18. January 2022

Foxes that anonymize chickens

IP-address, GDPR & Google Analytics

This blog post was originally posted by Thomas Taucher (JENTIS Cofounder and Co-CEO) here on LinkedIn here on LinkedIn (in german).

A lot has been reported in recent days about the current decision of the Austrian data protection authority (link), sometimes with very contradictory interpretations or recommendations. From “keep cool and don’t panic” to “turn everything off”, it’s all there. Many lawyers and agencies are speaking out, and the media are also discovering the topic more and more.

The decision itself and the similar discussion often revolve around one topic: the IP address. So it can’t hurt to take a closer look at this ominous IP address: What is the IP address? What do I need it for? And why is it problematic in terms of data protection?

What is the IP address?
Simply put, the IP address is similar to the postal address for your home, only for the computer with which you are on the Internet. The conventional IP address consists of 4 groups of numbers and looks something like this: 123.65.10.40. The important thing here is that the IP address is assigned to you by your Internet provider (e.g. A1) and is unique worldwide at the time it is assigned. Your Internet provider can therefore identify you on the basis of this IP address (e.g. the postal address of your house, your name and probably also your account number). Therefore, relatively soon after the introduction of the GDPR in 2018, it has been established that the IP address is a personal data.

What is an IP address?

What do I need an IP address for?
The IP address is fundamentally necessary for our Internet to work. For example, if you want to view a website (let’s say LinkedIn), your browser sends a request to the LinkedIn server. The server, happy about any traffic, sends the text, images and other data back to your browser so that it can display the web page for you. Both the server and your computer have a globally unique IP address at this point and can thus communicate with each other and exchange data.

sending IP address  from client to server

 

Why is that problematic?
As already mentioned above, the IP address is a personal data and exactly such data may no longer be sent to the USA according to the GDPR and the current decisions (Schrems II). The current decision of the Austrian data protection authority has only made this clearer one more time.

Now, at the latest, it must be obvious to us – no personal data to the USA!


The fox that anonymizes the chicken
Somewhat surprisingly, you can still read that you only have to turn on the Google Analytics anonymization function and you would be tracking in compliance with the GDPR again.

Anyone who has been paying attention now will immediately ask themselves the following question: “How can I anonymize something that serves as a basic technology for the Internet?” – and you’re absolutely right. If your browser would no longer send your IP address, server and browser could not possibly talk to each other – comparable to a postcard without an address – this would probably not arrive either.

Without an IP address communication isn't possible.

 

What Google offers us here is to anonymize the IP address of visitors to our websites after communication has taken place. So we still send the non-anonymized IP address to Google in the USA and would have to trust Google to anonymize it afterwards. Not only does this concept feel like asking the fox to keep an eye on the chickens, but most lawyers and experts believe that it is completely irrelevant whether Google does this or not. After all, Google has already processed the IP address, even if only for a few seconds. According to the GDPR, however, even this short period of time is sufficient for the transfer to no longer be GDPR-compliant.

This is how Google anonymizes the IP address.

 

So what are the potential solutions?
Of course, one possible solution is to simply switch providers now. If you use Google Analytics exclusively as a reporting tool, this is probably not a bad idea. However, many of us also use Google Analytics as a data gate for other Google products such as Google AdWords. In this case, we can’t just turn off or switch Google Analytics.

Good for us that there is a simple solution for this. The new technology of server side tracking provides a remedy.

In this approach, a dedicated server is interposed between the browser and Google. This way, the two are decoupled and no IP address of the visitor needs to be shared with Google.

This is how Server Side Tracking anonymizes the IP address.

 

When choosing your server side tracking solution, make sure to get it from a European provider, so the chicken really stays in Europe without much effort.

From my point of view, it not only makes no sense, it would also not be fair to pass the buck to Google here. Google builds products that we all love to use. As website operators, we need to be aware of our role of responsibility, which data we send to whom.