Google Analytics has been under a lot of criticism in recent months. Several data protection authorities such as the Austrian, French, Dutch, Italian and Danish have now classified Google Analytics as non-compliant with the European General Data Protection Regulation (GDPR). We explain what this means and whether Google Analytics can still be used.
Is Google Analytics Data Protection Compliant?
The two data protection authorities from Austria and France criticize the fact that Google Analytics stores IP addresses and thus, personal data, on servers in the United States. This customer data could be exposed to US intelligence services at any time. On the other hand, the Italian and the Dutch authorities are focusing more on the fact that the default configuration of Google Analytics is not GDPR compliant and that several measures have to be taken to make the setup compliant.
In addition, there is currently no mechanism, like EU-US Privacy Shield, that would legitimize the use of American software. On the 7th of October 2022, President Biden signed an executive order for a new framework for a EU-US Privacy Shield. A deadline for when a new Privacy Shield will be established and whether it will be sufficient to comply with the GDPR is not yet clear.
This means that it is currently not clear for how long, or if at all, Google Analytics can still be used according to the European General Data Protection Regulation (GDPR).
If the GDPR does not apply to your business model and you are only subject to Swiss Data Protection laws, you still enjoy an advantage. Firstly, Switzerland still has a valid Privacy Shield with the USA and secondly, there is almost one more year until the new policy comes into effect on the 1st of September 2023. How strict the new regulations will be has yet to be seen.
In order to continue using Google Analytics in the EU and remain compliant with GDPR is to adopt the server-side tracking (or tagging) solution.
What is Server-Side Tracking?
In client-based tracking, information is collected on the website and sent straight to the platforms involved. These platforms then set cookies to identify your users later. The diagram below illustrates the tags that are set by the website on the end device.
With server-side tagging, a server is placed in between your website and the platforms. All the information from your users’ devices is sent to this secure server. Which information is passed on to which third-party platforms can be decided on a case-by-case basis.
Is it Possible to Use Google Analytics with Server-Side Tracking in a Privacy Compliant Way?
As indicated in the diagram above, the data from Google Analytics is no longer automatically sent to Google’s servers in the US, but to a server which can be located in Europe. The data only goes on to Google Analytics after it has been modified. This means that the data can be anonymized or pseudonymized in advance, thus ensuring that no personal customer data reaches the US. The French data protection authorities mentioned Server-Side Tracking explicitly as a solution to use Google Analytics in a GDPR-compliant way.
Naturally, server-side tracking is more time-consuming than using Google Analytics in the conventional way as you are responsible for maintaining both the server and data adjustments yourself. Google already offers some assistance here, as you can obtain the server via Google and determine the location of the server yourself in the process.
You also need the technical know-how to set up the tagging correctly. Google already offers a Google Tag Manager container that can be set up on the server side. For the techies among you, we have already prepared another blog post that explains the GTM container for server-side tracking in more detail. There are also other Software-Solutions available which simplify the Server-Side setup quite a bit as for example JENTIS. JENTIS provides a separate Tag Manager and the whole Server infrastructure as well, including its maintenance.
Server-Side Tracking also Solves the Third-Party Cookie Problem
Now, if you’ve been paying close attention, you’ve probably noticed that server-side tracking can also solve another problem.
Some browsers like Firefox, Safari, and Edge (Chrome as of end of 2024) have moved to block third-party cookies directly. This is bad news for your marketing campaigns, which you may no longer be able to measure or target effectively.
Server-side tracking can now be set up on your own domain and so only first party cookies are set on the website. If you are interested in the technical details here as well, we would like to refer you to our upcoming Server-Side Tagging Tutorial.
If server-side tracking could be a benefit to you and you would like to learn more, feel free to contact us. We would be happy to discuss your individual setup with you.
