
Italian watchdog bans use of Google Analytics

corywatilo

Italy is the 4th in a string of recent decisions across the EU.

(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)

Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.

stingraycharles

That is an extremely important nuance which is not obvious from the title.

tut-urut-utut

Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.

Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in non-conformant way.

throwaway2037

I agree 100% with your second paragraph. I also hope they introduce massive "percent of revenue" fines when Google "forgets" to ban illegal activity on their (near-monopoly) advertising platform. Massive fines has genuinely changed the behaviour of sales & trading at global investment banks. We can do the same for FAANG and friends.

mywittyname

It's not that bad: https://support.google.com/analytics/answer/6366371?hl=en#zi...

The most difficult aspect is dealing with URLs. But a company that is large enough to be customizing URLs per user, is large enough to make a few JS changes to ensure they aren't sending those details to GA.


digitalengineer

Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not sent to the US. But! It’s still not fully legal as the Google HQ (and thus the US government) can still access all the data.

kixiQu

if anyone is curious about why that gives the govt. access:

https://en.wikipedia.org/wiki/CLOUD_Act

(God willing they repeal it, even if only for the international commerce implications...)

toyg

This will never be repealed. It was introduced to effectively enshrine a right US authorities have had since the PATRIOT Act was introduced 17 years prior, since that act had become politically contentious and was left to expire.

If anybody seriously thinks US authorities will quietly lose a key power after enjoying it for 21 years, I have a few bridges ready to be sold.

DyslexicAtheist

Something I'm not getting here. If you buy an EU-engineered IoT home appliance that has PII, including whether a user is presently inside their home, then every company I know operating in this market uses US-based clouds (what other options are there LOL) to do things like digital twins or device shadows, but by using a local availability zone.

So this is very different than GA, but depending on the threat-model can be worse. Also very similar metrics can be gathered from the data as from a GA cookie (are they eating, cooking, showering, watching TV).

The CLOUD Act would (or should) in this case also apply here, or what am I missing?

godshatter

Presumably the Five Eyes alliance could also mean that servers in Australia, Canada, New Zealand, and the UK may also be unusable since they share intelligence information with the US.

concordDance

> (God willing they repeal it, even if only for the international commerce implications...)

It's hard to express how impossible this is. It is very very strongly in the state's interest to keep powers like this. We're more likely to get communism...

googlryas

Why is that not fully legal? Wouldn't the same law prevent Google USA from querying PII data from Google Italia?

digitalengineer

If Google US can access the data, that means the US government by extension can also. This is exactly what GDPR doesn’t want happening. More details in this open letter by Max Schrems: “the Court has clearly held that US surveillance laws and practices violate Article 7, 8 and 47 of the Charter of Fundamental Rights” https://noyb.eu/en/open-letter-future-eu-us-data-transfers

marcosdumay

Italian laws do not apply to Google USA.

y42

Like Adobe, who uses tracking servers in the EU, but Data Processing happens in the US?

cavisne

The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.

The title of this post and a lot of the comments are projecting what they want GDPR to be (all non european online entities banned from doing business in the EU) vs how its being enforced.

sebazzz

On the last point: how does that work with cloud computing providers, as all the big ones are US-based?

minsc_and_boo

Isn't it already against Google Analytics' policy to put PII in the platform to begin with?

https://support.google.com/analytics/answer/6366371?hl=en#zi...

rgbrenner

Gdpr uses a more expansive definition of personal data, and it includes the IP address and geolocation data, for example.

dudus

And to be clear Google Analytics has a setting to "anonymize" the IP address which deletes the last octet of the address and makes geolocation less accurate.

Then there's an argument that the IP address still reaches Google servers before it's deleted. But that's just splitting hairs at this point. If Google doesn't process the data with the IP address I see no harm.

IP addresses are not something that you can choose to not send at all. It's kind of required by the TCP/IP stack. If that was the case users in EU could not access any website in the USA.

anothernewdude

Yeah, it uses the definition of personal data that includes information that isn't personal.

lmkg

> just illegal to use in its default state which transmits PII to the US

As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IP's before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.

closewith

That’s a very common implementation of serverside GTM/GA in the EU. If you advertise, you’ll still be sending GCLIDs, though.

Nextgrid

If only ad clicks send back tracking parameters (and nothing else) it might actually fall into legitimate interest.

naet

My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble. On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.

For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.

I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.

ref: https://support.google.com/analytics/answer/2763052?hl=en

jeroenhd

I'm not so sure about your take on IP address anonymization. The source states:

    The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.

The Google documentation says:

    The IP-anonymization feature in Universal Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics.

IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French ruling before, I don't know about those, but 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.

As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.
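The masking quoted above from Google's documentation (IPv4: last octet zeroed; IPv6: last 80 bits zeroed), as an added example that is not Google's code and not part of the thread. It implements the documented rule with the standard library, reports how many real addresses collapse onto one masked value, and shows the Italian SA's enrichment point: a party already holding full addresses can still match a masked value back against them. Function names and the sample addresses (documentation ranges) are assumptions for illustration.

```python
import ipaddress
from typing import Iterable, List

# Bits Google documents as retained by Universal Analytics IP anonymization:
# IPv4 keeps 24 bits (last octet zeroed), IPv6 keeps 48 bits (last 80 bits zeroed).
# Added example; not Google's own implementation.
KEPT_BITS = {4: 24, 6: 48}


def anonymize_ip(addr: str) -> str:
    """Return the address with the documented trailing bits set to zero."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{ip}/{KEPT_BITS[ip.version]}", strict=False)
    return str(net.network_address)


def addresses_sharing_mask(addr: str) -> int:
    """How many real addresses produce the same masked value (2^zeroed bits)."""
    ip = ipaddress.ip_address(addr)
    return 2 ** (ip.max_prefixlen - KEPT_BITS[ip.version])


def same_bucket(a: str, b: str) -> bool:
    """True when two addresses are indistinguishable after masking."""
    return anonymize_ip(a) == anonymize_ip(b)


def reidentify(masked: str, known_addresses: Iterable[str]) -> List[str]:
    """The enrichment problem the regulator describes: a party that already
    holds full addresses (from other services, earlier sessions, etc.) can
    test each one against the masked value. Returns the consistent ones."""
    return [k for k in known_addresses if anonymize_ip(k) == masked]


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges, not real users.
    for sample in ("203.0.113.77", "2001:db8:abcd:1234:5678:9abc:def0:1"):
        print(sample, "->", anonymize_ip(sample),
              "shared by", addresses_sharing_mask(sample), "addresses")
    print(reidentify("203.0.113.0", ["203.0.113.77", "198.51.100.9", "203.0.113.5"]))
```

The masking itself is easy to reproduce; what the code cannot show is the other half of Google's sentence: the zeroing happens "in memory shortly after being sent to Google Analytics", so the full address still arrives at Google's servers before it is truncated, which is why the proxy approach discussed elsewhere in the thread masks before the hit leaves the site's own infrastructure.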

majewsky

> For many clients I have set up a cookie compliance tool like Onetrust

Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?

stickfigure

Is it illegal to use my website from Italy? I store PII (and everything else) in the US.

dmitriid

No. It's illegal for you to operate in the EU.

stickfigure

What does that mean? Europeans use my website.

remram

I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:

> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.

At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183

1vuio0pswjnm7

Here are the URLs for those who disable Javascript (from https://github.com/PostHog/isgoogleanalyticsillegal.com)

https://gdprhub.eu/index.php?title=DSB_(Austria_-_2021-0.586...

https://www.cnil.fr/en/use-google-analytics-and-data-transfe...

https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...

https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.

As stated in 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.

Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.

ricardobayes

Forget anonymized GA, I wonder what regulators would say to the likes of Hotjar which even records your screen and can be played back.

FateOfNations

They aren't Google, so the anti-"American Big Tech" energy isn't as strong.

tin7in

We are based in Europe and self-host our analytics exactly for this reason. I feel this is just the beginning.

rambambram

Congrats. We also chose to do the analytics ourselves. No tracking, no cookie banners, and probably better stats as well. One thing that Google did very cleverly was to only give GA users the search terms that visitors used to end up on their site.

m3adow

Don't you still have to provide a cookie banner as soon as your analytics are storing cookies, even if it's your own?

y42

> Don't you still have to provide a cookie banner as soon as your analytics are storing cookies, even if it's your own?

You need consent for every kind of storage usage on the client side if you create profiles to analyze them for marketing goals. If not, and no PII is being processed, no consent is required. E.g. you could easily aggregate your server logs without consent.

adrr

How are you tracking returning users without cookies? Also if it’s multi-lingual, how are you storing the language prefs?

rambambram

> How are you tracking returning users without cookies?

We're not. And that's exactly the point, because we don't want to track. I make a distinction between tracking, analyzing and stats. What we do is guess who are the unique visitors (and who are not), and I say guess because it's guesswork since the browser can spew out any kind of info.
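A consent-free server-log aggregation of the kind y42 and rambambram describe (page views and a guessed unique-visitor count from the web server's own access log, with no cookie and no stored IP address), as an added example that is not part of the thread and not the code of any tool named in it. The log lines are constructed, the combined log format is assumed, and the per-day HMAC visitor key with a demo secret is one possible design, not something the thread prescribes; whether such a key is itself personal data is a question the thread argues about and this code does not settle.

```python
import hashlib
import hmac
import re
from collections import Counter
from typing import Iterable
from urllib.parse import urlsplit

# Constructed sample lines in the Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.77 - - [23/Jun/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
203.0.113.77 - - [23/Jun/2022:10:01:40 +0000] "GET /pricing HTTP/1.1" 200 2200 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
198.51.100.9 - - [23/Jun/2022:10:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"
198.51.100.9 - - [23/Jun/2022:10:05:01 +0000] "GET /static/app.css HTTP/1.1" 200 900 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"
198.51.100.9 - - [23/Jun/2022:10:05:30 +0000] "GET /missing HTTP/1.1" 404 120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"
2001:db8::42 - - [23/Jun/2022:11:30:00 +0000] "GET /pricing HTTP/1.1" 200 2200 "-" "curl/7.83.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: in real use the secret is generated fresh each day and then
# discarded, so keys cannot be linked across days or recomputed later.
# It is a fixed constant here only so the example is reproducible.
DEMO_SECRET = b"constructed-demo-secret-rotate-me-daily"


def visitor_key(ip: str, ua: str, day: str, secret: bytes) -> str:
    """Pseudonymous per-day key used instead of a cookie: HMAC over (day, IP, UA).
    The raw IP is read once here and never written anywhere."""
    msg = f"{day}|{ip}|{ua}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def aggregate(lines: Iterable[str], secret: bytes = DEMO_SECRET) -> dict:
    """Page views per path, referring hosts, and a guessed unique-visitor count."""
    pageviews = Counter()
    referers = Counter()
    visitors = set()
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1          # malformed line: count it, don't guess at it
            continue
        if m["method"] != "GET" or m["status"] != "200":
            continue              # errors and non-GETs are not page views
        if m["path"].startswith("/static/"):
            continue              # assets are not page views
        pageviews[m["path"]] += 1
        visitors.add(visitor_key(m["ip"], m["ua"], m["day"], secret))
        if m["referer"] != "-":
            referers[urlsplit(m["referer"]).netloc] += 1   # host only, no query string
    return {
        "pageviews": dict(pageviews),
        "referers": dict(referers),
        "unique_visitors": len(visitors),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    print(aggregate(SAMPLE_LOG.splitlines()))
```

The unique-visitor number is a guess in exactly rambambram's sense: two people behind one NAT with the same browser collapse into one key, and one person whose browser updates mid-day becomes two. Only the referring host is kept, which also matches what reaches the server from a search engine today (the thread notes further down that the query itself no longer arrives in the Referer).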

tpxl

> Also if it’s multi-lingual, how are you storing the language prefs?

Cookies you require for functionality (ie. login cookies, language settings) require no consent, but do require to be laid out in a cookie policy.

nedt

Why would you need that? All businesses that aren't online can't collect that data and we still have newspapers and supermarkets. If you are interested in that data just ask your users.

guelo

Isn't the search term in the Referer header?

Taywee

Nope. They forward through an in-between that obscures it. They argue that because search results are personalized, being able to see the search terms can give you information about the visitor that can compromise their privacy. Google doesn't want anybody violating user privacy except for Google.

closewith

Not for many years. The only way to get Google search term data now is through the Search Console product, which integrates with GA.

joshyi

Same here. We’ve been using goaccess for years at 300M hits a month. Self-hosting is the way to go for us.

archon810

Comparing goaccess to GA is like comparing an abacus to a MacBook Pro.

closewith

Unfortunately, you can't self-host the integration with Google Ads or Search Console, which locks anyone who relies on Google (or Facebook, Microsoft, etc) Ads into the use of Google Analytics/Ads tracking.

quickthrower2

Why not? Can’t you still pass the campaign information via the url?

closewith

You can send campaign data that way, but to run any kind of effective campaign on Google Ads, you also need to send conversion data back if the user who clicks on your ad actually does the thing you want. You can either use GA or Google Ads own tracking option to set a cookie with a unique ID associated with that ad click and then send that to Google when they convert.

A privacy-conscious serverside GTM/GA implementation won't leak any personal data like IP address to Google, but there's no way to avoid sending the GCLID if you advertise.

A lot of companies are dependent on Google Ads for demand generation, so it's the reason they are sticking with GA even as the writing's on the wall.

Rygian

Self-hosting does not automatically make your analytics legal, on the other hand.

Processing of your users' personal data is legal only in the few exceptional scenarios outlined in Article 6.

https://gdprinfo.eu/en-article-6

giobox

Our definition of "exceptional scenarios" is clearly not the same... The list of scenarios in article 6 are common business operations covering a huge range of legitimate activities where processing might need to occur; there is little exceptional about them.

Rygian

Processing of personal information is unlawful except in the conditions listed in the article.

So "exceptional" in the sense that they are exceptions to a more general rule, as opposed to the sense of being extraordinary.

V__

Are you using custom software or something like plausible.io?

tin7in

I've heard about Plausible but haven't tried it yet. We are using Posthog which is a suite for product analytics.

stevoski

Plausible et al all are a pale imitation of GA. They all offer a dashboard with some basic filtering. But they offer little in the way of true analytics features, that allow you to slice, dice, and compare data.

cm2012

Another decision in a long stream that will make it much harder for EU start-up companies to catch up to American ones. With absolutely no improvements to actual EU citizen well-being.

nathanaldensr

Maybe a race where the finish line is maximum exploitation of the digital population isn't a race worth running.

neuronic

Yes, let's all marvel at the accomplishment of making everything funded by exploitative and intrusive but largely useless advertisements.

All digital startups are literally doomed without the indiscriminate collection of personal tracking data.

Side note: thank you modern adtech for consistently recommending me products I already bought days and weeks before. Very effective. Gullible companies just keep paying cold hard cash for these garbage recommendation systems because some sales rep talks fluffy about AI and machine learning, it's so mindblowing....

RubyRidgeRandy

Here I thought maximum exploitation would be selling someone's identity on the dark web but I come to find on HN that it's actually hashed analytics data D: !!!

MarcelOlsz

I wish the internet was purely an informational no bullshit interface/store instead of all this crap. I welcome these changes. Convert it back into a piece of furniture. Oh no we can't make a billion dollars for no reason.

iLoveOncall

waffleiron

So let's legalise child labour? Get rid of OSHA?

Where you draw the line is cultural and personal, so don’t dismiss things like this so easily.

jimnotgym

Isn't this an opportunity for EU startups? By choosing to enforce the law on US companies that EU companies are already generally very compliant with, surely the EU has levelled the playing field for EU companies?

AdriaanvRossum

It is. Most startups in the EU have to use more and more businesses in the EU. The selection is small, so way more chances to succeed if you're EU based and serve both markets.

I run Simple Analytics [1], which is a privacy-first analytics business from the Netherlands. I see a lot of business from the EU just because we are from the EU as well.

[1] https://simpleanalytics.com/?ref=hn

hnbad

Frankly, as an EU company (based in Germany no less) I'm steering clear of any US SaaS whenever possible. Even if they operate in the EU they're usually a legal headache because privacy compliance is added as an afterthought and they'll often carelessly transfer data to US servers based on assumptions that should have been abandoned when Privacy Shield was torn down in the courts.

Out of the big cloud providers only Azure feels even remotely safe to use (if only because of the privacy reputation of Google and Amazon).

jeroenhd

I can already see the taglines: "ConsentCo, tracking that's legal in the EU, unlike Google Analytics"

cm2012

A little advantage for EU analytics startups, a disadvantage for all other EU startups and SMBs who have fewer options for figuring out what users like about their website and offerings.

hef19898

Assuming any of that actually helps to grow revenue, or that it is the only way to find out what your users want. Plus, GDPR isn't making tracking illegal in general, it is just heavily regulating it. If it was just properly enforced, the internet would be a much nicer place...

Side note, I'm slowly getting tired of people ignoring regulations and compliance simply out of laziness.

YetAnotherNick

So due to this legislation it is more costly/less profitable for a company to have a European customer compared to a US customer. Things like GDPR/lawsuits/bad PR etc. don't come for free for companies. So if some startup has a higher ratio of European users it is at a disadvantage.

herbst

GDPR is rarely enforced, we are still in a transition phase and many who start out choose to just ignore it to a degree.

I don't see how it's more costly or less profitable. Judging by the amount of lawsuits per capita I think it's way more likely to get sued in the US than Europe. And guess what's more expensive or complicated for a European company?

makeitdouble

Setting up something like Matomo instead of GA doesn't look to me like a huge penalizing factor for a startup.

If anything, EU startups could benefit from better control over the tools they use. One interesting halo effect of Google seeing that much data is also that US startups from ex-Googlers get a head start on many insights.

realusername

That decision is on the US; once the CLOUD Act is removed, those services will be legal again.

toyg

Before the CLOUD Act there was the PATRIOT Act, which had effectively the same provisions.

These things have not been legal since the GDPR went into effect, and in some countries even before then.

realusername

Oh yeah sure, that also would not work with the PATRIOT Act.

To be compliant with the GDPR, the US needs data laws which only affect citizens on their own soil and don't overreach to EU citizens.

baq

Take data of your USA customers and sell it to the highest bidder without their consent or even knowledge as you please. Don't complain that I have the right to know you do that and to disagree with you doing that.

dehrmann

Google doesn't really sell user data.

speedgoose

No, it’s too valuable. They sell services using the data such as Google ads.

FateOfNations

That seems to be a detail that a lot of people miss. Google, Facebook, etc. don't sell user data. What they do offer is services where they use that data to optimize ad delivery.

On my part, I'm not too concerned with that... they operate on a massive scale and no human is looking at my individual data. The result is me seeing fewer ads that are irrelevant, which is good for everyone (for example, no one benefits from showing me an ad for feminine hygiene products, and if Google and Facebook can make sure that doesn't happen, all the better).

peoplefromibiza

Or maybe the EU is starting to rely on its own startups.

If I had to choose analytics software for a customer's website, I'd choose someone in the EU for the sole reason that it would be compliant in both the EU and the rest of the world.

herbst

I am no EU citizen, however live in Europe and do tech startups. I welcome GDPR as well as this ruling.

It's unethical IMO to send personal data to countries that have weak privacy laws without making it absolutely clear to the user. Which is rarely the case with GA right now.

I switched most of my projects to shynet, for me personally that's more than enough information and I have zero worries about tracking and know that some users appreciate my approach.

Edit:// even before GDPR became a thing I worked with several companies who had strict rules about hosting in Europe or even more explicit not hosting in the US.

xnickb

Let me guess, you're from the US and user surveillance is beneficial to your business so naturally everyone with non-capitalist (read not $$$-centric) ideology is plain wrong. EU startups don't have to "catch up" or even compete with US start ups.

skdd8

Read this with a French accent for whatever reason >.<

caracustard

Does this imply that the EU is "non-capitalist" or something?

"EU startups don't have to "catch up"..." then don't get surprised when EU talent is poached by US and Asian HRs for x2-x3 rates. And before you're gonna talk about all those "free" (taxpayer funded) services and how no European would ever move to Asia or NA, I'd like to remind you that we're in the remote work world now :)

xnickb

Replying to a comment that states: "not everything revolves around money" with "but we make more money".

openplatypus

While I should be happy with the narrative (I run https://wideangle.co, a GA alternative), let's be honest. It's not banned. Nor is it illegal.

It is illegal to use it in such a way that results in Personal Data being siphoned to the US.

Is it hard? Yes. Outright illegal? Nah.

stevoski

It is good to see a GA competitor not resort to FUD as a marketing tool.

dx034

But it's enough of a hurdle that many website owners may just decide to go with an EU-based competitor. Certainly a good ruling for the EU tech scene.

calibas

If I understand this correctly, the issue isn't Google Analytics specifically, but "because it transfers users’ data to the USA, which is a country without an adequate level of data protection".

So this could also apply to any company that sends PII to the USA?

solar-ice

At present, there is no legal basis for a company covered by the GDPR to send personal data to the US or a US-owned company. The US needs to repeal the CLOUD Act, and maybe one or two other things, in order to make this situation work again.

minsc_and_boo

Is that for US- or Italian-based users? What if this is an Italian company running a global website with data from non-GDPR country users?

solar-ice

You can find the scope of the GDPR in Article 3 of the GDPR: https://gdpr-info.eu/art-3-gdpr/

Read these as individual clauses; the Regulation applies if any one of them is met. An Italian company serving customers anywhere in the world is covered by the first clause.

jakubp

GDPR covers EU citizens. I don't think it says anything about non-EU citizens.

M2Ys4U

Any company that sends personal data to the USA, yes.

nwellnhof

What's really puzzling is that Google Analytics never got banned because of antitrust laws. It's the most obvious example of predatory pricing I've ever seen. How is a smaller company supposed to compete against a free product?

raviparikh

I co-founded a company called Heap that competed against Google Analytics and we were quite successful. Amplitude, Mixpanel, and others have also done so. GA’s free pricing was not really a big issue for us and customers were very willing to pay 6- and 7-figures for a differentiated quality product.

Nagyman

Loved Heap (Analytics?). I advocated for it while working at my previous employer :) I think we were early customers. At the time, its automatic tracking of all events was a godsend compared to hooking up specific tracking after the fact using GA events.

vkou

One broad view is that anti-trust is supposed to protect consumers, not competitors.

If a competitor can't produce a quality product that people will pay for, consumers aren't being harmed by the prevalence of a free good-enough product.

In a consumer-protection world where a free and open source Linux had 98% market share in the OS market, Microsoft or Apple would have no leg to stand on to sue its developers over anti-trust. In a competitor-protection world, they would.

The US views anti-trust through a very consumer-focused lens[1], the EU sometimes views it through a more competitor-focused one.

[1] This doesn't mean I agree with it, and there are obvious problems with trying to prove harm in a court of law, if no alternative exists.

Wowfunhappy

Doesn’t predatory pricing mean “we dropped our pricing below profitability in order to kill competitors (and presumably raise our own prices once they’re dead)”?

I think you’d have a very good case against Amazon, and probably Uber/Lyft, and I’ve long wondered why no one sued them over it. But in Google’s case, Analytics is profitable for the same reason Youtube is profitable—Google makes money off the data they gather.

permo-w

I did hear this in about 2014, so it could well have changed, but I thought Youtube wasn't profitable, or at the very most barely profitable

IX-103

As of 2019, I was still hearing it wasn't profitable. Though that may be starting to change: https://arstechnica.com/gadgets/2021/04/youtube-is-now-build...

dudus

Google Analytics has an enterprise paid version and it starts at 6 figures, Adobe has a very competitive product in the same space. So there's definitely room for a paid product in the market.

tantalor

Lots of ways? Better features, better support, better performance.

If you can't beat the free offering, then go home.

bryan_w

"We've tried nothing and we're all out of ideas!"

- A French Ned Flanders, probably

reaperducer

If you can't beat the free offering, then go home.

In the real world of physical goods, there are laws against this. But Google's a tech company, so anything goes.

foota

It's not illegal to give things away for free unless it's dumping.

minsc_and_boo

Which real world country?

In the U.S. most antitrust law is based on protecting what's best for the consumer, not protecting the competition from a free alternative.

jokethrowaway

What a horrible law.

The market should just create a better solution or find investors to call the bluff of the offending company and make even more money

adrr

How many companies use GA as their only analytics system? It isn’t free. It has a free tier.

dx034

It's like with Cloudflare. The free tier is what gets small companies and hobby developers in. And as they know your system but not the ones of others, they'll recommend it when their company grows or their employer looks for an analytics system.

But I don't think it's predatory. It clearly worked for cloudflare and seems to work for Tailscale (they openly said they're using the same strategy). It would be predatory if others couldn't match that, but I'd argue many competitors could offer free plans for small websites if they wanted to.

scarface74

If we enforced a law that said no product can be sold at a loss, we would get rid of almost every single startup and many recently IPO'd former unicorns.

encoderer

There is really no reason to use Google Analytics anymore. There are many great alternatives now, mine is PanelBear.com. Other people love Fathom and Plausible. It’s great to see some unbundling happen.

sixothree

Yeah, it was another one of those trojan horse programs. Offer something incredibly useful to website owners; something so compelling that they literally can't say no. And oh, it just happens to track the activity of every web user anywhere in the world.

The alternative offerings at the time were fairly awful compared to what google released.

quickthrower2

I also believe (no proof though!) that you don’t need all that micro detail about your users and it is a distraction for a business.

A rough “how many came” is useful. At least to diagnose if the site had problems. Just talk to people and make your thing good!

scale8

The reason we built Scale8.com - Time to replace Google Analytics and Google Tag Manager :)

dx034

I'm still a fan of Matomo. Very powerful, easy to self-host and you get full control over your data. Never tried their managed services though.

lmkg

This is consistent with decisions from the Austrian and French data protection authorities (DPAs). Note that Google is a Processor (for this product), meaning that Google itself does not violate GDPR, but only the websites that use it.

Following the Schrems II case, the "threat model" used by EU courts on these matters is "American law enforcement can serve a warrant to American companies." Long story short, any processing that Google does after collection is not considered to offer any protection, because American law enforcement can just tell them not to do that and they won't. Hence, the "Anonymize IP Address" setting in Google Analytics is not considered to have value for GA.

It might theoretically be possible to use GA compliantly by proxying data through an EU-owned service which obfuscates anything considered personal data, at minimum the IP address and various cookie values. This scenario hasn't been confirmed by anyone as compliant, but the regulators seem to always go out of their way to dance around it rather than just saying "GA is non-compliant, always, forever." Still, for the trouble to set up such a service you might as well just stand up a self-hosted first-party analytics solution.

This particular decision on GA is purely about the cross-border transfers, and doesn't seem to touch on whether using cookies for analytics requires consent. That's a separate issue (technically about a separate law).
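As an added illustration of the proxying idea in the comment above (not code from the comment's author or from any analytics vendor), this sketches what an EU-held first-party collector would do to a hit before forwarding it: never pass the client IP on, drop the identifying override parameters, and replace the client-id cookie value with a keyed, period-scoped pseudonym that the downstream processor cannot invert. Parameter names are assumed to follow the Universal Analytics Measurement Protocol; the sample hit and secret are constructed, and whether this satisfies a regulator is, as the comment says, unconfirmed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Parameters the proxy must never forward unchanged (assumption: Universal
# Analytics Measurement Protocol names; adapt to the vendor's real wire format).
DROP = {"uip", "uid", "ua"}   # IP override, user id, user-agent override
PSEUDONYMIZE = {"cid"}        # client id copied from the _ga cookie


def pseudonymize(value: str, secret: bytes, period: str) -> str:
    """Keyed, period-scoped one-way hash. The proxy (key holder in the EU)
    keeps sessions consistent within `period`; the downstream processor can
    neither invert the value nor link identifiers across periods."""
    msg = f"{period}:{value}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def sanitize_hit(client_ip: str, query_string: str, secret: bytes, period: str) -> dict:
    """Rewrite one inbound analytics hit before the proxy forwards it.
    Returns the outbound query string and the list of fields stripped."""
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    stripped = sorted(k for k in params if k in DROP)
    for k in stripped:
        del params[k]
    for k in PSEUDONYMIZE:
        if k in params:
            params[k] = pseudonymize(params[k], secret, period)
    outbound = urlencode(params)
    # The proxy opens its own connection to the processor, so the only address
    # the processor sees is the proxy's; refuse to forward if the client IP
    # somehow survived in any parameter.
    if client_ip in outbound:
        raise ValueError("client IP leaked into forwarded hit")
    return {"query": outbound, "stripped": stripped}


# Constructed sample hit (not real traffic): a pageview carrying a client id,
# a user id and the IP-override parameter a browser-side tag might set.
SAMPLE_QUERY = ("v=1&t=pageview&dp=%2Fpricing&cid=123456789.1655000000"
                "&uid=user42&uip=203.0.113.42")
SECRET = b"eu-held-rotating-secret"  # constructed; load from a KMS in practice

if __name__ == "__main__":
    print(sanitize_hit("203.0.113.42", SAMPLE_QUERY, SECRET, "2022-06-23"))
```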

V__

> meaning that Google itself does not violate GDPR, but only the websites that use it.

This is so baffling to me. Google has subsidiaries in the EU. The fact that it's ok to give a product to a EU client which can't be used in accordance with the law, and the client is responsible, is just idiotic.

humanistbot

To be compliant, Google can just set up data centers specific to GA in one of those EU subsidiaries, so GA admins can choose to have their visitors' data stored only in an EU data center (and promise to not transfer that data to the US). This wouldn't be that hard to do.

gostsamo

No, they can't as far as I get it. The American CLOUD Act entitles US law enforcement to serve orders to US companies and their foreign branches. So, if you are American with a company in the EU, the important part is that you are an American, not that the company is in a foreign jurisdiction.

nisegami

It really makes no difference where the data is stored once it's accessible by a US company:

"The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil."

from https://en.wikipedia.org/wiki/CLOUD_Act

openplatypus

As mentioned by other commentators, this is not enough. The Schrems II ruling exposed the risk here. If servers are in the EU but are under effective control (even via proxy) of a country with inadequate control (US, RU, CN), then you can't use data location as an argument.

MrQuimico

The problem is not only the geo location of the datacenters. As long as these subsidiaries are under the control of a USA corporation, this is illegal, since the USA corporation can be requested by the USA gov to share any data they may have, no matter where it's stored. The only options are a 100% GDPR compliant solution (European or from a country with similar laws) or self-host. Hopefully another Privacy Shield like agreement will be in place soon.

shadowgovt

Building out the infrastructure necessary for Cloud to be compliant with region-stored data was a multi-year project.

Huge swathes of Google's architecture (especially its legacy architecture) have deeply-ingrained location-agnosticism assumptions. It turns out to be extremely complex and expensive to remove those assumptions given the way Google handles data once it hits their datacenter fabric.

(Not impossible, mind, just that this assertion that it wouldn't be that hard to do is in "I could build Twitter in a weekend" territory).

dylan604

It wouldn't be hard for Googs to do this on their own so that they comply with the rules/laws in the markets they are operating in, vs giving it to the end user as an option in the configs. Most people using GA probably wouldn't know what any of that meant anyways. They just want the numbers so their marketing people can tell them what to do next. I'm talking about the people running sites on Wix type sites vs having an actual dev team that can push back against a marketing department.

leephillips

I don’t find it idiotic. It was the client’s decision to spy on its users. I have no sympathy for companies who make that decision.

pessimizer

Why do you have to be sympathetic to the client in order to also condemn Google? If someone was selling bleach as a cure for autism through a network of distributors, do you have to be sympathetic to the distributors in order to condemn the manufacturer?

V__

> It was the client’s decision to spy on its users.

Calling it spying is a little far-fetched I think, when the problem was the transfer of IP addresses to US servers, not Analytics itself.

rattlesnakedave

It was the client’s decision to use the service.

gretch

What about Italian websites that serve customers outside of Italy?

V__

If they serve customers outside the EU, then they should comply with those laws or not serve them at all.

louhike

The CNIL in France is really pushing companies to not use Google Analytics, and you better listen to them here. It seems US companies should really make changes to how they host/manage data to be able to work in the EU in the near future. (It isn't a criticism, simply an assessment.)

f1refly

There's nothing US companies can do to make themselves legal to use here. The legal framework in the US allows dragnet spying on every non-American, and American companies are forced to participate in that effort.

jeroenhd

They're perfectly legal if they don't process any PII. If a US company serves static content there's no need to fear the EU; they'll just have to disable illegal external integrations like Google Analytics/Fonts/etc.

A company doing business with other companies might find themselves in a position where they can comply perfectly. Not every company needs to collect PII, though these days every company likes to pretend they do.

IX-103

When PII includes IP addresses it's kind of hard not to process. How else are you supposed to group metrics over a session (since cookies are also forbidden)?

This seems to ban third-party analytics by any US company. The cynic in me feels this is a little convenient in how it advantages EU organizations over foreign ones...

M2Ys4U

>They're perfectly legal if they don't process any PII.

Personal data, not PII. The GDPR does not care about PII (except to the extent that the set of things that are PII is a subset of things that are personal data).

sfifs

So reading the English text it is not clear what exactly is the unlawful part. Is it the fact that data is flowing to US-based servers (which I assume is trivially managed by changing the GA server location to Europe), or the fact that it is flowing to an American-headquartered company, regardless of where the data is flowing to?

Can someone comment on whether the Italian language text is clearer? Or what is in the judgement?

makeitdouble

There’s a bunch of steps, but jumping to the extreme, a foreign gov having access to the data is the awful part.

Data flowing to the US violates that; assuming Google US cannot refuse US gov requests, the headquarters having access to the data is also not accepted.

bradgessler

I've slowly started ripping Google Analytics out of my Rails projects and replacing it with https://github.com/ankane/ahoy.

It's so much better! I can just use SQL to see what's going in and not get overwhelmed with 100's of visualizations and complicated dashboards.

nathan_f77

I use Ahoy too, but I don't have very good visibility into the data. I should spend more time building queries and creating charts. I should probably set up blazer as well: https://github.com/ankane/blazer It would be really nice if Ahoy came with a web UI that covered all the basics.

bradgessler

Agreed. It would be a really great open source project to have a dashboard with all the basics in addition to standard Ahoy event captures.

tannhaeuser

Well HN, how about a badge for links indicating whether it uses ga? We have to start somewhere don't we? Or we'll continue to see the web decline. Actually, from my PoV, it might be too late already. Maybe it's just me or people in EU being harassed with banner popups, but I hardly go to any link anymore, and so do many other people I know. It's just not worth it.

aembleton

> how about a badge for links indicating whether it uses ga?

Sounds like a browser plugin would be best for this, then all links across the web could show it. Or you could just block it in uBO and not think about it again.

butterNaN

A bit of an individualist solution, but you can block it with NoScript in your browser.

ronsor

I'm an American, but I occasionally use an EU VPN. I don't understand how EU residents can tolerate the number of cookie/privacy/GDPR/whatever popups every site has, even on the sites of EU companies.

iLoveOncall

We don't. Outside of a few greybeards the vast majority of the population would gladly send all of their data including dick pics and credit card numbers to remove those popups.

The law was absolutely useless because 99% of the websites have an illegal implementation and still added a major annoyance in the form of the popup / banner.

solar-ice

My impression is the lawmakers assumed that companies would do what they go on about in their blogs and marketing material all the time - ensure the best user experience for their customers, which they could do by properly complying with the GDPR.

Instead, the companies took their masks off and decided to beat us over the head with illegal consent popups to trick us into believing that a damaged user experience is the only possible outcome of the GDPR.

jokethrowaway

We Europeans are generally used to doing whatever the government tells us.

We don't have the same culture as Americans.

Don't get me wrong, you had a pretty bad deal as well: without much fanfare, your government grew up so much in the last 200 years that it became the largest employer in the world. You pay loads of taxes (even more than several EU countries) and get very little benefits.

And yet, I'm sure that if we will get to a political solution to the ever-growing cancers that governments are, that solution is more likely to appear in the states than in Europe.

Europe is a hopeless - albeit beautiful - land. The people gave up change 50 years ago.

trasz

>We Europeans are generally used to doing whatever the government tells us.

As opposed to those who used to do whatever the private companies tell them?

tannhaeuser

Err, just to avoid further misunderstanding: I'm pro-GDPR ;) and think it's right to confront users with the hydra behind the crap on the web. What I think has destroyed the web is attention economy, monopolies, the race to the bottom, and lack of incentive for quality content.

Agree though that Europeans could do with more libertarianism and less trust in the state; it's something that's been a big issue for me since at least the Covid hysteria.