
The Sun sets on Google Analytics in France

Note: I am not a lawyer – I strongly suggest consulting legal counsel for liability / compliance questions.

A few weeks back I published an article about Austria’s ruling against Google Analytics. I was happy to see so many of you found that helpful. We were all left in a state of “What’s next?” as the Austrian decision lacked remediation steps. Well, now we get insight into “What’s next” as the French CNIL has wrapped up their own investigation into Google Analytics use in France.

On February 10th 2022 the CNIL also concluded that Google Analytics is illegal based on international data transfers to the United States. This brings the current country count to two, but with several more decisions pending, I think it’s fair to say we have a pretty good view into how this will go.

The French order mandated that several French websites either make Google Analytics compliant or cease use of the tool within 30 days (March 12th 2022).

My Agency says they can make Google Analytics compliant

I need to be very clear on this next part.

Google Analytics was found unlawful due to international data transfers to the United States. There is no current mechanism in Google Analytics which halts data transfer to the United States. Therefore, it is not possible to make Google Analytics compliant with this GDPR ruling in the present design of Google Analytics.

If you have a consultant or vendor telling you they can tweak your Google Analytics configuration, move the collection server side, etc., and that will make you compliant – they are wrong.

This is why it’s important to read the very long / boring court decisions. It’s not about IP Address, nor client id, nor Google Signals. It’s about the fact that all data in Google Analytics gets sent to the USA for processing and USA surveillance law poses undue risk to EU residents.

If I don’t use Google Analytics, should I be concerned?

Yes, I believe you should based on the following quote from the CNIL.

The CNIL has issued other orders to comply to website operators using Google Analytics.

The investigation by the CNIL and its counterparts also extends to other tools used by sites that result in the transfer of data of European Internet users to the United States. Corrective measures in this respect may be adopted in the near future.

https://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply

They will be targeting vendor solutions which send data to the United States. This would be a good time to check with your vendors to determine where data processing and storage occur. If you are in the EU the answer of “The United States” should raise all kinds of alarm bells at this point.

I am a US based business, do I care?

If you are subject to GDPR on the grounds that you process personal data (if you use Google Analytics, per the recent decisions, you assuredly do) and are targeting / doing business with EU residents (per Art. 3 GDPR), then this absolutely applies to your use of Google Analytics in France.

If I didn’t get an order from the CNIL do I have to comply?

If you operate a website dealing with France and qualify as subject to the GDPR based on Art. 3, I would strongly recommend that you take this trend seriously and adjust accordingly.

The French CNIL was very clear as to the intended remediation. I strongly suggest discussing with legal counsel to avoid liability and potentially being found in willful violation at a later point in time.
