France rules that usage of Google Analytics is a GDPR violation
On February 10th, the French national data protection authority (CNIL) issued a formal announcement to website managers that use of Google Analytics is a GDPR violation and can be penalized as such. The French decision came after a similar recent decision by Austria.
Employing Google Analytics is a GDPR violation
Since Google Analytics collects multiple data points on website visitors, including location, page views, session time, bounce rate and more, it is said to exploit the personal data of users. Furthermore, as per the CNIL, the data is handled by the United States, which fails to abide by the EU GDPR or any equivalent privacy laws of its own.
The CNIL has been investigating Google Analytics-based complaints for over two years now, including the US's Privacy Shield agreement on data transfers and the invalidation of the same by the EU Court. The European Center for Digital Rights has now recorded 101 complaints from 27 member states of the EU and 3 from the European Economic Area against data controllers over the transatlantic transfers.
What is the Privacy Shield Agreement?
Privacy Shield is a self-certification mechanism for companies established in the USA. Although initially the European Commission considered Privacy Shield to be a safeguard for personal data transfer from the EU to the USA, in 2020 the decision was reversed due to lower standards of security and privacy.
CNIL states why Google Analytics is in violation of GDPR
A test was performed to evaluate the EU and USA regulations, and it came out in favor of the EU and not the USA. The States failed to prove their standards of data protection, as EU citizens will not be aware of how their data is being used, and there are no compensation norms in place if users' data is misused by US entities.
The CNIL investigated Google Analytics piece by piece and concluded that the tech giant's website analytics tool doesn't provide proper regulation over French users, and hence the risk to their personal data via Google Analytics is huge.
“Indeed, if Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of access by American intelligence services to this data,” CNIL said.
The anonymous website manager has been afforded 30 days to update their operations to comply with the European General Data Protection Regulation. The best option is to look for a Google Analytics alternative while ensuring that its data transmission policy is in compliance with the GDPR.
Last but not least, Google Analytics isn't banned by France; the tool needs to be updated and reviewed for enhanced privacy protocols that comply with the GDPR norms.
“Concerning the audience measurement and analysis services of a website, the CNIL recommends that these tools be used only to produce anonymous statistical data, thus allowing an exemption from consent if the data controller ensures that there are no illegal transfers,” the CNIL said.
If you are from Europe and you manage a website that has Google Analytics code embedded in it, you may need to use an alternative until Google resolves the situation or proves it is compliant with the GDPR.