I have to admit: thinking about this article was as hard as working for the last six months! The first lesson that Marketing teaches you (even more if we talk about Digital) is to accept that the sector evolves rapidly, influenced by multiple factors that are often beyond our control. In fact, the provision of the Italian Privacy Guarantor issued last June (here the link to find out more) gave a strong scare to the entire digital economy. I wonder: are we really going to give up Google Analytics? And what will become of Digital Marketing?
Google Analytics is in the crosshairs of the European authorities
Should we have expected it? Absolutely. Were we prepared? I would say not.
As of July 2020, the transfer of European user data to the US is no longer legal.
The Schrems II judgment of the Court of Justice of the European Communities invalidated the privacy shield that regulates this flow of information. Perhaps not everyone was aware of it, perhaps not so much has been said about it, the truth is that the problem has been underestimated for two years. Therefore, the recent intervention of the Guarantor Authorities of the EU countries should not have surprised us. If nothing else, these rulings appear to be aimed at reaching a new political compromise limiting US government agencies’ access to personal data from Europe.
In 2022, several European authorities banned the use of Google Analytics (GA) questioning the future of its use in Europe. The central issue concerns the transfer of personal data to the United States, where privacy laws are less stringent than in Europe. The first to speak out was the Austrian Guarantor (Datenschutzbehörde or DSB), then the French CNIL and the Italian Guarantor, followed by the Danish and so on.
Google Analytics is one of the tools analytics site most popular in the world, installed in millions of main websites. It provides interesting statistics about visitors, their acquisition channel, the time they spend on the pages.
While in Italy the Guarantor limited itself to admonishing the company subject to the provision, asking it to adapt data processing to the General Data Protection Regulation (GDPR) within 90 days, the story has alarmed many companies. Analytics has been helping companies achieve their business goals for decades, and at times, they were forced to choose between handing over the data they collected and risking penalties for violating the law. Someone has given up any analytics service, others have continued to use Google Analytics, others have evaluated the use of alternative marketing solutionstesting Matomo, Piwik Pro, Plausible, Statcounter, Simple Analytics…
Will a simple platform change be enough? Certainly not.
The Guarantor’s investigation also mentions other services performed by US companies that collect and process user data. How many times during the working day do we access Google Drive, or Dropbox, One Drive, Google Ads, LinkedIn, Meta, Mailchimp and many other useful services for our activities?
All of these technologies potentially violate the GDPR because they are hosted on servers controlled by companies in the United States. It is reasonable to think that many of these tools will soon end up in the Guarantors’ crosshairs. What we deduce is that it is more a question of geopolitics than of marketing: between both personal data protection systems there is an already evident legislative gap. The United States, in order to maintain an active (even commercial) association with Europe, must necessarily come close to our privacy principles. This is also what the German State Commissioner for Data Protection and Freedom of Information (LfDI) Brink said.
For this reason, the European Union and the United States are negotiating a new agreement. On October 7, 2022, President Biden signed a executive order which, if approved by the European Commission, would form the legal basis for new legislation on international data transfer, limiting access to European data by US intelligence services to only what necessary my provided to ensure user privacy.
For now, this signature does not have legal force, so companies cannot trust it yet. At the very least, it allows us to still have some hope.
At the same time, there has been no shortage of comments from skeptics. First of all Max Schrems, president of the noyb association, according to which the new agreement would already contain important legal ambiguities, such as the lack of a clear definition of “provided” in relation to the access to data allowed to intelligence. So let’s wait to claim victory. It seems like a long shot, but there’s a chance this Privacy Shield 2.0 may never be finalized.
Obviously, it is digital marketing that pays the price for this period of stagnation, it is us.
In short, the suspension of the Privacy Shield agreements, the disapproval of third-party cookies by browsers, the update to iOS 14 by Apple, the decision to breach Google Analytics by the Guarantors of the European countries have made it clear how a paradigm shift is needed, in the way we do our work, in measuring the performance of our activities and in valuing investments. All this, as compatible as possible with the GDPR.
Is Google Analytics 4 really privacy friendly?
We know that the version contested by the Guarantor so far only refers to Universal Analytics. This was confirmed by theAdv. Guido ScorzaItalian Privacy Guarantor member: “The Guarantor’s offices have not had the opportunity to examine version 4 of Google Analytics simply because the data controller subject to the provision did not use it. […] Therefore, it is impossible to say whether or not it is capable of solving the problem.”
It would seem that Big G has actually paid more attention to user privacy with the new release, GA4. For example, it no longer stores IP addresses: they are initially used in a volatile way for geolocation. It would also allow you to exercise a more control over the data collected relative to the location of the users and the device used for navigation and would offer the possibility of totally or partially eliminating the data of the visitors to the site.
Compared to Universal Analytics, GA4 stores data on servers in Europe. Therefore, according to Google, data management is subject to European law. In fact, we know that despite these efforts, US intelligence authorities can still request access to this data.
Among other things, GA4 processes many metrics that, while not sensitive data per se, can be combined to identify a user. It is true that we can limit the collection of information that threatens privacy protection, but doing so would have negative implications for data analysis and the performance of marketing activities themselves. We are on point and in the head.
For companies, marketing agencies and employees of the marketing department, disabling Google Analytics or simply replacing it is a serious problem, not only for economic reasons, but also for the time needed for the migration, for the skills required for the configuration and maintenance of another tool, for loss of historical data. Similarly, server-side monitoring and proxy adoption, a solution suggested by the French CNIL, could prove untenable.
So what should we do?
It is difficult to establish what will happen in this and the next few years, but it is of fundamental importance to keep up with the tools at our disposal and with the current regulations. Until the European Commission and the United States sign the data transfer agreement, you must be careful with your tracks and have at least a plan B.
A discussion with your DPO (data protection officer) or legal counsel may be useful to ensure that information and cookie consent management are compatible. Transparency pays off: today we know that “privacy experiences impact user trust.”
Mitigate the risk of fines by stopping data collection in Universal Analytics. Rather move to GA4 even if your simple setup won’t be enough to solve the problems I told you about above. In the meantime, however, you can disable Google Signals and the advertising personalization feature and you can use “autonomous” data for statistical purposes.
If you have concerns or reservations about Google Analytics, please consider other tracking tools hosted in Europe. Carefully assess the effort and investment that may be required (again the lawyer can support you and help you make the best decision for your specific case). Unfortunately, there is no perfect tool that meets all of our needs. The important thing is not to take the problem lightly and not stop monitoring your website. Therefore, I advise against completely abandoning the analysis tools. This would lead to clumsiness in defining the activities to be carried out and in estimating the results.
The “Privacy Paradox”
Anyone will advocate for a change in focus towards user privacy. But to what extent will this attention to people’s data be sustainable for companies to deliver relevant messages as well? To what extent does all this make sense?
We live permanently connected to the Internet, bombarded by content (news, photos, videos, chats). is hewas of absolute privacyHowever, our data is shared very quickly on the web. The rain of data that we produce online and new technologies are changing our routine and our relationships, but also other sociopolitical and economic aspects.
We demand confidentiality, but we barely try to protect our data in first person. We are profoundly inconsistent and gullible. Some simple examples: (1) we post photos of all aspects of our lives on social media, obviously as social proof; (2) we often voluntarily give away our information in exchange for access to services and content of interest to us; (3) we allow the GPS to locate us to guide us to the destination we want to reach. And then… have you ever used a voice assistant? Convenient, right? It makes your life easier. Well, in order to answer you when you call them, Siri, Alexa or Google must remain listening, so our device’s microphone remains on, providing applications with much more information than we think.
Even when we say we intend to protect our privacy or complain about ads that follow us, we don’t change our habits. This applies both online and offline. It’s the so-called”privacy paradox”, that is, the presence of a discrepancy between the concerns or attitudes expressed by individuals and their actual behaviors regarding privacy.
In this context, marketers work in a situation of supposed conflict: on the one hand we see the right of users to their privacy and on the other the need for marketing to remain relevant. As Matteo Zambon writes in his last book “GA4: Google Analytics 4 for beginners” it seems that we are moving dangerously towards “you must not track users” based on what Matteo himself calls “follow-up”. On the one hand, it will be our task to look for alternatives to continue operating well in the market; on the other, we must wait for the support from the legislative point of view of the authorities. The next few months will probably be decisive!