Your website analytics are breaking the law

On 13th January 2022, the world learned that the Austrian Data Protection Authority ruled the continuous use of Google Analytics to violate the GDPR. This is huge because it's the first decision on the 101 model complaints filed by noyb back in 2020, the brainchild of privacy lawyer Max Schrems. Similar decisions are expected to pop up all over the EU, so this isn't a drill.

Fathom customers can breath a sigh of relief, as we already adapted to the Schrems II ruling back in 2021, but this news is scary news for everyone else. And the implications are beyond what one could imagine, as this doesn't just apply to Google Analytics; it applies to EU-US transfers as a whole. Right now, the majority of websites on the internet are violating the GDPR by processing EU personal data on US-owned cloud infrastructure.

"We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States, and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week."
- Max Schrems, EU Privacy Lawyer and Honorary Chairman, noyb

For the sake of this article, we're going to talk specifically about website analytics while acknowledging that the Schrems II ruling impacts the entire internet.

Are my website analytics breaking the law?

Let's be clear here. Many things can affect the lawfulness of your analytics, and we're not going to comment on all of them. Instead, we're going to focus on what the Schrems II ruling (2020) and the Austrian Data Protection Authority's decision means for your website analytics.

The quickest way to know if your analytics are affected is by looking at the statements below. If you answer yes to any of them, then you should consult your legal team or move to a GDPR compliant analytics solution. If you don't know the answer to the questions below, don't worry, we have built a tool below that will scan your website for you.

1. Is your website analytics provider a US company?
2. Is your website analytics provider using web servers owned by a US cloud provider (note: it doesn't matter if the servers are in the EU, the US cloud provider owns them and is still subject to FISA 702 and EO 12.333)

Is IP Anonymization for Google Analytics GDPR compliant?

Unfortunately, no. The problem with the anonymization done by Google Analytics is that it's done within your browser (client-side). So, for example, Google Analytics' embed code might convert your IP to ABCDEFG using Javascript, but they then send data via something called an HTTP Request. It's impossible to exclude your actual IP address from an HTTP Request unless you use a VPN service.

Can I use a consent banner like I do for cookies?

It's not just a matter of accepting cookies; here, we're talking about you having to have a legal transfer mechanism to send data out of the EU to the US. And although explicit consent is one of the so-called "derogations" that can be used for third-country transfers of personal data, they can only be used for "occasional and necessary" transfers - which is definitely not the case for continuous analytics activity on a website.

Does my analytics provider process personal data?

As per the definition of the GDPR, yes. All scripts/websites process personal data because the IP Address & User Agent are considered personal data. And since the Schrems II ruling, you can no longer do this using US-controlled cloud providers.

What Google Analytics alternative should I use?

This situation is a massive headache, we get it, but we have some good news for you: You have options.

We will provide three possible responses you could take in response to this ruling. Of course, if you have a legal team/lawyer available, you should consult them, and you should review any compliance section of tools you use.

Easy: Use an analytics provider that doesn't transfer EU data to the US

The best possible thing you can do is find GDPR compliant website analytics that doesn't route your EU website traffic to the US. They should offer true EU Isolation for your EU website visitors and protect their traffic from US surveillance. Please make sure you ask your analytics provider explicit questions about how they will be handling your website visitors' traffic.

When the Schrems II ruling first appeared, we were very concerned. We were a Google Analytics alternative and, at the time, we were using Amazon Web Services (US cloud provider) to process EU website traffic directly, so we knew this had to change.

We were shocked and confused to see other "GDPR compliant" analytics providers misinform their customers for nearly two years following the ruling, saying that Schrems II didn't matter, to then quickly run around like headless chickens following the Austrian DPA's ruling. Or worse, bury their heads in the sand and stay non-compliant.

Fortunately, we researched, tested, innovated, and worked on a solution with our privacy officer & lawyers when the Schrems II ruling dropped in 2020. We're a small team, but we worked hard and built something production-ready by the second half of 2021.

So when the Austrian DPA made this decision against Google Analytics (and US cloud providers), our EU Isolation system had already processed billions of page views, and we were confident with its performance.

We publicly documented how we built EU Isolation back in 2021, as we knew that other analytics companies would soon be forced to comply. We wanted them to change for their customers' sake, as we don't want to see anybody dealing with legal headaches. It was disappointing that other analytics companies didn't seem to take Schrems II seriously. Still, we're stoked that our extensive research and innovation allowed these unlawful analytics providers to adapt with great speed following this latest ruling.

Harder: Self-host your analytics

If you're tech-savvy and ready for the responsibility of self-hosting your analytics, you should use a company like Hetzner (a German cloud provider). This solution is enough if you only have web traffic coming from the EU. But if you have web traffic coming from around the world, you should deploy into multiple regions, as you want your analytics to be fast for both EU visitors and international visitors. You can do this by setting up geolocation-based DNS routing that distributes traffic between your EU server and your other servers. There is maintenance & responsibility with self-hosting, but it's a solid way of getting yourself compliant.

Make sure your legal team reviews the analytics software you choose against the ePrivacy Directive, too, as a lot of software out there is accessing Terminal Equipment without consent (using cookies, localStorage, etc.). For example, if you see device widths within the analytics platform, speak to your legal team, as that data is sourced from Terminal Equipment (it's the size of the equipment your website visitors are using) and is a violation of the ePrivacy Directive.

Risky: Keep using your illegal analytics

You could choose to keep your current analytics on your website. After all, your marketing team "needs" it for their reports, and Google Analytics is "free." But you run the risk of a DPA complaint, which could lead to a fine, and it just isn't worth it. But at the end of the day, it comes down to you/your boss/your legal team.

And for the crowd who has been talking for years about how "Google Analytics is free," it becomes even more clear that Google Analytics is free... in the worst way. They're legally free to allow the US government to spy on EU data subjects.

Does this ruling only affect me if I have visitors from Austria?

In terms of current DPA enforcement, perhaps, but you should not get comfortable. We know that the Dutch Data Protection Authority has already taken steps that appear to be in line with the Austrian DPA's findings.

"Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB "task force." It seems the Austrian DSB decision is the first to be issued."
- noyb

Our opinion is that you should treat this seriously and assume it's only a matter of time before the rest of the EU DPAs follow. After all, the Schrems II ruling came from the Court of Justice of the European Union (EUCJ).

Does this ruling only affect European companies?

No. This ruling affects any company that receive traffic from the EU.

What's next for Schrems II?

There's no doubt in our mind that the Schrems II ruling has created a massive headache for companies around the world. But this isn't the ruling's fault, and this is the fault of US lawmakers for the laws they have made. All noyb is doing is making sure these laws are enforced.

We're not here to judge anyone; we're here to try to help, and swapping out analytics is a solid first step to respond to this latest news.

We echo Max Schrems and hope that this leads to the US Government taking a long, hard look at their foreign surveillance laws and solving things at a political level. The EU & the US should live in harmony, and both countries should benefit from each other.

A lot of people chose Google Analytics because it was free. But the true cost of using Google Analytics is now clear, and it's not worth the risk.

Listen to Jack and Paul talk about this ruling, what it means and what you can do about it on the latest episode of Above Board or watch our video on the subject.

You can donate here if you want to support the work noyb is doing. We know you may be stressed and frustrated by the ruling, but this work is needed.

You might also enjoy:

• EU Ruling: Google Analytics is now illegal
• Illegal Analytics Scanner
• The Journey to EU Isolation