The future of marketing is one without third-party cookies. Apple is rolling out iOS 14.5, which actively blocks trackers and cookies. iOS has a 39% market share in the Netherlands and as much as 50% of video traffic. Continuing to rely on third-party data is becoming impossible.

In January 2020, Google announced that by 2022 third-party tracking cookies will no longer be allowed in Google Chrome. With this, Google Chrome is one of the last web browsers to block third-party tracking. Privacy, the GDPR and the transfer of European consumers' data to American providers are currently the subject of much debate (see also the article by Erwin Boogert).

The Court of Justice of the European Union ruled in 2020 that Privacy Shield is invalid. Under the far-reaching CLOUD Act, US security services have access to personal data, even if that data is stored by a European subsidiary in the EU, as long as there is a link to an American company such as Google or Facebook. The US does not provide sufficient safeguards to protect personal data. European privacy legislation requires you to audit the entire chain of companies that process the data, and as soon as that chain ends up in the US, the audit fails. The European privacy group Noyb has already filed complaints against 101 websites because they still send data to the US.

This means that, as an organisation, you need to think carefully about which type of analytics you use to analyse your web statistics and campaign results. Collecting this type of data requires compliance with laws and regulations such as the GDPR.

Like many others, you probably use Google Analytics Universal regularly. Universal is a system based on third-party data. Meanwhile, Google Analytics 4 (GA4) has been rolled out; it works on the basis of predictions instead of third-party data. You can simply run this new property alongside your current Google Analytics Universal views. Eventually Google will say goodbye to Analytics Universal, and so will you. But is Google Analytics 4 really GDPR-proof? Is there another analytics tool that is more GDPR-compliant, and do its costs outweigh Google’s free model?

What has Google changed in Analytics 4 regarding privacy?
With Google Analytics 4, Google has also updated its privacy policy. Google now defines itself as a data processor: if you use Google Analytics, Google is the data processor. This is important to know when talking about the GDPR. Google says the following about this:

“Google acts as a data processor for Google Analytics. This is reflected in our ad data processing terms, which are available to all Google Analytics customers with a direct contract with Google.”

However, as an administrator you can enable data sharing settings for Google Ads or Analytics, for example, and accept Google’s measurement controller-controller data protection terms. For GDPR purposes Google is then a controller of the data shared and used under these settings. Google thus has access to the data that customers share with it, and the tech giant can analyse that data to better understand behaviour and trends and to improve its products and services. Resellers and agencies are not allowed to enable this data sharing setting or to accept these terms. In practice, it happens often enough that an agency or reseller does accept them anyway.

Users give consent, but under the law they also have the right to withdraw it. GA4 therefore now also offers the possibility of removing user data. However, you cannot remove the data of a single visitor; what you can remove are event labels, event categories, user IDs and events from a specific time frame. That is easier said than done: to delete data based on a user ID or a cookie you need the User Deletion API, and applying it within your property requires development knowledge.

Along with the privacy policy, the data processing terms have also been updated. The update also lists the responsibilities of organisations, such as informing EU citizens and obtaining their valid consent: that responsibility explicitly lies with you.

In the intro of this blog you could click through to an article by Erwin Boogert about sending data from EU consumers to the US. So let’s also look at data residency. When you use Google Analytics, your data is spread across public cloud data centres, most of which are in the US (the rest are in Asia or the EU). Curious about all the data centres? Check out the overview from Google.

To ensure that data processing with Google Analytics is ‘legal’, you must sign standard contractual clauses (SCCs) with Google. Google updated its SCCs in August 2020:

“From 12 August 2020, Google will rely on the European Commission’s standard contractual clauses (SCCs) for the transfer of online advertising and measurement data from the European Economic Territories, the United Kingdom or Switzerland.”

Google says it is switching to these SCCs because of the ruling by the Court of Justice of the European Union that declared the EU-US Privacy Shield invalid (16 July 2020). However, this is not the solution. As Erwin Boogert notes in his article: ‘SCCs, however, do not by default provide sufficient certainty in the regulators’ interpretation. “In most cases, this is only allowed if a company takes sufficient additional measures to ensure the security of the transmission.”’ The Court of Justice of the European Union ruled that cloud services hosted in the US, such as Google Analytics, no longer comply with the GDPR and EU privacy law. The mandatory audit you have to have performed at Google will fail because of the lack of safeguards: after all, the CLOUD Act always overrides them, since the law takes precedence over private agreements. This means that you run the risk of being fined if you continue to use GA.

Are other Analytics tools GDPR proof?
Don’t want to use Google Analytics Universal or Google Analytics 4 because of privacy considerations? There are of course a number of other tools you can use to still run analytics on your site or in your app. The best known are Matomo (formerly known as Piwik) and Piwik PRO. Or rely on analytics from Zoinks :). Zoinks Analytics is coming to you very soon.

Matomo
The foundations of Matomo were laid in 2007, when more and more organisations were using analytics tools and data collection to guide their direction. With this came concerns about data storage, privacy and ownership of data. Matomo is different because it does not use data sampling and, unlike Google Analytics Universal and Analytics 4, it is not free. Matomo has two options, On-Premise and Cloud. With On-Premise, the data is hosted on your own servers; with Cloud, it is hosted on Matomo’s servers. This last option comes with a price tag.

Piwik Pro
“Our product is the alternative to Google Analytics, focused on complying with the strictest security and privacy rules in the world.” Piwik Pro started back in 2013 as a consulting service for Piwik (now Matomo). In 2016, Piwik Pro developed its own platform and is now a privacy-oriented alternative to Google Analytics. To use Piwik Pro, as with Matomo Cloud, you need a licence. Matomo On-Premise does not require one.

Getting Started
Do you want to get started with your analytics and GDPR compliance? Then it’s a good idea to take a close look at your current analytics tool and decide whether it fits your organisation’s approach to GDPR compliance. An advantage of Google Analytics Universal and Google Analytics 4 is that they are free to use (up to a certain number of sessions for Analytics Universal). However, you also pay Google with your data. “If you don’t have to pay for the product, you are the product” is a well-known saying by now.

What else can you do?

  1. Plan an information audit and determine what information you process and who has access to it. Map out the entire chain through which the personal data you collect travels. Is data going directly or indirectly to an organisation in the US, or are you not entirely sure? If so, stop the transfer immediately or do not start a new one.
  2. Check your privacy policy and update it where necessary. Be transparent about how you process data, who has access to it and how you keep it safe.
  3. Ensure that any processing of personal data is in accordance with Article 5 of the GDPR.
  4. Encrypt and anonymise personal data wherever possible.
  5. Ensure that someone in your organisation is responsible for complying with the GDPR.
  6. Put a data processor agreement in place between your organisation and any third party that processes personal data on its behalf.
  7. If a data leak occurs, make sure you have a plan in place that outlines the actions and next steps for your organisation.
  8. If you use Google Universal Analytics, make sure that IP addresses are anonymised and consider whether you want to share your Analytics data with Google. If not, uncheck this option within your Analytics views.
  9. Do you want to use another analytics tool? Thoroughly research which tool can fulfil your wishes and needs. Draw up an implementation plan and train people within your organisation. We are here to help you, and Zoinks Analytics does everything for you ;).
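The IP-anonymisation check from step 8, as an added example that is not part of the original post: it assumes the site loads Universal Analytics through gtag.js, whose `gtag()` call pushes its arguments onto `window.dataLayer`, and it reports every UA property whose `config` call lacks `anonymize_ip: true` (a constructed dataLayer is embedded so it also runs outside a browser).

```javascript
// Added example, not from the original post: audit a gtag.js dataLayer for
// Universal Analytics properties configured without IP anonymisation.
// gtag.js is loaded with `function gtag(){dataLayer.push(arguments);}`, so each
// dataLayer entry is array-like: ['config', 'UA-12345-1', { anonymize_ip: true }].
// Only the Universal Analytics `config` form is checked; GA4 (G-...) ids are
// skipped because they are not Universal Analytics properties.

const UA_PROPERTY_ID = /^UA-\d+-\d+$/;

// Returns the Universal Analytics property ids that have at least one `config`
// call without `anonymize_ip: true` (the boolean true; the string 'true' does not count).
function findUnanonymisedProperties(dataLayer) {
  const flagged = new Set();
  for (const entry of dataLayer) {
    // Accepts real arrays and `arguments` objects; plain-object entries pushed
    // by Tag Manager ({ event: ... }) have no length and are skipped.
    const cmd = Array.from(entry);
    if (cmd[0] !== 'config' || !UA_PROPERTY_ID.test(String(cmd[1]))) continue;
    const params = cmd[2] && typeof cmd[2] === 'object' ? cmd[2] : {};
    if (params.anonymize_ip !== true) flagged.add(cmd[1]);
  }
  return [...flagged];
}

// Constructed sample dataLayer: one property hardened, one weak, one GA4 stream.
const SAMPLE_DATALAYER = [
  ['js', new Date()],
  ['config', 'UA-11111-1', { anonymize_ip: true }],   // hardened: Google truncates the IP
  ['config', 'UA-22222-1'],                           // weak: the full IP address is sent
  ['config', 'G-ABCDEF1234'],                         // GA4 id: not a UA property, skipped
];

// In a browser, run the check against the live dataLayer; elsewhere use the sample.
const layer = (typeof window !== 'undefined' && Array.isArray(window.dataLayer))
  ? window.dataLayer
  : SAMPLE_DATALAYER;
console.log('UA properties without anonymize_ip:', findUnanonymisedProperties(layer));
```

Paste the block into the browser console of a page that has already loaded gtag.js to audit the live configuration; an empty list means every Universal Analytics property on the page sets `anonymize_ip: true`.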