The Italian Supervisory Authority (SA) recently ruled that Google Analytics was non-compliant with EU data protection rules. They banned the popular analytics tool, finding that the protections Google applied were not sufficient to address the risk. The SA suggested the use of Google Analytics violates the bloc’s data protection rules over the data export issue.
Compounding the trouble, an eCommerce website using Google Analytics without the safeguards set out in the EU GDPR violates data protection law. This potentially puts any eCommerce business at a major risk. France and Austria have also deemed the tool illegal, and Denmark is the latest EU country to do so. Technically, the Schrems II case in 2020 made data transfers between Europe and the US illegal. However, that case found the existing agreement, the Privacy Shield, between the US and the EU was not compatible.
The American law allows its government to requisition client data from companies on national security grounds. Something which is prohibited under GDPR.
The effect on the e-Commerce industry
Millions of European businesses are poised to be affected by the banning of Google Analytics, resulting in several possible scenarios. The first is a total ban of Google Analytics in Europe, leaving American companies unable to operate in the EU.
Another possibility is US-based tech companies switch to storing and consolidating data in Europe to ensure they’re compliant with GDPR. But that goes against the CLOUD Act that requires American service providers to provide US authorities with any domestic or international data, when asked, that is stored in their servers.
A third option is EU businesses finding an alternative to Google Analytics. Another possibility is enforcement of the Innovation and Choice Online Act, which targets big tech companies for potential antitrust and consumer choice violations.
According to Mikel Lindsaar, CEO at StoreConnect,
“Now more than ever, small and mid-size companies need to own their data. Everything they collect from their customers should end up in their own store and database, making them compliant with GDPR.”
Other Analytics Options
While EU authorities and the US work to reach a data transfer agreement, there are other analytics options available beyond Google’s. Solutions like StoreConnect allows customer data to be maintained within a business’ own systems and not exported at all. This lets small to mid-size companies continue to gain useful data from “internal” analytics while remaining GDPR compliant.
“With StoreConnect, small and mid-size companies CAN own their data,” continues Lindsaar. “Businesses will have the information that enables them to understand what their customers are doing in their store, while being GDPR compliant.”
StoreConnect provides a Salesforce-native eCommerce solution 3.0 for small- to- medium- sized businesses. It enables these companies to enter the global eCommerce marketplace and scale to grow at any pace imaginable.
Enterprise Times: What this means for business
Businesses using Google Analytics must have a technical understanding of their data flows. This includes where the data is going, who is receiving the data and how the data is protected. Cookies are also used to track data, but they are not the only means of collecting and transferring data.
Google Analytics and similar services can receive personal data through other means. For instance, a website or app could still send personal data to Google via HTTP parameters or browser/device fingerprinting, among other means, to track users across web properties.
That is why it’s essential a technical analysis is conducted to learn which of these types of services are used by a website or app. Furthermore, what mitigations are needed. Otherwise, US enterprises, in fact, enterprises across the globe, may well fall foul of the EU law without realising it.