The Google Analytics affair of recent weeks has unsettled quite a few companies and public administrations. Amid the uncertainty, we have tried to put the concepts in order and, together with an expert, identify the best of the solutions currently available.
What is Google Analytics and how does it work?
Google Analytics (GA) is a free web analytics service provided by the Google search engine to track the activity of visitors to a website and offer the site's managers aggregate statistics on a range of information: demographic, economic, technical and behavioral. As Pietro Biase, computer scientist and activist of Monitora PA, explains:
“When the user then visits a page equipped with a Google Analytics tracking code, a piece of code is automatically executed that transfers, via the TCP/IP and HTTP protocols, a certain amount of information to Google’s servers, sufficient to identify the visitor in most cases.”
In this regard, the Privacy Guarantor highlighted that the many data items collected include the “IP address of the user’s device and information relating to the browser, the operating system, the screen resolution, the selected language, as well as the date and time of the visit to the website”.
Why does Google Analytics pose a risk to our personal data?
Let’s start with a point that is now undisputed: Google Analytics is not GDPR compliant. The main reason is that Google is always able to identify European citizens and track their activity, opinions and interests across all websites (and all apps) that use Google Analytics, and then trace those records back to a personal identity.
The list of data collected by Google Analytics given in the first section mentioned the IP address (personal data in all respects). As stated by the Privacy Guarantor, the IP address, even “if truncated, would not become anonymous data, given the ability of Google to enrich it with other data in its possession”. Google Analytics and other similar services are therefore not GDPR compliant, since they do not provide the guarantees established by the Regulation itself, and they violate current legislation because they transfer user data to the United States, a country that currently lacks an adequate level of protection.
Caffeina Media Srl: a case that is anything but isolated
With the provision of 9 June 2022, the Guarantor ordered Caffeina Media Srl (which manages some websites) to comply with the GDPR within ninety days by adopting adequate measures for its data transfer activity. Otherwise, the data flows to the United States will be suspended.
Why can this measure not be considered an isolated case, and why must it instead be understood as a recommendation extended to all companies and public administrations that illegally use Google Analytics? Because the Privacy Guarantor, once the 90 days granted to the company receiving the provision have elapsed, will begin to verify the GDPR compliance of data transfers carried out by Data Controllers. This means that website managers have until 7 September 2022 to regularize their position in order to avoid sanctions.
Is Google Analytics 4 the solution? No, it is not GDPR compliant
Google Analytics 4 is a non-solution since, like its predecessor, Universal Analytics, it transfers users' personal data to Google and therefore cannot be considered compliant with privacy requirements. Here too, the problem lies in the rules of the US legal system, which give government agencies extremely far-reaching powers of access to databases held by companies established in the United States, wherever in the world their servers are located. In short, with Google Analytics the method of transferring personal data varies, but the problem of failing to guarantee effective anonymization of the data persists.
What solutions to adopt?
There are several open source alternatives to Google Analytics that respect the provisions of the GDPR. Moreover, adopting one of the tools indicated below would allow Data Controllers to continue to benefit from information about visitors to their websites without infringing citizens’ rights.
Let’s examine in more detail the software that companies and public administrations can choose.
1. Plausible Analytics
Plausible is a simple, open source web analytics tool. Built and hosted in the EU and powered by European-owned EU cloud infrastructure, it costs around €5 per month and allows you to import Google Analytics statistics. All site measurement is carried out completely anonymously: no cookies are used and no personal data is collected. All visitor data is processed on servers owned and managed exclusively by European companies.
2. Matomo
Matomo is an open source service suited to anyone looking for a statistics service almost as complete and accurate as Google Analytics, but one that does not reconstruct anonymized data in any way. The trial is free for 21 days, after which the service becomes paid, with plans priced at approximately 17 euros per month. Matomo also lets you use your historical Google Analytics data, since it can be imported directly into the service.
3. Web Analytics Italy
We close the circle with a solution specific to Public Administration sites. Web Analytics Italy is a platform that provides real-time statistics on visitors to Public Administration sites, giving operators detailed reports. Monitoring of statistics is free.
Having proposed these alternatives, it bears repeating that the Privacy Guarantor does not prohibit the use of Google Analytics as such, but prohibits it insofar as it transfers user data to the United States in a manner contrary to the provisions of the GDPR. Therefore, software that is an “alternative” to Google Analytics but performs the same activities is to be considered equally unlawful.
As Matteo Bartocci, editorial director of Il Manifesto, correctly asserts, “Data are the red blood cells of the Internet economy, they carry information and energy on the Net: whoever has more earns more”. For this reason, and for those given above, it is essential to evaluate carefully which alternatives can be considered truly suitable to replace Google Analytics.
The solution, as Guido Scorza of the Council of the Privacy Guarantor recalls, “can be neither technical nor political, since the fact is that we need an agreement capable of remedying the situation that arose following the Schrems II ruling, which annulled the Privacy Shield”. An agreement that, to date, does not exist.
An article by Dr. Alessandra Totaro, Data Protection Officer of several Italian municipalities on behalf of the local authority consulting company Pabli srl.
Source: Pabli srl