Google Analytics better run, better run

Faster than the Austrian Data Protection Authority’s bullet…?

The new year started with a bang: the DPA pulled the trigger. But why? An Austrian website had been using Google Analytics without properly implementing IP address “anonymization”.

The Datenschutzbehörde (could it sound any more authoritative?) has stated that IP addresses are personal data because they can identify visitors if combined with other digital information. In this particular case, the visitors’ data stored by Google Analytics could have been accessed by the US government, thus violating the European GDPR laws and regulations.

The prosecution

Now that we all know the case, let’s move on to the heart of the story.

The Verdict raised several issues with many nuances but the major points we want to highlight are:

  1. A wrong configuration of Google Analytics could give Google LLC access to personal data without EU user consent;
  2. Despite all of GA’s settings and controls, Google cannot prevent personal data being accessed by the US government.

Put simply, a wrong implementation of Google Analytics by a local web publisher could provide inadequate levels of protection. Moreover, quite a lot of other online tools are based in the US or are able to access EU databases without consent. Therefore, if the Verdict were applied to all, we could see the fall of many publishers and small businesses who use the web.

The defense

What does Google have to say in its defense? Here you will find their responses to all questions asked by the Austrian DPA. The document sheds some light on the debate and includes interesting info about what GA does and what it does not do, its use of data and the controls that are in place to limit data access. Long story short, it is a reassuring document 🙂

And then, come on, let’s face it:

“In 15 years of offering Analytics services, Google has never received the type of demand…speculated about”, Kent Walker.


The Booster Box bulletproof vest



Ok everybody, let’s put down our paper bags!

After having listened to both the prosecution and the defense, our main advice is: don’t panic! We have a whole list of solutions:

  1. First, breathe and wait. Will the USA take notice and amend their data privacy and surveillance laws? We honestly don’t see that coming.
  2. Review your site to check its compliance with GDPR regulations and its alignment with Google best practices.
  3. Remember that you do have control over the data that you collect using Google Analytics. For instance, you can ensure that:
    • full IP addresses are never further processed or logged;
    • data collection is partially or completely disabled;
    • time limits are set for user-level and event-level data before automatic deletion;
    • data is deleted from Analytics servers;
  4. Implement a server-side solution, ensuring even better control over the data flow and preventing GA from ever receiving certain PII, e.g. the user’s IP address. This will give your data another layer of protection, as you will be the one deciding what info is sent to the server.
  5. Make sure you select the European hosting region when you set up a server-side Google Tag Manager for the EU website.
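
To make points 3 and 4 concrete, here is an added sketch (not Google's code and not from the original post) of the filtering a first-party collection endpoint can apply before a hit is forwarded to any analytics vendor. The hit shape (`clientIp`, `pageUrl`, `headers`) and the PII parameter list are assumptions for illustration.

```javascript
// Added example. Field names (clientIp, pageUrl, headers) are hypothetical,
// not Google Analytics or Google Tag Manager APIs.
// Query parameters treated as PII here (assumed list; adapt to your site).
const PII_PARAMS = ['email', 'phone', 'name'];
// Request headers that would reveal the visitor's address if relayed.
const IP_HEADERS = ['x-forwarded-for', 'x-real-ip', 'forwarded'];

// Zero the last octet of an IPv4 address or the last 80 bits of an IPv6 one.
function truncateIp(ip) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    const octets = ip.split('.');
    if (octets.some((o) => Number(o) > 255)) return null;
    return octets.slice(0, 3).concat('0').join('.');
  }
  if (!ip.includes(':')) return null; // unparseable: forward no address
  // Expand "::" so the first three hextets (48 bits) can be kept.
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const gap = ip.includes('::') ? Math.max(0, 8 - h.length - t.length) : 0;
  const full = [...h, ...Array(gap).fill('0'), ...t];
  return full.length === 8 ? full.slice(0, 3).join(':') + '::' : null;
}

// Remove PII-bearing query parameters, keep the rest of the URL.
function scrubUrl(pageUrl) {
  const u = new URL(pageUrl);
  for (const key of [...u.searchParams.keys()]) {
    if (PII_PARAMS.includes(key.toLowerCase())) u.searchParams.delete(key);
  }
  return u.toString();
}

// Build the hit that is allowed to leave your server.
function sanitizeHit(hit) {
  const headers = {};
  for (const [k, v] of Object.entries(hit.headers || {})) {
    if (!IP_HEADERS.includes(k.toLowerCase())) headers[k] = v;
  }
  return { ...hit, headers, clientIp: truncateIp(hit.clientIp || ''),
           pageUrl: scrubUrl(hit.pageUrl) };
}
// Constructed sample hit (documentation-range IP, example.com URL).
const sample = {
  clientIp: '203.0.113.77',
  pageUrl: 'https://example.com/thanks?email=a%40b.example&utm_source=news',
  headers: { 'X-Forwarded-For': '203.0.113.77', 'User-Agent': 'Mozilla/5.0' },
};
console.log(sanitizeHit(sample));
```

Because the filtering runs on your own server, the full address and the stripped parameters never reach the vendor, regardless of how the client-side tag is configured.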

Finally, “don’t panic” doesn’t mean you should forget about it. If you have an EU business presence, we strongly suggest you do not miss any further developments in the coming months.

And okay…if you say please, we vow to monitor the situation for you and share major updates. Just promise you’ll stay tuned!