Is Google Analytics illegal?
On June 23, the Italian Data Protection Authority declared the implementation of Google Analytics on a website unlawful.
This is because the personal data of European users was being transferred to Google servers located in the United States, which did not guarantee an adequate level of privacy protection for users under the GDPR.
What is Google Analytics?
Google Analytics is a free web analytics service provided by Google that allows users to analyze detailed statistics about a website’s visitors. It is widely used for internet marketing and by webmasters.
The illegitimacy of Google Analytics 3 arises from the fact that the tool transfers user data to the United States. This creates an issue because, in terms of privacy, U.S. regulations differ from those in Europe and do not provide the same level of protection ensured by the GDPR within the European Union.
Why does Google Analytics not comply with the GDPR?
Websites collect data via cookies transmitted to users’ browsers, gathering information about their interactions with the site, its individual pages, and offered services.
The data collected includes:
- unique online identifiers that allow the identification of the browser or device visiting the website
- address, website name, and browsing data
- browser information, such as operating system, screen resolution, selected language, and the date and time of the website visit
- IP address of the user’s device
The issue is further exacerbated when a user is logged into their Google account while browsing. In such cases, the aforementioned data could be linked to additional personal information in the user’s Google account, such as the e-mail address (used as the account’s user ID), phone number, and other personal details, including gender, date of birth and profile picture.
The Italian Data Protection Authority (Garante per la protezione dei dati personali) has stated that the use of Google Analytics 3 does not comply with the GDPR because it involves the transfer of user data to the United States, a country without an adequate level of data protection under European standards.
Recently, the Garante issued a warning to Caffeina Media Srl, a company using Google Analytics 3 on its website, requiring its removal within 90 days. The Garante emphasized that Google Analytics 3’s data processing methods are non-compliant with GDPR requirements because the tool transfers user data to the U.S. without sufficient guarantees for data protection. Among the data transferred is the IP address of visitors, which is legally classified as personal data.
Although the warning was addressed to this one company, the invitation to abandon Google Analytics 3 informally concerns all websites that use the Google tool, because the problem is widespread.
So, what should you do?
The situation is still evolving. While the ruling helps clarify some aspects, it also introduces new uncertainties, particularly about the consequences for those who continue using Google Analytics 3.
On the bright side, Google has already taken action by launching the new Google Analytics 4 (GA4), which is said to address the underlying issue.
If you haven’t transitioned yet, we can help you set up a Google Analytics 4 property to ensure you continue monitoring events on your site while maintaining a higher privacy standard. Contact us!
Stay tuned for updates