Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.
Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in non-conformant way.
Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not sent to the US. But! It’s still not fully legal as the Google HQ (and thus the US government) can still access all the data.
The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.
The title of this post and a lot of the comments are projecting what they want GDPR to be (all non-European online entities banned from doing business in the EU) vs how it's being enforced.
> just illegal to use in its default state which transmits PII to the US
As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IPs before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.
My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble.
On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.
For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.
I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.
I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:
> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.
At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183
NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.
As stated in the 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.
Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.
Congrats. We also chose to do the analytics ourselves. No tracking, no cookie banners, and probably better stats as well. One thing that Google did very cleverly was to only give GA users the search terms that visitors used to end up on their site.
Unfortunately, you can't self-host the integration with Google Ads or Search Console, which locks anyone who relies on Google (or Facebook, Microsoft, etc) Ads into the use of Google Analytics/Ads tracking.
Our definition of "exceptional scenarios" is clearly not the same... The list of scenarios in article 6 are common business operations covering a huge range of legitimate activities where processing might need to occur; there is little exceptional about them.
Another decision in a long stream that will make it much harder for EU start-ups companies to catch up to American ones. With absolutely no improvements to actual EU citizen well being.
Yes, let's all marvel at the accomplishment of making everything funded by exploitative and intrusive but largely useless advertisements.
All digital startups are literally doomed without the indiscriminate collection of personal tracking data.
Side note: thank you modern adtech for consistently recommending me products I already bought days and weeks before. Very effective. Gullible companies just keep paying cold hard cash for these garbage recommendation systems because some sales rep talks fluffy about AI and machine learning, it's so mindblowing....
Here I thought maximum exploitation would be selling someone's identity on the dark web, but I come to find on HN that it's actually hashed analytics data D: !!!
Isn't this an opportunity for EU startups? By choosing to enforce the law on US companies that EU companies are already generally very compliant with, surely the EU has levelled the playing field for EU companies?
It is. Most startups in the EU have to use more and more businesses in the EU. The selection is small, so there are way more chances to succeed if you're EU based and serve both markets.
I run Simple Analytics [1], which is a privacy-first analytics business from the Netherlands. I see a lot of business from the EU just because we are from the EU as well.
A little advantage for EU analytics startups, a disadvantage for all other EU startups and SMBs who have fewer options for figuring out what users like about their website and offerings.
So due to this legislation it is more costly/less profitable for a company to have a European customer compared to a US customer. Things like GDPR/lawsuits/bad PR etc. don't come for free for companies. So if some startup has a higher ratio of European users it is at a disadvantage.
Setting up something like Matomo instead of GA doesn't look to me like a huge penalizing factor for a startup.
If anything, EU startups could benefit from better control over the tools they use. One interesting halo effect of Google seeing that much data is also that US startups from ex-googlers get a head start on many insights.
Take data of your USA customers and sell it to the highest bidder without their consent or even knowledge as you please. Don't complain that I have the right to know you do that and to disagree with you doing that.
Or maybe the EU is starting to rely on its own startups.
If I had to choose an analytics software for a customer's website, I'd choose someone in the EU for the sole reason that it would be compliant in both the EU and the rest of the world.
I am no EU citizen, however live in Europe and do tech startups. I welcome GDPR as well as this ruling.
It's unethical IMO to send personal data to countries that have weak privacy laws without making it absolutely clear to the user. Which is rarely the case with GA right now.
I switched most of my projects to shynet; for me personally that's more than enough information and I have zero worries about tracking and know that some users appreciate my approach.
Edit:// even before GDPR became a thing I worked with several companies who had strict rules about hosting in Europe or, even more explicitly, not hosting in the US.
Let me guess, you're from the US and user surveillance is beneficial to your business so naturally everyone with non-capitalist (read not $$$-centric) ideology is plain wrong. EU startups don't have to "catch up" or even compete with US start ups.
Does this imply that the EU is "non-capitalist" or something?
"EU startups don't have to "catch up"..." then don't get surprised when EU talent is poached by US and Asian HRs for x2-x3 rates. And before you're gonna talk about all those "free" (taxpayer funded) services and how no European would ever move to Asia or NA, I'd like to remind you that we're in the remote work world now :)
As an EU citizen, I find it to be a huge improvement to detangle my data from US-American entities. Especially with the election of Trump and January 6th. Maybe Americans haven't fully realized what that meant for US-EU relations for the next hundreds of years. The US is just not a politically stable country until further notice.
Eh? Jan 6 wasn't very notable (a bunch of disorganized protestors were let into Congress, but the state was not meaningfully threatened), the US has long had political instabilities, the Business Plot was way worse, but who has heard of it now...
Actually, the cookie layers of Google have become a lot better in recent months. I doubt that it was Google's initiative, so I think that all this legal stuff is making a difference. Yes, it is a very slow process, but what would be the alternative?
Yes, it doesn't solve the startup problem, but honestly there are also a ton of other laws and regulations outside of data protection which make it hard for startups to prosper. Web analytics seems a relatively minor problem.
Yikes... Have you ever heard of some of the alternatives?
I self-host Plausible which is GDPR compliant and gives me all of the features that Google Analytics is actually good for. There is so much bloat in GA that provides absolutely no extra value.
I'm skeptical that this is a bad deal for EU citizens.
Nah. The problem here is Google, not analytics in general. You can still use analytics as long as you do it in a privacy-first approach.
These laws also apply to US companies offering their services to in the EU. Frankly, it's about time American companies get reigned in on their privacy abuses. US startup culture has been playing fast and loose with people's data for far too long to disastrous effects.
That's assuming a European GDPR-compliant alternative to Google analytics wouldn't arise. But of course it will. It's not even a very difficult product to build. If anything this is both sticking it to Google and creating opportunities for European startups to fill the void.
The EU hasn’t shaken off their roots in monarchy. Using the power of the state to go after a single private entity since they have a blood feud with said entity and are now finding all sorts of excuses to hit them economically.
I’ve been following the cases with regard to privacy in the EU and it’s a complete joke. You have all these onerous rules against any web technology making it near impossible for startups to function without an army of lawyers. Think I’m exaggerating? Look up the provisions under GDPR for any business, big or small, to set up a website and then process a single user request for their data even without sign in.
The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.
You may be looking at this through a very narrow, heavily politicized lens.
First: GDPR is a compromise, so it's a bit uneven. That's partly due to lobbying by google and friends. Second, privacy very much needs protection. Even if you are perfectly fine giving up your privacy, other people aren't. Third: you can actually process user requests. Depending on how you do it, you don't even have to show a banner. Is that really too intrusive?
> The EU hasn’t shaken off their roots in monarchy.
I know, right. I mean obviously the world's most famous royal family (our British one) isn't really a monarchy so that doesn't count. And they certainly don't get previews and vetos on our laws, or given hundreds of millions from the licence fees for offshore wind farms, or own a notable percentage of the land.
As for GDPR, compliance is pretty straightforward provided you aren't being shady to begin with.
And the new UK proposals are much worse and if they go through as they stand will be a nightmare for anyone serving UK visitors.
> The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.
I don't think so; the UK passed the Data Protection Act 2018 just 4 years ago, to bring GDPR into UK law. That is: the DPA is normal statute legislation, unlike the GDPR itself, which is a bureaucrat-made regulation. The DPA was passed by both houses of Parliament.
So what are these mysterious moves to ignore the law? The only such moves I'm aware of are some plans to remove the European Court of Human Rights from UK law (ain't gonna happen - the ECHR is written into the Good Friday Agreement), and the UK's decision to ignore the decision of the ICJ concerning the Chagos Islands.
If I understand this correctly, the issue isn't Google Analytics specifically, but "because it transfers users’ data to the USA, which is a country without an adequate level of data protection".
So this could also apply to any company that sends PII to the USA?
At present, there is no legal basis for a company covered by the GDPR to send personal data to the US or a US-owned company. The US needs to repeal the CLOUD Act, and maybe one or two other things, in order to make this situation work again.
What's really puzzling is that Google Analytics never got banned because of antitrust laws. It's the most obvious example of predatory pricing I've ever seen. How is a smaller company supposed to compete against a free product?
I co-founded a company called Heap that competed against Google Analytics and we were quite successful. Amplitude, Mixpanel, and others have also done so. GA’s free pricing was not really a big issue for us and customers were very willing to pay 6- and 7-figures for a differentiated quality product.
Loved Heap (Analytics?). I advocated for it while working at my previous employer :) I think we were early customers. At the time, its automatic tracking of all events was a godsend compared to hooking up specific tracking after the fact using GA events.
One broad view is that anti-trust is supposed to protect consumers, not competitors.
If a competitor can't produce a quality product that people will pay for, consumers aren't being harmed by the prevalence of a free good-enough product.
In a consumer-protection world where a free and open source Linux had 98% market share in the OS market, Microsoft or Apple would have no leg to stand on to sue its developers over anti-trust. In a competitor-protection world, they would.
The US views anti-trust through a very consumer-focused lens[1], the EU sometimes views it through a more competitor-focused one.
[1] This doesn't mean I agree with it, and there are obvious problems with trying to prove harm in a court of law, if no alternative exists.
Doesn’t predatory pricing mean “we dropped our pricing below profitability in order to kill competitors (and presumably raise our own prices once they’re dead)”?
I think you’d have a very good case against Amazon, and probably Uber/Lyft, and I’ve long wondered why no one sued them over it. But in Google’s case, Analytics is profitable for the same reason Youtube is profitable—Google makes money off the data they gather.
Google Analytics has an enterprise paid version and it starts at 6 figures, Adobe has a very competitive product in the same space. So there's definitively room for a paid product in the market.
It's like with Cloudflare. The free Tier is what gets small companies and hobby developers in. And as they know your system but not the one of others, they'll recommend it to use when your company grows or their employer looks for an analytics system.
But I don't think it's predatory. It clearly worked for cloudflare and seems to work for Tailscale (they openly said they're using the same strategy). It would be predatory if others couldn't match that, but I'd argue many competitors could offer free plans for small websites if they wanted to.
If we enforced a law that said no product can be sold at a loss, we would get rid of almost every single startup and many recently IPO'd former unicorns.
There is really no reason to use Google Analytics anymore. There are many great alternatives now, mine is PanelBear.com. Other people love Fathom and Plausible. It’s great to see some unbundling happen.
Yeah, it was another one of those trojan horse programs. Offer something incredibly useful to website owners; something so compelling that they literally can't say no. And oh, it just happens to track the activity of every web user anywhere in the world.
The alternative offerings at the time were fairly awful compared to what google released.
This is consistent with decisions from the Austrian and French data protection authorities (DPAs). Note that Google is a Processor (for this product), meaning that Google itself does not violate GDPR, but only the websites that use it.
Following the Schrems II case, the "threat model" used by EU courts on these matters is "American law enforcement can serve a warrant to American companies." Long story short, any processing that Google does after collection is not considered to offer any protection, because American law enforcement can just tell them not to do that and they won't. Hence, the "Anonymize IP Address" setting in Google Analytics is not considered to have value for GA.
It might theoretically be possible to use GA compliantly by proxying data through an EU-owned service which obfuscates anything considered personal data, at minimum the IP address and various cookie values. This scenario hasn't been confirmed by anyone as compliant, but the regulators seem to always go out of their way to dance around it rather than just saying "GA is non-compliant, always, forever." Still, for the trouble to set up such a service you might as well just stand up a self-hosted first-party analytics solution.
This particular decision on GA is purely about the cross-border transfers, and doesn't seem to touch on whether using cookies for analytics requires consent. That's a separate issue (technically about a separate law).
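The EU-side proxy described above (mask IPs and cookie values before a hit reaches Google) as an added, constructed example; it is not code from the original thread or from Google. It assumes the Universal Analytics Measurement Protocol parameter names `cid`, `uid` and `uip`, a hypothetical per-deployment HMAC key, and a daily rotation window; the IP truncation is shown only to illustrate what the old "anonymizeIp" flag did, which the regulators do not treat as anonymisation.

```python
"""Sanitise an analytics hit on an EU-controlled proxy before forwarding it.

Constructed example. The proxy receives the hit from the browser, strips
direct identifiers, and only then relays it upstream from its own IP.
"""
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qsl

# Hit parameters that carry direct identifiers (assumed UA Measurement
# Protocol names): 'uid' is the site's user id, 'uip' the client IP override.
DROP_PARAMS = {"uid", "uip"}

# Request headers that would leak the visitor's address or cookie jar
# if the proxy copied them onto the upstream request.
DROP_HEADERS = {"cookie", "x-forwarded-for", "x-real-ip", "forwarded"}


def truncate_ip(ip: str) -> str:
    """Zero the last octet (IPv4) or keep only the /48 (IPv6).

    This is what the old 'anonymizeIp' flag did. It is coarse, not anonymous:
    a /24 still pins the visitor to a small network, which is why the DPAs
    do not accept truncation alone."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_client_id(cid: str, secret: bytes, day: str) -> str:
    """Replace the persistent _ga client id with a keyed hash that rotates
    daily, so the upstream party cannot link visits across days or recover
    the cookie value. 'secret' never leaves the EU proxy."""
    return hmac.new(secret, f"{day}:{cid}".encode(), hashlib.sha256).hexdigest()[:16]


def sanitise_hit(query: str, secret: bytes, day: str) -> dict:
    """Return the parameters the proxy is allowed to forward upstream."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    out = {}
    for key, value in params.items():
        if key in DROP_PARAMS:
            continue                       # never forward direct identifiers
        if key == "cid":
            out[key] = pseudonymise_client_id(value, secret, day)
        else:
            out[key] = value               # page path, hit type, etc.
    return out


def forward_headers(headers: dict) -> dict:
    """Drop headers that carry the visitor's address or cookies; the upstream
    request originates from the proxy, so Google only ever sees its IP."""
    return {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS}


if __name__ == "__main__":
    # Constructed sample hit and headers as a browser would send them.
    HIT = "v=1&tid=UA-PLACEHOLDER-1&cid=555.123&uid=alice&uip=203.0.113.77&t=pageview&dp=%2Fpricing"
    HDRS = {"User-Agent": "ExampleBrowser/1.0", "Cookie": "_ga=GA1.2.555.123",
            "X-Forwarded-For": "203.0.113.77"}
    print(sanitise_hit(HIT, b"constructed-example-key", "2022-06-23"))
    print(forward_headers(HDRS))
    print(truncate_ip("203.0.113.77"), truncate_ip("2001:db8:abcd:1234::1"))
```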
> meaning that Google itself does not violate GDPR, but only the websites that use it.
This is so baffling to me. Google has subsidiaries in the EU. The fact that it's ok to give a product to an EU client which can't be used in accordance with the law, and the client is responsible, is just idiotic.
To be compliant, Google can just set up data centers specific to GA in one of those EU subsidiaries, so GA admins can choose to have their visitors' data stored only in an EU data center (and promise to not transfer that data to the US). This wouldn't be that hard to do.
The CNIL in France is really pushing companies to not use Google Analytics, and you better listen to them here. It seems US companies should really make changes to how they host/manage data to be able to work in the EU in the near future. (It isn’t a criticism, simply an assessment).
There's nothing US companies can do to make themselves legal to use here. The legal framework in the US allows dragnet spying on every non-American, and American companies are forced to participate in that effort.
They're perfectly legal if they don't process any PII. If a US company serves static content there's no need to fear the EU; they'll just have to disable illegal external integrations like Google Analytics/Fonts/etc.
A company doing business with other companies might find themselves in a position where they can comply perfectly. Not every company needs to collect PII, though these days every company likes to pretend they do.
So reading the English text it is not clear what exactly is the unlawful part. Is the fact that data is flowing to US based servers (which I assume is trivially managed by changing GA server location to Europe) or the fact it is flowing to an American Headquartered company, regardless of where the data is flowing to?
Can someone comment if the Italian language text is clearer? Or what is in the judgement?
There’s a bunch of steps, but jumping to the extreme, a foreign gov having access to the data is the awful part.
Data flowing to the US violates that; assuming Google US cannot refuse US gov requests, the headquarters having access to the data is also not accepted.
Well HN, how about a badge for links indicating whether it uses ga? We have to start somewhere don't we? Or we'll continue to see the web decline. Actually, from my PoV, it might be too late already. Maybe it's just me or people in EU being harassed with banner popups, but I hardly go to any link anymore, and so do many other people I know. It's just not worth it.
> how about a badge for links indicating whether it uses ga?
Sounds like a browser plugin would be best for this, then all links across the web could show it. Or you could just block it in uBO and not think about it again.
I'm an American, but I occasionally use an EU VPN. I don't understand how EU residents can tolerate the number of cookie/privacy/GDPR/whatever popups every site has, even on the sites of EU companies.
We don't. Outside of a few greybeards the vast majority of the population would gladly send all of their data including dick pics and credit card numbers to remove those popups.
The law was absolutely useless because 99% of the websites have an illegal implementation and still added a major annoyance in the form of the popup / banner.
My impression is the lawmakers assumed that companies would do what they go on about in their blogs and marketing material all the time - ensure the best user experience for their customers, which they could do by properly complying with the GDPR.
Instead, the companies took their masks off and decided to beat us over the head with illegal consent popups to trick us into believing that a damaged user experience is the only possible outcome of the GDPR.
We Europeans are generally used to doing whatever the government tells us.
We don't have the same culture as Americans.
Don't get me wrong, you had a pretty bad deal as well: without much fanfare, your government grew up so much in the last 200 years that it became the largest employer in the world. You pay loads of taxes (even more than several EU countries) and get very little benefits.
And yet, I'm sure that if we will get to a political solution to the ever-growing cancers that governments are, that solution is more likely to appear in the states than in Europe.
Europe is a hopeless - albeit beautiful - land. The people gave up change 50 years ago.
I use Ahoy too, but I don't have very good visibility into the data. I should spend more time building queries and creating charts. I should probably set up blazer as well: https://github.com/ankane/blazer
It would be really nice if Ahoy came with a web UI that covered all the basics.
Worth mentioning that DPAs tend to work together to prevent conflicting laws across the EU. Following Austrian, French, and now Italian rulings, it's almost guaranteed that the Dutch authority will come to the same conclusion.
I'd be terrified if I was an EU company at this point. There is no logical way these same rules don't apply to using AWS, GCP, and Azure. There isn't enough other cloud hosting with nearly the same capabilities in Europe to handle that day.
GCP and Azure have options to keep all data within the EU; I'm sure AWS has something too at this point. In France GCP is approved for public business, so it seems to be working fine.
On your general point, we're way past the point where a company is allowed to blindly use any random SaaS without caring about what it does with the data or where it goes. The pendulum is clearly swinging back.
> GCP and Azure have options to keep all data within the EU
I wonder how much of a difference this makes, if the DCs still belong to these american companies and this thing exists: https://en.wikipedia.org/wiki/CLOUD_Act
There seems to be a difference between "B2C" stuff like ad tech and tracking and "B2B" like AWS. The latter seems to be more eager to be compliant, I assume only to prevent local / regional competitors to fill a gap but still. Plus all the nice public contracts to be had.
Suppose I run a website in the US and a user in Italy connects to it. Does this mean I’m now breaking the law serving them the website? My connection logs now have PII.
What if I use a cdn that has points of presence in Italy and still pings my server with a head request and the end user ip?
Am I also now breaking Italian law by using google analytics?
> Does this mean I’m now breaking the law serving them the website?
As the article specifically states:
> The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
So, unless you are collecting EU citizens user data, transferring it to US and have the capabilities to enrich such data through additional information you hold, no.
IIRC, it basically only applies if you're actively doing business in the EU, or courting future business.
So, if you have a personal blog that grabs IPs? Not illegal. If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.
> If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.
And you do business in the EU. If you have a merch shop, but don't serve EU users (no EU shipping, not accepting EUR as a currency, no EU specific languages (German, French...), ...) there is no problem.
> After introduction of the GDPR in EEA it became common practice for websites located outside EEA to serve HTTP 451 errors to EEA visitors instead of trying to comply with this new privacy law. For instance, many regional U.S. news sites no longer serve web browsers from the EU.
As more and more country specific legal regulations are raised, I wonder who will be the ultimate gatekeepers of the general internet when certain actors behave against the "rules". The current landscape is a complex system of seeming contradictions straddling different levels of public and private, centralized and decentralized, anarchical and moderated, etc.
Will ISPs be forced to cut off traffic from certain areas? Will centralized companies like Google and Reddit be forced to comply with regulations or cut off services in certain areas? Will governments set up firewalls? Will the buck of responsibility be passed upwards to service providers like GA, or downwards to individual site administrators?
I'm actually just about to get rid of Google Analytics on DocSpring.com. I set up a self-hosted instance of Plausible Analytics on Render.com yesterday. I really like it so far. I set it up on a custom subdomain so it's not blocked by any ad blockers, so it's really nice to see analytics data that's almost 100% accurate (unless visitors disable JavaScript.) Especially since DocSpring is a developer tool, so most visitors are using an ad blocker extension. Also it doesn't use any cookies, so I don't need to show a cookie banner. It really feels like a breath of fresh air.
Hindsight is 20/20 but wasn't it clear that the company selling ads shouldn't be in charge of metrics for traffic and ads? Just like the TV channels had to rely on media rating firms.
> A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, which is a country without an adequate level of data protection.
> Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the EU GDPR, including by way of ad-hoc inspections.
This follows similar decisions by France [1] and Austria [2].
I wonder what the next trendy thing government officials will pretend to care about/fix in order to garner media attention. Something crypto related, maybe?
The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.
That gives you an indication of how invasive it is — that even Google doesn't want to handle the personal information, because it can't be made HIPAA-safe.
Naturally, the majority of healthcare web sites use Google Analytics, because nobody ever reads the Terms of Service.
> The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.
You're missing a key part of the sentence you're remembering:
> If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.
Healthcare companies can absolutely use GA on their websites as long as the website isn't involving PHI or ePHI.
European companies are not allowed to share PII with American companies. That goes for companies with a headquarters in the USA or subsidiaries that may be forced to share data thanks to laws like the US Cloud Act.
Previously, the EU exempted the USA through an "adequacy decision". That was later deemed illegal under EU law as American laws could not guarantee the privacy of EU citizens to the extent the GDPR prescribes. Then the EU tried again, and again such a decision was also overturned in court. The EU is working on another attempt at letting the USA track PII of EU users, but until they do that again (probably for another few years) it's illegal to share PII with American companies in almost all situations.
This is the third time a data processing agency has declared the use of Google Analytics illegal so it shouldn't really come as a surprise to those following tech news.
What's important is that the data is PII and that it's going to a place that can't guarantee privacy to an acceptable standard. Business advantage is irrelevant. The intelligence the data provides is also irrelevant. European privacy laws serve people, not businesses.
That does not change the issue: EU Microsoft has a local unfair advantage in the EU because it has access to the whole database of LinkedIn (which they own).
Additionally, denying remote access is almost impossible to enforce. It would require an efficient and permanent deep monitoring of their servers.
LinkedIn should be illegal since this data should not be privately owned.
I’m supportive of privacy, but it’s amazing how heavy-handed European regulation can be, and how difficult it can make understanding even basic metrics about our business and how those metrics have shifted over time. I suppose their intentions are good though.
Suppose you had an internal tracking library, aggregating data fetched from your own site and mobile clients, all data saved in a data center managed by your country's most reliable provider. EU directives would be a no-brainer.
That scenario has always been an option, and would be the most common case if Google didn't provide their own service for free or at cost. What's happening with the EU feels disruptive only because Google had such an unnatural position in the market.
All of that is because of the Cloud Act; non-American companies won't have as many issues. The obvious solution is to remove this spying law breaching EU laws and common sense.
15 years ago Google Analytics was cool. But at some point Google ditched the "Don't be evil" culture and tried to get as much out of Google Analytics for themselves that it became unethical.
At what point do operators just start blocking access from EU countries? It's hard to imagine it's worth jumping through all the complexities here at some point.
Time to get off my arse and write a self hosted privacy oriented analytics tool. Whatever happened to awstats. The question is - how to monetise on it?
Certainly in UK English we use watchdog to mean any organisation that has an oversight role, frequently government ones. For example the Financial Services Authority might be described as “the banking watchdog”, it is very much a government agency.
The Italian SA is the Italian Data Protection Agency (DPA), one of the per-country European regulators https://ec.europa.eu/justice/article-29/structure/data-prote... . Which acts under the GDPR and predecessor data protection laws, and is very explicitly a governmental regulator.
Good. US citizens should be, at least, disappointed that their government is so bad at protecting their privacy, that US law is so far behind the times.
To those companies and people who find these EU decisions baffling or inconvenient: tough. If you had had respect for your users this would not be an issue. You would already not be spying on them.
To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
The US isn't "behind"; it simply has no intention of moving in that direction, despite the 4th amendment making it really clear they're not allowed:
>The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
There was a recent ACM article on this. They found there was a large number of sites that don't actually ask permission for anything; they are simply informing you of the spying. Not surprisingly, the ones that did allow modifying cookies were all set up in a predatory fashion which discouraged the disabling of tracking.
It's possible for a company, which is seemingly providing you a service since you visited the site, to make money off a targeted ad in exchange for free video streaming/content/entertainment.
The whole thing has always seemed overblown to me. Websites make much more money off targeted ads, allowing them to do things like allow anyone to upload a video of any length and quality for free. And view other videos people upload. In most cases it seemed to me like a fair trade to make. Yet as people point out all the time, technically a website isn't allowed to deny access to someone who refuses targeted ads (through the cookie pop-up), so they're essentially being forced to provide that user content at a loss. Untargeted ads are often worth 90% less or more than their targeted equivalent.
Privacy privacy privacy though, as if someone at Google is manually looking through your history laughing at you.
I believe a part of the data-privacy laws and sentiment in Europe comes both from WWII and the civil wars/dictatorships/etc. that happened across the EU. When in our grandparents' time (YMMV) the government was compiling lists of citizens or checking what they were doing in their private lives, it was not to give them flowers. And while that still sounds pretty far from me, it was also fairly recent in the past, so there's some social residue of the sentiment.
BUT to answer the question directly, credit checks to the level they are performed in the USA sound like a horrifying thing and a total privacy breach for us EU citizens.
European laws are pushing to end chat providers' control over social interactions (which is something that shouldn't be done for profit anyway) in the Digital Markets Act, which forces big apps to provide federation APIs.
The EU with the GDPR made an incentive to not use trackers: don't want that ugly tracker on your site? Then stop selling data. That's why private analytics like Plausible and Umami have sprung to life.
And also made it clear how much tracking is on the web.
There is also finally a movement to let the US host everything because really, the US isn't trustworthy.
So, the EU laws, gave better awareness about tracking, gave incentives to not use trackers, and is now working on improving the user experience by stopping the monopolization of social interactions.
Have you heard of robocalls? Basically there are no robocalls in the EU, because you can just add yourself to a government no-call list. If any company doesn't respect that, they get a huge fine.
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you.
Or you know...count how many unique visitors they have and how to make the site more useful. Do you avoid using cookies on this site but still manage to log in?
Cookies needed to properly provide user authentication, i.e. user session identification, are counted as "technically necessary" cookies and do not need a cookie banner. You only need to ask for cookie consent if you track visitors with third-party services.
And, to counter your unique visitors claim: you don't need cookies, or any third-party service, for that. Everything can be done locally without disrespecting user privacy.
Do you know the difference between cookies and a cookie banner? Do you understand why this site can have login sessions, and even keep track of the number of unique visitors, yet is not required to have a cookie banner?
My buddy is a manager at a chemical plant, and your comment reminds me of a very astute statement he made recently.
“I don’t generally like unions. I’ve worked at both union and non-union plants. But anytime someone else complains about unions, I remind them that if they have a union at their plant, they earned it.“
If I thought the EU was doing this to protect privacy I'd be all for it. They really don't give a fuck, as seen by every bit of legislation they are pushing for. Yes, I also do understand that the EU in general views privacy from the government as illegal rather than a right.
The EU has both enacted the most promising and some of the most backwards, stupid and regressive privacy laws. I'm guessing that it depends on what representative guides it and forms it through the various processes, and what the courts do with it. Overall I think they have moved the needle towards more privacy.
> Yes, I also do understand that the EU in general views privacy from the government as illegal rather than a right.
That is absolutely not true, at least not by enough people for anyone to be able to make that sort of blanket statement. I'd also wonder what reasons you have for thinking that, it seems to me like all of the 5-eyes used each other to spy on themselves (besides all of the things done by normal police, various levels of federal police, etc.)
Unless there is a very simple "reject" button, I click okay. Between Firefox's native protections, DNS-level blocking and uBlock, I have a lot more confidence in my own protections than I do in their honesty, and it's not worth it to me to uncheck a bunch of boxes.
Well I’m not an expert but I think the main issue is that American citizens have protections that non-Americans do not. The government cannot spy on Americans without a court order.
Unless they have an intelligence sharing agreement with a nation that happens to pick up signals from Americans, from whom they can request that data. And maybe there exists a network to share the raw data; wouldn't that be convenient? Or you could have a secret court system (FISA) to bypass most of the protections normally granted by due process?
Can you point me to the part of the ban that says it's about protecting users from "spying in general" and not "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"?
> "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"
I want to quantify this quote. Each EU country can spy on its citizens to a similar extent as three-letter agencies from the US, but in a less analytical/big metadata way (part of it being the US brain-draining EU countries of those working in tech).
However, if EU country A wants to have access to its citizens' user data on website X located in EU country B, it is not an easy process, involving a strict judicial system between those countries.
If you feel this way I hope you do research before visiting any website at all, because you might accidentally connect to a server in the US and your IP address will be in the TCP/IP stack of that server and probably the logs too. US servers that are intended to serve US customers have no obligations to you.
I've been using clicky on a few of my sites and even though they _assure_ me that it's totally compliant with gdpr I don't really believe them, does anyone have a decent alternative for analytics that respects people's privacy? I just want to see when I get new vs returning visitors on a page. Cloudflare's analytics are okay but I like how granular clicky can get, but if there's no good way to do that I think I'm just gonna ditch clicky and make do with the cdn analytics. Hell, I bet the cdn already does everything I need and I just don't know how to use it right, or I'm not paying for the right tier or something.
There are several self-hosted solutions, as well as several GDPR-compliant SaaS solutions. They generally work pretty well; I've seen people set up, for example, Plausible, in a couple of hours on a cheap VPS.
Google needs to do what Apple is doing with Private Relay and put double-blind proxies in place so PII can be stripped before Google gets its hands on it.
i’d support any legislation that booted google, fb, ms, adobe, salesforce, and a whole host of other surveillance tech companies from any and all levels of government. it’s literally as important as the separation of church and state. in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones, in all facets of civic life (e.g., campaign finance).
This is just naive. Government offices/agencies are so tightly coupled with packages like office 365 that forcefully separating them would require home built solutions which would always be terrible, less secure, and more expensive to the tax payer. There’s a lot of good these products can provide, granted they are properly audited and have high security requirements.
Idk, here in France there are cities and state-wide administrations with free/libre stacks based on Linux, LibreOffice, Zimbra and others and things seem to JustWork™. For instance the French Gendarmerie, the cities of Rennes and Arles...
> would require home built solutions which would always be terrible, less secure,
I disagree. It would be relatively straightforward to build such systems on Linux and open source.
> and more expensive to the tax payer
As a proportion of Italy's GDP, the cost would be negligible, especially given that this is a matter of national security, something governments tend to be keen to spend money on.
I didn’t read it as government can’t use commercial products. Just that the corps couldn’t influence politics. But I’m not the OP, so I can’t speak to what was intended.
> are so tightly coupled with packages like office 365
Are they though? Do you know this for a fact? I mean, sure, MS Office is very popular in government settings, but does this really go beyond the possibility of just replacing it with LibreOffice if they so decided?
ah, the ad hominem, never a good sign for the proceeding argument.
there are a number of other office suites that are entirely adequate for bureaucratic organizations to build methodical processes around (which is what bureaucracies do). the capabilities of the underlying tools don’t matter much in this regard.
also, audits aren’t meant to prove anything (like security), but instead to shift liability.
Rubbish, there has been a concerted effort by the US to undermine other countries including so-called NATO allies in order to dominate the world; it's been going on for decades.
I refuse to use the NHS here in the UK because of the widespread use of Microsoft everywhere.
> in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones
I don't think you comprehend the scope of what you're suggesting.
I work for a school district and I'm currently migrating our system from using one commercial bus routing service to another... using Windows, SQL Server, Teams, etc. from Microsoft... using a laptop, dock, three monitors, keyboard, and mouse from HP... and today the elevator was broken so we called a repair company to come fix it... oh, and some company makes the school buses, and the networked phone on my desk, and the printer around the corner, and all of the paper in it... the fluorescent bulbs above me don't grow on trees...
you can't just expect governments, even at the national level, to roll their own everything without interfacing with corporations in any way—this is a hopelessly naïve view of the world. I am just as uncomfortable as you are with data being shared with corporations, but you're going to have to figure out a more realistic set of political goals than what you've outlined here.
it's not really aimed at governments, so much as corporations that feel entitled to sneak in ancillary interests into their products, like surveilling the public. basically, it's to force companies like microsoft to remove all that other shit and provide just the core software, if they want access to government largess. this has beneficial externalities for us, the residents of said governments.
How far does "separating corporate interests from governmental ones" go?
Can the government purchase a car? Hire a private corporation to build a road? Hire a consulting company to check the security of their (now-free-and-without-a-support-contract FOSS?) computer setup?
It's actually quite simple. The government can buy things services from specific providers, but it cannot force you to buy services from specific providers. In other words, it can buy BMWs for government use, but it cannot say "you have to buy a BMW to enter the municipal office".
The same applies to websites. If a government website uses Google analytics, it is essentially requiring you to do business with a specific company (in this case Google) in order to use a government service.
where to draw the line is a fair question in any policy debate, and one i'd expect to draw plenty of lively discussion. it's pretty clear to me that surveillance tech is on the outside of that line, but i'm open to reasonable arguments otherwise.
Not only state... I see absolutely 0 reason for my Swiss e-banking in the secured web interface to use Google Analytics and similar trackers. I can clearly see them being blocked by the likes of uBlock Origin and Ghostery in my Firefox. Why the f*k should Google know where I go in such private matters (and there are tons more, i.e. if you are LGBTQ+ in one of the many restrictive locations, have some less mainstream political preferences etc.)? The data once acquired have no reason to be deleted, ever. Too juicy info, and 7 billion humans is not that large a group to aspire to track.
I get why google et al want it for their growth/sales, but they are a private entity not owning internet in any way, extremely foreign to Europe with no clear friendly intentions. One of few times I can say I am proud to be living on old continent.
exactly, we need to decentralize power, and knowledge (information) is power. it seems innocuous when we each leak a little here and there, but surveillance tech is vacuuming up every tiny bit of it.
living in europe doesn't much matter, given the reach of these companies and their interweaving into government systems, along with reciprocal surveillance agreements (however-many-eyes countries).
I agree 100%. I have nearly all google domains blocked in my hosts file and was frustrated to find out google captcha was required on a few government websites. I understand rolling your own can be difficult or expensive but it's the government we're talking about here. They're no strangers to spending.
i mean, that's like asking how is it possible to compartmentalize anything. as elaborated elsewhere, it isn't about literally separating all interests, just those that harm the public. it's about removing the negative externalities that companies like google impose on us via such government contracts.
I understand the feeling, but that's not possible, and moreover, after reflection, why should it be so?
If government can literally fine/shutdown your business arbitrarily (as they do for lockdowns, permits, etc.), then they should have a voice in the government that could treat them so terribly.
Unless you mean to say that government should be so much smaller that it doesn't impose separate business taxes, import/export controls, require permitting and licensing and follow arbitrary regulations on those businesses, which I could get behind. Ideally, if there's no advantage or penalty to avoid by petitioning government, won't everyone stop paying attention to government? No gaming the game can happen then!
The problem is that we can't have it both ways, can't restrict a group from petitioning and then pose rules they MUST follow, without a say. That's not democracy at all.
Companies are just groups of individuals after all, and should have just as much voice as an activist group does, like ACLU or Americans for Tax Reform or whatever.
The government of Italy makes rules that apply to Italians and those doing business with them.
If you’re Italian, you do have a say, and if you’re doing international business in Italy then you accept the sovereign risk of dealing with a foreign state.
you seem to be arguing from the corporate personhood stance. corporations still have an outsized voice via their rich owners. they shouldn't, however, be privileged with extra voice unaccorded the ordinary citizenry.
GDPR and these other regulations in the EU exist because EU cannot stomach the fact that they got beat on tech and instead of innovating they are regulating to try and even the playing field.
All the recent "tech" I see from the US is all about novel ways to screw & exploit people for profit, at the expense of turning society into a dangerous wasteland full of outrage and saturated by advertising.
I wish GDPR compliance would have been opt-in. For example, a GDPR-compliant website could have sent a custom header indicating compliance, which the browser could have displayed in the address bar (a bit like HTTPS). Consumers would then have been free to make the decision to not use websites which aren't GDPR compliant. Consumers who are more concerned about privacy could have set their browser to automatically block any non-GDPR-compliant website.
Yes? ...this was the original dream of non-national cyberspace and we almost had a hope at getting it. Then the second chance with web3 but this was also spoiled by people getting too greedy and too nasty too fast.
A parallel anonymous-and-free-for-all-but-with-payments-included, smth. like Tor-but-powered-by-IPFSv9-and-Etherv7, will probably emerge in a couple decades, done right after a couple failed iterations. Some techs need hardware to catch up to be cheap enough, and only after a few failed attempts they manage to grow a trend... and it will probably last until it's used to finance a proper starting of WW3 and by then banning it will be too late.
Anyway, we'll enjoy the hell out of ourselves on the new patreons-but-for-snuff-p03n, so it will all have been worth it :)
No, just GDPR? I don't see any valid reason a user might want to "opt out" of anti-fraud legislation but I do see a reason why a user might want to access the non-GDPR web.
The Venn diagram of the websites that have a cookie popup right now and the websites that would choose to not be GDPR-compliant is a circle.
This change would mean most websites couldn't be used by privacy-conscious people anymore and that the websites in turn are free to track the sh*t out of everyone else. From my perspective that sounds a lot worse.
The web is a mandatory part of public life for most people by now and it's good and healthy that corporations get push back for not respecting privacy.
Are you implying that the vast majority of consumers aren't concerned with their privacy and would keep using GDPR-compliant websites? If that's the case, isn't the regulation somewhat against the spirit of democracy?
This kind of ridiculous law does not understand the boundless nature of the internet. If you want to protect the privacy of netizens, simply make a universal law instead of having different laws in different countries.
Since the Internet is not a fiefdom, universal law is moot. Nation states will draft tracking laws that are only enforceable through tracking in an attempt to gain their slice of the authoritarian pie. Pointing to Google or the US is typical strawman BS and gives people a false sense of security, because they should assume everyone, not just Google, is tracking them. Getting people to own their data is an uphill climb, but is ultimately what will curb the negative behavior we're witnessing.
Those decisions are good in theory, but in practice they will kill the free web.
The only people that have the workforce to put equivalent alternatives in place are the big corporations, which will find a loophole anyway.
I run my small blog, and I can't spend days or even weeks to set up a subpar analytics solution. I won't even start talking about self-hosting an analytics solution, which would probably double my monthly server cost for a website on which I earn 0€.
In 2030, if we continue on that trend, websites will be in two categories: belonging to huge companies, or running illegally. It's baffling that people are applauding the end of the free web.
Because I want to know where my readers come from, which Google terms they searched, etc.? There's a million reasons to want to know stats like this without earning money...
Honestly, at this stage the "free web" can fuck right off. The "free web" you speak of generates a lot of negative externalities everyone else has to put up with. If your "free" web needs to attack everyone with spyware for it to exist then it's not really "free".
> I run my small blog, and I can't spend days or even weeks to set up a subpar analytics solution.
Italy is the 4th in a string of recent decisions across the EU.
(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)
Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.
That is an extremely important nuance which is not obvious from the title.
Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.
Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in non-conformant way.
Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not sent to the US. But! It's still not fully legal as the Google HQ (and thus the US government) can still access all the data.
if anyone is curious about why that gives the govt. access:
https://en.wikipedia.org/wiki/CLOUD_Act
(God willing they repeal it, even if only for the international commerce implications...)
Why is that not fully legal? Wouldn't the same law prevent Google USA from querying PII data from Google Italia?
Like Adobe, who uses tracking servers in the EU, but Data Processing happens in the US?
The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.
The title of this post and a lot of the comments are projecting what they want GDPR to be (all non-European online entities banned from doing business in the EU) vs. how it's being enforced.
On the last point: how does that work with cloud computing providers, as all the big ones are US-based?
Isn't it already against Google Analytics' policy to put PII in the platform to begin with?
https://support.google.com/analytics/answer/6366371?hl=en#zi...
GDPR uses a more expansive definition of personal data, and it includes the IP address and geolocation data, for example.
> just illegal to use in its default state which transmits PII to the US
As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IP's before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.
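The minimum the comment above describes, and the GCLID point raised in the reply to it, in code: a first-party collector sits in front of the analytics endpoint and scrubs each hit before forwarding it, so the raw client IP and advertising click ids never leave the site operator's infrastructure. This is an added illustration, not code from anyone in the thread or from Google. It assumes Measurement Protocol v1 style parameter names (`dl` for document location, `dr` for referrer, `uip` for IP override, `aip` for anonymize-IP), a list of click-id parameter names chosen by me, and that masking means zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address. Verify the parameter names against Google's documentation before relying on them.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Advertising click identifiers that link a hit back to an ad account (assumed list).
AD_CLICK_IDS = {"gclid", "dclid", "fbclid", "msclkid"}

# Hit parameters that carry URLs; their query strings and fragments are dropped
# because they routinely contain e-mail addresses, tokens and click ids.
URL_PARAMS = ("dl", "dr")


def mask_ip(ip: str) -> str:
    """Return the IP with host bits zeroed: /24 for IPv4, /48 for IPv6.

    The result still says roughly where a visitor is but no longer identifies one host."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def strip_url(url: str) -> str:
    """Keep scheme, host and path of a URL; drop query string and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def scrub_hit(params: dict, client_ip: str) -> dict:
    """Produce the hit that the first-party collector forwards upstream.

    `params` is the hit as sent by the browser; `client_ip` is the address the collector
    saw on the connection. The raw IP is never placed in the outgoing hit: only the masked
    form is sent as the IP override, and the upstream anonymize-IP flag is set as well."""
    out = {k: v for k, v in params.items() if k not in AD_CLICK_IDS}
    for key in URL_PARAMS:
        if key in out:
            out[key] = strip_url(out[key])
    out["uip"] = mask_ip(client_ip)   # assumed MP v1 name for the user-IP override
    out["aip"] = "1"                  # assumed MP v1 name for the anonymize-IP flag
    return out


if __name__ == "__main__":
    # Constructed sample hit; the tracking id is a placeholder, not a real property.
    hit = {
        "v": "1",
        "tid": "UA-PLACEHOLDER-1",
        "cid": "555.1234",
        "dl": "https://example.org/signup?email=alice%40example.org&gclid=abc123",
        "dr": "https://duckduckgo.com/?q=gdpr+analytics",
        "gclid": "abc123",
    }
    print(scrub_hit(hit, "203.0.113.77"))
```

Running it on the constructed hit yields a forwarded hit whose `dl` is `https://example.org/signup`, whose `dr` is `https://duckduckgo.com/`, with no `gclid`, and with `uip` set to `203.0.113.0`. The design choice worth noting is that masking happens at the collector, on the operator's own server, which is exactly what makes it more than "unchecking a few boxes": the browser never talks to the analytics vendor directly, so the vendor never sees the unmasked address at the TCP level either.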
That’s a very common implementation of serverside GTM/GA in the EU. If you advertise, you’ll still be sending GCLIDs, though.
My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble. On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.
For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.
I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.
ref: https://support.google.com/analytics/answer/2763052?hl=en
Is it illegal to use my website from Italy? I store PII (and everything else) in the US.
No. It's illegal for you to operate in the EU.
I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:
> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.
At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183
Here are the URLs for those who disable Javascript (from https://github.com/PostHog/isgoogleanalyticsillegal.com)
https://gdprhub.eu/index.php?title=DSB_(Austria_-_2021-0.586...
https://www.cnil.fr/en/use-google-analytics-and-data-transfe...
https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...
https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...
NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.
As stated in the 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.
Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.
Forget anonymized GA, I wonder what regulators would say to the likes of Hotjar, which even records your screen and can be played back.
They aren't Google, so the anti-"American Big Tech" energy isn't as strong.
yeah, like 'swimming pools only bear a danger of drowning when wet'.
That analogy makes no sense at all.
Empty pools are probably more dangerous.
We are based in Europe and self-host our analytics exactly for this reason. I feel this is just the beginning.
Congrats. We also chose to do the analytics ourselves. No tracking, no cookie banners, and probably better stats as well. One thing that Google did very cleverly was to only give GA users the search terms that visitors used to end up on their site.
Don't you still have to provide a cookie banner as soon as your analytics are storing cookies, even if it's your own?
Isn't the search term in the Referer header?
How are you tracking returning users without cookies? Also if it’s multi-lingual, how are you storing the language prefs?
Same here. We've been using goaccess for years at 300M hits a month. Self-hosting is the way to go for us.
Comparing goaccess to GA is like comparing an abacus to a MacBook Pro.
Unfortunately, you can't self-host the integration with Google Ads or Search Console, which locks anyone who relies on Google (or Facebook, Microsoft, etc) Ads into the use of Google Analytics/Ads tracking.
Why not? Can’t you still pass the campaign information via the url?
Self-hosting does not automatically make your analytics legal, on the other hand.
Processing of your users' personal data is legal only in the few exceptional scenarios outlined in Article 6.
https://gdprinfo.eu/en-article-6
Our definition of "exceptional scenarios" is clearly not the same... The list of scenarios in article 6 are common business operations covering a huge range of legitimate activities where processing might need to occur; there is little exceptional about them.
Are you using custom software or something like plausible.io?
I've heard about Plausible but haven't tried it yet. We are using Posthog which is a suite for product analytics.
Another decision in a long stream that will make it much harder for EU start-up companies to catch up to American ones. With absolutely no improvements to actual EU citizen well-being.
Maybe a race where the finish line is maximum exploitation of the digital population isn't a race worth running.
Yes, let's all marvel at the accomplishment of making everything funded by exploitative and intrusive but largely useless advertisements.
All digital startups are literally doomed without the indiscriminate collection of personal tracking data.
Side note: thank you modern adtech for consistently recommending me products I already bought days and weeks before. Very effective. Gullible companies just keep paying cold hard cash for these garbage recommendation systems because some sales rep talks fluffy about AI and machine learning, it's so mindblowing....
here I thought maximum exploitation would be selling someones identity on the dark web but I come to find on HN that it's actually hashed analytics data D: !!!
Isn't this an opportunity for EU startups? By choosing to enforce the law on US companies that EU companies are already generally very compliant with, surely the EU has levelled the playing field for EU companies?
It is. Most startups in the EU have to use more and more businesses in the EU. The selection is small, so there are way more chances to succeed if you're EU based and serve both markets.
I run Simple Analytics [1], which is a privacy-first analytics business from the Netherlands. I see a lot of business from the EU just because we are from the EU as well.
[1] https://simpleanalytics.com/?ref=hn
I can already see the taglines: "ConsentCo, tracking that's legal in the EU, unlike Google Analytics"
A little advantage for EU analytics startups, disadvantage for all other EU startups and SMBs who have less options for figuring out what users like about their website and offerings.
So due to this legislation it is more costly/less profitable for a company to have a European customer compared to a US customer. Things like GDPR/lawsuits/bad PR etc. don't come for free for companies. So if some startup has a higher ratio of European users it is at a disadvantage.
Setting up something like Matomo instead of GA doesn't look to me like a huge penalizing factor for a startup.
If anything, EU startups could benefit from better control over the tools they use. One interesting halo effect of Google seeing that much data is also that US startups from ex-googlers get a head start on many insights.
That decision is on the US; once the CLOUD Act is removed, those services will be legal again.
Before the CLOUD Act there was the PATRIOT Act, which had effectively the same provisions.
These things have not been legal since the GDPR went into effect, and in some countries even before then.
Take data of your USA customers and sell it to the highest bidder without their consent or even knowledge as you please. Don't complain that I have the right to know you do that and to disagree with you doing that.
Google doesn't really sell user data.
Or maybe the EU is starting to rely on their own startups.
If I had to choose analytics software for a customer's website, I'd choose someone in the EU for the sole reason that it would be compliant in both the EU and the rest of the world.
I am not an EU citizen; however, I live in Europe and do tech startups. I welcome GDPR as well as this ruling.
It's unethical IMO to send personal data to countries that have weak privacy laws without making it absolutely clear to the user. Which is rarely the case with GA right now.
I switched most of my projects to shynet; for me personally that's more than enough information and I have zero worries about tracking and know that some users appreciate my approach.
Edit:// even before GDPR became a thing I worked with several companies who had strict rules about hosting in Europe or, even more explicitly, not hosting in the US.
Let me guess, you're from the US and user surveillance is beneficial to your business so naturally everyone with non-capitalist (read not $$$-centric) ideology is plain wrong. EU startups don't have to "catch up" or even compete with US start ups.
Read this with a French accent for whatever reason >.<
Does this imply that the EU is "non-capitalist" or something?
"EU startups don't have to "catch up"..." then don't get surprised when EU talent is poached by US and Asian HRs for x2-x3 rates. And before you're gonna talk about all those "free" (taxpayer funded) services and how no European would ever move to Asia or NA, I'd like to remind you that we're in the remote work world now :)
As an EU citizen, I find it to be a huge improvement to detangle my data from US-American entities. Especially with the election of Trump and January 6th. Maybe Americans haven't fully realized what that meant for US-EU relations for the next hundreds of years. The US is just not a politically stable country until further notice.
Eh? Jan 6 wasn't very notable (a bunch of disorganized protestors are let into congress, but the state was not meaningfully threatened), the US has long had political instabilities, the business plot was way worse, but who has heard of it now...
Since when did the EU become politically stable? Last time I checked you were at war with Russia.
Actually, the cookie layers of Google have become a lot better in recent months. I doubt that it was Google's initiative, so I think that all this legal stuff is making a difference. Yes, it is a very slow process, but what would be an alternative?
Yes, it doesn't solve the startup problem, but honestly there are also a ton of other laws and regulations outside of data protection which make it hard for startups to prosper. Web analytics seems a relatively minor problem.
Yikes... Have you ever heard of some of the alternatives?
I self-host Plausible which is GDPR compliant and gives me all of the features that Google Analytics is actually good for. There is so much bloat in GA that provides absolutely no extra value.
I'm skeptical that this is a bad deal for EU citizens.
[EDIT] missing and
Nah. The problem here is Google, not analytics in general. You can still use analytics as long as you do it in a privacy-first approach.
These laws also apply to US companies offering their services in the EU. Frankly, it's about time American companies get reined in on their privacy abuses. US startup culture has been playing fast and loose with people's data for far too long to disastrous effects.
Perhaps those are start-ups that we don't need in the EU.
That's assuming a European GDPR-compliant alternative to Google analytics wouldn't arise. But of course it will. It's not even a very difficult product to build. If anything this is both sticking it to Google and creating opportunities for European startups to fill the void.
That's ok, that's our decision.
The EU hasn’t shaken off their roots in monarchy. Using the power of the state to go after a single private entity since they have a blood feud with said entity and are now finding all sorts of excuses to hit them economically.
I’ve been following the cases with regard to privacy in the EU and it’s a complete joke. You have all these onerous rules against any web technology making it near impossible for startups to function without an army of lawyers. Think I’m exaggerating? Look up the provisions under GDPR for any business, big or small, to set up a website and then process a single user request for their data even without sign in.
The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.
You may be looking at this through a very narrow, heavily politicized lens.
First: GDPR is a compromise, so it's a bit uneven. That's partly due to lobbying by google and friends. Second, privacy very much needs protection. Even if you are perfectly fine giving up your privacy, other people aren't. Third: you can actually process user requests. Depending on how you do it, you don't even have to show a banner. Is that really too intrusive?
> The EU hasn’t shaken off their roots in monarchy.
I know, right. I mean obviously the world's most famous royal family (our British one) isn't really a monarchy so that doesn't count. And they certainly don't get previews and vetos on our laws, or given hundreds of millions from the licence fees for offshore wind farms, or own a notable percentage of the land.
As for GDPR, compliance is pretty straightforward provided you aren't being shady to begin with.
And the new UK proposals are much worse and if they go through as they stand will be a nightmare for anyone serving UK visitors.
> The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.
I don't think so; the UK passed the Data Protection Act 2018 just 4 years ago, to bring GDPR into UK law. That is: the DPA is normal statute legislation, unlike the GDPR itself, which is a bureaucrat-made regulation. The DPA was passed by both houses of Parliament.
So what are these mysterious moves to ignore the law? The only such moves I'm aware of are some plans to remove the European Court of Human Rights from UK law (ain't gonna happen - the ECHR is written into the Good Friday Agreement), and the UK's decision to ignore the decision of the ICJ concerning the Chagos Islands.
While I should be happy with the narrative (I run https://wideangle.co, a GA alternative), let's be honest. It's not banned. Nor is it illegal.
It is illegal to use it in such a way that results in Personal Data being siphoned to the US.
Is it hard? Yes. Outright illegal? Nah.
It is good to see a GA competitor not resort to FUD as a marketing tool.
But it's enough of a hurdle that many website owners may just decide to go with a EU-based competitor. Certainly a good ruling for the EU tech scene.
If I understand this correctly, the issue isn't Google Analytics specifically, but "because it transfers users’ data to the USA, which is a country without an adequate level of data protection".
So this could also apply to any company that sends PII to the USA?
At present, there is no legal basis for a company covered by the GDPR to send personal data to the US or a US-owned company. The US needs to repeal the CLOUD Act, and maybe one or two other things, in order to make this situation work again.
Is that for US- or Italian-based users? What if this is an Italian company running a global website with data from non-GDPR country users?
Any company that sends personal data to the USA, yes.
What's really puzzling is that Google Analytics never got banned because of antitrust laws. It's the most obvious example of predatory pricing I've ever seen. How is a smaller company supposed to compete against a free product?
I co-founded a company called Heap that competed against Google Analytics and we were quite successful. Amplitude, Mixpanel, and others have also done so. GA’s free pricing was not really a big issue for us and customers were very willing to pay 6- and 7-figures for a differentiated quality product.
Loved Heap (Analytics?). I advocated for it while working at my previous employer :) I think we were early customers. At the time, its automatic tracking of all events was a godsend compared to hooking up specific tracking after the fact using GA events.
One broad view is that anti-trust is supposed to protect consumers, not competitors.
If a competitor can't produce a quality product that people will pay for, consumers aren't being harmed by the prevalence of a free good-enough product.
In a consumer-protection world where a free and open source Linux had 98% market share in the OS market, Microsoft or Apple would have no leg to stand on to sue its developers over anti-trust. In a competitor-protection world, they would.
The US views anti-trust through a very consumer-focused lens[1], the EU sometimes views it through a more competitor-focused one.
[1] This doesn't mean I agree with it, and there are obvious problems with trying to prove harm in a court of law, if no alternative exists.
Doesn’t predatory pricing mean “we dropped our pricing below profitability in order to kill competitors (and presumably raise our own prices once they’re dead)”?
I think you’d have a very good case against Amazon, and probably Uber/Lyft, and I’ve long wondered why no one sued them over it. But in Google’s case, Analytics is profitable for the same reason Youtube is profitable—Google makes money off the data they gather.
I did hear this in about 2014, so it could well have changed, but I thought Youtube wasn't profitable, or at the very most barely profitable
Google Analytics has an enterprise paid version and it starts at 6 figures, Adobe has a very competitive product in the same space. So there's definitively room for a paid product in the market.
Lots of ways? Better features, better support, better performance.
If you can't beat the free offering, then go home.
"We've tried nothing and we're all out of ideas!"
- A French Ned Flanders, probably
If you can't beat the free offering, then go home.
In the real world of physical goods, there are laws against this. But Google's a tech company, so anything goes.
How many companies use GA as their only analytics system? It isn’t free. It has a free tier.
It's like with Cloudflare. The free Tier is what gets small companies and hobby developers in. And as they know your system but not the one of others, they'll recommend it to use when your company grows or their employer looks for an analytics system.
But I don't think it's predatory. It clearly worked for cloudflare and seems to work for Tailscale (they openly said they're using the same strategy). It would be predatory if others couldn't match that, but I'd argue many competitors could offer free plans for small websites if they wanted to.
If we enforced a law that said no product can be sold at a loss, we would get rid of almost every single startup and many recently IPO'd former unicorns.
There is really no reason to use Google Analytics anymore. There are many great alternatives now, mine is PanelBear.com. Other people love Fathom and Plausible. It’s great to see some unbundling happen.
Yeah, it was another one of those trojan horse programs. Offer something incredibly useful to website owners; something so compelling that they literally can't say no. And oh, it just happens to track the activity of every web user anywhere in the world.
The alternative offerings at the time were fairly awful compared to what google released.
I also believe (no proof though!) that you don’t need all that micro detail about your users and it is a distraction for a business.
A rough “how many came” is useful. At least to diagnose if the site had problems. Just talk to people and make your thing good!
The reason we built Scale8.com - Time to replace Google Analytics and Google Tag Manager :)
I'm still a fan of Matomo. Very powerful, easy to self-host and you get full control over your data. Never tried their managed services though.
This is consistent with decisions from the Austrian and French data protection authorities (DPAs). Note that Google is a Processor (for this product), meaning that Google itself does not violate GDPR, but only the websites that use it.
Following the Schrems II case, the "threat model" used by EU courts on these matters is "American law enforcement can serve a warrant to American companies." Long story short, any processing that Google does after collection is not considered to offer any protection, because American law enforcement can just tell them not to do that and they won't. Hence, the "Anonymize IP Address" setting in Google Analytics is not considered to have value for GA.
It might theoretically be possible to use GA compliantly by proxying data through an EU-owned service which obfuscates anything considered personal data, at minimum the IP address and various cookie values. This scenario hasn't been confirmed by anyone as compliant, but the regulators seem to always go out of their way to dance around it rather than just saying "GA is non-compliant, always, forever." Still, for the trouble to set up such a service you might as well just stand up a self-hosted first-party analytics solution.
This particular decision on GA is purely about the cross-border transfers, and doesn't seem to touch on whether using cookies for analytics requires consent. That's a separate issue (technically about a separate law).
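The proxying idea in the comment above (an EU-owned hop that strips IP addresses and cookie values before hits reach a third party) is sketched below as an added example; it is not code from the original thread or from any analytics vendor. The request shape, the `IDENTIFIER_PARAMS` list and the sample hit are all constructed assumptions, and, as the comment says, nothing here has been confirmed compliant by a regulator (the Italian SA text quoted later in the thread treats a truncated IP as still personal data when the recipient can enrich it).

```python
"""Pseudonymizing filter for an analytics collection proxy (added example).

Models one hit as a dict with the connecting IP, request headers and query
parameters; returns what would be forwarded upstream after stripping the
fields the comment names: IP address and cookie values, plus any query
parameter the operator has listed as an identifier.
"""
import ipaddress
from typing import Any, Dict

# Constructed assumption: query parameters the operator treats as identifiers.
IDENTIFIER_PARAMS = {"uid", "cid"}

# Headers that carry the client's network identity and must not be relayed.
IDENTITY_HEADERS = {"cookie", "x-forwarded-for", "x-real-ip", "forwarded"}


def truncate_ip(ip: str) -> str:
    """Zero the host part: /24 for IPv4, /48 for IPv6 (a common coarsening)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def client_ip(hit: Dict[str, Any]) -> str:
    """Pick the client address: first X-Forwarded-For hop when a trusted CDN
    sits in front of the proxy, otherwise the directly connecting peer."""
    xff = hit["headers"].get("X-Forwarded-For")
    if hit.get("behind_trusted_cdn") and xff:
        return xff.split(",")[0].strip()
    return hit["peer_ip"]


def sanitize_hit(hit: Dict[str, Any]) -> Dict[str, Any]:
    """Return the hit as it would be relayed: coarse IP, no cookies, no
    identifier params. Remaining fields (path, user agent, etc.) pass through."""
    return {
        "client_ip": truncate_ip(client_ip(hit)),
        "headers": {k: v for k, v in hit["headers"].items()
                    if k.lower() not in IDENTITY_HEADERS},
        "query": {k: v for k, v in hit["query"].items()
                  if k.lower() not in IDENTIFIER_PARAMS},
    }


# Constructed sample hit, as a CDN-fronted proxy might receive it.
SAMPLE_HIT = {
    "peer_ip": "198.51.100.9",            # CDN edge that connected to us
    "behind_trusted_cdn": True,
    "headers": {
        "X-Forwarded-For": "203.0.113.77, 198.51.100.9",
        "Cookie": "_ga=GA1.2.111.222; session=abc",
        "User-Agent": "Mozilla/5.0 (constructed)",
    },
    "query": {"dl": "https://example.com/pricing", "cid": "111.222", "t": "pageview"},
}

if __name__ == "__main__":
    print(sanitize_hit(SAMPLE_HIT))
```

The design choice worth noting is that the proxy decides which address counts as the client (the connecting peer, or the first X-Forwarded-For hop when it trusts the CDN in front of it) and then discards every header that would let the upstream recover the original; forwarding a truncated IP while leaving X-Forwarded-For intact would defeat the purpose.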
> meaning that Google itself does not violate GDPR, but only the websites that use it.
This is so baffling to me. Google has subsidiaries in the EU. The fact that it's ok to give a product to a EU client which can't be used in accordance with the law, and the client is responsible, is just idiotic.
To be compliant, Google can just set up data centers specific to GA in one of those EU subsidiaries, so GA admins can choose to have their visitors' data stored only in an EU data center (and promise to not transfer that data to the US). This wouldn't be that hard to do.
I don’t find it idiotic. It was the client’s decision to spy on its users. I have no sympathy for companies who make that decision.
What about Italian websites that serve customers outside of Italy?
The CNIL in France is really pushing companies to not use Google Analytics, and you better listen to them here. It seems US companies should really make changes to how they host/manage data to be able to work in the EU in the near future. (It isn’t a criticism, simply an assessment.)
There's nothing US companies can do to make themselves legal to use here. The legal framework in the US allows dragnet spying on every non-American, and American companies are forced to participate in that effort.
They're perfectly legal if they don't process any PII. If a US company serves static content there's no need to fear the EU; they'll just have to disable illegal external integrations like Google Analytics/Fonts/etc.
A company doing business with other companies might find themselves in a position where they can comply perfectly. Not every company needs to collect PII, though these days every company likes to pretend they do.
So reading the English text it is not clear what exactly is the unlawful part. Is the fact that data is flowing to US based servers (which I assume is trivially managed by changing GA server location to Europe) or the fact it is flowing to an American Headquartered company, regardless of where the data is flowing to?
Can someone comment if the Italian language text is clearer? Or what is in the judgement?
There’s a bunch of steps, but jumping to the extreme, a foreign gov having access to the data is the awful part.
Data flowing to the US violates that; assuming Google US cannot refuse US gov requests, the headquarters having access to the data is also not accepted.
Well HN, how about a badge for links indicating whether it uses ga? We have to start somewhere don't we? Or we'll continue to see the web decline. Actually, from my PoV, it might be too late already. Maybe it's just me or people in EU being harassed with banner popups, but I hardly go to any link anymore, and so do many other people I know. It's just not worth it.
> how about a badge for links indicating whether it uses ga?
Sounds like a browser plugin would be best for this, then all links across the web could show it. Or you could just block it in uBO and not think about it again.
A bit of an individualist solution, but you can block it with NoScript in your browser.
I'm an American, but I occasionally use an EU VPN. I don't understand how EU residents can tolerate the number of cookie/privacy/GDPR/whatever popups every site has, even on the sites of EU companies.
We don't. Outside of a few greybeards the vast majority of the population would gladly send all of their data including dick pics and credit card numbers to remove those popups.
The law was absolutely useless because 99% of the websites have an illegal implementation and still added a major annoyance in the form of the popup / banner.
My impression is the lawmakers assumed that companies would do what they go on about in their blogs and marketing material all the time - ensure the best user experience for their customers, which they could do by properly complying with the GDPR.
Instead, the companies took their masks off and decided to beat us over the head with illegal consent popups to trick us into believing that a damaged user experience is the only possible outcome of the GDPR.
We Europeans are generally used to doing whatever the government tells us.
We don't have the same culture as Americans.
Don't get me wrong, you had a pretty bad deal as well: without much fanfare, your government grew up so much in the last 200 years that it became the largest employer in the world. You pay loads of taxes (even more than several EU countries) and get very little benefits.
And yet, I'm sure that if we get to a political solution to the ever-growing cancers that governments are, that solution is more likely to appear in the States than in Europe.
Europe is a hopeless - albeit beautiful - land. The people gave up change 50 years ago.
I've slowly started ripping Google Analytics out of my Rails projects and replacing it with https://github.com/ankane/ahoy.
It's so much better! I can just use SQL to see what's going on and not get overwhelmed with 100s of visualizations and complicated dashboards.
I use Ahoy too, but I don't have very good visibility into the data. I should spend more time building queries and creating charts. I should probably set up blazer as well: https://github.com/ankane/blazer It would be really nice if Ahoy came with a web UI that covered all the basics.
Agreed. It would be a really great open source project to have a dashboard with all the basics in addition to standard Ahoy event captures.
Regarding forbidden countries, it’s not forbidden in the Netherlands, yet. They will announce a verdict in a form of a report by the end of 2022 [1].
To give people an option and pick something else over Google Analytics, I have built an alternative, Simple Analytics [2].
It doesn’t use cookies or any form of tracking and you still get the useful data that 80% of website owners need.
[1] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)
[2] https://simpleanalytics.com
Worth mentioning that DPAs tend to work together to prevent conflicting laws across the EU. Following Austrian, French, and now Italian rulings, it's almost guaranteed that the Dutch authority will come to the same conclusion.
Yes, I think so too.
How do you track "visitors"?
With a referrer, see these docs [1]
[1] https://docs.simpleanalytics.com/explained/unique-visits
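To make the referrer-based approach mentioned in that answer concrete, here is an added example (not Simple Analytics' own code, whose exact rules are in the linked doc) that counts pageviews and "unique visits" without any cookie or client identifier: a hit starts a new visit when it carries no Referer or a Referer from another host. The site host and the hit list are constructed for the example.

```python
"""Cookie-less visit counting from the Referer header (added example).

A hit is a (path, referer) pair. A visit is counted when the referer is
absent or points at a different host than the site itself; hits with an
internal referer are treated as navigation within an existing visit.
"""
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit


def is_new_visit(referer: Optional[str], site_host: str) -> bool:
    """True when the hit looks like an entry from outside the site."""
    if not referer:
        return True                       # typed URL, bookmark, or referrer stripped
    host = urlsplit(referer).hostname
    if host is None:
        return True                       # unparseable referer: treat as external
    return host.lower() != site_host.lower()


def count_visits(hits: Iterable[Tuple[str, Optional[str]]],
                 site_host: str) -> Dict[str, Dict[str, int]]:
    """Aggregate per-path pageviews and visits over a stream of hits."""
    pageviews: Counter = Counter()
    visits: Counter = Counter()
    for path, referer in hits:
        pageviews[path] += 1
        if is_new_visit(referer, site_host):
            visits[path] += 1
    return {"pageviews": dict(pageviews), "visits": dict(visits)}


# Constructed sample traffic for a site served at example.com.
SITE_HOST = "example.com"
SAMPLE_HITS = [
    ("/", None),                                        # direct entry
    ("/pricing", "https://example.com/"),               # internal navigation
    ("/", "https://news.ycombinator.com/item?id=1"),    # external entry
    ("/docs", "https://example.com/pricing"),           # internal navigation
    ("/", ""),                                          # empty referer: entry
    ("/pricing", None),                                 # direct entry
]

if __name__ == "__main__":
    print(count_visits(SAMPLE_HITS, SITE_HOST))
```

The limitation of the technique is visible in the sample: a visitor who opens a bookmark twice counts as two visits, and a returning visitor cannot be recognised at all, which is exactly the trade-off for not storing anything on the client.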
I'd be terrified if I was an EU company at this point. There is no logical way these same rules don't apply to using AWS, GCP, and Azure. There isn't enough other cloud hosting with nearly the same capabilities in Europe to handle that day.
GCP and Azure have options to keep all data within the EU, I'm sure AWS has something to at this point. In France GCP is approved for public business, so it seems to be working fine.
On your general point, we're way past the point where a company is allowed to blindly use any random SaaS without caring about what it does with the data or where it goes. The pendulum is clearly swinging back.
> GCP and Azure have options to keep all data within the EU
I wonder how much of a difference this makes, if the DCs still belong to these american companies and this thing exists: https://en.wikipedia.org/wiki/CLOUD_Act
There seems to be a difference between "B2C" stuff like ad tech and tracking and "B2B" like AWS. The latter seems to be more eager to be compliant, I assume only to prevent local / regional competitors from filling a gap, but still. Plus all the nice public contracts to be had.
I use NoScript and block Google analytics, facebook, etc. It's nice that they use a domain separate from google.com, making it easy to block.
Yes. I have all their analytics and ad network domains blocked in my hosts file.
Meanwhile, the COVID-19 certificate app for Czech Republic citizens uses Google Analytics. We are not the same. Good job Italy!
Suppose I run a website in the US and a user in Italy connects to it. Does this mean I’m now breaking the law serving them the website? My connection logs now have PII.
What if I use a cdn that has points of presence in Italy and still pings my server with a head request and the end user ip?
Am I also now breaking Italian law by using google analytics?
> Does this mean I’m now breaking the law serving them the website?
As the article specifically states:
The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
So, unless you are collecting EU citizens user data, transferring it to US and have the capabilities to enrich such data through additional information you hold, no.
IIRC, it basically only applies if you're actively doing business in the EU, or courting future business.
So, if you have a personal blog that grabs IPs? Not illegal. If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.
> If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.
And you do business in the EU. If you have a merch shop, but don't serve EU users (no EU shipping, not accepting EUR as a currency, no EU specific languages (German, French...), ...) there is no problem.
https://en.m.wikipedia.org/wiki/HTTP_451
> After introduction of the GDPR in EEA it became common practice for websites located outside EEA to serve HTTP 451 errors to EEA visitors instead of trying to comply with this new privacy law. For instance, many regional U.S. news sites no longer serve web browsers from the EU.
https://en.wikipedia.org/wiki/HTTP_451
As more and more country specific legal regulations are raised, I wonder who will be the ultimate gatekeepers of the general internet when certain actors behave against the "rules". The current landscape is a complex system of seeming contradictions straddling different levels of public and private, centralized and decentralized, anarchical and moderated, etc.
Will ISPs be forced to cut off traffic from certain areas? Will centralized companies like Google and Reddit be forced to comply with regulations or cut off services in certain areas? Will governments set up firewalls? Will the buck of responsibility be passed upwards to service providers like GA, or downwards to individual site administrators?
Nah, they’ll just slap them with a fine now again as a substitute for direct taxation and let them do what they do basically unchanged.
Once the Europeans have to use a foreign proxy to see the regular internet, like the Chinese, then we will have a real discussion on online privacy.
Have you tried to go to rt.com any time recently?
We already do.
I'm actually just about to get rid of Google Analytics on DocSpring.com. I set up a self-hosted instance of Plausible Analytics on Render.com yesterday. I really like it so far. I set it up on a custom subdomain so it's not blocked by any ad blockers, so it's really nice to see analytics data that's almost 100% accurate (unless visitors disable JavaScript.) Especially since DocSpring is a developer tool, so most visitors are using an ad blocker extension. Also it doesn't use any cookies, so I don't need to show a cookie banner. It really feels like a breath of fresh air.
Hindsight is 20/20 but wasn't it clear that the company selling ads shouldn't be in charge of metrics for traffic and ads? Just like the TV channels had to rely on media rating firms.
Not sure an ad company should be in charge of a browser either.
Oh and don't forget a major OS
From the article:
> A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, which is a country without an adequate level of data protection.
> Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the EU GDPR, including by way of ad-hoc inspections.
This follows similar decisions by France [1] and Austria [2].
[1] https://iapp.org/news/a/cnil-is-latest-authority-to-rule-goo...
[2] https://iapp.org/news/a/far-reaching-implications-anticipate...
2008-2018: Banking reform
2018-202?: Data privacy
I wonder what the next trendy thing government officials will pretend to care about/fix in order to garner media attention. Something crypto related, maybe?
The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.
That gives you an indication of how invasive it is — that even Google doesn't want to handle the personal information, because it can't be made HIPAA-safe.
Naturally, the majority of healthcare web sites use Google Analytics, because nobody ever reads the Terms of Service.
> The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.
You're missing a key part of the sentence you're remembering:
> If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.
Healthcare companies can absolutely use GA on their websites as long as the website isn't involving PHI or ePHI.
I don't understand.
They can host locally the data and remotely query it.
What's important is the "intelligence" the data does provide: giving critical and unfair advantage for those who have the whole data.
For instance, microsoft has an unfair advantage almost anywhere because they have access to the whole linkedin database.
European companies are not allowed to share PII with American companies. That goes for companies with a headquarters in the USA or subsidiaries that may be forced to share data thanks to laws like the US Cloud Act.
Previously, the EU exempted the USA through an "adequacy decision". That was later deemed illegal under EU law as American laws could not guarantee the privacy of EU citizens to the extent the GDPR prescribes. Then the EU tried again, and again such a decision was also overturned in court. The EU is working on another attempt at letting the USA track PII of EU users, but until they do that again (probably for another few years) it's illegal to share PII with American companies in almost all situations.
This is the third time a data processing agency has declared the use of Google Analytics illegal so it shouldn't really come as a surprise to those following tech news.
What's important is that the data is PII and that it's going to a place that can't guarantee privacy to an acceptable standard. Business advantage is irrelevant. The intelligence the data provides is also irrelevant. European privacy laws serve people, not businesses.
That does not change the issue: EU Microsoft has a local unfair advantage in the EU because it has access to the whole database of LinkedIn (which they own).
Additionally, denying remote access is almost impossible to enforce. It would require efficient and permanent deep monitoring of their servers.
LinkedIn should be illegal since this data should not be privately owned.
I’m supportive of privacy, but it’s amazing how heavy-handed European regulation can be, and how difficult it can make understanding even basic metrics about our business and how those metrics have shifted over time. I suppose their intentions are good though.
Suppose you had an internal tracking library, aggregating data fetched from your own site and mobile clients, all data saved in a data center managed by your country's most reliable provider. EU directives would be a no-brainer.
That scenario has always been an option, and would be the most common case if Google didn't provide their own service for free or at cost. What's happening with the EU feels disruptive only because Google had such an unnatural position in the market.
All of that is because of the CLOUD Act; non-American companies won't have as many issues. The obvious solution is to remove this spying law breaching EU laws and common sense.
15 years ago Google Analytics was cool. But at some point Google ditched the "Don't be evil" culture and tried to get so much out of Google Analytics for themselves that it became unethical.
As long as they haven't died ...
I'm building my own open source analytics solution exactly for this reason.
At what point do operators just start blocking access from EU countries? It's hard to imagine it's worth jumping through all the complexities here at some point.
Bring it on. Anything that disconnects people from the American tech industry and encourages domestic competition is a good thing.
Sure. Block access to 450 million people because it is inconvenient to respect their privacy.
They already do. Example: https://www.tribpub.com/gdpr/baltimoresun.com/
Time to get off my arse and write a self-hosted privacy-oriented analytics tool. Whatever happened to awstats? The question is - how to monetise it?
What is a watchdog in this case, isn't it a non-governmental organization?
In that case how can they ban anything and what does that mean?
This is an English translation from "Garante" which is actually a stronger word - more like Guarantor. It is an official authority with teeth.
Exactly. Just to clarify, this is the authority responsible for those multi-million dollar fines against FAANG.
Certainly in UK English we use watchdog to mean any organisation that has an oversight role, frequently government ones. For example the Financial Services Authority might be described as “the banking watchdog”, it is very much a government agency.
Why do you think watchdogs have to be non-governmental?
For example:
https://www.theguardian.com/technology/2022/may/05/uk-watchd...
It's likely a bad translation.
The Italian SA is the Italian Data Protection Agency (DPA), one of the per-country European regulators https://ec.europa.eu/justice/article-29/structure/data-prote... . Which acts under the GDPR and predecessor data protection laws, and is very explicitly a governmental regulator.
Aren't there like about 100 Google Analytics clones available that do exactly the same thing?
I wonder what will happen with websites that use payments integration like PayPal or Stripe.
Man, wish we’d do that in the US. Not sure what else to insightfully add after all these years.
Google is sucking in so much data that at the end it will be outlawed everywhere.
Does anyone run a self-hosted matomo/piwik instance for analytics?
These guys are my heroes.
Good. US citizens should be, at least, disappointed that their government is so bad at protecting their privacy, that US law is so far behind the times.
To those companies and people who find these EU decisions baffling or inconvenient: tough. If you had had respect for your users this would not be an issue. You would already not be spying on them.
To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
I'm not disappointed I'm infuriated. Because the US uses technology companies to get around the 4th amendment all the time: https://www.salon.com/2013/04/24/government_giving_att_other...
The US isn't "behind" it simply has no intention of moving in that direction, despite the 4th amendment making it really clear they're not allowed:
>The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
There was a recent ACM article on this. They found there was a large number of sites that don't actually ask permission for anything; they are simply informing you of the spying. Not surprisingly, the ones that did allow modifying cookies were all set up in a predatory fashion which discouraged the disabling of tracking.
The whole system is broken at the moment.
It’s because they’re allowed to use the word “cookies” for it.
If they were required to use specific wording, like for instance “injecting surveillance artefacts” people would probably care a bit more.
Pragmatically, to what extent do you believe the European laws have protected Europeans above and beyond how American laws have protected Americans?
Basically, what class of badness are Americans subjected to due to behind-the-times data protection laws, that Europeans are protected from?
It's possible for a company, which is seemingly providing you a service since you visited the site, to make money off a targeted ad in exchange for free video streaming/content/entertainment.
The whole thing has always seemed overblown to me. Websites make much more money off targeted ads, allowing them to do things like allow anyone to upload a video of any length and quality for free. And view other videos people upload. In most cases it seemed to me like a fair trade to make. Yet as people point out all the time, technically a website isn't allowed to deny access to someone who refuses targeted ads (through the cookie pop-up), so they're essentially being forced to provide that user content at a loss. Untargeted ads are often worth 90% less or more than their targeted equivalent.
Privacy privacy privacy though, as if someone at Google is manually looking through your history laughing at you.
You won't get a good answer to this because there isn't one. There's no realistic, practical harm to people that this EU law is preventing.
I believe a part of the data-privacy laws and sentiment in Europe comes both from WWII and the civil wars/dictatorships/etc. that happened across the EU. When in our grandparents' time (YMMV) the government was compiling lists of citizens or checking what they were doing in their private lives, it was not to give them flowers. And while that still sounds pretty far from me, it was also fairly recent in the past so that there's some social residue of the sentiment.
BUT to answer the question directly, credit checks to the level they are performed in the USA sound like a horrifying thing and a total privacy breach for us EU citizens.
European laws are pushing to end chat providers' control over social interactions (which is something that shouldn't be done for profit anyway) in the Digital Markets Act, which forces big apps to provide federation APIs.
The EU with the GDPR made an incentive to not use trackers: don't want that ugly tracker on your site? Then stop selling data. That's why private analytics like Plausible and Umami have sprung to life. It also made it clear how much tracking is on the web.
There is also finally a movement to not let the US host everything because really, the US isn't trustworthy.
So, the EU laws gave better awareness about tracking, gave incentives to not use trackers, and are now working on improving the user experience by stopping the monopolization of social interactions.
Have you heard of Robo-calls? Basically there are no Robo-calls in EU, because you can just add yourself to a Government no-call list. If any company doesn’t respect that, they get a huge fine.
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you.
Or you know...count how many unique visitors they have and how to make the site more useful. Do you avoid using cookies on this site but still manage to log in?
Cookies needed to properly provide user authentication, i.e. user session identification, are counted as "technically necessary" cookies and do not need a cookie banner. You only need to ask for cookie consent if you track visitors with third-party services. And, to counter your unique visitors claim: you don't need cookies, or any third-party service, for that. Everything can be done locally without disrespecting user privacy.
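One way to count unique visitors "locally" as the comment above describes, as an added example that is not from any commenter or project on this page: the server's own nginx access log is summarised with a per-day random salt, so only an HMAC of IP and user agent is ever kept and raw IPs are never stored or sent anywhere. The log lines, paths and referrers below are constructed sample data; the daily salt rotation is an assumption that deliberately makes visitors unlinkable across days.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Constructed sample of nginx "combined"-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2022:09:12:01 +0000] "GET /post/gdpr HTTP/1.1" 200 5123 "https://news.ycombinator.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
203.0.113.7 - - [10/Jun/2022:09:12:05 +0000] "GET /style.css HTTP/1.1" 200 812 "https://example.org/post/gdpr" "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
198.51.100.23 - - [10/Jun/2022:10:30:44 +0000] "GET /post/gdpr HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"
198.51.100.23 - - [10/Jun/2022:10:31:02 +0000] "GET /about HTTP/1.1" 200 1802 "https://example.org/post/gdpr" "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"
203.0.113.7 - - [11/Jun/2022:08:01:10 +0000] "GET / HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
"""

# nginx "combined" log format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Static assets are not page views; skip them when counting.
ASSET_RE = re.compile(r'\.(css|js|png|jpg|gif|ico|svg|woff2?)$')


class DailySalts:
    """One random secret per calendar day, held only in memory (assumed design).

    The salt is what makes a visitor ID unlinkable across days: once the day's
    salt is gone, nobody can map an ID back to an IP address, and IDs from
    different days cannot be joined.
    """

    def __init__(self, generator=secrets.token_bytes):
        self._generator = generator
        self._salts = {}

    def get(self, day):
        if day not in self._salts:
            self._salts[day] = self._generator(32)
        return self._salts[day]


def visitor_id(ip, user_agent, salt):
    """HMAC-SHA256 of (ip, user agent) under the day's salt; the raw IP is never stored."""
    msg = f"{ip}\x00{user_agent}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:16]


def summarise(log_text, salts=None):
    """Return per-day unique visitors, page views and referrers from raw log text."""
    if salts is None:
        salts = DailySalts()
    seen = defaultdict(set)                            # day -> set of visitor ids
    views = defaultdict(lambda: defaultdict(int))      # day -> path -> views
    referrers = defaultdict(lambda: defaultdict(int))  # day -> referer -> hits
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['status'] != '200' or m['method'] != 'GET':
            continue
        if ASSET_RE.search(m['path']):
            continue
        day = m['day']
        seen[day].add(visitor_id(m['ip'], m['ua'], salts.get(day)))
        views[day][m['path']] += 1
        if m['referer'] != '-':
            referrers[day][m['referer']] += 1
    return {
        day: {
            'unique_visitors': len(seen[day]),
            'page_views': dict(views[day]),
            'referrers': dict(referrers[day]),
        }
        for day in seen
    }


if __name__ == '__main__':
    for day, stats in summarise(SAMPLE_LOG).items():
        print(day, stats)
```

Because the salt rotates daily, this gives "where do my readers come from" and per-day uniques, but by design it cannot tell new from returning visitors across days; that is the trade-off of not keeping an identifier.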
Do you know the difference between cookies and a cookie banner? Do you understand why this site can have login sessions, and even keep track of the number of unique visitors, yet is not required to have a cookie banner?
My buddy is a manager at a chemical plant, and your comment reminds me of a very astute statement he made recently.
“I don’t generally like unions. I’ve worked at both union and non-union plants. But anytime someone else complains about unions, I remind them that if they have a union at their plant, they earned it.”
When union plants are shuttered in favor of non-union plants, did they earn that too? Or does this logic only apply in one direction?
Sounds like a manager's take on unions, at least he sounds somewhat reasonable. Good on him
Yes “we care about privacy. But we also want a back door to all encrypted communications”.
https://appleinsider.com/articles/22/05/11/eu-plans-to-requi...
America is the LTS branch of Democracy.
Privacy improvements will be pulled in along with independent political parties in the next kernel update.
I think the support contract ended a while back
more like the archived repository on Github
More like the bitrotting prototype ;)
and global wealth.
If a modern democracy requires an ever-growing government I think I will stick to Democracy Stable.
An equivalent regulation to the one banning GA in the US would not ban GA because the data centers are in the US.
No one is asking for exactly the same law, just the same results: more privacy.
If I thought the EU was doing this to protect privacy I'd be all for it. They really don't give a fuck, as seen by every bit of legislation they are pushing for. Yes, I also do understand that the EU in general views privacy from the government as illegal rather than a right.
The EU has both enacted the most promising and some of the most backwards, stupid and regressive privacy laws. I'm guessing that it depends on what representative guides it and forms it through the various processes, and what the courts do with it. Overall I think they have moved the needle towards more privacy.
> Yes, I also do understand that the EU in general views privacy from the government as illegal rather than a right.
That is absolutely not true, at least not by enough people for anyone to be able to make that sort of blanket statement. I'd also wonder what reasons you have for thinking that, it seems to me like all of the 5-eyes used each other to spy on themselves (besides all of the things done by normal police, various levels of federal police, etc.)
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
I'd love to see how often people do anything besides click okay anyway (I'd be very surprised if it wasn't 99%+).
Unless there is a very simple "reject" button, I click okay. Between Firefox's native protections, DNS-level blocking and uBlock, I have a lot more confidence in my own protections than I do in their honesty, and it's not worth it to me to uncheck a bunch of boxes.
Well I’m not an expert but I think the main issue is that American citizens have protections that non-Americans do not. The government cannot spy on Americans without a court order.
Unless they have an intelligence sharing agreement with a nation that happens to pick up signals from Americans, from whom they can request that data. And maybe there exists a network to share the raw data, wouldn't that be convenient? Or you could have a secret court system (FISA) to bypass most of the protections normally granted by due process?
> The government cannot spy on Americans without a court order.
Have I got news for you. Specifically at least 100 years of news.
The word "spy" is so loose these days. I'd consider the vast swaths of metadata other companies compile on me "spying" to an extent.
> You would already not be spying on them.
Can you point me to the part of the ban that says it's about protecting users from "spying in general" and not "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"?
> "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"
I want to quantify this quote. Each EU country can spy on its citizens to a similar extent as three-letter agencies from the US, but in a less analytical/big metadata way (part of it being the US brain-draining EU countries of those working in tech).
However, if EU country A wants to have access to its citizens' user data on website X located in EU country B, it is not an easy process, involving a strict judicial system between those countries.
I think your logic may be a bit muddled, or I misunderstand your question (but, if I take it literally, my answer would be “no”.)
Not spying ⇒ not using GA ⇒ this ruling moot.
If you feel this way I hope you do research before visiting any website at all, because you might accidentally connect to a server in the US and your IP address will be in the TCP/IP stack of that server and probably the logs too. US servers that are intended to serve US customers have no obligations to you.
What about Australian citizens?
I've been using clicky on a few of my sites and even though they _assure_ me that it's totally compliant with gdpr I don't really believe them, does anyone have a decent alternative for analytics that respects people's privacy? I just want to see when I get new vs returning visitors on a page. Cloudflare's analytics are okay but I like how granular clicky can get, but if there's no good way to do that I think I'm just gonna ditch clicky and make do with the cdn analytics. Hell, I bet the cdn already does everything I need and I just don't know how to use it right, or I'm not paying for the right tier or something.
Matomo is something you can self-host.
Note that you must make sure that your host is not in the US as well.
There are several self-hosted solutions, as well as several GDPR-compliant SaaS solutions. They generally work pretty well; I've seen people set up, for example, Plausible, in a couple of hours on a cheap VPS.
Google needs to do what Apple is doing with Private Relay and put double-blind proxies in place so PII can be stripped before Google gets its hands on it.
This is why we built Scale8.com !
An open-source and privacy-friendly alternative to Google Analytics & Google Tag Manager :)
GA is simply not compliant...
https://scale8.com/blog/is-ga-gdpr-compliant/
i’d support any legislation that booted google, fb, ms, adobe, salesforce, and a whole host of other surveillance tech companies from any and all levels of government. it’s literally as important as the separation of church and state. in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones, in all facets of civic life (e.g., campaign finance).
This is just naive. Government offices/agencies are so tightly coupled with packages like Office 365 that forcefully separating them would require home-built solutions which would always be terrible, less secure, and more expensive to the taxpayer. There's a lot of good these products can provide, granted they are properly audited and have high security requirements.
Idk, here in France there are cities and state-wide administrations with free/libre stacks based on Linux, LibreOffice, Zimbra and others and things seem to JustWork™. For instance the French Gendarmerie, the cities of Rennes and Arles...
> would require home built solutions which would always be terrible, less secure,
I disagree. It would be relatively straightforward to build such systems on Linux and open source.
> and more expensive to the tax payer
As a proportion of Italy's GDP, the cost would be negligible, especially given that this is a matter of national security, something governments tend to be keen to spend money on.
I didn’t read it as government can’t use commercial products. Just that the corps couldn’t influence politics. But I’m not the OP, so I can’t speak to what was intended.
> are so tightly coupled with packages like office 365
Are they though? Do you know this for a fact? I mean, sure, MS Office is very popular in government settings, but does this really go beyond the possibility of just replacing it with LibreOffice if they so decided?
Most developed countries have several offices/agencies that already run 'home built' solutions, they just don't get talked about much.
Your whole argument is based on the assumption that proprietary software is superior in every single metric. That's just patently false.
ah, the ad hominem, never a good sign for the proceeding argument.
there are a number of other office suites that are entirely adequate for bureaucratic organizations to build methodical processes around (which is what bureaucracies do). the capabilities of the underlying tools don’t matter much in this regard.
also, audits aren’t meant to prove anything (like security), but instead to shift liability.
Russia has that. Just typewriters and stationery.
Sounds like it would create jobs too, that's a plus not a minus lol
Less secure? Can it get worse than MS, Outlook and Active Directory foo? They incepted their own industry around their insecurity, lol.
Terrible and more expensive is also a joke, but not as big; you still could go to IBM or Oracle if you want to pay more for less, admittedly.
The legal and moral question is one of data sovereignty, not tools vendor. I suggest the GP comment be read with that context in mind.
Rubbish, there has been a concerted effort by the US to undermine other countries including so-called NATO allies in order to dominate the world; it's been going on for decades.
I refuse to use the NHS here in the UK because of the widespread use of Microsoft everywhere.
> in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones
I don't think you comprehend the scope of what you're suggesting.
I work for a school district and I'm currently migrating our system from using one commercial bus routing service to another... using Windows, SQL Server, Teams, etc. from Microsoft... using a laptop, dock, three monitors, keyboard, and mouse from HP... and today the elevator was broken so we called a repair company to come fix it... oh, and some company makes the school buses, and the networked phone on my desk, and the printer around the corner, and all of the paper in it... the fluorescent bulbs above me don't grow on trees...
you can't just expect governments, even at the national level, to roll their own everything without interfacing with corporations in any way—this is a hopelessly naïve view of the world. I am just as uncomfortable as you are with data being shared with corporations, but you're going to have to figure out a more realistic set of political goals than what you've outlined here.
it's not really aimed at governments, so much as corporations that feel entitled to sneak in ancillary interests into their products, like surveilling the public. basically, it's to force companies like microsoft to remove all that other shit and provide just the core software, if they want access to government largess. this has beneficial externalities for us, the residents of said governments.
How far does "separating corporate interests from governmental ones" go?
Can the government purchase a car? Hire a private corporation to build a road? Hire a consulting company to check the security of their (now-free-and-without-a-support-contract FOSS?) computer setup?
It's actually quite simple. The government can buy things and services from specific providers, but it cannot force you to buy services from specific providers. In other words, it can buy BMWs for government use, but it cannot say "you have to buy a BMW to enter the municipal office".
The same applies to websites. If a government website uses Google analytics, it is essentially requiring you to do business with a specific company (in this case Google) in order to use a government service.
The issue (per original article) is one of data sovereignty, and I’d identify a sibling concern of adopting open data formats.
If those are sacrosanct, the choice of tools vendor matters far less.
where to draw the line is a fair question in any policy debate, and one i'd expect to draw plenty of lively discussion. it's pretty clear to me that surveillance tech is on the outside of that line, but i'm open to reasonable arguments otherwise.
They tried with the church and did not succeed. Why do you think they can succeed with SW?
FWIW I think the "church and state" analogy is genius, it totally resonated with me. I'm going to steal that!
Not only state... I see absolutely 0 reason for my Swiss e-banking in the secured web interface to use Google Analytics and similar trackers. I can clearly see them being blocked by the likes of uBlock Origin and Ghostery in my Firefox. Why the f*k should Google know where I go in such private matters (and there are tons more, i.e. if you are LGBTQ+ in one of the many restrictive locations, have some less mainstream political preferences etc.)? The data once acquired has no reason to be deleted, ever. Too juicy info, and 7 billion humans is not that large a group to aspire to track.
I get why Google et al. want it for their growth/sales, but they are a private entity not owning the internet in any way, extremely foreign to Europe with no clear friendly intentions. One of few times I can say I am proud to be living on the old continent.
exactly, we need to decentralize power, and knowledge (information) is power. it seems innocuous when we each leak a little here and there, but surveillance tech is vacuuming up every tiny bit of it.
living in europe doesn't much matter, given the reach of these companies and their interweaving into government systems, along with reciprocal surveillance agreements (however-many-eyes countries).
I agree 100%. I have nearly all Google domains blocked in my hosts file and was frustrated to find out Google captcha was required on a few government websites. I understand rolling your own can be difficult or expensive but it's the government we're talking about here. They're no strangers to spending.
> i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones
How is that possible, since corporations are, by definition, creations of government through law?
I mean, that's like asking how is it possible to compartmentalize anything. As elaborated elsewhere, it isn't about literally separating all interests, just those that harm the public. It's about removing the negative externalities that companies like Google impose on us via such government contracts.
I understand the feeling, but that's not possible, and moreover, after reflection, why should it be so?
If government can literally fine/shutdown your business arbitrarily (as they do for lockdowns, permits, etc.), then they should have a voice in the government that could treat them so terribly.
Unless you mean to say that government should be so much smaller that it doesn't impose separate business taxes, import/export controls, require permitting and licensing and follow arbitrary regulations on those businesses, which I could get behind. Ideally, if there's no advantage or penalty to avoid by petitioning government, won't everyone stop paying attention to government? No gaming the game can happen then!
The problem is that we can't have it both ways; we can't restrict a group from petitioning and then impose rules they MUST follow, without a say. That's not democracy at all.
Companies are just groups of individuals after all, and should have just as much voice as an activist group does, like ACLU or Americans for Tax Reform or whatever.
The government of Italy makes rules that apply to Italians and those doing business with them.
If you’re Italian, you do have a say, and if you’re doing international business in Italy then you accept the sovereign risk of dealing with a foreign state.
you seem to be arguing from the corporate personhood stance. corporations still have an outsized voice via their rich owners. they shouldn't, however, be privileged with extra voice unaccorded the ordinary citizenry.
this is the start of the unbundling of alphabet
Great news. Ban Google and monetize the beautiful beaches, and eat authentic pasta.
I don’t think you’re really Italian ahahah
and long live the pussy
You do maybe
The US should economically retaliate.
GDPR and these other regulations in the EU exist because the EU cannot stomach the fact that they got beaten on tech and instead of innovating they are regulating to try and even the playing field.
> the fact that they got beaten on tech
What tech is the EU missing out on?
All the recent "tech" I see from the US is all about novel ways to screw & exploit people for profit, at the expense of turning society into a dangerous wasteland full of outrage and saturated by advertising.
No thanks.
Hmmm, or maybe they exist because the EU has a little bit more respect for the privacy of its citizens than the US?
I wish GDPR compliance would have been opt-in. For example, a GDPR-compliant website could have sent a custom header indicating compliance, which the browser could have displayed in the address bar (a bit like HTTPS). Consumers would then have been free to make the decision to not use websites which aren't GDPR compliant. Consumers who are more concerned about privacy could have set their browser to automatically block any non-GDPR-compliant website.
Bizarre idea. Should websites be allowed to opt out of anti-fraud legislation? Anti-money laundering? Human rights protections?
Yes? ...this was the original dream of non-national cyberspace and we almost had a hope of getting it. Then the second chance with web3, but this was also spoiled by people getting too greedy and too nasty too fast.
A parallel anonymous-and-free-for-all-but-with-payments-included, smth. like Tor-but-powered-by-IPFSv9-and-Etherv7, will probably emerge in a couple of decades, done right after a couple of failed iterations. Some techs need hardware to catch up to be cheap enough, and only after a few failed attempts do they manage to grow a trend... and it will probably last until it's used to finance a proper start of WW3 and by then banning it will be too late.
Anyway, we'll enjoy the hell out of ourselves on the new patreons-but-for-snuff-p03n, so it will all have been worth it :)
No, just GDPR? I don't see any valid reason a user might want to "opt out" of anti-fraud legislation but I do see a reason why a user might want to access the non-GDPR web.
The Venn diagram of the websites that have a cookie popup right now and the websites that would choose to not be GDPR-compliant is a circle.
This change would mean most websites couldn't be used by privacy-conscious people anymore and that the websites in turn are free to track the sh*t out of everyone else. From my perspective that sounds a lot worse.
The web is a mandatory part of public life for most people by now and it's good and healthy that corporations get pushback for not respecting privacy.
> This change would mean most websites couldn't be used by privacy-conscious people anymore
wouldn’t the market react?
> Consumers who are more concerned about privacy could have set their browser to automatically block any non-GDPR-compliant website.
It may not be your intent, but defaults matter and what you're wishing for here is de-facto scuttling of the GDPR.
Are you implying that the vast majority of consumers aren't concerned with their privacy and would keep using GDPR-compliant websites? If that's the case, isn't the regulation somewhat against the spirit of democracy?
These kinds of ridiculous laws do not understand the boundless nature of the internet. If you want to protect the privacy of netizens, simply make a universal law instead of having different laws in different countries.
Since the Internet is not a fiefdom, universal law is moot. Nation states will draft tracking laws that are only enforceable through tracking in an attempt to gain their slice of the authoritarian pie. Pointing to Google or the US is typical strawman BS and gives people a false sense of security, because they should assume everyone, not just Google, is tracking them. Getting people to own their data is an uphill climb, but is ultimately what will curb the negative behavior we're witnessing.
We need a RFC for protecting the internet.
I’m afraid it does understand the boundless nature of the internet, and it wants the owner of the server to do something about it.
Other countries may not want to protect privacy at all. Italians are making rules to protect Italians.
We need RFCs. We do not need stupid laws written hundreds of years ago.
How does one "simply make a universal law"?
By publishing an RFC.
Those decisions are good in theory, but in practice they will kill the free web.
The only people that have the workforce to put equivalent alternatives in place are the big corporations, which will anyway find a loophole.
I run my small blog, and I can't spend days or even weeks to set up a subpar analytics solution. I won't even start talking about self-hosting an analytics solution which would probably double my monthly server cost for a website on which I earn 0€.
In 2030, if we continue on that trend, websites will be in two categories: belonging to huge companies, or running illegally. It's baffling that people are applauding the end of the free web.
Why does your small blog need an "analytics solution" in the first place, if you earn $0?
Because I want to know where my readers come from, which Google terms they searched, etc.? There's a million reasons to want to know stats like this without earning money...
Honestly, at this stage the "free web" can fuck right off. The "free web" you speak of generates a lot of negative externalities everyone else has to put up with. If your "free" web needs to attack everyone with spyware for it to exist then it's not really "free".
> I run my small blog, and I can't spend days or even weeks to set up a subpar analytics solution.
tail -f /var/log/nginx/access.log