In January 2022, a decision by the Austrian data protection authority caused a stir. Google Analytics is banned has been reported in many media.
In this decision, the integration of Google Analytics on websites was considered unlawful. There are a variety of reasons for how this decision was made, but these are not relevant for companies in the current situation. Rather, the question is whether this prohibition is absolute or whether it only had to be pronounced in the specific case on which the decision was based.
given the way Google Analytics is built into most websites, it is banned and the agency’s decision came as no great surprise to those in the know.
there is no fundamental ban, but the legal basis for processing and for transmission to countries outside the EU must be chosen with great care.
The problem of Google Analytics consists of two parts.
Firstly, data is read from the user’s device and information is stored there (cookies), which is not absolutely necessary for the operation of the website, and it is passed on to a third party (Google) who processes the data for its own purposes. According to Section 165 of the Austrian Telecommunications Act (TKG 2021) and Section 25 of the German TTDSG, this is only possible with consent.
Secondly, Google not only processes the data within the European Union, but also transfers it to the USA, using the Standard Contractual Clauses (SCC) approved by the EU Commission.
Many websites fail at the first hurdle, namely obtaining valid consent. Processing begins before the user has even consented, the information is incomplete and misleading, and “dark patterns” are used to “nudge” the user into giving their consent, e.g. by hiding setting options or a prominent and sympathetic appearance of the “Accept all” button. Consent obtained in this way is invalid and the entire processing becomes unlawful.
In order to obtain valid consent, it must meet the following criteria:
Once you have obtained consent for the processing itself in this way, you can take care of the second area of concern, namely transfers to countries outside the European Union.
In exceptional cases, i.e. not as a rule, the GDPR also allows consent as the legal basis for this transmission to other countries. Since the processing of the data is practically inextricably linked to the transmission, both processing steps can be obtained with consent.
And so Google Analytics can be used again on websites.
As a website operator, you must expect that some of your users will not give their consent. Studies have shown that a large proportion of website visitors are no longer measured in this way, and this naturally leads to problems in comparison with previous data or the calculation of conversion rates from online marketing campaigns.
Think about implementing other analysis tools on your website, which are legally valid even without consent, in order to be able to measure these visitors as well.