If you live in Europe and work in marketing or data analytics, you might have heard the news. Last week, Denmark became the fourth European country to deem Google Analytics in breach of the EU’s General Data Protection Regulation (GDPR). Following similar rulings in Austria, France and Italy, the Danish authorities concluded that, under its default settings, Google Analytics cannot be used lawfully in Denmark.
Given the importance of Google Analytics as a web tracking tool in the martech ecosystem, we wanted to give European marketers insight into these rulings, what they mean for European businesses, and what can be done to mitigate the risks and downsides of this situation. Let’s dive in.
Google Analytics is a web analytics service offered for free by Google. It was launched in 2005 following the company’s acquisition of Urchin. To enable it, users simply have to add a small snippet of code in their website’s HTML. Once that’s done, they get a complete suite of tools that help them analyze and understand their website traffic – where it’s coming from, the visit patterns, time spent on each page, bounce rates and much, much more. The rise in popularity of Google Analytics has been nothing short of spectacular. In fact, an estimated 35m websites globally are using Google Analytics today to understand how people interact with their website.
However, the recent rise in concern around data privacy has resulted in the adoption of a wave of new laws and policies that are now challenging tools like Google Analytics in some jurisdictions. One such law is the GDPR, Europe’s tough data protection law that came into effect in 2018. In essence, some courts in Europe have deemed Google Analytics unlawful under the GDPR, as some of the data collected in Europe gets transferred to the United States. In the words of Makar Juhl Holst, Senior Legal Advisor at the Danish Data Protection Agency:
“The GDPR is made to protect the privacy of European citizens. This means, among other things, that you should be able to visit a website without your data ending up in the wrong hands. We have carefully reviewed the possible settings of Google Analytics and have come to the conclusion that you cannot use the tool in its current form without implementing supplementary measures.”
What this means for Danish businesses
As noted earlier, Denmark is the fourth European country to conclude that Google Analytics infringes on GDPR. While it remains unclear what this means for the countries that haven’t yet reached a similar judgement, there is some clarity on what this means for Denmark, France, Austria and Italy.
As stated by Datatilsynet, Denmark’s Data Protection Agency:
"Organisations in Denmark that use Google Analytics must therefore assess whether their possible continued use of the tool takes place in compliance with data protection law. If this is not the case, the organisation must either bring its use of the tool into compliance, or, if necessary, discontinue using the tool."
This means, essentially, that if you’re a Danish business using Google Analytics, you must find a way to implement supplementary measures to bring your use of the tool into compliance. If that is not possible for your business, then you must cease to use Google Analytics.
What you can do
As stated above, this verdict leaves Danish businesses with two options: a) take measures to become compliant, or b) stop using Google Analytics altogether. We’ll take a look at both options.
There is still a lot of uncertainty about what kind of plan can be put into place to bring the use of Google Analytics into compliance. However, one possible solution has been put forth by the French Data Protection Agency: pseudonymisation. This can be achieved by means of a reverse proxy, a server that sits between the visitor and Google Analytics and avoids any direct contact between the user’s terminal and Google Analytics’ servers.
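The sketch below is an added illustration of what such a proxy could do to each hit before forwarding it; it is not code from this article, from the French Data Protection Agency or from Google. The field names, the secret and the choice of what to drop or rewrite are assumptions made for the example, and the hit is a constructed dictionary rather than Google Analytics' real request format.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed secret that never leaves the proxy; rotating it breaks long-term linkability.
PROXY_SECRET = b"example-secret-kept-on-the-eu-proxy"
# Allow-list: only these (hypothetical) fields are forwarded unchanged.
FORWARDED_AS_IS = {"event", "timestamp"}

# Constructed sample hit as the proxy might receive it from a browser.
SAMPLE_HIT = {
    "event": "page_view",
    "timestamp": 1664180000,
    "client_ip": "203.0.113.7",
    "visitor_id": "GA1.2.1234567890.1664000000",
    "referrer": "https://mail.example.com/inbox/thread/991",
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile/15E148",
    "page_url": "https://shop.example.dk/produkt/42?utm_source=newsletter&color=red&gclid=abc#reviews",
}


def pseudonymise_id(visitor_id: str, secret: bytes = PROXY_SECRET) -> str:
    """Replace the visitor identifier with a keyed hash only the proxy can compute."""
    return hmac.new(secret, visitor_id.encode(), hashlib.sha256).hexdigest()[:32]


def strip_query_params(url: str, prefixes=("utm_",), names=("gclid", "email")) -> str:
    """Drop campaign and click-identifier parameters and the fragment from the page URL."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.lower().startswith(prefixes) and k.lower() not in names]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def coarse_device_class(user_agent: str) -> str:
    """Reduce the User-Agent to a coarse class so it cannot serve as a fingerprint."""
    ua = user_agent.lower()
    return "mobile" if any(t in ua for t in ("mobile", "android", "iphone")) else "desktop"


def build_forwarded_hit(hit: dict) -> dict:
    """Build the only payload the proxy sends on; IP and referrer are never copied."""
    forwarded = {k: hit[k] for k in FORWARDED_AS_IS if k in hit}
    forwarded["visitor_id"] = pseudonymise_id(hit["visitor_id"])
    forwarded["page_url"] = strip_query_params(hit["page_url"])
    forwarded["device_class"] = coarse_device_class(hit.get("user_agent", ""))
    return forwarded
```

Because the proxy makes the outbound request itself, the analytics endpoint sees the proxy's address rather than the visitor's, and the allow-list means any new field is withheld until someone decides it is safe to forward.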
If your business cannot implement the solution above, the other option is to stop using Google Analytics altogether. Understandably, this might be difficult for some, as Google Analytics plays a central role in many companies’ web analytics efforts. Thankfully, EU privacy-friendly alternatives to Google Analytics are starting to emerge. It’s the case, for instance, of Plausible Analytics, which hosts customers’ data in the EU and is compliant with GDPR.
Get started with compliant analytics
If you’re looking for advice on how to ensure your use of Google Analytics is compliant, or are looking for alternative tools to help with your web analytics efforts, don’t hesitate to reach out to one of our experts today!