Datatilsynet is now following in the footsteps of other regulatory authorities and declaring the use of Google Analytics virtually illegal in terms of GDPR compliance. It has caused a stir over the past week, and it can be difficult to find out what to do, including what options there are to continue with GA, how the problem should be approached, what alternatives exist to GA, etc. The questions are many.
_______________________________________
"Organisations in Denmark that use Google Analytics must therefore assess whether their possible continued use of the tool takes place within the framework of the data protection rules. If this is not the case, the organization has a duty to either legalize its use of the tool or, if necessary, stop using the tool.”
Quote from Datatilsynet's website
_______________________________________
Unitas presents some answers here in a magic cube, which can help you and your organization move forward in the decision-making process you now find yourself in.
It must be said at the outset that Unitas are not marketing specialists. We therefore cannot answer concrete questions about alternative tools, setups etc. We refer you to your business partners in that area.
What options do I have?
You must continue with your marketing. So what options are there?
Overall, you have 4 (5) options:
1. Assess the value of the data you collect - perhaps this is an opportunity to rethink your marketing strategy, or at least to assess whether all the data you receive from GA is really necessary. You must avoid so-called vanity metrics.
2. Ignore Datatilsynet and run the risk - you can calculate yourself how expensive it can be.
3. Modify the setup of GA – possibly reduce what data you collect and how you use it or, for example, implement a 'reverse proxy' solution in front of your site.
4. Switch to an alternative.
5. Wait and see if the new Privacy Shield solves the problem any time soon.
All the points are elaborated below.
Ad 1) The value of the collected data: You want to know if you make a sale in your webshop. But you may not need to know that the buyer's name is Mogens, lives in Brønderslev and also visited eb.dk before he ended up on your site. Only collect the strictly necessary data and not 'nice to know' data if you do not use it specifically for e.g. upselling.
Ad 2) This is in no way a recommendation from Unitas. But you can choose to ignore Datatilsynet, calculate your risk and hope you don't get caught running a red light. It is typically a fairly large amount that must be factored into such a risk, and it usually requires management to make an overall business risk assessment.
Ad 3) The starting point here is that you use GA 4.0, which allows changes to the setup. If you are still on the old GA Universal platform (expires in 2023), you cannot make sufficient changes to the setup.
You can customize what data is collected so that you collect a minimum. You can get down to a level that ensures you work within the framework of GDPR. But is it enough data for it to be of value to you and your business?
You can possibly implement a 'reverse proxy' solution that masks data sufficiently for it to be perceived as non-personally identifiable data. If you already have a reverse proxy yourself, or your provider has a good offer for this solution, that is also an option. In an example from one of the referenced articles, the cost of your own reverse proxy is approx. 30-40.000 in implementation and then 2-3.000/month in operation. As a cloud solution, e.g. Cloudflare can offer a reverse proxy, and many of the other big cloud providers also have such a service. Here, however, you must also be aware of GDPR compliance. We must not replace one problem with another.
The above representation is from the French data protection authority's website.
Ad 4) There are many alternatives to GA. Assess yourself, or together with your partner in the field, which alternatives may be the right choice for you. See further down in the post under 'Resources/List of alternatives to Google Analytics'.
Ad 5) A new Privacy Shield is just around the corner. If it ends up being approved by the EU (may take more than 6 months), the problem with transfers to the US generally disappears. However, the problem of transfers to third countries other than the US, or onward transfers from the US, still remains. Regardless of whether the new transfer basis is approved or not, there will surely be new opposition from NOYB (the organization led by Max Schrems), which may lead to new challenges. So regardless of the outcome, you should have a plan B ready.
Resources
Podcast
Especially for the marketing manager in your company: consider listening to this podcast: Privacy League Denmark - If you use Analytics, listen here. Good advice from both the marketing and the GDPR side.
List of alternatives to Google Analytics
- Referred to as being good for B2B – Dream data – based in Denmark and using servers within the EU
- Matomo – if you have many reports configured in GA, can be imported immediately; also referenced as a good alternative
- Hotjar – Based in Malta and using servers in Ireland
- Mouseflow – based in Denmark and uses servers within the EU and in the USA (depending on the customer's location)
- Referred to as being good for B2C – Piwik Pro – based in Poland and using servers in the EU, USA and more
- Simple Analytics – based in the Netherlands and using servers in Europe
- Smartlook – based in the Czech Republic and uses servers within the EU
- Splitbee – based in Austria and uses servers within the EU
- Visitor Analytics – based in Germany and using servers in the EU
- Wide Angle Analytics – based in Germany and using servers in Germany or France
Articles used for this blog post (some require subscription)
Datatilsynet states that Google Analytics is illegal
Google Analytics illegal: How to continue using Google Analytics – here you will also find the requirements for the 'reverse proxy' solution's configuration
Use of Google Analytics for web statistics (datatilsynet.dk)
Example of costs if you want to continue with Google Analytics
That's how big the consequences can be
The French Data Protection Authority's description of how you can use GA in the future using e.g. 'reverse proxy' with a little more detail
The new Privacy Shield - coming in a few days
Wrapping up
And remember – this may just be the beginning. Expect something similar in relation to Facebook (and thus also Instagram), LinkedIn, Zapier and all the others that are US-based providers. We are probably only just getting started…