GOOGLE ANALYTICS × THE NORWEGIAN DATA AUTHORITIES

On March 1st, 2023, the Norwegian Data Protection Authorities published an article questioning the legality of Google Analytics. The article originally did not specify whether the assessment was based on Universal Analytics or Google Analytics 4. This matters because GA4 has made significant progress in improving its out-of-the-box privacy features, among them automatic hashing of the IP address before it leaves the EU, as well as automatic opt-out of Google Signals and Data Sharing.

IIH Nordic requested clarification from the Norwegian DPA about which Google Analytics version was reviewed. The following response was published on March 2, 2023:

“At the time of the complaint, the website in question was using Google Analytics 3, and we have therefore taken this as the basis for our assessment. We have received several questions about whether we, hypothetically, would have reached a different conclusion with Google Analytics 4. Datatilsynet has not taken a position on this in the specific case, but as far as we can see, Google Analytics 4 will not necessarily fix the problems we have identified so far.”

IIH Nordic has many years of experience helping customers achieve legally compliant analytics solutions using Google Analytics. This has been achieved through a detailed understanding of all data points processed by Google Analytics and by creating ways to pre-process data in the EU, on EU servers, before it is passed onward to Google Analytics.

IIH Nordic offers a solution called Recapture. The solution was first created and deployed nearly 3 years ago and is in use by more than 60 Danish and international customers. Recapture, combined with IIH Nordic GDPR consultancy, offers an attractive balance of compliance and commercial capability. All engagements with the Recapture service include a point-by-point assessment of legal implications, risk analysis and documentation in relation to the standards raised by the French CNIL and Danish DPA.

IS GOOGLE ANALYTICS ILLEGAL TO USE IN NORWAY AND DENMARK?

The Danish DPA has stated that extra measures need to be taken in order to ensure that Google Analytics meets DPA compliance standards. If none of the recommended measures are taken, the use of Google Analytics will be in breach of DPA guidelines.

However, the Danish DPA specifies that it has NOT declared the tool Google Analytics illegal; it has only pointed out the lack of compliance in specific setups.

WHAT GENERAL ADVICE CAN BE OFFERED TO ALL CUSTOMERS TO REDUCE RISK OF BREACHING DPA GUIDELINES AND STILL WORK WITH GOOGLE ANALYTICS?

  1. Engage IIH Nordic to understand the risk in relation to compliance and commercial capabilities.
  2. Ensure your cookie consent management is working as intended.
  3. Work with IIH to develop a bare minimum measurement plan and data collection strategy.
  4. Minimize data collection to the bare essentials.
  5. Remove Universal Analytics and work only with Google Analytics 4.
  6. Implement the IIH Nordic EU-based server-side solution called RECAPTURE.
  7. Minimize your Google Analytics storage time and opt in to storing data on your own private server such as BigQuery.

If you want to learn more about our compliance recommendations or about how we can help you with Google Analytics, don’t hesitate to reach out to us by using the contact form below.

If you want to read a Q&A on the statements made by the Norwegian and Danish DPA, just scroll down a little further.

ARE THE COMPLIANCE IMPROVEMENT SUGGESTIONS RECOMMENDED BY IIH NORDIC TESTED?

Yes. IIH Nordic has been configuring and deploying proprietary GDPR-compliant solutions for 3 years, improving the privacy and commercial capability of Google products. We have more than 60 customer solutions in operation, running smoothly with the highest possible data accuracy. Every customer engagement has passed rigorous legal scrutiny.

DOES DATATILSYNET REFER TO BOTH GA4 AND UA IN THEIR STATEMENT?

No. Datatilsynet refers to Universal Analytics and has not yet specifically reviewed GA4 in a similar manner. They do, however, mention that the same issues might be relevant for GA4, without specifying anything further.

DID THE DANISH DPA PUBLISH A LAW OR A GUIDELINE?

The Danish DPA published a guideline, which is not a law. A breach of the guideline leading to a fine will need to be proven in a court of law. Although it can’t be guaranteed, a warning would most likely be given for a suspected breach of the guideline.

WHAT ARE THE MOST IMPORTANT MEASURES THAT SHOULD BE TAKEN WITH GA4 TO MEET DANISH DPA STANDARDS?

IIH Nordic strongly recommends that all organizations adopt an EU-based server-side tagging solution before sending data to GA4. This gives organizations 100% capability to manage and control data processing by GA4. Secondly, we recommend that all organizations have a documented data collection process. Documentation should clearly state what data is being collected and processed, as well as why the organization believes it is necessary.

ARE THERE EXTRA COSTS INVOLVED IN MOVING SERVER-SIDE?

Yes. Moving server-side has extra costs associated with it, which can vary depending on the number of visits to a website.

ARE THERE ALTERNATIVES TO GOOGLE ANALYTICS THAT ARE FREE AND CONSIDERED APPROVED BY THE DANISH DPA?

Yes – there are web analytics tools that can count how many people visit a website. There are few (if any) tools that can integrate with the Google Marketing Platform such as Google Search, Display and YouTube. If an organization moves away from Google Analytics, there are a number of implications to be considered: cost and availability of the consultancy, lack of skilled competencies to maintain and operate the tool, lack of documentation, inability to integrate with the existing Martech stack, as well as implications for marketing efficiency and effect. IIH Nordic Retainer customers can get sparring on this topic; otherwise, we offer consultancy agreements to explore alternatives.

It is also worth noting that both the Danish and the Norwegian DPAs state that other tools in the market might be impacted even more by the issues specified, but that they have not looked into them yet.

CAN GA4 BE CONFIGURED IN A WAY TO AVOID PERSONAL INFORMATION TRANSFER TO THE USA?

Yes – IIH Nordic can offer several different solutions, each with varying degrees of impact on compliance and commercial capabilities. Engage a consultant to learn more.

CAN GOOGLE ANALYTICS BE CONFIGURED TO CONFORM TO NORWEGIAN, DANISH AND FRENCH DPA GUIDELINES?

Yes – IIH Nordic’s proprietary solution called RECAPTURE can be configured to conform to all DPA guidelines. Engage a consultant to learn more.

CAN GOOGLE ANALYTICS BE USED SOLELY IN THE EU, WITHOUT ANY DATA TRANSFER TO THE USA?

Yes – IIH Nordic can offer several different solutions, each with varying degrees of impact on compliance and commercial capabilities. Engage a consultant to learn more.

IS IT ENOUGH TO GAIN CONSENT FOR ANALYTICS TRACKING TO ALLOW THE USE OF GOOGLE ANALYTICS AND THE TRANSFER OF DATA TO THE USA?

No. Consent certainly helps, but it does not protect organizations from legal scrutiny. IIH Nordic is hopeful that Privacy Shield 2.0 will be in place before July 2023, which should address this legal concern.

HOW CAN ALL ORGANISATIONS TAKE MORE CONTROL OVER PROTECTING WEBSITE USER PRIVACY AS WELL AS MINIMIZING DATA PROCESSED BY US-BASED GOOGLE ANALYTICS?

IIH Nordic strongly recommends that all organizations adopt an EU-based server-side tagging solution before sending data to GA4. This gives organizations 100% capability to manage and control data processing by GA4.

DO YOU STILL HAVE QUESTIONS? DON’T HESITATE TO CONTACT US AT IIH NORDIC!

You can contact Steen Rasmussen at steen@iihnordic.com or Robert Johnson at robert@iihnordic.com. You are also more than welcome to contact us via our contact form by following the link below.