If you have followed any tech news lately, you might have seen it: what could be the biggest tech upset in Europe since the introduction of the EU wide GDPR act.
We’re talking about the recent ruling of the Austrian DSB, the Austrian Data Protection Authority, that states that the continuous use of Google Analytics by Austrian companies violates the GDPR and thus, European law.
Now it is expected that the Data Protection Authorities in the other European states will soon follow with similar rulings. In this short article, we will explain to you why the use of Google Analytics is considered illegal according to GDPR, discuss the implications of this, and consider two main options to help you adapt.
Why Google Analytics Is Illegal
In short, the Austrian DSB has pointed out that the continuous use of Google Analytics by Austrian companies and organizations is illegal in light of the GDPR because US surveillance laws require US providers, like Google or Facebook, to provide personal details to US authorities, when instructed to do so.
This DSB decision is a surprise to some, but actually a follow-up to the 2020 Schrems II ruling. This was another major turning point in e-commerce. There, the Court of Justice of the European Union („CJEU“) invalidated the EU-US Data Protection Shield for a similar reason: US surveillance laws and programs such as PRISM and UPSTREAM do not provide the level of protection guaranteed by the GDPR.
After Schrems II, simply implementing additional stronger contractual clauses in your Terms & Conditions and calling your business GDPR-compliant was no longer an option.
GDPR-Definition of Personal Identifiable Information (Pii)
The term "personal data" is central to the application of the GDPR. Only when data is being processed that can be defined as personal data, the General Data Protection Regulation (GDPR) applies. The term is defined in article 4.1 (1):
“‘Personal data’ means any information relating to an identified or identifiable natural person”
At first sight, this seems logical and straightforward. When we consider data such as telephone numbers, credit card numbers, bank account numbers or number plates, it naturally fits into our idea of "personal data".
However, in light of the broader context of the term "any information", as mentioned in article 4.1 and suggested in case law in the European Court of Justice, a whole new world of personal data becomes subject to this definition. Consider records of working hours, written exam answers, and even IP addresses and cookies. Anything, objective or subjective, that can be used to, practically or theoretically, help identify the person connected to this data can be defined as personal data, as long as this relates to a natural person (and not to companies or other legal entities).
Basic Requirements for GDPR Compliance
To find the best software options for GDPR compliant analytics, it’s good to point out that software in itself can’t be GDPR compliant. The software design and how it’s being used represents the way customer data is being processed, stored and used by a (commercial) third party.
To be GDPR compliant, an organization must follow all GDPR guidelines, where software is only one of the important elements of handling customer data. Simply adding a few lines to the Terms & Conditions will not make up for how the software is being used.
However, some basic requirements can be evaluated when talking about GDPR compliant tools.
First and foremost, the software can not transfer data outside of the European Economic Area (EEA), where insufficient levels of privacy and data protection can not be overseen by European Law. This means no storage of EU data on servers in the US.
Non-EU companies need to have a legal entity in the EEA which is liable to the EEA and European law.
We recommend using software that is GDPR-certified by a certification issuer that has been approved by the software vendor’s DPA.
Alternatives to Google Analytics
So now what? Without housing EU customer data in the EEA and excluding the possibility of transferring data to the US, Google Analytics will not conform to the GDPR.
At Bright IT, we believe you should stop worrying about breaches of privacy and consider using alternatives, such as Matomo or Piwik PRO. These platforms were recognized among the top 10 legal alternatives to Google Analytics by JUSTIA, one of the world's largest online databases of legal cases.
Matomo
Matomo (formerly: Piwik) is an open-source web analytics platform that aims to give "100% data ownership" back to website visitors. It is used by over a million websites globally and is trusted by large organizations like the United Nations, Amnesty, NASA, and the European Commission. Matomo sets no limit on the number of websites you can track, the number of user accounts you have, the number of reports you can schedule, and the amount of data you can export.
If you’re making the switch from Google Analytics, Matomo also allows you to import historical Google Analytics data and can anonymize it. Also, Matomo can track personal data, but within accordance to GDPR and privacy laws. One of the main benefits is that with the right knowledge, their offer is customisable to suit a variety of needs.
As reviewed by Optimize Smart, Matomo is a serious contender to Google Analytics and a serious threat to Google Analytics premium, giving the user practically the same result without the cost.
Piwik PRO
Piwik Pro is developed by an AdTech and MarTech team that expanded on the open-source functionality of Piwik.
Nowadays, Piwik PRO is a full-fledged alternative to Google Analytics, focused on compliance with the world's strictest security- and privacy laws and backed up by a dedicated team of service professionals. It ensures compliance with US, Chinese, and Russian data protection laws, GDPR, and the Health Insurance Portability and Accountability Act (HIPAA).
Because of this, Piwik PRO has attracted a customer base of large organizations too, like the European Commission, LinkedIn, the Government of the Netherlands, Accenture, Skoda, HP and even Microsoft. It’s been added by the French data protection authority to their list of analytics platforms that can be used to collect data without consent (given a certain configuration and set of limitations).
The team claims to anonymise data when visitors opt for this right and provides a complete solution for organizations seeking an analytics suite without the need to code in special features.
Why Piwik PRO Might Be the Best Option Out There
According to reviews on Trustradius, Piwiki PRO might have the edge over Matomo, especially for large, professional organizations. The main argument for Piwik PRO over Matomo is their support level, which at the time of writing gets a 10.0 (as opposed to a 7.4 for Matomo).
Considering they are both cost-effective alternatives with a similar return on investment, a professional support team might be the deciding element for marketing professionals looking to build their GDPR compliant analytics team from the ground up.
In Addition to their higher-ranked customer support, Piwik PRO comes with a few additional features that put them over the top. They are ISO Certified and regularly audited, they have their own prepackaged consent manager, and we rank them higher in overall application stability.
Conclusion
In yet another ruling, Google Analytics has been shown to clearly violate the GDPR. We can only expect more legal issues ahead for Google, so now is as good a time as ever to start seeking out alternatives.
Navigating your way through new privacy laws and regulations can be a daunting task, especially for larger organizations where risks grow exponentially. Being able to rely on and consult a trusted, global partner can not only reduce these risks but also give peace of mind when faced with whatever regulations come next.
Both Piwik PRO and Matomo are great alternatives to Google Analytics, but we give Piwik PRO the higher score, not only for their ensured global compliance but for their incredible level of support and their above and beyond attitude to implementing extra security measures.