News broke on June 23 that an Italian company had been warned by the Privacy Guarantor (the Italian data protection authority) for setting up Google Analytics on its site in a way that does not comply with the GDPR.

With this measure, the Italian Privacy Guarantor has thus taken a stand against the transfer of European citizens' personal data to the United States.

Where is the problem?

In short, the way Google Analytics 3 (Universal Analytics) processes data does not meet the requirements of the GDPR: the tool transfers users' data to the United States, where its protection is not guaranteed, because U.S. security agencies can access that data without the safeguards the GDPR requires.

The IP anonymization option offered by Analytics 3 is not considered a sufficient safeguard for site users' privacy: the truncation is applied only after the data has already reached Google's servers, and the remaining data (cookie identifiers, browser and device details) can still single out a user.

What to do then?

Google Analytics is not GDPR compliant, and the responsibility is not Google's

When we install Google Analytics on our site, we are the data controller and Google is only the data processor, so if the data is not processed according to the rules, it is the site owner who is held accountable.

Thus, at present it is not possible to use Google Analytics while ensuring GDPR compliance.

Google Analytics not compliant with GDPR. Whose responsibility is it?

According to the authority, the responsibility lies with the website operator, not with Google: the Guarantor's intervention is aimed at site operators, and the responsibility for relying on tools deemed non-compliant with current regulations is theirs, not the Mountain View giant's.

The Guarantor’s statement reads: “On this occasion, the Authority draws to the attention of all Italian website operators, public and private, the illegality of transfers made to the United States through GA, also in view of the numerous reports and queries that are reaching the Office. And it invites all data controllers to verify the compliance of the way cookies and other tracking tools are used on their websites, with particular attention to Google Analytics and other similar services, with data protection regulations.”

Google Analytics not compliant with GDPR. How can we proceed?

It is not easy to define a precise path, since the indications given so far are not enough to outline a strategy that leaves one at ease. We would also like to remind you that the problem raised in this specific case for Google Analytics extends to any service that records visitors' IP addresses and is operated by a company based in the United States, or at least American-owned.

Some possible avenues:

  • Remove Analytics. It sounds like a facile answer, but many companies have installed the service and do not actually use it; in that case there is no point in keeping it active. Obviously this is impractical for those who rely on it to monitor their business.
  • Switch to a self-hosted analytics system such as Matomo, with the caveat that you then hold the data yourself: a breach of your own server and data would expose you to even heavier penalties. It also becomes difficult to run a separate analytics system if you work within the whole Google ecosystem.
  • Continue using Google Analytics, upgrading to Google Analytics 4 with a configuration that minimizes the data collected (the upgrade alone does not settle the question, since the authority's reasoning concerns the transfer to the U.S. as such), or adopt a "proxy" configuration in which tracking data goes first to a server under your control, which strips the IP address and other identifying data before forwarding it to Google; this requires significant setup and maintenance effort.

I have Analytics 3: what do I risk?

In the case that raised all this fuss, no sanction was imposed: the Guarantor merely warned the company and gave it 90 days to bring the processing into line, after which the site's compliance with the GDPR will be checked.

In any case, it is advisable to review your own configuration (which tracking tools are loaded, what data they send and where) and consider solutions more in line with the protection of user data.
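As an added example (not part of the original article), the kind of inventory check the previous paragraph calls for: a small Python scanner that, given a page's HTML, reports whether Universal Analytics (GA3, `UA-` tracking IDs loaded via analytics.js or gtag.js) or Google Analytics 4 (`G-` measurement IDs via gtag.js) is present, and whether the GA3 `anonymizeIp` flag is set. The sample pages are constructed; the ID formats and loader URLs are Google's documented conventions. It is a first pass over static HTML only and will not see tags injected at runtime by a tag manager.

```python
import re
from dataclasses import dataclass

# Constructed sample pages (not real sites): GA3 without and with anonymizeIp,
# a GA4 page, and a page with no Google tracking at all.
SAMPLE_PAGES = {
    "ga3-no-anonymize": """
<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>
  window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
  ga('create', 'UA-12345678-1', 'auto');
  ga('send', 'pageview');
</script>
</head><body></body></html>
""",
    "ga3-anonymize": """
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>
  ga('create', 'UA-12345678-1', 'auto');
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
</script>
""",
    "ga4": """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABCD123456"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-ABCD123456');
</script>
""",
    "clean": "<html><head><title>No analytics here</title></head><body></body></html>",
}

# Universal Analytics property IDs look like UA-12345678-1; GA4 measurement IDs like G-ABCD123456.
UA_ID = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")
GA4_ID = re.compile(r"\bG-[A-Z0-9]{6,12}\b")
# The two loaders Google serves for GA3 (analytics.js) and GA3/GA4 (gtag.js).
GA_LOADER = re.compile(r"google-analytics\.com/analytics\.js|googletagmanager\.com/gtag/js")
# Explicit IP-truncation flag, analytics.js style or gtag.js style.
ANON_FLAG = re.compile(r"anonymizeIp'?\s*,\s*true|anonymize_ip'?\s*:\s*true")


@dataclass
class Finding:
    ga3_ids: list          # UA- property IDs found (Universal Analytics / GA3)
    ga4_ids: list          # G- measurement IDs found (GA4)
    loader_present: bool   # a Google Analytics loader script is referenced
    ip_anonymized: bool    # an explicit anonymizeIp / anonymize_ip=true setting was found

    @property
    def verdict(self) -> str:
        if self.ga3_ids:
            note = ("anonymizeIp is set, but the Guarantor does not consider IP truncation sufficient"
                    if self.ip_anonymized else "anonymizeIp is not set")
            return f"Universal Analytics (GA3) found: {self.ga3_ids}; {note}"
        if self.ga4_ids:
            return (f"Google Analytics 4 found: {self.ga4_ids}; data is still transferred to Google, "
                    "review the configuration")
        if self.loader_present:
            return "Google Analytics loader present but no ID found (may be configured via a tag manager)"
        return "No Google Analytics detected in static HTML"


def scan_html(html: str) -> Finding:
    """Inventory Google Analytics tags in a page's static HTML."""
    ga3 = list(dict.fromkeys(UA_ID.findall(html)))   # de-duplicate, keep order
    ga4 = list(dict.fromkeys(GA4_ID.findall(html)))
    return Finding(
        ga3_ids=ga3,
        ga4_ids=ga4,
        loader_present=GA_LOADER.search(html) is not None,
        ip_anonymized=ANON_FLAG.search(html) is not None,
    )


if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(f"{name}: {scan_html(page).verdict}")
```

Point the scanner at the HTML of your own pages (fetched with the same headers a browser would send, so that consent banners and server-side rendering are accounted for) and treat any GA3 hit as a configuration to revisit.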

If you need advice in this regard, The De Marchi Studio is at your disposal.