A decision by the Austrian data protection authority is currently causing a stir – the use of Google Analytics is not compliant with the General Data Protection Regulation (GDPR). Since the data protection organization NOYB has filed numerous model complaints, one can expect that further decisions of this kind will follow.
NOYB is waging an extensive fight against the transfer of personal data from the EU to the US, as the organization considers the level of data protection in the US to be inadequate. The detailed version can be read directly at NOYB.
The main issue in this case was the use of Google Analytics without the user’s consent – i.e. without a properly configured consent management/cookie banner. The use of Google Analytics still seems compliant with data protection if it is implemented correctly, especially since Google has now outsourced the operation of services in the EU to its Irish subsidiary.
Apart from analytics
Things become difficult if you follow the arguments of the data protection officers and think further. The transmitted data specified in the decision for Analytics are:
– User identification numbers (to recognize website visitors)
– IP address
– Browser parameters
Basically, this is data that is generated every time a URL is called up. With every HTTP request, the IP address and data on the browser used end up on the server that provides the URL. This data can already be used to identify the user – if a cookie from the corresponding domain is already available, this will also be transmitted when the website is called.
Many websites use external services and call URLs that receive data from the website visitors with each call. Operators are often not aware of this. An example is the use of fonts or JavaScript libraries. Anyone who uses a template for their website (theme for WordPress, Joomla, Typo or another CMS) rarely pays attention to which resources are already included. This creates calls to, for example, Google Fonts, Font Awesome, cdnjs and many more.
Many of these providers are US companies – so you could also interpret this as data transfer to the USA…
The popular and widely used Google Tag Manager is also an external service – however, the offer is now also available through Google Ireland Limited, not through the US headquarters.
It is also questionable how the use of a web hosting service based in the USA is to be assessed. If a website is operated by such a provider or in the cloud, all user access and the associated data end up with a US company.
Play it safe?
The optimal case is probably a website that does not include any external services, is located at a European hoster in a European data center and collects as little data as possible. This may be feasible for a web business card, but even when running a small online shop you want to gain insights into user structure and behavior, create added value (e.g. through newsletters) and maybe also do some marketing. All of this is hardly possible without the use of third-party tools.
When selecting the appropriate service provider, EU companies should be used if possible and the user’s consent should be obtained when integrating them – before external calls are started.
For some requirements there are also open source alternatives that can be installed on your own server, so no data is transferred to third parties. However, one should not underestimate installation, setup and maintenance. An alternative to Google Analytics is Matomo, for example – depending on the requirements of an analysis tool.
Regular “cleaning out” of the website should also be planned – sometimes a service is integrated as a test and remains installed even though it is not used. The aim should be to generate as few calls to third-party providers as possible.
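One way to take stock of the external calls a template adds, and to repeat the check during each clean-out, is to list every foreign host a page's HTML makes the browser contact. This is an added example, not code from the original article; the site name `shop.example`, the sample markup and the rule that subdomains of the own host count as first-party are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch a resource when the page loads.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link> rel values that trigger a request (rel="canonical" does not).
FETCH_RELS = {"stylesheet", "preload", "preconnect", "dns-prefetch", "icon"}


class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTRS.get(tag, ""))
        rels = set((attrs.get("rel") or "").lower().split())
        if not url or (tag == "link" and not rels & FETCH_RELS):
            return
        self.found.append((tag, urljoin(self.page_url, url)))  # absolute URL


def third_party_hosts(html, page_url):
    """Map each external host to the (tag, url) resources loaded from it."""
    own = urlparse(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    external = {}
    for tag, url in collector.found:
        host = urlparse(url).hostname
        # Assumption: subdomains of the own host are treated as first-party.
        if host and host != own and not host.endswith("." + own):
            external.setdefault(host, []).append((tag, url))
    return external


# Constructed sample page, as a CMS theme might generate it.
SAMPLE = """<html><head>
<link rel="canonical" href="https://other.example/page">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/css/site.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://static.shop.example/app.js"></script>
</head><body><img src="img/logo.png"></body></html>"""

if __name__ == "__main__":
    for host, items in third_party_hosts(SAMPLE, "https://shop.example/").items():
        print(host, [tag for tag, _ in items])
```

The check is static: requests started later by scripts or by `@import` rules inside stylesheets only show up in the browser's network view.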
Less is more
Not only in relation to the topic of data protection, it makes sense to generate as few calls as possible to external sources. The integration of additional services can make websites slower and thus impact user experience. Considering that, you should only integrate the services that you really need.
I would be happy to advise you on the choice and selection of the necessary and useful extensions for you.