Use Google Analytics In Compliance With Data Protection Regulations
Management Summary
NaturallysupportWe would be happy to help you check and adapt your implementation.
No time to read this now? No problem – we also have our tips for using Google Analytics in compliance with data protection regulationsPDF for downloadprepared.
We also offer with ourConformity checka review of your Google Analytics implementation. Details and appointment scheduling can be foundhere.
What does the decision mean specifically?
The partial decision from the data protection authority in the specific case states thatintegration that took place therefrom Google Analyticsat that time(08/14/2020) among other thingsfollowing defectshas shown:
- The use of Google Analytics was based solely on the old SCCs (Standard Contractual Clauses).
- Consent to data processing was not obtained
- The anonymization of the IP address was not activated correctly
In order to prevent such defects when using GA, awell-founded concept and clean implementation– and both are often missing (as in the case mentioned).
This results in essential measures that allow clean, solid and, above all, valuable use.*
Why is the topic so explosive?
Since the use of Google Analytics and data exchange with Google has also been a concern in the courts, many voices have pointed to simply using a different, EU-based analytics tool.
Whether this is good advice clearly depends on the objective of your activities. Google Analytics is no longer just an analysis tool, but rather a data activation center and basis for all data-driven, targeted, cross-channel and cross-funnel marketing. The advantages of GA:
- Reporting & Insights
- Raw data in real time -> AI & DWH
- Predictions, Clustering & Real-time personalization
- Audiences for targeting
- Enrichment with CRM, expansion to CDP
- Activation in email, social, offsite
https://youtu.be/im0ZZDQmsEY
Siegfried Stepke at the DMVÖ Online Talk on the advantages of Google Analytics
How can Google Analytics be used in compliance with data protection regulations?
https://youtu.be/DUbg-sGYVl0
At the DMVÖ Online Talk, Siegfried Stepke shows the most important steps for using Google Analytics in compliance with data protection regulations
1. Adhere to the legal framework!
Google has adapted the “Google Data Processing Terms for all Google Products” to reflect the new versions of the Standard Contractual Clauses (SCC). Accept the new Data Processing Agreement (DPA) and thus Google’s order processing agreement in the Google Analytics settings.
Also create a Transfer Impact Assessment (TIA). The aim of this analysis is to assess the risk for data transfers. The obligation to do so arises from the standard contractual clauses for the transfer of personal data to third countries.
Please also point out possible data transfer to third countries in your data protection regulations and update them accordingly.
2. Get consent – in advance!
Make sure that you obtain the consent of your website visitors in advance. This means that you can only fire Google Analytics once you have received your consent and can also save and access it.
We also recommend that you include a reference to a possible data transfer directly in the banner text and obtain explicit consent for data transfer to a third country.
OneConsent management platform(CMP) facilitates this process.
3. Make sure Google Analytics is configured correctly
During your setup, make sure that no personal data/PIIs are included in Analytics and that you make use of features such as IP anonymization.
We would be happy to support you in this regard, offer personal GA audits and support you in the optimal implementation of analytics, so that your web analysis tool can continue to be used worry-free and, above all, in compliance with data protection regulations.
4. Switch to server-side tracking
Server-side tracking is not only a suitable solution for increasing the lifespan of 1st-party cookies and bypassing some tracking blockers, but it also offers options for adapting the data before it is sent to Google Analytics. In concrete terms, this means that, for example, you completely remove the user’s IP addresses before sending the data to Google Analytics.
At the DMVÖ Online Talk, Kristina Niederer and Siegfried Stepke provide information about the possibilities for using Google Analytics in a data protection-compliant manner and go into server-side tracking in detail:
Advantages of using server-side tracking
How does server-side tracking work?
Serverside tracking and data protection
Conclusion
With these measures you can use Google Analytics in a legally compliant manner.* Pay attention to the legal framework, the legally compliant obtaining of user consent, the correct tracking setup and use server-side tracking.
Check compliance now!
With the conformity check we offer a check of your Google Analytics implementation. Details and appointment scheduling can be foundhere.
Update:
For the legally compliant exchange of personal data to Google – with the consent of your users – we recommend encryption at the server-side tracking level in order to comply with the currently applicable legal opinions (DSB / AT, CNIL / FR). Our experts will support you with:
- Server side trackingg in the EU – a server location in the EU means no access by Google and no transmission of the IP address to Google.
- Stripping all datathat allow indirect personal reference to be derived (e.g. browser identification)
- Encryption of all IDswith personal reference BEFORE they are transferred to Google
If you have any further questions about this topic, the points mentioned above and the integration of Google Analytics, we will be happy to help you.kontakt@e-dialog.group
*We would like to emphasize that we do not provide legal advice and the information provided here cannot replace such.
