Does the use of Google Analytics violate GDPR?

If you haven’t had a chance to see the recent ruling made by Austrian Data Protection Authority concerning a website’s use of Google Analytics violating GDPR we recommend you do:

Austrian DSB: EU-US data transfers to Google Analytics illegal (noyb.eu)

Here’s our take on the recent ruling

In 2020, the European Court of Justice decided that the use of US providers violates GDPR. This recent ruling specifically points to the use of Google Analytics alone as violating GDPR.

Due to its free entry level and widespread adoption, Google Analytics may be an obvious choice to utilise for your website. However, it is currently not fit for purpose. How can that be when the application uses data encryption, offers IP anonymisation, etc? Well, the issue is far greater than not having anonymizeIp set to true. It comes down to how and where data is processed and who owns those servers.

With Google Analytics you push user data with variables “ga(‘set’, ‘anonymizeIp’, true);” to the external JavaScript Google provides. Each client connects directly to Google Analytics revealing their IP address in step 1, downloading a JavaScript where you can manually set a variable to return IP data anonymised. The client will return this information directly to Google Analytics in step 2.

So, you may well see it anonymised, but Google is still processing the user data with IP address and only anonymising for us. A controller is still not allowed to process or store any personally identifiable information on US cloud services where the encryption is not solely managed by that controller.

So, what do we need to consider?

Check that the company you are buying services from is located outside the US
Ensure no personally identifiable information is being stored or processed within the US without being highly encrypted and with you in control of the encryption and keys before it is stored there.

If you are designing a SaaS product, consider your infrastructure and cloud service provider

Data security is a key consideration for any product, but it becomes even more important when personally identifiable information (PII) is involved. Then, you must consider how and where that data is processed and who owns those servers.

Even if you must export some data outside of Europe, utilising European servers to process and encrypt a European’s user data before it is stored anywhere else can be part of the solution.

At Klikk, we care about security and privacy. We are a cloud provider offering state-of-the-art firewalls and modern hardware stored in secure Norwegian data centres. We aren’t in the business of selling data – just great cloud services – so when you’re utilising our infrastructure you can control and process the data at speed without us wanting to peek.

Check out our cloud VPS offering

Cookie Name	Agent	Purpose	Length
smuuid	Sales Manago	Sets a unique visitor ID	12 months
smclient	Sales Manago	Used to track interactions of known users	10 years

Cookie Name	Agent	Purpose	Length
_fw_crm_v	Freshchat	Used to track Visitor/User identity and chat sessions performed by the User	1 year

Cookie Name	Agent	Purpose	Length
zenMode	Matomo Analytics	Check if user has Zen Mode enabled	Session
MATOMO_SESSID	Matomo Analytics	Prevent CSRF security issues	Session
_pk_testcookie	Matomo Analytics	Check if the visitor has cookies enabled	Session
_pk_cvar	Matomo Analytics	Short lived cookie used to temporary store data for the visit.	30 min
_pk_ref	Matomo Analytics	To store referrer-id for analytical purposes.	6 months
_pk_id	Matomo Analytics	Used to store details about the user such as the unique visitor ID.	13 months
_pk_ses	Matomo Analytics	Short lived cookie used to temporary store data for the visit.	30 min
mtm_consent	Matomo Analytics	Enable Matomo Analytics Consent	Session

Cookie Name	Agent	Purpose	Length
bcookie	LinkedIn	Browser-ID cookie that uniquely identifies devices that access LinkedIn to detect abuse on the platform.	2 years
bscookie	LinkedIn	Used to save the state of 2FA for a logged in user	1 year
UserMatchHistory	LinkedIn	Synchronizing LinkedIn ad IDs	6 months
lidc	LinkedIn	To optimize data center selection	1 day

Cookie Name	Agent	Purpose	Length
_fbp	Facebook	To store and track visitors across websites for remarketing purposes.	3 months
c_user	Facebook	Cookie related to Facebook Pixel functionality	3 months
datr	Facebook	To analyse and prevent suspicious activity.	2 years
fr	Facebook	To improve relevance of ads.	3 months
presence	Facebook	Cookie related to Facebook Pixel functionality.	Session
sb	Facebook	Cookie related to Facebook Pixel functionality.	2 years
wd	Facebook	Cookie related to Facebook Pixel functionality.	1 week
xs	Facebook	Cookie related to Facebook Pixel functionality.	3 months

Cookie Name	Agent	Purpose	Length
CONSENT	Google	Store visitors preferences and personalization of ads.	Persistent
NID	Google	Store visitor preferences and personalization of ads on Google. Based on search and interaction.	6 months
OTZ	Google	Link website visiitors to other devices, previously logged in with Google. Tailored advertisment based on device.	1 month
SIDCC	Google	For security and fraud prevention purposes.	3 months
ANID	Google	List ads on Google Sites based of search.	Persistent
SAPISID	Google	Collection of visitor information for videos hosted by YouTube.	Persistent
SSID	Google	Collection of visitor information for videos hosted by YouTube with Google Maps.	Persistent
HSID	Google	For security and fraud prevention purposes.	2 years
APISID	Google	Personalization of ads based on recent searches and interactions.	2 years
SID	Google	For security and fraud prevention purposes.	2 years
__Secure-3PAPISID	Google	Collect information to build a profile based on interest. Show relevant ads through retargeting.	2 years
__Secure-3PSID	Google	Collect information to build a profile based on interest. Show relevant ads through retargeting.	2 years
__Secure-APISID	Google	Collect information to build a profile based on interest. Show relevant ads through retargeting.	8 months
__Secure-HSID	Google	To secure signed and encrypted data digitally signed with unique Google ID. Store most recent login, identify visitors, prevent fraudulent use. Provide targeting to display relevant and personalized ads.	8 months
__Secure-SSID	Google	Store information about how the user uses the website. Ads that might have been seen by the user before entering the site. Customize ads on Google domains.	8 months
1P_JAR	Google	Store recent searches, previous interactions, customization of ads.	1 week
SEARCH_SAMESITE	Google	Prevent risk of CSRF.	5 months
IDE	Google / DoubleClick	Report user interaction after clicking ads, measure efficiency, target ads.	1 year
RUL	Google / DoubleClick	Determine if website advertisment has been displayed properly.	1 year
DSID	Google	Used to identify a signed-in user on non-Google sites and to remember whether the user has agreed to ad personalization.	2 weeks
DV	Google	Used to save user preferences, preferred language, number of search results, check SafeSearch settings.	7 minutes

Cookie Name

Agent

Purpose

Length

CONSENT

Google

Store visitors preferences and personalization of ads.

Persistent

NID

Google

Store visitor preferences and personalization of ads on Google. Based on search and interaction.

6 months

OTZ

Google

Link website visiitors to other devices, previously logged in with Google. Tailored advertisment based on device.

1 month

SIDCC

Google

For security and fraud prevention purposes.

3 months

ANID

Google

List ads on Google Sites based of search.

Persistent

SAPISID

Google

Collection of visitor information for videos hosted by YouTube.

Persistent

SSID

Google

Collection of visitor information for videos hosted by YouTube with Google Maps.

Persistent

HSID

Google

For security and fraud prevention purposes.

2 years

APISID

Google

Personalization of ads based on recent searches and interactions.

2 years

SID

Google

For security and fraud prevention purposes.

2 years

__Secure-3PAPISID

Google

Collect information to build a profile based on interest. Show relevant ads through retargeting.

2 years

__Secure-3PSID

Google

Collect information to build a profile based on interest. Show relevant ads through retargeting.

2 years

__Secure-APISID

Google

Collect information to build a profile based on interest. Show relevant ads through retargeting.

8 months

__Secure-HSID

Google

To secure signed and encrypted data digitally signed with unique Google ID. Store most recent login, identify visitors, prevent fraudulent use. Provide targeting to display relevant and personalized ads.

8 months

__Secure-SSID

Google

Store information about how the user uses the website. Ads that might have been seen by the user before entering the site. Customize ads on Google domains.

8 months

1P_JAR

Google

Store recent searches, previous interactions, customization of ads.

1 week

SEARCH_SAMESITE

Google

Prevent risk of CSRF.

5 months

IDE

Google / DoubleClick

Report user interaction after clicking ads, measure efficiency, target ads.

1 year

RUL

Google / DoubleClick

Determine if website advertisment has been displayed properly.

1 year

DSID

Google

Used to identify a signed-in user on non-Google sites and to remember whether the user has agreed to ad personalization.

2 weeks

Google

Used to save user preferences, preferred language, number of search results, check SafeSearch settings.

7 minutes

Does the use of Google Analytics violate GDPR?

Here’s our take on the recent ruling

So, what do we need to consider?

If you are designing a SaaS product, consider your infrastructure and cloud service provider

We care about your privacy

Cookie preferences

Functional

Sales Manago

FreshChat

Statistical

Matomo Analytics

Marketing

LinkedIn

Facebook

Google Ads Remarketing