Comment by naet
3 years ago
My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble. On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.
For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.
I think using a compliance-based tool like Onetrust also gives a sense of legal security in that, if our configuration is properly set up, they advertise that we get compliance as part of their service, so responsibility for a violation could potentially be passed to them in a legal setting.
ref: https://support.google.com/analytics/answer/2763052?hl=en
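The gating and the "nothing sneaks through before consent" check described in the comment above, as an added example that is not code from the thread, from OneTrust or from Google: a small consent gate that queues a tag loader until its category is granted, plus an audit that takes a captured request list and reports any tracker request fired before consent. The tracker host list, the request log and the consent timestamp are constructed for the example.

```javascript
// Added example, not from the thread. Hostnames treated as analytics/tracking
// endpoints here are an assumption for illustration, not an authoritative list.
const TRACKER_HOST_SUFFIXES = [
  "google-analytics.com",
  "analytics.google.com",
  "googletagmanager.com",
  "doubleclick.net",
];

// Match the host itself or any subdomain of it; a plain substring test would
// also match unrelated hosts such as "notgoogle-analytics.com".
function isTrackerHost(hostname) {
  const h = hostname.toLowerCase();
  return TRACKER_HOST_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// Consent gate: loaders registered for a category run only once that
// category has been granted. The default state is "not granted", so
// rejecting simply leaves (or puts) the category in that state.
class ConsentGate {
  constructor() {
    this.granted = new Set();
    this.pending = new Map(); // category -> [loader, ...]
  }

  register(category, loader) {
    if (this.granted.has(category)) {
      loader();
      return;
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
  }

  grant(category) {
    this.granted.add(category);
    for (const loader of this.pending.get(category) || []) loader();
    this.pending.delete(category);
  }

  reject(category) {
    this.granted.delete(category);
    this.pending.delete(category); // drop queued loaders, never run them
  }
}

// Audit: `requests` is a captured list of {url, t} (t = ms since navigation),
// `consentAt` the time consent was recorded, or null if it never was.
// Returns the tracker URLs that were requested before consent.
function findPreConsentLeaks(requests, consentAt) {
  const leaks = [];
  for (const r of requests) {
    let host;
    try {
      host = new URL(r.url).hostname;
    } catch {
      continue; // skip unparseable entries rather than failing the audit
    }
    if (!isTrackerHost(host)) continue;
    if (consentAt === null || r.t < consentAt) leaks.push(r.url);
  }
  return leaks;
}

// Constructed sample capture: first-party assets plus a tag loader fetched
// before the user clicked "accept" at t=700, and a hit sent afterwards.
const SAMPLE_REQUESTS = [
  { url: "https://www.example.com/", t: 0 },
  { url: "https://www.example.com/app.js", t: 120 },
  { url: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE", t: 150 },
  { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE", t: 900 },
];

console.log("pre-consent leaks:", findPreConsentLeaks(SAMPLE_REQUESTS, 700));
```

In a real check the request list would come from a browser's network capture (for example, an automated session that loads the page and never interacts with the banner), and the audit is run once with `consentAt` set to `null`: anything it returns loaded without consent.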
I'm not so sure about your take on IP address anonymization. The source states:
The Google documentation says:
IANAL, but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French rulings before, I don't know about those, but starting 90 days from now you'll have to explicitly require consent from _at least_ all Italian users.
As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal, since it makes it harder to reject tracking than to opt in; there just haven't been any specific lawsuits about this party yet.
That Google documentation is for the IP anonymization feature of Universal Analytics, which is being sunset in about a year.
Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.
I don’t know whether UA or GA4 service was the subject of the Italy case, but I would not be surprised if it was UA. Most sites have not switched over to GA4 yet.
> Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.
So if I go to a website and it has me load code from Google's servers, it still has to send my IP address to them. I'm not sure why we'd take them at their word that they won't keep that data around (I'd like to see that independently verified), but it'll be sent to the server logs if nothing else. What does not storing the IP address even mean? Do they hash it and store that instead? Do they do a quick lookup and just flag your dossier, logging the connection and when it happened, before dropping the IP info?
If people care about their privacy I think it's probably best not to send information to Google in the first place. There are alternatives to google analytics after all.
> Google Analytics 4, its successor, does not log or store IP address at all.
The fact that it receives the IP address at all renders it illegal in Italy, and probably anywhere GDPR is in force. And IP address truncation doesn't get you anywhere; it's Google that does the truncating, so the whole address is actually sent to Google, by which time it has departed from GDPR jurisdiction.
> For many clients I have set up a cookie compliance tool like Onetrust
Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?
This is actually a setting within OneTrust which has a terrible default. We (had to) use OneTrust on eurovision.tv, but configured it ourselves to have three equally styled options.
I'd love to see this result in a company-ending lawsuit against OneTrust.