
Austrian Data Protection Authority declares Google Analytics as not compliant with GDPR. Decision relevant for almost all EU websites.

11 comments
It doesn't matter because there is no European web left to talk about.
Well, fuck, okay, so what do we do now? How can you reliably gather user traffic data? We focus on the data theft and marketing angle so much that we tend to ignore that these tools are very useful in e.g. planning public service websites. I’ve used GA in multiple state projects to determine both the most valuable information people search for, devices used and so on. Without it the research part of UX design becomes waaay harder.
I head the QA team for a Web portal that's being used all over the world. Legal has been looking into GA and GDPR before, and we think we're safe because only paid customers have access, the monthly subscriptions start in the thousands (even though the median is in the tens and the mean in the hundreds of thousands), so our incredibly detailed contract includes consent for GA. Even so, we are trying to track as much as possible internally, but it's still so much easier for the QA or UX people to just get a quick look in GA. This may hit smaller companies and individual operators hard, and may eventually translate into a diminished experience for Internet users.
As an SEO manager, I find this a bit concerning.
For the people that are wondering how European businesses could possibly manage without GA, that market is really filled with alternatives.
A non-exhaustive list of examples:
https://posthog.com/
https://matomo.org/
https://plausible.io/
https://www.openwebanalytics.com/
https://snowplowanalytics.com/
(all of the above can also be self-hosted)
There are also plenty of more lightweight and/or serverside options if you’re not a heavy user of GA.
For the people that were using GA for UX, and really shouldn’t:
https://www.hotjar.com/
https://mouseflow.com/
etc…
I think you can still use it if you activate the option that NO IP addresses are sent to Google.
Because then no personal data is processed. The UID that GA generates for every client is therefore no longer personal data, since this UID isn't related to any data which can be used to identify a person… But that's just my opinion.
EDIT: No, I am wrong 🙁
In the decision the authority explicitly explains why such a UID is also considered personal data.
This was so obvious. Most websites that have GA don't even follow GDPR regulations themselves because it would hurt their marketing. These are mostly SMBs.
Under GDPR you cannot collect data on users if they didn't agree, but that's almost never actually the case. Most websites will collect conversion/ecommerce data even if you don't agree. There is no way to exclude this data in GA if the user clicks "don't agree", so right now it is all useless. You can either track or not track, that's it.
You can easily check this yourself (who follows GDPR and who doesn't). Go to the website you want to check, don't agree with data collection, then turn on Google Tag Assistant (free Chrome extension). If you see an Analytics ID pop up, it means you are tracked no matter your "consent" decision…
But even if websites want to implement this (they don't want to, because then they cannot optimize their marketing towards users who do convert), they effectively can't. There is no explanation of how to do it in any help center and support staff will not help you (can't, because this function doesn't exist).
Source: I used to work as Google Analytics Customer Support.
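The same check the comment above describes with Tag Assistant can be done from the browser's developer console, without an extension: after declining the consent banner, list the resources the page has loaded and pick out the Google Analytics hits and the tracking IDs they carry. The snippet below is an added example and is not code from the thread or from Google; it uses the publicly documented GA hosts (`google-analytics.com`, `googletagmanager.com`), endpoints (`/collect`, `/g/collect`, `/gtag/js`, `/gtm.js`) and query parameters (`tid`, `id`). The sample URLs at the bottom are constructed for the demo.

```javascript
// Added example (not from the original thread): given the URLs a page has
// loaded, report which ones are Google Analytics / gtag requests and which
// tracking ID each one carries. In a browser console, run after clicking
// "don't agree" on the consent banner; any result means GA fired anyway.

// Hosts that receive GA hits or serve the gtag/GTM loaders (documented GA endpoints).
const GA_HOSTS = [
  /(^|\.)google-analytics\.com$/,
  /(^|\.)analytics\.google\.com$/,
  /(^|\.)googletagmanager\.com$/,
];

// Universal Analytics hits (/collect, /r/collect, /j/collect), GA4 hits
// (/g/collect), the gtag.js loader and the GTM container script.
const GA_PATHS = /^\/(r\/|j\/)?collect$|^\/g\/collect$|^\/gtag\/js$|^\/gtm\.js$/;

// Property/container ID formats: UA-12345-1 (UA), G-ABC123 (GA4), GTM-ABC123 (Tag Manager).
const ID_RE = /^(UA-\d+-\d+|G-[A-Z0-9]+|GTM-[A-Z0-9]+)$/;

// Classify one URL: null if it is not GA traffic, otherwise its kind and tracking ID.
function classify(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  if (!GA_HOSTS.some(re => re.test(url.hostname))) return null;
  if (!GA_PATHS.test(url.pathname)) return null;
  // Hits carry the property in "tid"; the gtag.js / gtm.js loaders use "id".
  const id = url.searchParams.get('tid') || url.searchParams.get('id') || '';
  return {
    url: urlString,
    kind: url.pathname.endsWith('collect') ? 'hit' : 'loader',
    trackingId: ID_RE.test(id) ? id : null,
  };
}

// Filter a list of URLs down to the GA requests.
function findGaTraffic(urls) {
  return urls.map(classify).filter(Boolean);
}

// In a browser: read the loaded resource URLs from the Performance API.
// (Returns [] where the API is unavailable, e.g. older Node versions.)
function collectGaTraffic() {
  if (typeof performance === 'undefined' || !performance.getEntriesByType) return [];
  return findGaTraffic(performance.getEntriesByType('resource').map(e => e.name));
}

// Constructed sample: what a page might have requested after "don't agree".
const SAMPLE_URLS = [
  'https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-ABC123XYZ&en=page_view',
  'https://www.google-analytics.com/collect?v=1&tid=UA-12345-6&t=pageview',
  'https://example.com/static/app.js',
  'https://fonts.gstatic.com/s/roboto.woff2',
];

const observed = findGaTraffic(SAMPLE_URLS);
if (observed.length) {
  console.log('GA traffic observed despite declined consent:');
  for (const h of observed) console.log(` ${h.kind}\t${h.trackingId}\t${h.url}`);
} else {
  console.log('No GA requests observed.');
}
```

To use it on a real site, paste the block into the console after declining consent and call `collectGaTraffic()`; a loader entry alone shows the tag was installed, while a `hit` entry with a `G-`/`UA-` ID shows data actually left for Google. Requests that were blocked by the browser or a content blocker never appear in the resource timing list, so run it in a clean profile.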
So I guess this applies to other solutions too, like Jetpack for any WordPress based website.
I feel like if we’re discovering several years after a law was passed that literally millions of people have been consistently breaking that law for the entire time it has been in force without knowing, someone on the lawmaking side has done a really, really shit job
Are US regulations allowing intelligence agency access any weaker than European ones? I was under the impression that most European countries had similar clauses allowing police or intelligence agencies to get data.
So what happens now?