We tried to answer the questions you may have about The Danish Data Authority’s latest update (21st of September 2022) about Google Analytics, and how you can approach it.
“The Danish Data Protection Agency has looked into the tool Google Analytics, its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google”
The default setting of Google Analytics may be illegal, but there are still ways to comply with the guidelines from The Danish Data Authority. In the last few years, we at IIH Nordic have already implemented solutions that comply with the new guidelines for many clients.
Our Recapture solution is built on the supplementary measures that The Danish Data Protection Agency recommends and offers additional benefits.
Is Google Analytics illegal to use in Denmark?
The Danish DPA has stated that extra measures need to be taken in order to ensure that Google Analytics meets DPA compliance standards. If none of the recommended measures are taken, the use of Google Analytics will be in breach of DPA guidelines.
What general advice can be offered to all customers to reduce risk of breaching DPA guidelines and still work with Google Analytics?
-
- Work with IIH Nordic to take continual active measures to improve privacy.
-
- Ensure your cookie consent management is working as intended.
-
- Work with IIH to develop a bare minimum measurement plan.
-
- Minimize data collection to the bare essentials.
-
- Remove Universal Analytics and work only with Google Analytics 4.
-
- Implement a server-side tracking solution.
-
- Retain data on your own BigQuery data server and avoid using Google Analytics for data storage
Are the compliance improvement suggestions recommended by IIH Nordic new and unproven?
No, IIH Nordic has been working for more than 2 years on a proprietary solution to improve the privacy and commercial capability of Google products. We have dozens of solutions following our best practice recommendations which have all passed heavy legal scrutiny.
Does Datatilsynet refer to both GA4 and UA in their statement?
No. Datatilsynet refers to Universal Analytics and has not reviewed GA4 in a similar manner yet.
Did the Danish DPA publish a law or a guideline?
The Danish DPA published a guideline which is not a law. A Breach of the guideline leading to a fine will need to be proven in a court of law. Although it can’t be guaranteed – a warning would most likely be given for a suspected breach of the guideline.
What are the most important measures that should be taken with GA4 to meet Danish DPA standards?
IIH Nordic recommends that all clients who wish to retain the maximum commercial decision taking capability of their analytics program to move to a server-side tagging solution
Are there extra costs involved in moving server-side?
Yes. The cost of moving server side has extra costs associated with it which can vary depending on the size and number of visits to a website.
Are there alternatives to Google Analytics that are free and considered approved by the Danish DPA?
Yes – there are web analytics tools that can count how many people visit a website. There are few (if any) tools that can integrate with Google Search, Display and YouTube as well as Google Analytics. Anyone who moves away from Google Analytics will likely suffer a business disadvantage if there is currently use of Google Advertising. Retainer customers can get sparring on this topic, otherwise, we offer consultancy agreements to explore alternatives.
Can GA4 be configured in a way to avoid personal information transfer to the USA?
Yes – IIH Nordic can offer several different solutions each with varying degrees of impact to compliance and commercial capabilities. Engage a consultant to learn more.
Can Google Analytics be configured to avoid the collection of all personal identifiable information?
Yes – IIH Nordic can offer several different solutions each with varying degrees of impact to compliance and commercial capabilities. Engage a consultant to learn more.
Can Google Analytics be used solely in the EU, without any data transfer to the USA?
Yes – IIH Nordic can offer several different solutions each with varying degrees of impact to compliance and commercial capabilities. Engage a consultant to learn more.
Is it enough to gain consent for Analytics tracking to allow the use of Google Analytics and the transfer of data to the USA?
No, consent certainly helps but that does not protect organizations from legal scrutiny.
How can all organisations take more control over protecting website user privacy as well as minimizing data processed by US based Google Analytics?
IIH Nordic recommends to move to a server-side tagging approach which will enable a privacy-first approach to data collection.
Do you still have questions? Don’t hesitate to contact us at IIH Nordic!
You can contact Steen Rasmussen at steen@iihnordic.com or Robert Johnson at robert@iihnordic.com.
The press release from DPA
Read the press release from the Danish Data Protection Agency here.
