How Google Analytics became the go-to tool
Google Analytics launched in 2005 and offered free statistics and insights into website traffic and user behavior. It quickly became the most used analytics tool on the web, taking over 50% of the market by 2007. There were several factors why Google Analytics managed to dominate the market in just a few years:
- Free and user-friendly: For small businesses with limited resources, Google Analytics provided an accessible way to gain insights into website traffic and user behavior.
- Google Ads: Tracking the performance of Google Ads campaigns through Google Analytics made the service even more appealing. Marketers could see how ads translated into site visits and conversions.
- Innovation: Google continually rolled out new features, reports, and integrations to provide more robust insights. Features like goal tracking, ecommerce tracking, and mobile app analytics were introduced over time.
- Big data: Google Analytics leveraged Google's data infrastructure to offer large sample sizes, fast processing, and features like custom dimensions and metrics.
- Decision-making: Google Analytics popularized a culture of data-informed digital marketing. Marketers were able to make decisions based on actual user behavior rather than hunches.
As you may have noticed, Google Analytics caters mostly to the needs of the marketers. The individual users whose data is used don't have a say about their data. That's where the GDPR comes in, putting the privacy and rights of the individual user at its core. But the GDPR clashes with Google's interests, resulting in quite some conflicts between Google and Europe and some of its individual countries.
Core conflicts between Google Analytics and GDPR compliance
To better understand the conflict, it's important to first see how the GDPR works and where it clashes with Google Analytics. There are three main points of conflict where the GDPR and Google Analytics clash:
- Data Collection and Consent: Imagine someone walks into a store. GDPR basically says you can't just take their picture without asking for permission. Similarly, sites now need to ask visitors if they agree to gather some data about their visit.
- Data Retention: The GDPR requires that personal data be kept for “no longer than is necessary.” Let's say you keep a diary of who visits your house. GDPR advises not to keep notes about a guest from 5 years ago, as that's no longer relevant. The same goes for web data; some experts even recommend not holding on to it for more than 2 years.
- Data Transfer: Google Analytics data is stored in the U.S. (and other countries). But the GDPR prohibits transferring EU citizens' personal data to countries with inadequate data protection laws. It’s like if someone from Europe gave you a letter to keep safe, GDPR wants to ensure you don’t just store it anywhere else.
Under the GDPR, websites and apps must obtain explicit consent from users before collecting and processing their personal data. All three of the main points above must be clear to the website visitor. Failure to inform the visitor – or not adhering to other rules set in the GDPR – can result in hefty fines, running into the hundreds of millions.
Why Google Analytics currently isn't compliant
Achieving compliance with the GDPR while using Google Analytics requires carefully evaluating the terms of service and privacy policies. Among other things, you need to limit data collection and retention, properly obtain user consent, and avoid data transfers outside the EU. With some adjustments, Google Analytics can operate legally, but compliance ultimately depends on how website owners choose to implement and use the service.
Some critics argue that Google Analytics inherently collects more data than is necessary to fulfil its purpose. Additionally, users cannot opt out of data collection if they wish to use a website. This has led to numerous legal challenges for Google in Europe.
Data protection authorities ban Google Analytics
Some European countries have banned Google Analytics altogether to avoid potential GDPR violations. The bans began after a landmark ruling by Austria's data protection authority in late 2022, which was later followed by similar court decisions in other countries, including Italy and France. The rulings emphasized that Google Analytics did not comply with GDPR's requirements, as some or all data was transferred and stored in the U.S. At the time of writing, the U.S. isn't considered to be a safe country, as its privacy regulations aren't comparable to the more strict ones in Europe. Storing data there is therefore considered unlawful.
Do Google Analytics bans work?
(Non)compliance with these bans is difficult to identify and even more difficult to enforce. Although in July 2023, the Swedish authorities have issued the first fines for several major companies not complying with the ban. At Dataprovider.com, we scan the web on a monthly basis and gather diverse information from publicly accessible websites. So we can see if the ban in those countries has had any effect on the use of Google Analytics. We focused on Italian, French and Austrian websites as the ban was put in place there over a year ago. (After the ban in those countries, Google Analytics was banned in various other European countries too. But less than a year has passed since those bans, so we left them out of the equation for now.)
In total, we tracked 653,321 Italian, 900,876 French and 167,963 Austrian websites that had Google Analytics or Google Tag Manager installed before the announced ban. For Austria, we looked at data from January 2022. For France, we selected data from December 2021 and for Italy May 2022. We then checked if these websites made any changes to their website analytics tool by March 2023. What percentage of these websites removed Google Analytics or switched to another analytics provider? Might there even be websites that added Google Analytics after the ban?
In Italy, 82% of websites did not remove Google Analytics. In France, the percentage is slightly lower but still quite high, with 74% of websites remaining with Google to track their analytics. The highest percentage of websites changing to another provider can be seen in Austria: there, 34% removed Google Analytics, leaving 66% that stayed with Google.
If website owners removed Google Analytics, where did they move to? Both in France and Italy, the vast majority adopted Adobe Analytics software. In contrast, website owners in Austria opted for Clicky and Statcounter to keep track of website analytics.
Obviously, in response to the ban, Google has made changes in an attempt to become GDPR compliant. Website owners now must obtain proper consent from users before enabling Google Analytics tracking. Google also allows disabling of certain features like user-level data and offers IP anonymization and data retention controls.
The future of Google Analytics in Europe
But additional steps may be needed for full GDPR compliance. Some websites use consent management platforms to clearly explain how data is used and obtain verifiable consent from users. Privacy policies must transparently disclose the use of Google Analytics data collection and must allow users to opt out.
The future of Google Analytics in Europe remains uncertain. While Google has made efforts to assist websites in following GDPR guidelines, some critics argue their analytics tool will never be fully compliant. Ongoing legal challenges and bans seem likely, as privacy regulators closely monitor how personal data is collected and used across the digital landscape. The banning of Google Analytics may not be a solution that works for most website owners, especially when the ban is not being reinforced everywhere.
Our data shows clearly that the majority of website owners in Austria, Italy and France did not change their analytics tool after the ban was imposed in their countries. Nevertheless, the Google Analytics ban is an opportunity for other companies that provide GDPR complaint web analysis solutions to gain an advantage in a Google dominated market. The decision for which analytics tool to use remains with website owners in Europe, who face a difficult decision in balancing user privacy concerns with business needs. With ambiguous regulations open to interpretation, no easy or risk-free solutions currently exist. Constant re-evaluation of privacy policies and tools will be necessary to keep up with this evolving data protection landscape.