EP Digital Skills – From Captain America’s shield to GDPR

What are we talking about? Comics or Analytics tracking and GDPR? It might be more captivating to talk about the former. Maybe.

Captain America’s shield is the new amendment that updates the Privacy Shield specifications and constitutes a new framework for the protection of the data of American and European citizens. Will it be a cardboard shield or an indestructible alloy?

So let’s start with the recent events that have affected the protection of the privacy and personal data of European citizens, with a specific goal: to address the main questions we have received, in various forms, from our clients and law firms:

Do we need to abandon Google Analytics 3 (Universal Analytics)?
Should we delete the account?
Is Google Analytics 4 GDPR compliant?
Are there other tracking solutions?

To begin with, let’s talk about the Privacy Shield, the latest development in these matters, which actually doesn’t have much to do with Analytics tools, advertising campaigns, and user IPs. It’s more about geopolitics, international agreements, and national security. That’s why experts in Web Marketing and digital technologies must exercise caution when addressing these topics.

There are firms and lawyers who specialize in this area, and those involved in marketing should not and cannot replace them; they should only provide information to outline the technical and technological framework and possible solutions.

On October 7th, following recent discussions with the European Union, the United States enacted a new Data Privacy Framework that is expected to replace or update the current Privacy Shield. The Privacy Shield was originally designed as a tool to regulate the flow of information between the EU and the United States: how the United States can access the data of European citizens in case of investigations, and what companies should do to comply with these directives.

This new Data Privacy Framework should be a step forward compared to the previous agreement, which was invalidated by the European Court of Justice. It should include stricter obligations and procedures for external entities accessing data collected by companies for their business.

But let’s leave international politics behind and get back to practical matters: What should those who manage and work on websites do?

In general, one should take care of user data (including cookies): map how data is handled and demonstrate, plan, and take action to protect user data.

From a technical perspective, here are the key points:

GA4 processes but does not save IP addresses (GA3 is not compliant in this regard, hence the action against Caffeina Media Ltd.). Depending on the settings in GA4, these data may not even be sent to Google Analytics.
The problem is that it’s not ruled out that Google, by cross-referencing data, could be able to identify personal data, regardless of GA4 not saving IPs.
Using Server-Side tracking and saving data on European servers complies with GDPR provisions.
Implementing Server-Side tracking with European servers is not enough because data still ends up in the United States, whereas GDPR requires data to be stored in Europe.
Some companies are starting to consider the legal location of the hosting service provider; in addition to having servers in Europe, in the strictest interpretation of GDPR, some also choose a server from a company with legal headquarters in Europe. These are not specific GDPR provisions but rather interpretations of the GDPR. However, there are services that facilitate this.
GA4, like GA3, is essential for integration with Adwords and thus for maximizing Media investments. Other analytics tools do not allow the same capabilities, so Adwords algorithms perform worse due to the lack of data. This can affect an important legal aspect, the legitimate interest of the company, which could be used as an argument for using GA4.
GA3 will stop tracking regardless in July 2023.
Analytics tools like Matomo can be a good solution, but at the moment, we advise against them for those making significant investments on Google channels for the aforementioned reasons.
Closing GA3 is a valid option, especially since it will stop tracking in July 2023.
By closing, we mean either the lighter option of removing the GA3 code from your websites or the more restrictive option of deleting all historical data in the account through the relevant option in the tool (knowing that data in the digital world cannot be completely deleted, but you can explore this further elsewhere…).
Google Analytics is just one of the many tools that companies use daily and that transfer data worldwide (not only to the United States). This map of the Cloud infrastructure of major players is interesting.

Technically, we at EP know what can be done, but then the issue must be tackled with individual consultants or legal departments of companies to decide on the best course of action!
