Court Says Google Analytics Is Illegal
Google has a long history of collecting your personal data and using it to manipulate your behavior. A regulatory agency in France is the latest to find the data collected by Google Analytics breaches European privacy laws.
Google has also been busy in the U.S. during the pandemic, in one instance partnering with Apple to create a smartphone app called MassNotify.
This is used to track and trace people and then advertise the user’s COVID-19 status to others. Despite the intent to advertise user COVID status to others, the MassNotify website says the tool was developed “with a focus on privacy.” Yet the app was also downloaded to Android phones without consent.
Early in 2022, four attorneys general filed four separate lawsuits against Google for deceptive practices in collecting location data from the public. The suits allege that Google continues to track location data even after people turn off the location tracking app on their smartphone. Karl A. Racine is the attorney general for the District of Columbia and one of the attorneys general who filed a lawsuit against Google. He said in a statement:
“Google falsely led consumers to believe that changing their account and device settings would allow customers to protect their privacy and control what personal data the company could access. The truth is that contrary to Google’s representations it continues to systematically surveil customers and profit from customer data.”
The action taken by France’s National Commission for Informatics and Liberties (CNIL) is based on a July 2020 case from the Court of Justice in the European Union (EU), which affects data transfer outside the EU.
EU and 3 U.S. States Have Rules That Govern Internet Traffic
The 2020 Court of Justice case was based on violations of the EU’s General Data Protection Regulation (GDPR). This law took effect May 25, 2018, and is one of the toughest privacy and security laws that govern websites. The law imposes obligations on websites that target or collect data from EU citizens or residents. It makes no distinction as to where the website originates.
In other words, if your website collects data or does business with any EU citizen or resident, no matter where your business is located, the GDPR rule may apply to you. The second part that applies to Google Analytics covers cases where the website tracks cookies or the IP addresses of EU citizens or residents.
The data collection is classified as “monitoring behavior.” The GDPR allows monitoring activity to happen, but only when there is transparency and the user understands the data are collected and has the option of opting out. The regulation is designed to protect personal data regardless of where it’s collected, used or stored.
In the U.S., three states now have consumer data privacy laws similar to the GDPR. These states are California, Colorado and Virginia. They have many provisions in common with the GDPR, “such as the right to access and delete personal information and to opt-out of the sale of personal information.”
France Is the Latest to Say Google Analytics Is Illegal
The July 2020 court case on which this new ruling is based was won by Max Schrems, the lawyer who sued Facebook for privacy violations against EU citizens and won. It has become known as the “Schrems II” judgment, and happened just weeks after Austrian data protection authorities also ruled that Google Analytics violates the GDPR.
The Austrian ruling found that IP addresses and personal identifiers in cookie data could be combined to identify visitors, which is in essence surveillance. To reach the ruling the regulator looked at a variety of measures that Google said it used to protect data in the U.S.
However, the regulator did not find enough safeguards against access by intelligence services to meet GDPR standards. TechCrunch published part of the decision:
“US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for the surveillance of individuals. In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”
The CNIL works with private and public organizations to ensure compliance with the law. It called out a single website for noncompliance with the GDPR, stating that the site breached Article 44 since data from Google Analytics are transferred to the U.S.
CNIL gave the website operator one month to comply by removing Google Analytics from its website. The ruling responds to one of 101 complaints that were filed in August 2020 following the successful court case in July 2020. In a press release, CNIL wrote:
“Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services. There is therefore a risk for French website users who use this service and whose data is exported.”
As AppleInsider points out, Google support pages also acknowledge that Google Analytics is not compliant with “the European Economic Area’s General Data Protection Regulation (GDPR), or California’s California Consumer Privacy Act (CCPA), or other similar regulations.”
According to TechCrunch, CNIL left the door open for website owners to use Google Analytics when substantial changes are made to ensure the anonymity of statistical data being collected and transferred to the U.S.
However, the Austrian decision took a broader interpretation of personal data and found that the IP address may be enough when combined with other smaller bits of data already held by Google to identify a site user. Under the current conditions, Google Analytics is noncompliant with the GDPR, which has clear implications for any website using tools that transfer data to the U.S. without measures to ensure anonymity of the data.
While the CNIL began the process with one website, the joint efforts by EU regulators suggest that it will have ramifications across the EU. TechCrunch later learned from the regulator in France that Facebook Connect “has also been the subject of complaints to the CNIL, which are currently being investigated.”