Breaking news: The French Data Protection Agency, CNIL (Commission nationale de l’informatique et des libertés), has concluded that the use of Google Analytics is illegal under GDPR. The CNIL has begun issuing formal notices to website managers using Google Analytics.
This follows the Austrian Data Protection Authority’s January 2022 decision declaring the use of Google Analytics illegal under GDPR.
Google Analytics GDPR breaches continue to spread through the EU
Since the invalidation of the Privacy Shield framework, an agreement between the EU and US that allowed the transfer of data to certified US companies, the CNIL and other EU data protection authorities have received numerous complaints regarding transfers of data collected during visits to websites using Google Analytics.
About the CNIL’s decision
In this model case, the CNIL has found that an unnamed website’s use of Google Analytics is non-compliant with GDPR because it breached Article 44, which prohibits the transfer of personal data beyond the EU unless the recipient country can prove adequate data protection.
Under the GDPR, personal data covers a range of identifiers, including email address, race, gender and phone number, to name a few. Less obvious identifiers include IP addresses and cookie IDs.
The CNIL’s decision was based on the fact that the US does not meet the level of data protection the GDPR requires, as a result of US surveillance laws. Therefore, the unnamed website’s use of Google Analytics created risks for its website visitors when their personal data was exported to the US.
At the time of writing, it is unknown if the CNIL has issued a fine for the GDPR breach. However, the website manager of the unnamed website has been ordered by the CNIL to comply with the GDPR and, if necessary, stop using Google Analytics under the current conditions.
The CNIL offers an evaluation programme to help website managers determine whether web analytics solutions are exempt from the requirement to obtain users’ opt-in consent through consent screens before collecting data. Matomo, for instance, is a leading Google Analytics alternative that has been recommended by the CNIL and is exempt from tracking consent.
English translation: “This is why I anticipated this announcement, gradually moving the analytics of my sites to @matomo_org over the past several weeks!”
“The @CNIL believes that the use of @googleanalytics is a violation of #GDPR”
Immediate action required for Google Analytics users
The CNIL and other EU-based data protection authorities have made their stance on Google Analytics clear, and inaction will likely result in fines, which, under the GDPR, can be up to €20 million or 4% of the organisation’s global turnover, whichever is higher.
Based on the CNIL’s formal notice to the model case’s website manager, Google Analytics users should take immediate action to eliminate any chance of personal data being transferred to the US, or find a Google Analytics alternative that is GDPR compliant.
English translation: “The CNIL considers that the use of Google Analytics is a violation of the GDPR. I use @matomo_org and I welcome it *winking face* It will squeal tires among growthackers who are slaughtering. Opportunity to look at alternative tools”
Ready to begin your journey to GDPR compliance with Matomo? Start your 21-day free trial now (no credit card required) and take advantage of our Google Analytics importer so you don’t lose any of your historical data.
Google is in the EU’s crosshairs, and organisations that continue to use its tools will be the ones left to clean up the mess, not Google. Now is the time to act. Search for a Google Analytics alternative and close your compliance gaps today.
Join over 1 million other websites using Matomo now. Give Matomo a try with a 21-day free trial – no credit card required.