A recent decision of the Austrian Data Protection Authority ("Datenschutzbehörde" or "DSB") stating that the continued use of Google Analytics violates the GDPR is likely to open up a big debate within the ranks of DPOs and developers, with the former having serious concerns about adopting Analytics and the latter trying to minimise the risk.
Being involved in such a lawsuit is never fun, so after a decision like this I really do not envy the DPOs called on to take a position before a similar case explodes in their own country. The full transcript of the decision is available for everyone to read, but it is a 50-page back-and-forth that is not exactly easy to follow. To summarise, the problem seems to be the use of the cookies (yes, it's always the cookies' fault, isn't it?) "gads", "ga" and "_gid", which the DSB sees as a way to uniquely identify the user. So it is not only a matter of IP anonymisation, as many professionals actually believe.
Now, I'm far from giving legal advice on these pages; the last thing I need is a lawsuit from some big company looking for a scapegoat, so I only want to share some thoughts. Even though, in my very humble opinion, all this attention on cookies and imaginary unique identifiers with the power to personally identify someone is close to madness, a little extra effort is needed to adhere more closely to the GDPR.
- Consider analytics frameworks (every framework, not only Google's) for exactly what they are: frameworks for collecting analytics data. They are not necessary for your service to be provided, so resist the urge to classify them as necessary, even if you anonymise the IP.
- Carefully read Google's DPA (Data Processing Terms) (and yes, this totally refers to my TLDR post) and put every reference needed for GDPR compliance in your cookie and privacy policy.
- Consider switching to server-side tracking: this approach lets you filter and anonymise data directly on your EU-based web server BEFORE actually sending it to anyone. A nice guide from Google itself is available; you simply need to make sure your servers are bootstrapped in the EU.
- Always ask for final approval from your own or your customer's DPO: never assume you are compliant with some law or regulation when privacy is involved. Fines are really oversized because of the mass attention on the topic, and you really don't want to be held liable for any issue that could arise.
Also, please consider using a Data Catalyst to perform better transformations before sending data to your server: when there is no clear guidance about what is allowed and what is not, taking every necessary countermeasure is significantly safer. There are a bunch of solutions available on the market, but since I'm not sponsored by any of them (*wink*), I will not advertise any: simply search for "data catalyst for anonymous server side tracking" and you will surely find something that fits your needs.
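As an added illustration of the server-side filtering step from the list above (my own example, not code from this post or from Google's guide): a small pre-processor that drops the cookies named in the decision, truncates the IP and replaces the persistent client id with a daily-rotating keyed hash before anything is forwarded. The hit shape, the `cid` parameter name and the pepper value are assumptions.

```python
"""Server-side analytics pre-processor (added example, not from the post).

Runs on an EU-based server between the browser and the analytics endpoint,
so raw identifiers never leave that server. Hits are dicts with 'ip',
'cookies' and 'params' keys (an assumed shape, not a real collect format).
"""
import hashlib
import hmac
import ipaddress
from datetime import date
from typing import Optional

# Cookie names cited in the post; the browser sets them with a leading underscore.
IDENTIFYING_COOKIES = {"gads", "ga", "_gid", "_ga", "_gads"}
CLIENT_ID_PARAM = "cid"  # assumed name of the client-id query parameter


def anonymise_ip(ip: str) -> str:
    """Zero the host part: keep /24 for IPv4 and /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymise_client_id(client_id: str, pepper: bytes, day: str) -> str:
    """Keyed hash of (day, client id): hits from one browser still group within
    a day, but the raw id is never forwarded and days cannot be linked without
    the server-side pepper (a stand-in for a secret kept in your own store)."""
    msg = f"{day}:{client_id}".encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()[:32]


def sanitise_hit(hit: dict, pepper: bytes, day: Optional[str] = None) -> dict:
    """Strip identifying cookies, truncate the IP and pseudonymise the client id."""
    day = day or date.today().isoformat()
    cookies = {k: v for k, v in hit.get("cookies", {}).items()
               if k not in IDENTIFYING_COOKIES}
    params = dict(hit.get("params", {}))
    if CLIENT_ID_PARAM in params:
        params[CLIENT_ID_PARAM] = pseudonymise_client_id(
            params[CLIENT_ID_PARAM], pepper, day)
    return {"ip": anonymise_ip(hit["ip"]), "cookies": cookies, "params": params}


if __name__ == "__main__":
    # Constructed sample hit, not real traffic.
    sample = {
        "ip": "203.0.113.77",
        "cookies": {"_ga": "GA1.2.1234567890.1600000000", "lang": "en"},
        "params": {"cid": "1234567890.1600000000", "dp": "/pricing"},
    }
    print(sanitise_hit(sample, pepper=b"example-pepper", day="2022-01-13"))
```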