Google Analytics : How to be GDPR compliant?
In February 2022, the CNIL declared that Google Analytics was not GDPR compliant. Panic then agitated the companies using data collected by Google Analytics. The CNIL, seized by the NOYB association, considered that the American giant did not respect the European regulation on data protection regarding the transfer of data to the United States.
The consequences are immediate for website managers who must in any case comply with the GDPR. In practice, the CNIL is even considering banning the use of Google Analytics as long as Google does not sufficiently regulate the transfer of personal data to the United States.
Should we change the data analysis tool used on websites ? Can we wait for Google to follow the rules in Europe, at the risk of being caught in the meantime ? If not, how to be GDPR compliant ? Which alternative to Google Analytics to choose ? And how to comply with the GDPR with Google Analytics ?
Reasons and consequences of the CNIL’s injunction against Google Analytics
Google Analytics uses your user data for its own purposes and therefore transfers it to the United States, which is not compliant with the GDPR, as pointed out by the CNIL in an article dated February 10, 2022. However, you must comply with the European Data Protection Regulation.
These obligations must be specified in your privacy policy, confirming your company’s compliance with the GDPR. So the risk regarding the management of your site’s user data concerns you directly, even if the transfer to the United States is not directly of your making.
As a reminder, this General Data Protection Regulation is applicable in the European Union since May 25, 2018. If the CNIL has shown tolerance and more conducted a mission of awareness for a few years, it is now beginning to crack down more and apply sanctions, often heavy, to companies that would not implement corrective actions to comply with the GDPR.
In this context, Google Analytics is now in the target. However, it is undoubtedly the tool most used by companies to monitor the performance of a website, which puts many companies in trouble.
The role of Google Analytics
Google Analytics is a powerful tool for analyzing website visitor data. It collects information and processes personal data to provide analyses of user behavior on a website. It is particularly interested in :
- The frequency
- The duration of their visit on the site
- Their place of connection
- The source of the connection (social networks, search engine, other website, direct connection)
- The keywords used to land on the site
This user data, compiled and analyzed, is then used to determine a digital marketing strategy and advertising campaign. This is to generate more visits, improve the customer journey and therefore convert more customers.
The consequences of the transfer of personal data from Google Analytics to the United States on GDPR compliance
What a webmaster does with his users’ data is already a very important issue. But what Google Analytics does with it, without the site administrator even being informed, is a much bigger one. It appears that the American company transfers data to the United States without respecting European regulations.
Initially, only a few sites of large French groups were put on notice by the CNIL for non-compliance with the GDPR (and not Google Analytics itself). However, does this clear the way for other websites, especially lesser known companies? Unfortunately, no.
They too can be put on notice at any time if an association or even a private individual files a complaint. This is at least the case as long as Google has not acted on its data transfer methods from the European Union to the other side of the Atlantic (or any other country for that matter).
Comply with the GDPR with Google Analytics: is it still possible?
Good news: respecting the GDPR with Google Analytics is indeed possible. In practice, staying within the bounds of the GDPR, without deleting Google Analytics, means limiting the data of its users. To do this, log in to your user interface, your dashboard, to check that you are not collecting any clearly identifiable personal data, such as a phone number, an email address, or even the name of visitors.
You can also reduce the lifetime of Google Analytics cookies. The GDPR gives for example a limit of 13 months for advertising cookies. This is not respected by Google in any case, since the minimum retention period for cookies is 14 months. To change this, it is necessary to act on the site in the source code of the JavaScript tag, or via the Google Tag Manager tool. Of course, in this context, Google Analytics, which is basically easy to use, immediately becomes much more technical.
Alternative solutions to Google Analytics to comply with the GDPR
But rather than going through tedious Google Analytics adjustments, why not choose an alternative solution ? Of course, Google Analytics is a very powerful tool with a very large amount of data available. But depending on your activity, you don’t necessarily need everything it offers and, above all, you take a risk as to your reputation with your customers and partners.
Moreover, this data is not necessarily adapted to what you are really looking for to increase your growth and customer satisfaction. There are other solutions, more ethical and allowing an analysis of user data that truly meets your needs.
Matomo, the alternative to Google Analytics that lets you control your data
Recommended by the CNIL and GDPR compliant, Matomo is an open source analysis tool that protects your data and your customers’ data. This solution does not transfer the data to another country: and for good reason, it does not host it on its own premises, but directly on your own server on prem or on a secure cloud. Moreover, this solution allows you to use your site more fluidly, without consent screens.
Matomo offers a freemium self-hosted version that requires some technical knowledge and a server, but with the main features and an unlimited number of sites. Cloud versions are paid and the price depends on the level of visits to the site.
Sitecore Experience Analytics, improving customer experience at the heart of performance
Today, customer behavior on websites is no longer limited to user data, but must include a real analysis of the customer experience. With this in mind, Sitecore has developed Sitecore Experience Analytics to measure both the quantity and quality of interactions.
The latter is measured by an indicator: the engagement value, calculated both on the use of the visitor and by points awarded according to his actions. These points are directly related to your activity and your objectives. You will be able to determine the axes of your digital marketing and your budget on the right channels.
Sitecore Experience Analytics is also 100% GDPR compliant and does not use your customer data for its own purposes.
We are one of the main partners of the platform in France. Discover all the functionalities offered by Sitecore.
GDPR compliance
The respect of the GDPR is an obligation for companies and websites that collect data on their customers and users. The use of Google Analytics in its current state represents a legal risk, first of all a formal notice from the CNIL.
Beyond the legal stakes, such a situation has a negative impact on the reputation of a brand and on customer trust. To avoid such a reprimand and deteriorate your brand image, it is important to switch to an adapted and GDPR compliant data analysis solution. Or, at the very least, implement the necessary adjustments with Google Analytics to meet the requirements of the CNIL and the European Data Protection Regulation.
Do you want to be accompanied by an expert team in order to become GDPR compliant ?
Contact us, our specialists will be able to guide you and help you find an alternative solution to Google Analytics.
