Alternatives to Google Analytics are in vogue. The past few years in European data protection have brought some drastic findings, especially the Schrems II decision of the CJEU. In many cases, the focus was on the question of the permissibility of transfers of personal data to third countries, such as the USA. This includes transfers that occur in the context of the use of marketing and analysis tools, such as Google Analytics.
Data protection authorities have interpreted the General Data Protection Regulation (GDPR) and CJEU rulings strictly and have already imposed severe penalties for using Google Analytics.
Many of the standard marketing and analysis tools no longer met the requirements of Schrems II. Those who continued to use them risked high penalties in addition to legal fees and image damage. In the worst case, they could amount to up to 4 % of the worldwide group turnover.
Looking for Google Analytics alternatives? Not so fast
Many marketers decided to look for alternatives to Google Analytics. But was this step taken too soon? Is it possible to continue using Google Analytics 4 and forego alternatives – even in the long term in compliance with data protection laws?
In this article, you will learn how the current situation came about and what options marketers and website owners have to put their analytics on a future-proof, privacy-compliant footing.
The new Data Privacy Framework – problem solved?
But the legal situation has changed. In July 2023, the EU Commission approved the new EU-US Data Protection Framework (DPF), which lifts many of the restrictions of Schrems II and makes it much easier for organisations to transfer personal data from the EU to the US.
This means that Google Analytics could also be back on legally safe footing.
But no one can currently estimate how long that will be. The NGO of data protection activist Max Schrems will challenge the new agreement in court. Therefore, the legal uncertainty for companies will probably remain until a new decision by the Court of Justice of the European Union (CJEU).
In this complex situation, it is essential for website operators to keep an overview and know the scope for action.
In this article, you will learn how to use your Google Analytics in a data protection-compliant manner, even in the event of a possible repeal of the Data Privacy Framework.
What is Schrems II?
When and how personal data may be transferred to third countries is one of the central topics of the GDPR. According to the GDPR, it is not prohibited to transfer user data to third countries and to use tools from third countries, such as Google Analytics. However, the requirements are considerable. For example, the website operator must check whether the data security in the third country also offers an “adequate level of data protection”.
In the case of the USA, this check was simple before the DPF was introduced: no, the level of protection was insufficient. The CJEU reached this conclusion in the Schrems II ruling, declaring a related agreement (Privacy Shield) between the US and EU null and void.
The reason for this was the US Federal Foreign Intelligence Surveillance Act or FISA. The expansion of this law after the terrorist attacks of 11 September enabled the US government and US intelligence services such as the NSA to conduct surveillance on the internet on a large scale.
Tech companies can still be forced to hand over user data under secret court orders (“FISA Court”). This was also shown by the explosive Snowden revelations.
The data of EU citizens is, therefore, not safe in the USA. However, website operators are responsible under the GDPR to ensure they do not get there without further protection measures.
The problem with Google Analytics
The consequence of this: the Austrian data protection authority declared using the US tool Google Analytics illegal at the end of 2021 – a landmark decision. Afterwards, numerous EU authorities followed suit, including those of Italy, France, Sweden and Denmark.
Google tried to counteract the Austrian decision by implementing new data protection functions in Google Analytics. But even these are insufficient to establish legality, as the Danish data protection authority decided in 2022.
And the solution of operating servers in the EU or letting subsidiary companies handle the data processing was also out of luck. According to data protection authorities, US government agencies and intelligence services also have access to servers and US subsidiaries, regardless of where they are officially located. This is made possible by the US “CLOUD Act”.
Users of the analytics solution had to stop using it if they wanted to be on the right side of the law. Or take additional measures to protect the data of EU citizens.
The data protection authorities did examine Google Analytics specifically. However, their decisions had implications for all tools and services from US providers that work with personal data.
Using Analytics securely in compliance with data protection laws
It is difficult to legally send personal data to third countries without a valid data protection agreement. According to the GDPR, the affected user must explicitly consent to individual transfers and be informed about possible risks. This consent may also only serve as a legal basis in exceptional cases and “not become the rule”, as the European Data Protection Board has emphasised.
In practice, obtaining consent is difficult to implement. And whether practical solutions will hold up in court is still completely unclear.
The only alternative is to conclude standard contractual clauses, which, according to the CJEU, can enable data transfer – with additional measures. One such measure is the pseudonymisation of personal data before it is sent to the USA via a proxy server.
So, what courses of action do website operators realistically have?
From Google Analytics to the alternatives: Three options
1. Wait and see
One possible strategy is to do nothing for the time being and wait and see whether the CJEU accepts the Data Privacy Framework with the USA – or overturns it again.
Advantages: You don’t have to change anything in your MarTech stack and save yourself the trouble of switching to other tools and tracking solutions.
Disadvantages: It is questionable whether it meets the requirements of the CJEU and stands up to scrutiny. The new agreement will be challenged in court as soon as it enters into force. This variant is, therefore, associated with the strategic risk of being caught on the wrong foot should the DPF fall.
2. Switch to a European Google Analytics alternative
You could switch to a European Google Analytics alternative. If it is a company based in the European Economic Area, as well as not a subsidiary of a third-country company, you avoid the issues around international data transfers.
Advantages: This approach makes it easier for you to track privacy-compliantly if the tool providers are based in the EU.
Disadvantages: Your infrastructure is set to your existing tracking and analytics setup. The changeover involves more effort.
The choice of European solutions is also still limited. Many do not yet match the performance of established (US) tools.
3. Switch to a proxy solution (Server-side tracking)
From the decisions made so far by the data protection authorities of the EU member states, one recommendation crystallised as to how US tools can be used in compliance with the GDPR. Namely via proxy.
The solution is very simple: Instead of transferring data directly to the US (or to US servers in the EU), website operators simply connect a server in between. There, the data is pseudonymised to remove the personal reference. Only then is the data forwarded to the US tools such as Google Analytics. It is crucial that EU companies operate both servers and tracking software in the EU.
This way, website operators can continue to use their tools as usual. This technique is also called server-side tracking.
Advantages: You can simply continue to use your usual tools, such as Google Analytics and still remain DSGVO-compliant. You then usually receive first-party data, often of better quality and depth than third-party data.
Disadvantages: The basic principle of server-side tracking is quite simple, but the implementation involves technical effort and costs if you want to set it up yourself.
However, server-side tracking as a managed solution, including hosting, is a future-proof variant that makes you independent of the developments around the Data Privacy Framework and possible challenges or offers the flexibility to react quickly to regulatory developments.
Case Study: Using Google Analytics 4 entirely server-side and in compliance with data protection laws
Learn how a server-side implementation of Google Analytics 4 with JENTIS helps your marketing become data protection compliance and significantly increase data quality.