It’s that time again, where a National Data Protection Authority chimes in on Google Analytics. This time it’s Denmark, and the verdict is in alignment with what we’ve seen before out of Austria, France and Italy.
We have carefully reviewed the possible settings of Google Analytics and have come to the conclusion that you cannot use the tool in its current form without implementing supplementary measures…
Since the decisions by our European colleagues, we have looked into the tool and the specific settings available to you when you intend to use Google Analytics. This has been particularly relevant as Google, following the first Austrian decision, has begun to provide additional settings in relation to what data can be collected by the tool. However, our conclusion is that the tool cannot, without more, be used lawfully.
https://www.datatilsynet.dk/english/google-analytics/use-of-google-analytics-for-web-analytics
But what does this mean for Organizations operating in and with Denmark residents?
Organizations in Denmark that use Google Analytics must therefore assess whether their possible continued use of the tool takes place in compliance with data protection law. If this is not the case, the organization must either bring its use of the tool into compliance, or, if necessary, discontinue using the tool.
https://www.datatilsynet.dk/english/google-analytics/use-of-google-analytics-for-web-analytics
The Denmark DPA stops short of saying Google Analytics is banned, as they mention they are not empowered to ban technology. With that said, they made it clear that the standard out of the box configuration of Google Analytics falls short of compliance with data protection law in Denmark.
Not to leave folks scrambling to understand, The Denmark DPA in the same notice does mention a possible solution is adopting the proposed French reverse proxy architecture. I talk about some of the trade offs of this design in a previous post, and mentioned the hosting requirements. The Denmark DPA has you covered there too, with a 30+ page report on all the considerations of using Cloud Providers.
Handy F.A.Q.s
In the days following the press release the DPA released a very comprehensive F.A.Q. about common questions related to their decision. The answers cover a number of topics including, but not limited to:
- Is GA4 Compliant?
- Can I use GA if the user consents?
- Can I configure GA to be compliant?
- Can I use a Risk-Based approach?
- How quickly do I need to take corrective action?
They also leave the door open for other configurations of GA to be evaluated, but do go so far as to state if a legal challenges arises they’ll be defending in Court. It’s worth reviewing the F.A.Q. in order to gain better understanding around their decision as you evaluate options for what to do next.