23. June 2022

Italy stops Google Analytics

Authority warns of illegality of sending data with GA to the U.S.

“A website that uses the Google Analytics (GA) service without the safeguards provided for in the EU Regulation violates data protection law because it transfers user data to the United States, a country that does not provide an adequate level of protection.” This was stated by the data protection commissioner at the end of a complex investigation launched on the basis of a number of complaints and in coordination with other European data protection authorities.

The investigation revealed that the operators of websites using Google Analytics use cookies to collect information about users’ interactions with the said websites, the individual pages visited and the services offered. This includes, among other things, the user’s IP address and information about the browser, operating system, screen resolution, selected language, and the date and time of the website visit. It was made clear that this information was transmitted to the United States. In determining the unlawfulness of the processing, it was again pointed out that the IP address is personal data that would not be anonymized even if it were truncated, since Google is able to enrich it with other data in its possession.

As a result of these investigations, the DPA issued the first of a series of measures admonishing Caffeina Media S.r.l., which operates a website, and ordering it to comply with the European regulation within ninety days. The indicated time frame was considered adequate to allow the operator to take appropriate measures for the transfer, under threat of suspending the flow of data that occurs through GA to the United States.

In particular, the Authority pointed out the possibility that U.S. government agencies and intelligence agencies may access the personal data transferred without adequate safeguards and, in this regard, noted that, in light of the EDPB’s guidance (Recommendation No. 1/2020 of June 18, 2021), the measures taken to integrate the transfer tools adopted by Google do not currently ensure an adequate level of protection for users’ personal data.

On this occasion, the Authority draws the attention of all Italian website operators, both public and private, to the unlawfulness of transfers to the United States through GA, also in light of the numerous reports and requests that reach the Office. And it is urging all data controllers to verify that the methods of using cookies and other tracking tools used on their websites, particularly Google Analytics and other similar services, comply with privacy laws.

At the end of the 90-day period granted to the company receiving the measure, the Authority will also verify, on the basis of specific inspection activities, whether the data transfers carried out by data controllers comply with the EU Regulation.

More articles


JENTIS wins EY's Scale-up of the Year Award

Recognised by a 52-member jury among 250+ entries, JENTIS' relentless innovation & commitment to digital transformation has been honored.

Past Events

Interview: The origin of the Web-Cookie

Watch an exciting interview with the inventor of the web cookie - Lou Montulli.


Legal Glossary

TTDSG, LIA, CCPA? We have got you covered! Learn about legal terms related to data processing, data privacy and current legal developments.