After Austria, the CNIL has also just found that Google Analytics violates the GDPR because the data flows to the United States are not secure enough—another reason to change tools. And also to prepare for the post-Privacy Shield era.
How to do it? Avoid American solutions at this stage. In France, the CNIL maintains a list of solutions benefiting from the exemption of consent for the deposit of cookies. You can find solutions like AT Internet, Abla Analytics, Matomo, or Piwik Pro.
We will tell you about it. This is our legal news of the day.
Why are CNIL and others saying no to Google Analytics?
The end of the Privacy Shield continues to have all its effects.
In the post-Privacy Shield world, any company transferring personal data flows to the United States must secure this transfer:
- in a contractual manner, for example, by signing standard contractual clauses;
- in a technical way by implementing measures such as encryption or anonymization.
In practice, all flows are concerned because American suppliers and service providers are used for a large number of things:
- outsourcing of customer relations;
- hosting a website and its database;
- use of ERP, CRM-type platforms, etc.
For some time now, cookies have also been affected. After the EDPS (which decided against the European Parliament) and the Austrian regulator, CNIL has just attacked Google Analytics.
The observation is simple: even though Google has put measures in place, it cannot prevent US intelligence services from accessing this data. In these conditions, this provider does not pass the test; the data flow toward the United States violates the GDPR.
Is Google Analytics definitely in violation of the GDPR?
Google Analytics is still the most widely used analytical tool globally, leaving the competition far behind. Everyone has become accustomed to learning on this tool.
To say that Google’s non-compliance is a surprise… is a step we will not take. We have been advising you to search for an alternative solution for some time now.
Because although practical and supposedly free, the tool has many flaws.
- Google is not just a provider. It also uses data for its purposes. This is still serious for the site publisher because it involves communicating data to a third party under conditions it does not control.
- Google Analytics combines too effortlessly with Google Ads and a rather advertising-oriented use. Unlike others, this proximity partly explains why GA does not benefit from the consent exemption specific to audience measurement solutions. Prior consent is, therefore, necessary to deposit Google’s cookies.
The recent decision by the CNIL is a bit of the last straw. It is not insurmountable to modify data flows to secure them. And Google is indeed working on it right now. But preventing potential access by US intelligence services is a real challenge, and it is not sure that there is a good answer.
Above all, a cycle has been launched now that European regulators are gradually crossing the threshold and concluding the end of the Privacy Shield. Other websites will be checked. You could be the next one that CNIL blames for using Google Analytics.
Because, yes, the website publisher is on the front line. It is the one that the CNIL will control, and that can be sanctioned at this stage. Not Google.
That’s why you need to prepare for change.
How to switch from an analytics solution? Aim for privacy-first
For all publishers who use this solution and for all agencies that recommend it to their clients, the CNIL’s decision is a real earthquake.
You will need nothing more than to get used to using Google Analytics and look for an alternative solution. But for you, choosing a privacy-friendly solution is also an opportunity.
How to do it? Avoid American solutions at this stage. In France, the CNIL keeps an up-to-date list of solutions benefiting from the exemption from consent for the deposit of cookies. You can find reasonable solutions like AT Internet, Abla Analytics, Matomo, or Piwik Pro.
It may seem less sexy because you may have fewer data and indicators. But you will gain a more ethical approach to data analytics processing, more adapted to your needs.
In the second step, it’s up to you to highlight these efforts in your communication.
And Axeptio helps you do that. How? It’s simple. Your Consent Management Platform highlights the cookies, and therefore the tools, that you use. From now on, Google Analytics will no longer appear; on the contrary, you will unveil a choice of privacy-first solution. Here is an additional argument to reinforce the trust of your audience.
End of the Privacy Shield – Is Google Analytics just the beginning?
The answer is, of course: yes!
As we explained to you. The security issue of personal data flows to the US concerns all your American providers:
- Your CRM;
- Facebook Pixel, Facebook Ads;
- Your payment providers. In its decision above, the EDPS also targeted Stripe cookies;
- Social media sharing buttons;
- Features such as Facebook Connect or Google Connect.
Replacing Google Analytics allows you to get ahead of the game because reviewing your data transfers will become necessary in the medium term.
To do this, stay informed of the decisions made by data regulators. They set the tone for which tools will be in their sights.
Conclusion: Yes, you should remove Google Analytics from your sites.
The recent decision by CNIL is one more reason to convince you that it is more than time to abandon Google Analytics.
- Because as a responsible actor, you must optimize your GDPR compliance. Even if that means stopping working with certain suppliers;
- Because your audience is concerned about how you handle their data, it is up to you to integrate privacy into your brand strategy.
There are other solution providers on the market. Of course, this is a fundamental change, it will have a cost, and compromises will have to be made.
But it’s worth it. You will improve the relevance of your data processing and make your activity more user-friendly. And thanks, in particular, to our CMP; it’s an effort that you will proudly showcase to your audience.
