The discussion about whether it is legal to use Google Analytics has been in the media a lot this year. This summer, the issue has taken another turn. On July 10th, the European Commission adopted the new Data Privacy Framework, which opens up the possibility for data transfer between Europe and the US.
With the new agreement in place, it may seem like the Google Analytics issue is resolved. However, there are several areas that businesses need to be aware of, which rarely get mentioned in the ‘Google Analytics legality’ conversation.
When talking about Google Analytics, only the data transfer issue is mentioned, while data protection and data quality is often overlooked. In this blog post, we discuss the 3 most important implications of the new EU-U.S. Data Privacy Framework agreement – and how our Recapture service is relevant.
1. DATA TRANSFER
First of all, there are still doubts as to whether everything is in order with the new data agreement, and Google Analytics could potentially become illegal again.
The NOYB has challenged the EU-U.S. Data Privacy Framework agreement as they believe it is almost a copy of the previous agreement. If they win (for the 3rd time), we’re back to more question marks about the legality of Google Analytics – or questions regarding data transfer to the US being illegal.
It is also possible that the Danish Data Protection Agency will eventually find something else about the legality of Google Analytics.
Both scenarios are speculation based on past observances. IIH Nordic feels organizations are best served by investing in data collection and data compliance solutions built specifically to ensure Google Analytics data quality while mitigating risks due to changes in compliance laws.
Uncertainty is a major risk for many businesses. Recapture solves this for Google Analytics 4. The EU-U.S. Data Privacy Framework agreement only solves the data transfer issue and makes Google Analytics legal when it comes to transferring data to the US – at least for now.
2. DATA PROTECTION
Although it is now, for the time being, legal to send personal data to the US, all Danish (and EU) companies must still document all personal data that is processed, collected and transferred.
Organizations that engage IIH Nordic for Recapture receive documented control and management of data collection in Google Analytics 4. In particular, documentation focuses on the items from the CNIL’s published list that are classified as “personal data identifiers”, e.g. IP address, etc. Companies can be fined if they cannot demonstrate control and management of the GDPR rules, and it is therefore important to pay attention to this aspect.
When a company collects and processes personal data (for marketing or analytics purposes) they are responsible for the data. Data transfer to the US is just one rule they have to deal with. In addition to that, there may be a number of rules they need to be aware of. These include the Danish Marketing Practices Act, the Danish Consumer Contracts Act and the Cookie Executive Order.
Around the same time as the ‘EU-U.S. Data Privacy Framework’ was adopted, the Danish Data Protection Agency issued their guidance on Direct Marketing and GDPR as companies have a number of obligations when collecting personal data (including Google Analytics) as per the data protection rules. This is important for all companies that collect data via Google Analytics (or other analytics tools) and/or use data for marketing to individuals, e.g. via their website, email, SMS, social media or other digital channels.
Google Analytics (and other analytics tools) collect data that is classified as “personal data identifiers”, e.g. IP address, etc. In accordance with the published list by the French CNIL.
The guide provides detailed information on how companies can handle personal data in a legal and ethical manner.
3. DATA QUALITY
Last but not least, there’s the data quality aspect. The ‘EU-U.S. Data Privacy Framework’ agreement does not help in relation to avoiding:
a. data loss due to cookie consent (Cookie Executive Order)
b. data loss due to ad blockers
There are many movements working towards a “cookieless future”. This is among other things evident in relation to the Cookie Executive Order.
Recapture is the only solution for Google Analytics 4 that provides anonymous data collection and cookie-less tracking of the behavior of those who visit a company’s website – and even allows for personalization based on anonymous data.
This approach also ensures that Recapture can anonymously “capture” data that is lost today when people reject cookies when encountering the cookie banner on the website. Thus, companies can take a privacy-first approach to data collection and have access to data they would not normally have due to the cookie regulation.
Today, companies lose an average of 30-35% of their data in relation to the Cookie Executive Order. For certain marketing channels/marketing campaigns, this figure can be as high as 80-85%, which can result in companies making the wrong business decisions.
RECAPTURE SOLVES ALL 3 ISSUES WITH GOOGLE ANALYTICS 4
Many Danish companies and websites are hoping that everything is now in order with the adoption of the EU-U.S. Data Privacy Framework. The agreement however, only solves the data transfer issue.
Recapture is the only solution that solves all 3 areas for Google Analytics 4: 1. Data transfer, 2. Data protection and 3. Data quality.
The fact that we no longer have to debate the issue of data transfer is only beneficial for Recapture as the solution primarily drives business value through data protection and data quality. The fact that the solution also solves the challenges of data transfer in uncertain times is just an added upside that makes Recapture a digital Kinder Egg.