Significant developments that will shape the future of digital analytics…
In June, three significant things happened for the future of digital analytics. Actually, three things happened that confirmed the direction of existing travel, but they are no less significant for that.
Firstly, the Italian data protection authority has found that Google Analytics is not compliant with EU GDPR. In this ruling, it follows its counterparts in France and Austria, and makes further similar decisions more likely, as cases have been brought in all 27 EU countries. It’s notable that the Italian response was more forthright than previous decisions, as it said it “draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through Google Analytics… and invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data”. In effect, this puts all Italian webmasters on notice to check whether correct protocols are in place in relation to Google Analytics, and if not, to do something about it. It’s a more combative response than the others, and makes it sound like the data protection authority is more likely to come after offenders; one of the
However, perhaps more significant is Google’s response to the Italian decision. Google said “Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web. These organisations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance.” So, Google Analytics is just a software tool, and you use it at your own risk. This corporate shrug of the shoulders to their clients’ problems perhaps shows Google’s level of frustration for being singled out by the EU, but it’s perhaps more concerning to clients, in that Google is formally putting the onus on them to ensure compliance.
Which brings us neatly to the second significant thing. June 2022 marks a year before Google Analytics existing code version, called Universal Analytics, will stop collecting data for some customers, with the final deadline being in October 2023 for all paying customers of GA360. This means that many companies’ digital analytics tool will stop working in a year’s time. Google would like people to move to GA4, their new version. However, there are several noticeable challenges with GA4 from an analytical point of view as it stands at the moment – for instance, you can either store your data for 2 months, or 14 months, not for longer, which is a problem when many businesses like to report on a rolling 5 quarter basis.
But most importantly, it is still unclear, even at a year out, how this solution addresses the main issue that triggered Google’s decision to switch to GA4 – UA’s non-compliance with GDPR. In other words, what about those safeguards, controls and resources for compliance that Google specifically mentions? The main one is the ability to store data within the EU, thereby insuring that the data cannot be accessed by US surveillance (which is the premise of the original complaints in the EU courts). As it stands, there is no way of confirming that GA4 data can only be stored in the EU (or a country with an adequacy agreement with the EU), and no timeframe for when this will be established. So, for those Italian analytics managers, there isn’t much additional control available, and no visibility of when this might arrive, so the risks for European businesses have just got larger. The only hope on the horizon might be the long-awaited text of the new Privacy Shield, which Presidents Biden and von der Leyden announced in March, but this probably won’t be available before the end of the year, and there is no timeframe for its potential implementation, and challenges may follow anyway. So, that doesn’t really help legal and compliance officers at the moment, who will either have to accept the risk, or make a decision before the text is available anyway.
The third significant thing may turn out to be the least significant. The UK Government announced its response to its strategic Data: A New Direction consultation from the back end of last year. This is still very high-level, but, despite the fact there are some headline-grabbing points, one of the key points was hidden further into the text, and was not widely reported in the headlines; that the Government will work to ensure continued adequacy with the EU. The companies we consulted with said it was important to maintain adequacy with the EU, given almost all of them are multinational, or work with customers in the EU. Therefore, it was great to see this reflected in the response.
On this basis, the adequacy decision dictates that it’s likely that little will change for most organisations. There are certainly some important changes for smaller, local organisations, which will remove some of the data protection burden from those for whom EU integration is not as important (why does the local parish council need to have a DPO, has been one of the common scenarios put forward, which this would address), but for larger organisations, it seems like GDPR adequacy will continue to be the primary focus.
We are continuing our discussions with DDCMS, and will report back on further nuances as we have them. Watch this space!
Let us assess your current analytics set up, guide your strategic direction or bring knowledge and expertise to the team where it’s needed. Tell us more below.
We just need to know a few things and we will be in touch:
Click here to tell us where you’re at in your analytics journey