
Are my website analytics breaking the law?

There are a whole host of things that can affect the lawfulness of your analytics, and we can’t list them all here. Therefore, we will focus on what the Schrems II ruling of 2020 means and how it will affect your analytics. We should all look at how we use analytics and make sure we are complying with the law.

Updated on: April 15, 2023

At Green Arrow Consultancy, our job is to ensure that your website and analytics are compliant, not just in Europe but globally, and to take into account every new ruling that relates to online privacy and data security.


The questions this blog puts to you below will give you a good idea of whether your analytics need to be looked at. If any of them would be answered with a simple ‘Yes’, you need to have a chat with our friendly team at Green Arrow Consultancy, and together we will ensure that your analytics solution is compliant.

Is your website analytics provider a US company?

Is your website analytics provider using web servers owned by a US cloud provider?

Is IP Anonymization for Google Analytics GDPR compliant?

We are afraid the answer to this is no. The problem with the anonymization done by Google Analytics is that it is done within your browser (client-side). So, for example, the Google Analytics embed code might convert your IP to ABCDEFG using JavaScript, but the data is then sent to Google via an HTTP request, and that request arrives from your real IP address because the source address is part of the network connection itself, not of the data the script chooses to send. It is impossible to exclude your actual IP address from an HTTP request unless you use a VPN service.
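To make the point above concrete, here is an added Python demonstration (not code from Google Analytics or from Green Arrow Consultancy): a tiny local collector receives a hit whose payload claims an "anonymized" IP, records the address it actually sees on the connection, and applies the only anonymization that can really help, truncation at the collector before anything is stored. The payload value ABCDEFG mirrors the illustration in the text; the /24 and /48 truncation widths are a choice for this example.

```python
import ipaddress
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

RECORDS = []  # what the collector would write to its logs


def anonymize_ip(addr: str) -> str:
    """Truncate an address at the collector before it is stored:
    drop the last octet of IPv4 (/24) and the last 80 bits of IPv6 (/48).
    The widths are an assumption for this example, not a legal standard."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


class CollectorHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        peer = self.client_address[0]  # from the TCP connection, not from the payload
        RECORDS.append({"payload_ip": body.get("ip"), "peer_seen": peer,
                        "stored": anonymize_ip(peer)})
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo() -> dict:
    """Start a local collector, send one constructed hit whose payload claims an
    'anonymized' IP, and return what the collector actually observed."""
    server = HTTPServer(("127.0.0.1", 0), CollectorHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        payload = json.dumps({"ip": "ABCDEFG", "page": "/pricing"}).encode()  # constructed hit
        req = urllib.request.Request(f"http://127.0.0.1:{server.server_port}/collect",
                                     data=payload, headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req):
            pass
    finally:
        server.shutdown()
        server.server_close()
    return RECORDS[-1]


if __name__ == "__main__":
    print(run_demo())
```

The collector sees 127.0.0.1 whatever the script put in the payload; only the server-side truncation keeps the full address out of storage.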

Can I use a consent banner as I do for cookies?

This isn’t just a case of accepting cookies; this is about you having to have a legal transfer tool to send data out of the EU.

Does my analytics provider process personal data?

Under the GDPR's definition, the answer is yes. All scripts/websites process personal data. With the Schrems II ruling, you can no longer do this using US-controlled cloud providers.

What Google Analytics alternative should I use?

This is a complex one and there isn’t a straight answer.

Here are three possible responses to the Schrems II ruling:

Easy: Use an analytics provider that doesn't transfer EU data to the US

The best possible thing you can do is find GDPR-compliant website analytics that don't route your EU website traffic to the US. One company we like is Fathom Analytics.

Fathom Analytics have placed themselves in the ethical analytics market. Can they beat Google? From an ethics and compliance standpoint, they certainly can.

Harder: Self-host your analytics

If you're tech-savvy and ready for the responsibility of self-hosting your analytics, you could look at using Hetzner (a German cloud provider). This is a good solution if you only have web traffic coming from the EU. But if you have web traffic coming from around the world, you will need to set up geolocation-based DNS routing that distributes traffic between your EU server and your other servers. There is maintenance & responsibility with self-hosting, but it's a solid way of getting yourself compliant.

Risky: Keep using your illegal analytics

You could just keep your current analytics, as you rely on them for your reports, but this is a risky strategy: you run the risk of a DPA complaint, which could lead to a fine.

Fines for violating the GDPR

For years now, quite a few people have been making the case that free isn’t always a good thing. "Google Analytics is free," and because it is free, are we illegally allowing the US government to spy on EU data?

Does this ruling only affect me if I have visitors from Austria?

At the moment we can’t guarantee that it won’t affect you if you do have visitors from Austria. The Dutch Data Protection Authority has decided not to take any risks and has taken steps in line with the Austrian DPA's findings. This shows that the ruling really does need to be taken seriously, especially if you know you have visitors from Austria, and that it probably won’t be long before the rest of Europe follows.

Does this ruling only affect European companies?

No. This ruling affects any company that receives traffic from EU countries.

What's next for Schrems II?

The Schrems II ruling has created many problems for companies globally. But this isn't the ruling's fault; it just means that governments globally need to look at their foreign surveillance laws.

If in the past you have chosen to use Google Analytics because it was free, this ruling shows that you may want to re-think this decision and see what other options are open to you. 

If you need more advice on your website’s analytics, or on how to stay up to date with the latest privacy and data protection laws globally, come and have a chat with our friendly team at Green Arrow Consultancy. We will spend time talking with you about how we can ensure you are on the right side of the law, and make sure any necessary changes are done with as little hassle to your business and online presence as possible.