France rules Google Analytics non-compliant with GDPR

Erin
February 11, 2022

Breaking news: The French Data Protection Agency, CNIL (Commission nationale de l’informatique et des libertés), has concluded that the use of Google Analytics is illegal under GDPR. The CNIL has begun issuing formal notices to website managers using Google Analytics.

This follows the January 2022 Austrian Data Protection Authority’s decision to declare Google Analytics illegal to use under GDPR.

Google Analytics GDPR breaches continue to spread through the EU

Since the invalidation of the Privacy Shield framework, an agreement between the EU and US that allowed the transfer of data to certified US companies, the CNIL and other EU data protection authorities have received numerous complaints regarding data transfers collected during visits to websites using Google Analytics.

"It's interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarly."

Max Schrems, European privacy law activist and honorary chair of noyb.eu

About the CNIL’s decision

In this model case, the CNIL has found that an unnamed website’s use of Google Analytics is non-compliant with GDPR because it had breached Article 44 which prohibits the transfer of personal data beyond the EU, unless the recipient country can prove adequate data protection.

Under the GDPR, personal data covers a range of identifiers including email address, race, gender, phone number to name a few, but the less obvious identifiers include IP addresses or cookie IDs, for instance.

The CNIL’s decision was based on the fact that the US does not meet GDPR sufficient levels of data protection as a result of US surveillance laws. Therefore, the unnamed website’s use of Google Analytics created risks for their website visitors when their personal data was exported to the US.

At the time of writing, it is unknown if the CNIL has issued a fine for the GDPR breach. However, the website manager of the unnamed website has been ordered by the CNIL to comply with the GDPR and, if necessary, stop using Google Analytics under the current conditions.

"One thing we’re certain of is that these decisions will continue to roll out throughout the EU and potentially beyond. Other countries are imposing their own privacy regulations that closely mirror the GDPR like Brazil’s General Data Protection Law (LGPD), India’s Data Protection Bill, New Zealand’s Privacy Act and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to name a few.”

Matthieu Aubry, CEO and co-founder of Matomo

The CNIL offers an evaluation programme to help website managers determine whether web analytics solutions are exempt from collecting data prior to users’ agreement to opt-in through consent screens. Matomo, for instance, is a leading Google Analytics alternative that has been recommended by CNIL and is exempt from tracking consent.

English translation: “This is why I anticipated this announcement, gradually moving the analytics of my sites to @matomo_org since several weeks !

“The @CNIL believes that the use of @googleanalytics is a violation of #GDPR”

Immediate action required for Google Analytics users

The CNIL and other EU-based data protection authorities have made their stance on Google Analytics clear and inaction will likely result in fines, which under the GDPR, can be up to €20 million or 4% of the organisation’s global turnover – whichever is higher.

Based on the CNIL’s formal notice to the model case’s website manager, Google Analytics users should take immediate action to remove any chances of personal data being transferred to the US or find a Google Analytics alternative that is GDPR compliant.

English translation: “The CNIL considers that the use of Google Analytics is a violation of the GDPR. I use @matomo_org and I welcome it *winking face* It will squeal tires among growthackers who are slaughtering. Opportunity to look at alternative tools”

Ready to begin your journey to GDPR compliance with Matomo? Start your 21-day free trial now (no credit card required) and take advantage of our Google Analytics importer so you don’t lose any of your historical data.

What does this mean for Matomo users?

As the GDPR continues to evolve, our users can rest assured that Matomo will be at the forefront of these changes. With Matomo Cloud, all data is stored in the EU or in your country of choice when you self-host on your own servers with Matomo On-Premise.

Conclusion

Google is in the EU’s crosshairs and organisations that continue to use their tools will be the one’s left to clean up the mess – not Google. Now is the time to act. Search for a Google Analytics alternative and close your compliance gaps today.

Join over 1 million other websites using Matomo now. Give Matomo a try with a 21-day free trial – no credit card required.

We’d like to also bring attention to the privacy-fighting efforts from noyb and Max Schrems, as this should not go unnoticed. noyb is an independent, non-profit organisation that relies on the support of individuals. Support privacy by supporting noyb – donate or become a member now.