GDPR and Google Analytics 3: how to stay compliant without risking sanctions or legal action

Google Analytics 3 (Universal Analytics) does not comply with the GDPR. The Privacy Guarantor made this clear in its ruling of 9 June. The 90 days granted to website operators to adapt have passed; the risk of sanctions is now real, and recent research suggests that they could amount to 4.5 billion euros in Lombardy alone.

These numbers show how this could become a real emergency for companies and operators in the sector.


Google Analytics and non-EU data transfer

But let’s start from the beginning. In summary, in 2020 the Italian Privacy Authority received a complaint pointing out that Google Analytics 3 transfers some information about European users to the United States. This information makes it possible to trace the identity of the persons concerned by aggregating different types of data.


Hence, on June 9, 2022, the Privacy Guarantor ruled that Google Analytics 3 (Universal Analytics) is not compliant with the GDPR.

All this stems from the admonition issued to the company Caffeina Media srl, which uses Analytics on its website. This warning, which implicitly applies to all website operators, explains that websites that use the Google Analytics 3 service without the guarantees provided for by the EU Regulation violate data protection legislation, since they transfer user data to the United States, a country without an adequate level of protection.

The possible penalties for violation of the GDPR

What worries insiders, and should also alarm companies, are the figures that emerged from research based on the latest ISTAT data. The investigation reveals that the penalties that could hit Lombard companies following the recent ruling of the Privacy Guarantor amount to more than 4 and a half billion euros.

The sanctions provided for by the regulation can in fact reach up to 4% of a company's total global annual turnover. The latest available data on the turnover of Lombard companies operating in information and communication services, business support, and professional, scientific and technical activities put the amount at 113,391,260,000 euros.

Calculating the penalties for non-compliance across all these companies, the sum would reach a total of 4,535,650,400 euros. This is a very high figure, but one that takes into account only a small part of the entire turnover of the “motor of Italy” region.

The research in fact examined sectors of activity that are emblematic and that potentially use the Google service. However, the risk of sanctions exists for all businesses that own a website on which Google Analytics 3 is active.

This shows how, in a region like Lombardy, where the latest estimates speak of about one trillion in turnover for 550 thousand companies, equal to 25% of the national total (Watch PMI Banca IFIS – April 2022), the potential sanctions can reach decidedly higher figures.

The only sure action to mitigate the risk of sanctions

The only certain action to avoid penalties is to remove the Google Analytics 3 script, given that the Guarantor has ruled only on Google Analytics 3 and not on other software that transfers data to the United States. This is because there does not seem to be a procedure to prevent Google Analytics 3 (also called Universal or GA3) from transferring data to the US.

As mentioned, aggregating this data makes it possible to trace the identity of the person involved: this is legal in the US but not in the EU. In fact, GA3 falls outside the GDPR standard, and it is no coincidence that it will soon be discontinued.
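Before removing the GA3 script you need to know which pages still load it. The following is an added example, not part of the original article: it scans page source for the usual Universal Analytics markers (`UA-` property IDs, `analytics.js`, legacy `ga.js`, `ga('create', ...)`) and reports GA4 `G-` measurement IDs separately. The function names, regular expressions and sample pages are constructed for illustration.

```python
import re

# Markers of Universal Analytics (GA3) in page source; patterns are this example's own.
GA3_PATTERNS = {
    "ua_property_id": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "analytics_js": re.compile(r"google-analytics\.com/analytics\.js"),
    "legacy_ga_js": re.compile(r"google-analytics\.com/ga\.js"),
    "ga_create_call": re.compile(r"\bga\(\s*['\"]create['\"]"),
}
# GA4 measurement IDs are reported separately so they are not mistaken for GA3.
GA4_ID = re.compile(r"\bG-[A-Z0-9]{6,12}\b")

def audit_page(html):
    """Return the GA3 markers and GA4 measurement IDs found in one page's HTML."""
    ga3 = {}
    for name, pattern in GA3_PATTERNS.items():
        hits = sorted(set(pattern.findall(html)))
        if hits:
            ga3[name] = hits
    ga4_ids = sorted(set(GA4_ID.findall(html)))
    return {"ga3": ga3, "ga4_ids": ga4_ids, "ga3_present": bool(ga3)}

def audit_site(pages):
    """pages maps a path to its HTML; only pages that still load GA3 are returned."""
    report = {}
    for path, html in pages.items():
        result = audit_page(html)
        if result["ga3_present"]:
            report[path] = result
    return report

# Constructed sample pages (placeholder IDs, not real properties).
SAMPLE_PAGES = {
    "/index.html": """<script>(function(i,s,o,g,r){i[r]=i[r]||function(){}})
      (window,document,'script','https://www.google-analytics.com/analytics.js','ga');
      ga('create', 'UA-00000000-1', 'auto'); ga('send', 'pageview');</script>""",
    "/contact.html": """<script async
      src="https://www.googletagmanager.com/gtag/js?id=UA-00000000-2"></script>
      <script>gtag('config', 'UA-00000000-2');</script>""",
    "/shop.html": """<script async
      src="https://www.googletagmanager.com/gtag/js?id=G-ABCDEF1234"></script>
      <script>gtag('config', 'G-ABCDEF1234');</script>""",
    "/about.html": "<h1>About us</h1>",
}

if __name__ == "__main__":
    for path, result in audit_site(SAMPLE_PAGES).items():
        print(path, result["ga3"])
```

A static scan like this only sees tags present in the HTML itself; a GA3 tag injected at runtime by a tag manager container has to be checked in the container configuration or in the browser's network requests.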

How can this be resolved? You can install statistics software that does not transfer data to the United States, such as Matomo, which has already been recommended for the public administration (PA).

Another option would be to use Google Analytics 4. With it, the so-called Server Side solution allows you to change the IP address, thus making it impossible for Google to trace the identity of the users.

This solution has not been explicitly confirmed by the Italian Privacy Guarantor, while its French counterpart has already expressed itself in favor. But while we are sure that GA3 does not comply with the GDPR, “To state with equal certainty that GA4 is a safe solution would be too risky”, at least that’s how Legal for Digital expressed itself.

At the moment it is still too early to commit to a definitive path, not even that of server-side management of the tool. The risk of heavy penalties for those who have GA3 on their site remains undeniable.

You will have to wait for the Privacy Guarantor to express itself clearly, or for Google to move in Europe's direction, or even for wide-ranging agreements on the transfer of data from one continent to another to be made at an international level.

What is certain is that the penalties are currently a real risk. Their amount is at the discretion of the supervisory authority, which will assess it on a case-by-case basis according to the indications of the GDPR.

The Regulation provides that the sanction established for each case is effective, dissuasive and proportionate, as indicated in Article 83, paragraph 1. The amounts of the sanctions, as per the provision of 23/06/22 nr 9782874, can vary from 10 to 20 million euros and from 2 to 4% of the company’s total annual worldwide turnover, depending on the characteristics and the type of violation.

Although all owners of a website are at risk, the focus will most likely fall first on the big digital players and then move on to even the smallest.

When it is stated that everyone is at risk, this means anyone who owns a website with software that transfers user data to the United States. To date, the prime suspect is Google Analytics 3, but the list could grow to include many other software products.

The alternative solutions to Google Analytics 3

In this regard, here are some alternative options to GA3, pending a definitive ruling from the Guarantor, bearing in mind that there are several other software products on the market, both free and paid.

Google Analytics 4

For those who work with digital marketing campaigns it is an indispensable tool. It allows you to make strategic decisions about which marketing tools work best and how to target the budget.

Google Analytics 4 Server Side

It is still Google Analytics 4 but with a very important variant: between the site where GA4 is installed and the Google server there is an additional server, called a proxy, which modifies the IP address of the user who is browsing, thus making it impossible for GA4 and Google to trace the user. This means that, even if Google continues to transfer data to the US, this solution should prevent the user from being identified. The server can be built in-house or hosted in the cloud. To date, there is cloud software that offers this option.


Matomo is an open source analytics tool, already approved by the Italian Privacy Guarantor, which offers features similar to those of Google Analytics. However, there are several possibilities and options that it lacks compared to tools such as GA3 or GA4.


It is a CRM, not an Analytics software. Despite this, it is a good tool to consider. The Marketing Hub Starter version provides, among other things, dashboards to monitor the progress of visits and the conversions of users on the website, up to the actual sale.


As we have seen, therefore, the current situation is evolving: the final rulings from the Guarantor are awaited and, at the same time, it remains to be seen whether and to what extent the checks and sanctions will arrive.

However, the best advice is to comply with the ruling and to delete GA3 from your sites.


About Eric Wilson

The variety offered by video games never ceases to amaze him. He loves OutRun's drifting as well as the contemplative walks of Dear Esther. Immersing himself in other worlds is an incomparable feeling for him: he understood it by playing for the first time in Shenmue.
