Google Analytics breaches GDPR according to French data protection Watchdog CNIL
Posted by Fabien Galet on
If you are trading in Europe and France in particular, this update is for you. The French data protection watchdog, CNIL, announced that Google Analytics is non-compliant with and breaches GDPR. (Similar situation with Austria last month).
Right after the new regulation, one French site was given a formal notice from the CNIL because of the use of Google Analytics.
What is Google Analytics?
As part of many services that Google provides, Google Analytics is probably one of the most used tracking tools by website owners. It provides traffic and online sales statistics and can be easily integrated into sites.
The tracking solution assigns a unique identifier to each visitor in order to measure the frequentation of a site. This personal data is directly transferred by Google to the United States, a country that does not offer protection comparable to the European GDPR.
Why is it an issue in the first place?
The CNIL and the European counterparts have analysed the conditions on which data collected using this tool is transferred to the United States. With that said, they are now considering these transfers to be illegal.
In fact, based on the analysis, the CNIL said Google Analytics breaches article 44 of Europe’s General Data Protection Regulation, GDPR, and the tech giant Google hasn’t done enough to ensure data protection.
What are the consequences for site owners that use Google Analytics?
Based on the above evaluation, Google is not held responsible if online businesses use Google Analytics. That means the website owners will have to be GDPR compliant by using other tracking tool alternatives. If notice is given from the CNIL, owners will have one month to find a solution to anonymise data.
There is a fear that there might be a snowballing effect across Europe. They need to be prepared when switching eventually to compliant tracking tools such as Omniture and Piano as they seem to be good alternatives for now.
CNIL suggests transitioning away from Google Analytics and replacing it with a different tool that does not transmit the data. However, they do not call for a complete ban, which seems quite ambiguous at this stage.