By using web analytics tools you transmit data to the third parties providing the service. If the third party provider is located outside the EEA, the operator must comply with the regulatory framework for international data transfers under the GDPR.
The transfer of personal data to third parties outside the EEA can be based solely on user consent if the third country, where the data recipients are located, has an adequacy decision by the EU Commission, i.e. a confirmation of an adequate level of data protection. If such is not given, user consent is not a sufficient legal basis and the transfer needs an alternative justification.
Following the invalidation of the EU-US Privacy Shield by the CJEU Schrems II ruling, practically the only remaining option for the data transfer to third party providers based in the US, such as Google Analytics, is to rely on standard contractual clauses. However, according to the ruling even if standard contractual clauses are in place, you must provide “supplementary measures” to protect against access by U.S. authorities and to ensure effective legal protection for data subjects against unauthorized access.
According to the guidelines of the EDPB, pseudonymization is an effective supplementary measure as long as singling-out or re-identification of individual users is not possible.
Please be aware that this only serves informational purposes and does not constitute legal advice.