Most website operators use tracking tools to better understand how their website is used („web analytics”). The most common tool for this is Google Analytics. However, according to the German data protection authorities, there are considerable doubts as to whether Google Analytics can be used in a data-protection-compliant manner. Website operators should therefore carefully check whether and in what form Google Analytics should continue to be used and, in any case, observe the following information.

Background, Problem and Risk of Sanctions

The Datenschutzkonferenz (DSK, i.e. the joint committee of the federal and state data protection authorities) has published current information on the use of Google Analytics (paper as PDF, German). Contrary to previous assessments, the implementation of Google Analytics is no longer to be regarded as data processing on behalf of the website operator, but rather as joint controllership between Google and the website operator. Accordingly, an agreement on joint controllership in accordance with Art. 26 of the EU General Data Protection Regulation (GDPR) would have to be concluded. However, Google does not provide such an agreement, and it is not to be expected that Google will enter into individual agreements with website providers as required by Art. 26 GDPR. Therefore, the requirements of the GDPR currently cannot be reliably met when using Google Analytics.

Furthermore, when using Google Analytics, the personal data of the website user is processed in the USA. Since August 12, 2020, the contractual conditions for Google Analytics have therefore included the EU standard contractual clauses for data processing in third countries. According to the case law of the European Court of Justice (ECJ: Schrems II case), additional guarantees may be required. The DSK has not yet made any specific comments on what such guarantees for data transfers to the US might look like (press release by the DSK as PDF, German). In the absence of the necessary guarantees, the transfer of data may still be based on the consent of the users – but in return, the special risks of a data transfer to the USA must be pointed out, which does not happen on a regular basis. Thus, Google Analytics also bears the risk of data protection violations in this respect.

This issue becomes even more pressing in light of the announcement by the supervisory authorities that they will increasingly check tracking technologies such as Google Analytics on websites (press release of the supervisory authority Baden-Württemberg, German). This audit is to be conducted across the federal states and will initially focus on press and media corporations. It is to be assumed that this focus will subsequently be extended to online offerings from other industries as well. As a result, the use of Google Analytics entails the risk of data protection violations and, in the worst case, fines. These risks can only be safely ruled out if the use of Google Analytics is avoided altogether. If you are prepared to take these risks, you should at least consider the following tips to reduce them.

DSK Recommendations for Deploying Google Analytics

Despite its fundamental criticism of Google Analytics, the DSK makes recommendations for the deployment of this web analysis tool in its current notes. This is surprising, yet it is not to be misunderstood as approval of the use of Google Analytics, but rather as a minimum requirement if Google Analytics is to be used despite the data protection concerns. The DSK recommends the following:

  • Consent: It is necessary to obtain the consent of the website user before deploying Google Analytics (the same applies to other tracking technologies). This can be obtained via a cookie banner or pop-up, as long as the declaration made there is clear and the consent is actively expressed. Opt-out procedures, pre-ticked checkboxes or the condition that „continuing to surf” means consent do not fulfill these requirements. Consent must also be informed. In view of the current uncertainties in data transfer to the USA, we recommend that you draw attention to the resulting risks (keyword: possible access by US authorities) and extend the consent to cover this as well.
  • Revocation Mechanism: A simple and always accessible mechanism for revoking consent must be implemented. It is not sufficient to refer to the browser add-on provided by Google to deactivate Google Analytics; the add-on requires additional programs to be loaded, which is unreasonable for users. Instead, a button for revocation can be placed in the privacy policy, for example.
  • Obligation to Inform: In the privacy policy, website operators must inform users comprehensively about the processing of personal data in the context of Google Analytics and other tracking tools.
  • Anonymization of IP Addresses: Website operators should also have the IP address shortened. For this purpose, the tracking code on every page with a Google Analytics integration must be supplemented by the function „_anonymizeIp()“ (Link for further information).
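As an added example (not from the DSK paper or from Google), the following JavaScript shows how the consent, revocation and IP-anonymization points above fit together in a gtag.js integration: the analytics script is loaded only after an active, informed opt-in, `anonymize_ip` is always set, and revocation flips Google's documented `ga-disable-<ID>` switch and expires the `_ga`/`_gid` cookies. The measurement ID, the shape of the consent record, the `loadScript` callback and the window-like `win` parameter are assumptions made for illustration so the logic can be exercised without a browser.

```javascript
// Consent gate for gtag.js (added example, not the DSK's or Google's own code).
// `win` stands in for the browser window; `loadScript(url)` is assumed to insert
// the <script> tag. The measurement ID is a placeholder supplied by the caller.
const GA_COOKIES = ['_ga', '_gid'];                 // cookies gtag.js sets by default
const EXPIRED = 'Thu, 01 Jan 1970 00:00:00 GMT';

// Consent counts only if it was an explicit click that also covered the
// US-transfer risk; defaults, pre-ticked boxes and "continuing to surf" do not.
function isValidConsent(rec) {
  return Boolean(rec) && rec.action === 'clicked-accept'
    && rec.analytics === true && rec.usTransferRisk === true;
}

// The config call the DSK minimum requires: IP shortening switched on.
function gtagConfigArgs(measurementId) {
  return ['config', measurementId, { anonymize_ip: true }];
}

// Load analytics only for valid consent. Otherwise set Google's documented
// per-property kill switch so no hits are sent even if the script is cached.
function applyConsent(win, measurementId, rec, loadScript) {
  const disableKey = 'ga-disable-' + measurementId;
  if (!isValidConsent(rec)) {
    win[disableKey] = true;
    return false;                                   // nothing loaded, nothing sent
  }
  win[disableKey] = false;
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); } // same form as the official snippet
  gtag('js', new Date());
  gtag.apply(null, gtagConfigArgs(measurementId));
  loadScript('https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId));
  return true;
}

// Revocation (one click, always reachable, e.g. a button in the privacy policy):
// flip the kill switch and return the cookie strings that expire GA's cookies;
// the caller assigns each one to document.cookie.
function revokeConsent(win, measurementId, domain) {
  win['ga-disable-' + measurementId] = true;
  return GA_COOKIES.map((name) =>
    `${name}=; expires=${EXPIRED}; path=/; domain=${domain}`);
}
```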

In addition, we recommend the following measures:

  • Retention Time: The data retention time should be specified. By default, Google Analytics stores user and event data for 26 months, and the option „Reset on new activity” is also activated by default. The option should be deactivated and the retention time limited to 14 months (the shortest possible setting). You can find a description of this on the Google support pages (Link for further information).
  • No Release of Data to Google: In the account settings for Google Analytics, you can set whether Google may also process the data collected for web analysis for its own purposes, such as product optimization and benchmarking. We recommend that you deactivate all „data sharing settings“ (Link for further information).

Google Analytics 360 and Other Features

The above information applies only to the standard version of Google Analytics. The use of Google Analytics 360 (part of the Google Marketing Platform) is usually associated with further data processing. This requires a more detailed data protection assessment in the individual case.

Perspective and Suggested Measures

Website operators should check promptly whether tracking tools, and Google Analytics in particular, need to be used on their website at all. Although many companies use Google Analytics, they rarely make use of the information it produces. This creates unnecessary data protection and fine risks. Those who deploy Google Analytics regardless are well advised to ensure that they have implemented the DSK recommendations described above.