Cloudsolution (free) and on-premise solution (only for enterprise clients)
*Important note: the French CNIL may have approved Matomo and Piwik Pro to be deployed without prior permission from your visitors, France is obviously not Belgium. The Belgian GBA never disapproved of CNIL's guidelines, but it never approved them either. Even though the French authorities based themselves on the European GDPR legislation, we must remain cautious in this. That's precisely why, for now, we still recommend always asking permission from your visitors before tracking anything.
Now, which tool is best suited for your organization?
Well, possibly the above list of key features already gives you an "aha!" moment.
If not, it's a matter of determining which features are must-haves for your organization....
- Can the tool be in the cloud or does your DPO require an on-premises solution?
- Should the tool be free?
- Should the data be able to flow to other tools? (For example, to a CRM system or BI dashboards.)
- Do you want lots of data and reports to do complex analysis, or does it suffice to have some general website statistics?
Based on the questions above, you can remove some contenders and you might be left with 1 or more options. Of course, we can also help you with this exercise!
Complex configurations of web analytics tools, reviewing privacy policies, keeping cookie policies up to date, or changing the cookie banner based on the latest advice... it all takes a lot of time.
Large companies can bring in a bunch of in-house developers, DPOs and lawyers to make sure everything is done by the book. But for SMEs it's often a huge challenge to be (and stay) in line with the ever-changing landscape and the costs involved.
Once in compliance with strict laws, you as a business often lose a lot of useful information because many website visitors refuse all forms of tracking when given this choice, often due to fearmongering in the press.
The lost data can no longer be used by companies to improve their services, marketing and business in general because it is considered an invasion of privacy by Europe.
However, 99.9% of companies have no intention of misusing personal data. For them, Google Analytics serves purely to...
- check how many visitors the website has (to report to management or to present figures to potential advertisers)
- see which channels are working well and which are not (to make decisions in terms of budget allocations)
- see which content visitors interact with the most (in order to tailor content more closely to the target audience)
The average company is no Cambridge Analytica, but Europa is treating it as such.
The vision of Dropsolid
Does this mean we are entirely against prior consent before tracking certain things? Not at all!
As an open digital experience company, we not only advocate consent, we believe that full transparency and ownership of data is the way to go.
Google also seems to be placing more importance on data sovereignty by offering "T-systems Sovereign Cloud" (which allows data from certain Google Cloud tools to be stored on German servers).
Privacy is a very important issue, and we only see it growing in importance as we move into the future.
However, current legislation is not the solution... what is currently considered anonymous data and what is labeled "personal data" in the Analytics world needs to be revised.
Indeed, SMEs and organizations without bad intentions are currently bearing the brunt, while companies with bad intentions are finding loopholes.
In our view, keeping completely anonymous visitor statistics should be possible without prior consent. After all, this is a crucial tool for companies and organizations to optimize their websites and services.
What does the future hold?
Respecting the privacy of website visitors while still giving Belgian companies and organizations the tools to be able to optimize their online platforms... in our opinion, it is possible.
However, as long as Google Analytics is seen as a tool that captures and stores personal data on servers in the U.S., you need explicit permission from your visitors before tracking anything.
It's possible that in the future, Google will provide additional features in its tools to comply with the strict European rules. For example, additional settings that determine much more specifically what is and is not measured, or the ability to choose the physical location of the server where the data ends up.
Would you like to spar about your situation? Then feel free to give us a call!