Google Analytics is a tracking tool that still enjoys great popularity. From a data protection perspective the tool is hardly controllable, because it is not known whether and how Google itself uses the data that a website collects with Analytics.
The complexity of Google Analytics far exceeds the capabilities of nearly all responsible individuals, which alone leads to widespread data protection violations.
My argument.
There are various versions of Google Analytics available:
- Google Analytics 4 (quite new)[1]
- Global Site Tag for Google Analytics 4
- Google Universal Analytics (current), which is the version referred to in this document unless otherwise specified
- Global Site Tag for Google Universal Analytics
- Legacy Analytics (old)
- Urchin Analytics (very old)
- Google Tag Manager as a container for the above standalone Analytics variants
Is consent required for Google Analytics?
Depending on its scope and configuration, Google Analytics records more or less user data, but always a lot. Some configurations, such as data sharing for Google products & services, are subject to consent. Other configurations are less clear-cut, assuming one believes that Google does not use others' data for its own purposes. Exactly this impression is created when reading Google's contract documents (such as the privacy policy, terms of service etc.). ([1])
Further Resources
For the dimensions browser and end device, Google stores a unique identifier for each user in order to reduce user anonymity; in Google Analytics it is referred to as the Client ID (client identifier). A person cannot be directly identified with it. However, one can easily store the user's IP address together with Google's Client ID on one's own server. When needed, one exports the Client IDs using the practical export function in Google Analytics and simply matches them against the self-recorded IP addresses for de-duplication of users.
In the cookie-free variant and with a maximally data protection-friendly configuration, Google Analytics could function without consent, without a Client ID and without the uncomfortable feeling that Google itself is secretly exploiting the data collected by others (as long as the server location isn't also a problem). However, this raises the question of what advantage this tool has over other, clearly more legally secure tools that require less security effort. In the cookie-free variant and with a GDPR-friendly configuration, Google Analytics shows two users in the dashboard for two consecutive page reloads. Other tools can do this better, without raising data protection issues. In summary, all of this is without apparent benefit for most website operators [4], though possibly of benefit to Google.
Formerly, Google Analytics used third-party cookies and was considered to require consent for that reason alone. Currently, Google Analytics uses first-party cookies, but uses them in exactly the same way as the previous cookies:
| Third-Party Cookies | First-Party Cookies |
| --- | --- |
| Store user identifiers | Store user identifiers |
| Google Analytics has access via domain | Google Analytics has access via JavaScript |
| The embedding website does not have access to cookies | The embedding website has access to cookies |
| The embedding website can identify users via JavaScript | The embedding website can access user identifiers through cookies |
| Google can access data from other Analytics accounts via cookies and potentially through Google servers | Google generally has access to data from other Analytics accounts |
As can be seen, a website that integrates Google Analytics has access to no less information via first-party Google cookies than when using third-party Google cookies. Google itself also potentially has the same level of access – although this must be assumed based on Google's statements (privacy policy, terms of use etc.) if Google Analytics is operated in a configuration with cookies and otherwise maximally data protection-friendly. However, it is up to the responsible person – the operator of the website that integrates Google Analytics – to prove the legality of the processing.[2]
My practice test showed that the settings for data release in Google Analytics could be easily expanded afterwards for already collected user data. This means that the following procedure is possible:
1. Google Analytics is configured to be as GDPR-compliant as possible
2. User data is collected with Google Analytics
3. The data sharing from Google Analytics towards other Google services is expanded, such as to Google Products & Services (thereby creating a joint responsibility according to Google's guidelines; previously it was a DPA)
4. The user data collected prior to the data sharing, as mentioned in point 2, is now potentially being misused contrary to its original intended purpose
5. If needed, Google Analytics can be reconfigured with a single mouse click (joint responsibility suddenly becomes a DPA again)
The completely new Google Analytics 4 has the following data collections pre-set [3]:
- Page views
- File Downloads
- Scrolls
- Clicks on external links
- Video engagement
This default setting will most likely result in tracking that requires consent.
The LDA Bavaria takes the somewhat undifferentiated official position that Google Analytics is impermissible without consent:
Regardless of whether the IP address is shortened or not, consent must be obtained.
Source: https://www.lda.bayern.de/de/faq.html
In response to my inquiry to the LDA Bayern on this matter, the authority responded quickly and asked whether it would be better to express this in a more differentiated way. I confirmed this and would be pleased if the FAQ of the BayLDA were improved accordingly. On the positive side, there was definitely the quick response and the constructive follow-up question from the authority!
In an investigation, it was found that the uncertainty in data collection caused by activated IP anonymization is considerable. For 81% of users, their location was recorded with comparable accuracy despite activated anonymization as if no anonymization had been activated.
According to information from Google [6], Google transmits the data collected with Google Analytics to numerous third parties in numerous third countries, including insecure third countries.
Furthermore, Google explains how Google uses data from websites or apps that integrate Google Tools (links from the source removed):
When you visit a website that uses advertising services like AdSense or analytics tools like Google Analytics, or embeds video content from YouTube, your web browser automatically sends certain information to Google. This includes the URL of the visited page and your IP address. We may also set cookies in your browser or read existing cookies. Similarly, through apps that use Google's advertising services, data is transmitted to Google, such as the name of the app and a specific identifier for advertising purposes.
We use the information you provide to us through websites and apps to deliver, maintain and improve our existing services, to develop new services, to measure the effectiveness of certain advertising, to protect against fraud and abuse, and to personalize content and ads that you see both on Google and on our partner websites and apps.
Source reference: https://policies.google.com/technologies/partner-sites?hl=en
Google Analytics collects data from various sources about users, including:
- HTTP Request
- Browser and system information
- Cookies (including DoubleClick cookies)
In the German data protection provisions, the term "Google" refers to the company "Google Ireland Limited" as well as its "affiliated companies". "Affiliated companies" are defined as follows (bold emphasis added) ([source]):
A company that belongs to the Google corporate group, namely Google LLC and its subsidiaries, including the following companies that offer consumer services in the EU: Google Ireland Limited, Google Commerce Ltd and Google Dialer Inc.
Source: https://policies.google.com/terms?hl=en
Google LLC is a company headquartered in the USA. This alone makes loading Google Analytics a critical process under data protection law, because data can potentially be sent to an American company, to servers in the USA or to third parties. Update: Google itself admits that all Analytics data is always processed in the USA. ([1])
Google cannot provide Google Analytics as a data processor, because Google itself uses the data that third parties (namely other websites) collect with Google Analytics, and according to its privacy policy forwards it to numerous third parties, potentially arbitrary ones or ones with insecure data standards [7][8].
In my view, the use of Google Analytics is subject to consent for one of the following reasons:
- the configuration is obviously subject to consent or
- the configuration unintentionally tracks more than intended or
- the data situation potentially allows for tracking of users or
- the data sharing to other Google services can be expanded retrospectively for already collected users or
- user actions can potentially be tracked using the Measurement Protocol or
- Google can be assumed to use the data for its own purposes or
- the server location is in an insecure third country.
Anonymization of IP addresses during tracking events
When accessing the Google Analytics script, the user's IP address is automatically transferred to a Google server as per the Internet Protocol. Even when tracking events are sent by the tool, the user's network address is also transmitted.
IP address anonymization in Google Analytics means that the user's IP address is not transmitted as an event parameter when tracking events are triggered (it is, however, necessarily passed along in the traffic data of the tracking event). This anonymization should definitely be enabled, or is already active in the current standard configuration of Analytics. You can check this by looking at the source code of a page that embeds Google Analytics. It should contain a reference to anonymizeIp. However, the following is wrong:

This anonymization is only activated after Google Analytics has been started via the send command. It's essential to have the instruction anonymizeIp before the send command.
If Google Analytics is embedded via the Google Tag Manager or something similar, the code looks different. In this case, open the developer console in Firefox (or other browsers) by pressing F12 and navigate to Network Analysis. Then, visit the website where Google Analytics is embedded. Now, search for a collect call to the domain google-analytics.com:

The parameter aip=1 indicates that IP address anonymization is enabled.
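The two checks described above, the position of anonymizeIp relative to the send command in an analytics.js snippet and the aip=1 parameter on collect calls, as an added example that is not part of the original article. The function names are hypothetical, the snippets and request URLs are constructed, and UA-XXXXX-Y is a placeholder ID.

```javascript
// Added example: function names are hypothetical, sample data is constructed.

// Extract the ordered ga() commands from inline analytics.js script text.
function gaCommands(scriptText) {
  const re = /\bga\(\s*(['"])([\w.]+)\1\s*(?:,\s*([^)]*))?\)/g;
  const calls = [];
  for (const m of scriptText.matchAll(re)) {
    calls.push({ command: m[2], args: (m[3] || '').replace(/\s+/g, '') });
  }
  return calls;
}

// Count send commands that run before ga('set', 'anonymizeIp', true).
function sendsBeforeAnonymize(scriptText) {
  let anonymized = false;
  let unprotected = 0;
  for (const { command, args } of gaCommands(scriptText)) {
    const name = command.split('.').pop(); // allow "trackerName.send"
    if (name === 'set' && /^(['"])anonymizeIp\1,true$/.test(args)) anonymized = true;
    if (name === 'send' && !anonymized) unprotected += 1;
  }
  return unprotected;
}

// From request URLs copied out of the browser's network view, return the
// google-analytics.com collect calls that lack aip=1. Hits sent via POST may
// carry their parameters in the request body, which this URL check does not see.
function collectHitsWithoutAip(requestUrls) {
  return requestUrls.filter((raw) => {
    const url = new URL(raw);
    const isGaHost = /(^|\.)google-analytics\.com$/.test(url.hostname);
    const isCollect = /\/collect$/.test(url.pathname);
    return isGaHost && isCollect && url.searchParams.get('aip') !== '1';
  });
}

const WRONG_ORDER = `ga('create', 'UA-XXXXX-Y', 'auto');
ga('send', 'pageview');
ga('set', 'anonymizeIp', true);`;
const RIGHT_ORDER = `ga('create', 'UA-XXXXX-Y', 'auto');
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');`;
const SAMPLE_REQUESTS = [
  'https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-XXXXX-Y&cid=555.666&aip=1',
  'https://www.google-analytics.com/j/collect?v=1&t=pageview&tid=UA-XXXXX-Y&cid=555.666',
  'https://example.org/collect?v=1',
];
console.log(sendsBeforeAnonymize(WRONG_ORDER), collectHitsWithoutAip(SAMPLE_REQUESTS));
```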
Measuring the effectiveness of Google Ads with Google Analytics
Google Analytics can be used to measure the effectiveness of ads run on Google platforms. Some argue that this (including the use of tracking cookies) is essential for some businesses, as they would otherwise not be able to operate economically. However, it should be noted:
- The Google Terms of Service for Advertising Products explicitly state that no personal data may be transmitted to Google for advertising purposes3. For Google Analytics, this specifically means "online identifiers (including cookie identifiers), Internet protocol addresses, and device identifiers" assigned by the customer3.
- Google Ads can also be optimized with other Google tools without Google Analytics. Google writes here: “Conversion tracking can help you see how effectively your ad clicks lead to valuable customer activity on your website, such as purchases, sign-ups, and form submissions.” ([1])
- The optimization of landing pages or the recognition of recurring visitors can also take place without Google Analytics, for example through logics that run on one's own server. In this case, even the ad from which a visitor comes can be taken into account – entirely without Google tools
- Remarketing functions through tools of third parties are subject to the consent requirement even more than other tracking mechanisms (cf. judgment of the VG Bayreuth on Facebook Custom Audiences from 08.05.2018 – B 1 S 18.105 or judgment of the ECJ on Fashion ID from 29.07.2019 – C-40/17)
- Google Ads can only be optimized with Google Analytics if data sharing for Google Products & Services has been activated in the Google Analytics account. This, however, generally requires consent, as Google acts as Joint Controller, so that the Google Terms of Service apply (which effectively demand consent when using cookies or similar technologies) and its customers (website operators) even check themselves. ([1]) ([2])
- These ads can only be partially made more effective with the tools provided by Google, and are relatively effective (or ineffective) in themselves (depending on how one views the fairly low conversion rates). The legitimate interest thus recedes into the background for this reason alone. A survey of online marketing agencies conducted by the author revealed that none of the fifteen randomly selected respondents claimed to be able to make ads with Google Analytics more effective.
Conclusion: Google Analytics may not be used without consent to support optimization for Google Ads. In a separate article, I describe the requirement for consent in more detail.
Alternatives
There are various privacy-friendly alternatives to Google Analytics. These are likely sufficient for 99% of website operators!
In a separate article, additional alternatives for various Google tools are described. ([1])
A prominent representative of a data protection-friendly analysis service is Matomo. Matomo can even be used without consent, if the tool is configured accordingly.
[1] For a comparison between Google Analytics 4 and Google Universal Analytics see https://support.google.com/analytics/answer/9964640?hl=en
[2] See also the judgment of the CJEU of 11 November 2020 – C-61/19, point 42. According to the author's investigation and knowledge, a joint responsibility with Google exists only if data sharing in Google Analytics for Google Products & Services is activated; a consent by the user would then be required in any case.
[3] See https://support.google.com/analytics/answer/9216061?hl=en as well as Google Analytics Dashboard
[4] The only conceivable benefit would be as a signal to Google of how long a user stayed on the website.
[5] See https://www.conversionworks.co.uk/blog/2018/04/16/ip-anonymization-ga-impact-assessment/
[6] In https://support.google.com/analytics/answer/3379636?hl=en Google confirms that the previous DPA for Google Analytics no longer applies (if such a contract – probably in English – was concluded and was even legally valid) and instead this DPA applies: https://privacy.google.com/businesses/processorterms/. See there especially sections 10 (Data transmissions) as well as 11 (Subcontractor processors). See also footnote 27 and the corresponding section, which suggests that a contract for Google Analytics cannot be concluded with Google.
[7] https://www.datenschutz-praxis.de/verarbeitungstaetigkeiten/google-analytics-datenuebermittlung-verstoesst-gegen-dsgvo/ and Google's statement ("You agree that Google or its affiliated companies may collect, use, and share your usage data associated with the Service for the purpose of providing the analytics and tracking services…")
[8] See https://policies.google.com/privacy?hl=en, where Google admits combining data from Google Analytics with data from third parties, allowing third parties (such as advertisers) to benefit from this. If these conditions do not apply due to a DPA (see https://privacy.google.com/businesses/processorterms/, Section 4.2), Sections 10 and 11 of the aforementioned DPA state that Google can transfer data to its American parent company, Google LLC, which is not compatible with the GDPR without consent (cf. FISA Act, Footnote 39).
Key takeaways of this article
Google Analytics is problematic due to insecure data processing and the transfer to Google, and is often not legally compliant with data protection regulations.
Although Google Analytics is now GDPR-compliant, it can still lead to privacy issues because it may potentially misuse user data.
Google Analytics may not be used without user consent as data is transferred to Google and possibly also to companies in the USA.
Google Analytics is problematic because it collects user data and may share this data with third parties without informing users.
Google Analytics may not be used for advertising optimization without consent.
Using Google Analytics may violate the General Data Protection Regulation (GDPR) because Google transfers data to the USA and links it with data from other companies.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
