Google Analytics is the most popular tracking tool, but it also raises many questions about data protection. In standard form, using it even after a consent query is hardly possible in a legally secure manner. However, there is a solution that does not require a cookie popup at all.
Introduction
The application area of Google Analytics is diverse. Here are a few common cases:
- Statistics (Visitor counter)
- Content optimization:
- Harte's Tracking: Demographic evaluations, behavioral analyses, cross-page tracking of users
- Click paths
- Ad Optimization (Conversion Tracking, Retargeting)
- Combination with Google Optimize (Split Tests)
Detailed statistical evaluations can be done very well without Google Analytics. For this, I recommend Matomo without consent or Trackboxx (commercial product of a German provider).
Analyzing click paths for content optimization can be done through Matomo.
For A/B tests analogous to Google Optimize, there are certainly more data protection-friendly solutions available, which I won't go into here.
Optimizing advertisements is at least technically easiest possible with Google Analytics. Legally, however, the complexity can hardly be mastered. As an example of this, the Google Tag Manager should be named, which Google kindly almost forces to link with Google Analytics, although it is by no means necessary. The Tag Manager alone is legally hardly masterable, as my simple investigation already shows.
But what about use cases where Google Analytics makes sense?
Legal problems with Google Analytics
As shown above, Google Tag Manager (GTM) is often used together with Google Analytics. I can only recommend not using GTM without consent. The GTM itself is not needed at all, let alone for loading Google Analytics.
If you need a Google Tag Manager, take something else or find someone who can program. An alternative for frequent cases is my Untagmanager. That won't help you and you can't find a programmer or don't want to pay? If the answer to this question Yes is, then perhaps the term Data Protection has not been deeply enough ingrained in your consciousness. No problem, the market and affected people will regulate it.
Due to the use of Google Universal Analytics cookies, consent is required. This results from the BGH ruling on Planet49 prior to December 1, 2021. According to this, § 15 Abs. 3 TMG must be applied in conformity with Art. 5 Abs. 3 of the ePrivacy Directive. ([1]) ([2])
The cookies are technically not necessary and therefore require consent. Short explanation: Google Analytics can be configured in standard mode so that no cookies are used.
Even without cookies, Google Analytics is consent-based . There are several reasons for this, see the link above in this section. Did you know that all analysis data is always processed in the USA ([1]) ?
According to Art. 13 GDPR, comprehensive information obligations regarding Google Analytics must be fulfilled. These information obligations are often referred to as Data Protection Information. Do you know how the numerous data collected with Google Analytics is processed by the Google Corporation? If so, please share it with me, because I don't know. Also for each individual cookie, name, purpose and lifespan must be named. Do you know the exact purposes of the Google Analytics cookies? I dispute it. ([1])
Further problems with Google Analytics
Since Google Analytics is used worldwide so frequently, websites that use this tool are an easily recognizable and attractive target for attacks.
Hackers can use Google Analytics to extract data from a compromised website easily, unobtrusively, and above all hardly detectable. Setting up Firewall Rules, which could prevent this, appears completely unrealistic for many websites. ([1])
If a website uses Google Analytics, it's almost certain in my experience that the website violates data protection rules. Whoever is looking for a reason to issue a warning might first look for websites that use the Google tracker. By now, everyone should have noticed that Analytics has great potential dangers.
The Solution: Analytics without Consent
The solution for a secure capture of users without consent using Google Analytics is based on a simple principle. For the solution, it goes without saying that it will be operated without technically unnecessary cookies. This is possible because Google Analytics can be used without cookies.
It seems sensible to me to find a solution for a few specific use cases. The linking of Analytics data with Google Ads data is the case that makes most sense to me. Google Ads are a way to display online advertising. Advertisers would like to know how well an ad converts and with which search terms a conversion what triggered. This can all be done without Google Analytics, but who knows that and wants to put in more effort?
It might also be sensible to track the actions of the website visitor more deeply. Many analysis tools only record how a user's click path what and how long they stayed on a page. Some may also be interested in how the user scrolled and similar things.
It is clear: With the standard script of Google Analytics, a GDPR-compliant use is hardly or not possible at all.
There are two solutions approaches, which are differently powerful and differently complicated.
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
