In recent weeks there’s been a flurry of fluorescent-jacket-clad activity in the villages between where I live and where I work.
It concerns something called Community Speedwatch, a scheme that invites residents to club together, receive training (and fluorescent jackets), and get access to a speed camera.
At commuting time, the residents don their high-vis uniforms, point their cameras, and settle in.
Doing 23mph in a 20mph zone?
Expect to receive a letter from Community Speedwatch saying they spotted you and that if you do it again, they’ll pass your details on to the law.
What does all of this have to do with Google Analytics?
To drive over the speed limit is to break the law. Most people would probably describe themselves as law-abiding citizens; however, many of those same people probably speed from time to time.
It’s a law that is broken every day by ‘normal people’.
Since the introduction of GDPR, there’s now another law that’s being broken by normal people.
Google Analytics is breaking the law
As of September 2022, Google Analytics has been deemed to be breaking data protection rules in four European countries.
Austria, France and Italy had already declared it so, and now Denmark has joined them.
The matter is fairly simple: because Google Analytics passes EU-derived user data to the US, it breaks the law.
This data contains information such as user IP address and referrer information.
Without getting too technical, this is the type of personally identifiable information that is protected by GDPR.
A press release issued by the Danish Data Protection Agency says, “On the basis of [a] review, the Danish Data Protection Agency concludes that [Google Analytics] cannot…be used lawfully.”
There’s no room for interpretation there. If you operate in Denmark, you can’t use Google Analytics and stay on the right side of the law.
It’s the same story in Austria, France and Italy. Four European countries effectively banning the standard use of one of the most prolific tools available.
So what now?
On reading this news a few things struck me.
The first thing was that this is massive. How had I not read about this before?
Four countries banning a ubiquitous application developed by one of the largest companies in the world.
The second thought that crossed my mind is that this is only the beginning.
It won’t be long before this becomes a continent-wide issue that sees GA outlawed across Europe.
What happens then? I think there are only three ways to address that:
- Implement a proxy-based system to anonymise GA data and make it legal again (more on that in a moment)
- Wait for Google to introduce a solution (no sign of that right now)
- Migrate to an alternative (legal) analytics system
The problem with migrating
Let’s tackle the easy one of those three first.
Migrate to a GDPR-compliant alternative to GA.
There are loads of options out there.
This sounds great on the surface, but look at this from the perspective of an organisation and it becomes less appealing.
Most firms have lived with GA since the beginning.
They’ve trained staff in it, they trust the information that comes from it (rightly or wrongly) and they see it as the gold standard in analytics (again, rightly or wrongly).
It reminds me of the battle of trying to convince an organisation to move away from WordPress.
Despite being woefully inadequate, prone to security holes and highly unstable, WordPress remains a tough habit to break for many organisations.
I suspect GA holds a similar position in the market.
GA and WordPress, you see, are ‘in orbit’.
Just like an ill-advised ad starring Kylie Jenner that couldn’t knock Pepsi out of orbit, neither can the small matter of breaking data protection laws get in the way of GA.
Migrating, I believe, isn’t feasible right now.
Wait for Google
Will Google provide a workaround to the issue?
I can answer this one quite quickly.
I don’t know.
Implement a proxy-based system
That then leaves us with the tricky-sounding one.
Again, without getting too stuck into the technical parts of this, the potential solution to this problem (and the one put forward by the French data protection authority) is to anonymise data sent to the US via a proxy.
A proxy is essentially a system that sits in between the person using the internet and the system capturing the data (Google).
That system can strip out personally identifiable information before it goes to Google.
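To make the idea concrete, here is a sketch of the stripping step such a proxy would run on each hit before forwarding it. It is an added example, not code from this post or from any regulator, and it goes a little beyond the IP address and referrer mentioned above. It assumes hits in the Universal Analytics Measurement Protocol format (parameters `uip`, `ua`, `dr`, `uid`, `cid`, `dl`); the function names, sample hit and key are made up for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Universal Analytics Measurement Protocol parameters dropped outright:
# uip = IP override, ua = user-agent override, dr = document referrer,
# uid = site-assigned user ID.
DROP_PARAMS = {"uip", "ua", "dr", "uid"}

# Request headers that would reveal the visitor to the upstream collector.
DROP_HEADERS = {"x-forwarded-for", "forwarded", "x-real-ip", "cookie",
                "referer", "user-agent"}


def pseudonymise(client_id: str, secret: bytes) -> str:
    """Replace the GA client ID with a keyed hash only the proxy can compute."""
    return hmac.new(secret, client_id.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path; drop query string and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def anonymise_hit(query: str, secret: bytes) -> str:
    """Return the hit payload the proxy would forward upstream."""
    cleaned = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in DROP_PARAMS:
            continue
        if key == "cid":
            value = pseudonymise(value, secret)
        elif key == "dl":
            value = strip_url(value)
        cleaned.append((key, value))
    return urlencode(cleaned)


def outbound_headers(incoming: dict) -> dict:
    """Drop headers that carry the visitor's IP, cookies or referrer."""
    return {k: v for k, v in incoming.items() if k.lower() not in DROP_HEADERS}


# Constructed sample hit, not captured traffic.
SAMPLE_HIT = ("v=1&t=pageview&tid=UA-XXXXX-Y&cid=555.1234&uip=203.0.113.7"
              "&dr=https%3A%2F%2Fexample.org%2Fprivate&"
              "dl=https%3A%2F%2Fexample.com%2Fpricing%3Futm_source%3Dmail%26email%3Da%40b.c")
SAMPLE_SECRET = b"constructed-demo-key"  # placeholder; a real proxy keeps this private
```

Because the proxy makes the onward request itself, Google sees the proxy's IP address rather than the visitor's, and the trend-level data (page, hit type, property ID) still arrives.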
Is this the end of tracking everything?
Yes, basically.
For marketers, I don’t think this really matters.
I’ve always been of the opinion that analytics data is about monitoring trends and ignoring absolutes.
Knowing about a general uptick in performance has always been more useful than knowing the absolute number of visitors to a single webpage.
Advertisers should be a little more worried.
It’s likely to get harder to get ads to follow people around.
Some people will celebrate that fact, others will lament it.
Don’t worry though, money talks and with the amount of ad revenue Google makes, it’s sure to find a way to carry on.
Ultimately, the shift we’re seeing is going to make it hard for snoopers, whether they are snooping for commercial purposes or more serious reasons.
I think it’s time to start weaning yourself off the deep data you’re used to and get comfortable with monitoring trends.
Likewise, if you’re driving through a UK village anytime soon, don’t expect Waze to warn you about the Community Speedwatch personnel camped out down the road. You’re best off sticking to the limit.