In recent months, Google Analytics has evolved considerably and has now moved on to Google Analytics 4. The question is whether consent is required for the 2023 version and why. If the data transfer to the USA and Google's terms of use are not regarded as a problem, the answer depends on how the tool is configured.
This article primarily examines Google Universal Analytics. Until recently, this variant of Google Analytics was the most frequently used version. From a data protection perspective, the differences from Google Analytics 4 are largely negligible. In addition, there are so-called Google Analytics 4 Properties: properties with GA4 features that could be used with an existing Google Universal Analytics account. Parallel use of GA4 Properties and GA Properties was possible.
A word in advance about the GA4 terms of use
The Google Terms of Service state in Section "7. Privacy":
You will not transmit any information to Google that Google could use or recognize as personally identifiable information, nor will you allow or assist any third party to do so.
This means that using Google Analytics in its standard form is not possible, because the IP address alone is already personal data, and it is always transmitted to Google when GA is integrated in the standard way. Either Google has no idea about data protection, or it is deliberately shifting the entire responsibility for the data delivered to the controller who uses GA.
Google Analytics with Cookies (standard configuration)
In its standard configuration, Google Analytics has the following characteristics:
- Use of First-Party Cookies
- Transfer of the values from the cookies to Google servers
- Maintaining a unique Client Id per user, which is unique per browser and device
- Use of browser fingerprinting, including reading the viewport. For this reason alone, Google Analytics requires consent in every configuration ([1]) ([2])
- Analysis of click paths
- Evaluation of user dwell times on individual pages
Because of the cookies used and the proven transfer of cookie values by Google Analytics to Google servers, consent is strictly required. This follows from Art. 5 (3) ePrivacy Directive, which according to the BGH judgment of 28.05.2020 (I ZR 7/16) is applicable in Germany, or from § 15 Abs. 3 TMG, which must be interpreted in conformity with it.
The identifier is called Client Id, but what is meant is an identification of a user (= client).
It is not the case that this identification is stored on the client (i.e. the user's device, if one wishes to call the device a client) in every configuration. In cookie-based operation of Google Analytics, the Client Id is stored on the user's device. In cookieless operation, the Client Id is not stored on the user's device; note, however, that storing information on the user's device also works without cookies (as of 05.03.2021)!
Proof of access to cookies by Google Analytics
That Google Analytics accesses cookies can be proven as follows:
The cookies generated by Google Analytics when calling a randomly selected website are as follows:

That these cookies were generated by Google Analytics can also be proven. I'll spare you that here. Anybody technically capable will manage it on their own.
That Google Analytics accesses these cookies can be proven by looking at the tracking event sent by the Google Analytics script:
https://www.google-analytics.com/j/collect?v=1&_v=j87&aip=1&cid=1111111162.1612337222&_gid=4444463630.1612555025
The actual call is much longer; it was truncated for data protection reasons and for readability. As can be seen, the values stored in the cookies are transferred in the parameters cid and _gid. Accordingly, the cookies were clearly accessed, i.e. information stored on the user's device was accessed. This evidence is unassailable because it can be reproduced at any time (as of 10.02.2021).
Cookies are not a legitimate interest
That cookies are not covered by a legitimate interest here can be inferred from the fact alone that Google Analytics can also be operated without cookies. This case is considered next. Incidentally, it would be irrelevant even if cookies were assigned to a legitimate interest, because § 25 TTDSG, which regulates the consent requirement for cookies, does not recognize any legitimate interest! In this respect the TTDSG is a special law relative to the GDPR and takes precedence over it with regard to cookies. Under the TTDSG, it also makes no difference whether the values stored in the cookies are personally identifiable or not. The TTDSG implements the EU's ePrivacy Directive almost word for word for Germany.
If Google Analytics uses HTML5 Local Storage instead of conventional cookies, the legal basis is identical. This means that even with this so-called Web Storage, the user's consent must be obtained.
Google Analytics with cookies or web storage requires consent based on the ePrivacy Directive
Standard configuration of Google Analytics.
Google Analytics without Cookies
One of my other articles describes the configuration of Google Analytics without cookies.
If Google Analytics is configured so that no cookies are used, the characteristics are as follows:
- Maintaining a unique Client Id per user, which is unique per browser and device
- Using the browser fingerprint
- Analysis of click paths
- Evaluation of user dwell times on pages
The Client Id is of course sent to Google servers with every tracking event by the analytics tool. However, if no cookies are used, the Client Id is assigned a different value with each call to another page on the same domain (i.e. the visited website). Google Analytics therefore does not recognize a user as returning within the same session if they access two pages on the same website. This should not be surprising, because passing the Client Id from page 1 to page 2 cannot happen directly without cookies and could only take place (secretly) through fingerprinting, which cannot be verified directly.
With the help of the Client Id, a user can be tracked. The Client Id can also be read out by the website that uses Google Analytics. The code for reading the Client Id is:
```javascript
// Read the Client ID
// Execute this code after the send command!
ga(function(tracker) {
  console.log(tracker.get('clientId'));
});
```
Now a website can store every user's IP address. At the same time, the corresponding Client Id can be stored alongside each user's IP address. That this is possible at all is simply because Google Analytics makes the Client Id accessible to the web page.
A privacy-friendly variant of Google Analytics, which does not exist because of the Client Id, would at least keep the Client Id encrypted on the user's device and decrypt it only on the Google server, i.e. in the Google Analytics dashboard. This would prevent anyone from tracing which user is assigned to which hit in the Google Analytics dashboard.
If Google Universal Analytics displays the Client Id in plain text, it is possible to later export or query Google Analytics data via an interface and merge it with one's own user records. Recording the user's IP address can at least be done secretly, without it being provable. What would be provable, however, is the transfer of the Client Id to a server of one's own. This would require an AJAX call from JavaScript. Alternatively, one could pass the Client Id as a parameter when calling a subsequent page, which would also be provable. A further disadvantage of this approach would be that tracking could not continue once the user leaves the website entirely.
If the Client Id is transferred to one's own server, i.e. the server of the currently visited website, consent is required.
If the Client Id is only sent to the Google Analytics account and not elsewhere, a consent obligation under Art. 6 GDPR is not directly given. However, according to Art. 12 GDPR, transparent information about data processing operations must be provided. The privacy statements of the Google Group are the opposite of transparent.
If one looks at Google's help pages, however, one reads there that tracking of individual users based on the Client Id can take place over a longer period and across several contact points (touch points). This alone appears to require consent. In my opinion this also applies if deep user analysis is only possible with Google Analytics 360 (GA 360, previously GA Premium) and GA 360 is not even used. GA 360 allows direct access to raw data (with GA 360 one essentially pays for the possibility of exporting and evaluating the raw data). ([1])
The consent requirement also applies if one would have to dig deep into the bag of tricks to perform a so-called clickstream analysis with Google Analytics (via the Google Tag Manager). I'll spare you the link to the article that shows how it's done, as I don't want to lead anyone astray. In short, one records how Google Analytics logs data and later compares the metadata with the tracking data in order to obtain finer-grained hits that can be assigned to individual users.
Update from April 30, 2021: There is an official written statement from Google itself stating that all (!) Google Analytics data are stored and evaluated in the USA. Accordingly, a data transfer to the USA always occurs, which raises the question from Article 44 GDPR. ([1])
Google Analytics always stores all data (at least) in the USA
Statement from Google itself, reproduced in my own words, as of 30.04.2021.
Before the Google Analytics data ends up in the USA, it is usually collected by so-called collectors in the geographical vicinity of the visitor to a website and possibly sent to the destination via intermediate stations. This means that data processing potentially takes place worldwide.
Storage of the client ID
If Google Analytics is run without cookies, the Client Id is not stored on the user's device; it exists only in main memory as transient information.
When running without cookies, the Client Id is stored solely on Google servers, which is still bad enough (see above). Here is an illustration of what someone sees who integrates Google Analytics into their website and later evaluates the collected data in the Google Analytics dashboard:

It would have been quite possible for Google not to make this Client Id available and thus to be more data protection friendly. Google did not want this, so it did not want to be data protection friendly.
The following screenshot shows what you can do with Google Analytics data:

The data is not available through standard Google tools, but can be obtained without additional Google products. As the illustration shows, even the headings used when searching for the website just called up can be read out. Each individual user is also assigned a unique identifier, so users can be tracked across multiple channels. This can even be done quite easily with your own copy of the Google Analytics script, which however quickly becomes apparent when someone with technical and data protection understanding takes a closer look. Google's documentation shows how much data is recorded per user interaction with Google Analytics. There are so many fields that they can only be counted automatically: 257 attributes per hit (as of 26.07.2021). This recording always takes place, but the data is only available in Google Analytics 360.
Here is a more positive example with Piwik (Matomo), which shows that having the same Client Id both in the browser of the visited website and on the server where the analysis results are stored is obviously not necessary:

Matomo stores this visitor using the following data transfer, which takes place in the browser:
action_name=&idsite=1&rec=1&r=477433&h=13&m=29&s=28&url=https://xyz.de/&_id=&_idts=16149xx369&_idvc=1&_idn=1&_refts=0&_viewts=16149xx369&send_image=0&res=1920x1080&gt_ms=236&pv_id=bxxyyP
Comparing these parameters with the previous screenshot shows that the visitor ID 67f37f3a2aa98b84 appears nowhere. This ID is not even stored in a session cookie from Matomo; that cookie instead holds the value 8xx1f5bec073xxffe61862b70312xxe0.
Matching a visitor in the Matomo results to a user in the browser is thus not possible, which makes Matomo much more data protection friendly than Google Analytics.
There are also tools that manage without a Client Id. Since I don't want to advertise commercial providers here, I'll gladly name the one I know on request.
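The check made by hand above for the Google Analytics collect call and for the Matomo request can be automated. The helper below is an example added here, not code from the original article or from either tool: it takes the browser's cookie string and a tracking request URL and reports which device-stored identifiers reappear in the request parameters. The sample cookies and requests are constructed (the GA values are chosen to match the truncated collect call quoted earlier; the Matomo session cookie name is an assumption).

```javascript
// Added audit helper (not from the original article): finds identifiers stored
// on the device (cookie values) that reappear in an analytics tracking request.

function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function parseQuery(requestUrl) {
  const qs = requestUrl.includes('?') ? requestUrl.slice(requestUrl.indexOf('?') + 1) : '';
  return Object.fromEntries(new URLSearchParams(qs)); // percent-decodes values
}

// The _ga / _gid cookies look like "GA1.<depth>.<random>.<timestamp>";
// the value that travels as cid / _gid is the trailing "<random>.<timestamp>".
function gaIdFromCookie(value) {
  const m = /^GA\d+\.\d+\.(\d+\.\d+)$/.exec(value || '');
  return m ? m[1] : null;
}

// Returns { label: [parameter names containing that value] } for every cookie
// value (or the client id derived from a GA cookie) found in the request.
function deviceIdsInRequest(cookieHeader, requestUrl) {
  const params = Object.entries(parseQuery(requestUrl));
  const candidates = [];
  for (const [name, value] of Object.entries(parseCookies(cookieHeader))) {
    candidates.push([name, value]);
    const gaId = gaIdFromCookie(value);
    if (gaId) candidates.push([name + ' (client id part)', gaId]);
  }
  const hits = {};
  for (const [label, value] of candidates) {
    if (value.length < 8) continue; // skip short values that would match by chance
    const where = params.filter(([, v]) => v.includes(value)).map(([k]) => k);
    if (where.length) hits[label] = where;
  }
  return hits;
}

// Does the GA hit at least request IP anonymization (aip=1)?
function ipAnonymizationRequested(requestUrl) {
  return parseQuery(requestUrl).aip === '1';
}

// Constructed samples: cookie names/values are illustrative, not captured data.
const GA_COOKIES = '_ga=GA1.2.1111111162.1612337222; _gid=GA1.2.4444463630.1612555025; _gat=1';
const GA_REQUEST = 'https://www.google-analytics.com/j/collect?v=1&_v=j87&aip=1' +
  '&cid=1111111162.1612337222&_gid=4444463630.1612555025';
const MATOMO_COOKIES = 'MATOMO_SESSID=8xx1f5bec073xxffe61862b70312xxe0'; // assumed cookie name
const MATOMO_REQUEST = 'https://xyz.de/matomo.php?action_name=&idsite=1&rec=1&url=https://xyz.de/' +
  '&_id=&_idvc=1&send_image=0&res=1920x1080&gt_ms=236';
```

For the GA sample the helper reports the cookie-derived client id in cid and _gid; for the Matomo sample it reports nothing, which is the difference the two screenshots illustrate.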
DPA with Google?
In a cookieless configuration and without sharing analytics data with third parties, the person responsible for the website would have to conclude a DPA with Google. A DPA is a data processing agreement (commissioned processing contract). Such a contract can only be concluded with Google if Google does not use the data collected with Google Analytics for its own purposes.
Data transfer to third parties
The Google Analytics terms of service state under point 6 that Google may pass data on to third parties in order to provide the service. This is permissible as long as these third parties can guarantee an appropriate level of protection in accordance with the GDPR. This raises the question of who these third parties are. Let us leave this point aside for now.
Data access from an unsafe third country
The first sentence of the aforementioned terms of use mentions Google LLC: "These terms of service for Google Analytics… apply between Google LLC and you…". Google LLC has its headquarters in the USA.
There is a further indication that a Google Analytics customer actually concludes its contract with Google LLC, USA, and not with Google Ireland Limited, Ireland: Google occasionally sends emails to Analytics customers. I received one such email:

The footer of the mail reads as follows:

It should be noted that I registered with Analytics as a company based in Germany. Google explicitly asks for this information in order to display the conditions that apply to Europe.
I consider the aforementioned email and the information in the agreement with Google when opening an Analytics account to be proof that the contractual partner is Google LLC, USA. If you click on the unsubscribe link in the aforementioned email, a website appears on which Google LLC, USA, is again named as the operator of the website.
The central contractual partner for German Google Analytics customers is Google LLC, USA
Provable fact.
The USA is an unsafe third country, for which there can be no guarantee that the GDPR will be complied with. Standing against the GDPR are the FISA Act (Foreign Intelligence Surveillance Act) and the CLOUD Act. Standard Contractual Clauses are therefore bullshit in the USA.
Google Analytics without cookies requires consent due to data transfers to insecure third countries
In addition, there is probably also an obligation to obtain consent because of the non-transparent information provided by Google.
Use your own client ID
It is possible to use a custom Client Id instead of the one provided by Google. This makes sense in particular when using multiple Google Analytics accounts.
```javascript
ga('create', 'UA-XXXXX-Y', {
  'storage': 'none',
  'clientId': '12a24efd-ec42-492a-92df-c62cfd4540a3'
});
```
The code shown passes a custom Google Analytics Client Id, which was previously generated by the website or reissued for a returning user. In addition, cookies are disabled. With cookies, this case would be identical to the one described above.
The use of one's own Client Id leads directly to a consent requirement under Art. 5 (1) c GDPR or Art. 25 GDPR, the principles of data minimization and data protection by design.
Google Analytics with its own client ID is subject to the consent requirement pursuant to Art. 5 (1) c GDPR, Art. 25 GDPR.
In addition, there may be further legal claims.
Own user ID for Google Analytics
Instead of a Client Id, a website can use its own User ID. The differences between Client Id and User ID are:
- The Client Id is pseudonymous and limited to one browser on one device. The User ID can work across devices and identify users personally.
- The Client Id is the standard for Google Analytics evaluations. The User ID must be enabled for evaluations.
- The Client Id is automatically assigned. The User ID must be assigned and managed by the Google Analytics customer.
The following code shows how to pass one's own User ID to Google Analytics.
```javascript
ga('create', 'UA-XXXXX-Y', 'auto', {
  userId: USER_ID
});
ga('send', 'pageview');
```
Before the User ID is passed to Google Analytics, it must be generated by the website itself.
The User ID can be secretly linked to an IP address. Furthermore, it can be assumed that the User ID is matched with user data that has been or is being collected in other ways.
Consent is necessary when using one's own User ID for Google Analytics.
Google Analytics with its own user ID is subject to consent on the basis of Art. 5 (1) c GDPR or Art. 5 (3) ePrivacy Directive, depending on the design
The User ID can be managed in different ways, and the assessment depends on this.
Summary
The following table shows the evaluation of consent obligation in various Google Analytics configurations:
| Google Analytics configuration | Assessment |
|---|---|
| With cookies | Consent obligation according to Art. 5 (3) ePrivacy Directive |
| Without cookies, with Client Id, no own use of the Client Id | Consent obligation according to Art. 44ff GDPR or Art. 5 (1) b or c GDPR or Art. 25 GDPR |
| Without cookies, with Client Id, own use of the Client Id | Consent obligation according to Art. 5 (1) b or c GDPR or Art. 25 GDPR |
| Without cookies, with own Client Id | Consent obligation according to Art. 6 GDPR or Art. 5 (1) c GDPR or Art. 25 GDPR |
| Without cookies, with User ID | Consent obligation according to Art. 5 (3) ePrivacy Directive or Art. 5 (1) c GDPR or Art. 25 GDPR (depending on the implementation of the User ID) |
For all these scenarios there is a consent obligation under Art. 44ff GDPR, because the service provider Google LLC is located in the USA and operates worldwide, and because it passes data on to third parties.
Similarly, for all these scenarios it remains likely that a consent obligation exists due to Art. 12 GDPR, which requires transparent information for the user. Art. 5 (1) b GDPR also demands clear and defined purposes. Can you explain Google's data protection and usage conditions to me? Can you tell me who or what is meant by "Google"? As for the latter, I have since found out that "Google" in the sense of the Google privacy policy for the EEA (European Economic Area) essentially corresponds to the Google Group, i.e. Google Ireland, Google USA and more than a hundred subprocessors.
At all times, care must be taken not to use opt-out cookies. Instead, the Google Analytics script should simply no longer be loaded once the user has revoked their consent.
Those who value a high degree of legal certainty should use a different analytics tool. For example, Piwik (Matomo) can be configured in a local installation so that consent is not required. WP Statistics for WordPress websites also does a good job.
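One way to implement that recommendation, as an example added here and not code from the original article: the analytics.js loader is only inserted while a consent record says "granted", and revocation marks the record so nothing is loaded on later pages, rather than loading the script anyway and setting an opt-out cookie. The consent record shape, the fakeDocument test double and the UA-XXXXX-Y placeholder are assumptions made for this example.

```javascript
// Added example (not from the original article): consent-gated GA loading.
const GA_SCRIPT_URL = 'https://www.google-analytics.com/analytics.js';

// consent: { analytics: 'granted' | 'denied', revoked: boolean } (assumed shape,
// persisted by the site's consent management, not by an opt-out cookie)
function analyticsAllowed(consent) {
  return !!consent && consent.analytics === 'granted' && consent.revoked !== true;
}

// Queues the usual create/pageview commands and inserts the analytics.js tag.
// Without consent it inserts nothing, so no request to google-analytics.com
// (and no fingerprinting) happens on this page. Returns the injected URLs.
function injectAnalytics(doc, consent, propertyId) {
  if (!analyticsAllowed(consent)) return [];
  const w = doc.defaultView;
  // Standard ga() command stub: buffers commands until analytics.js loads.
  w.ga = w.ga || function () { (w.ga.q = w.ga.q || []).push(arguments); };
  w.ga('create', propertyId, 'auto');
  w.ga('send', 'pageview');
  const s = doc.createElement('script');
  s.async = true;
  s.src = GA_SCRIPT_URL;
  doc.head.appendChild(s);
  return [GA_SCRIPT_URL];
}

// On revocation: mark the record so injectAnalytics refuses on every later page
// load, and silence the tracker already running on this page via the documented
// window['ga-disable-<PROPERTY_ID>'] switch. Returns the new allowed state.
function revokeAnalytics(doc, consent, propertyId) {
  consent.revoked = true;
  doc.defaultView['ga-disable-' + propertyId] = true;
  return analyticsAllowed(consent);
}

// Minimal document stand-in so the gate can be exercised outside a browser.
function fakeDocument() {
  const head = { children: [], appendChild(el) { head.children.push(el); } };
  return { head, defaultView: {}, createElement: (tag) => ({ tag }) };
}
```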




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.