[author: Blair Robinson]
Several European Data Protection Authorities (DPAs), the bodies empowered to regulate consumer privacy under the General Data Protection Regulation (GDPR), have recently ruled that Google Analytics violates the law. DPAs in Austria, France and Italy have found that the tool, which allows website owners to track and analyze traffic to their sites, inadmissibly transmits data from European users to the United States without adequate safeguards. Other DPAs, including the Dutch Autoriteit Persoonsgegevens, are carrying out similar investigations.
Google Analytics collects user data from cookies, including pages visited, browser information, operating system, screen resolution, language selected, date and time of page views, and IP address of the user device. These decisions could have widespread implications for Google and website owners, as Google Analytics has a majority market share for web analytics technologies. Other, less important services could also find themselves in a similar situation.
Data flows between the EU and the US have been in limbo since a European court struck down the US Privacy Shield framework in Schrems II. Although regulators agreed in principle to a new framework in March, a formal framework is unlikely to be announced until later this year. Until then, website operators serving European consumers should be warned that their analytics services can land them in hot water with regulators. And with fines reaching up to 4% of annual company revenue, most organizations can’t afford to roll the dice.