Swedish Authority for Privacy Protection (IMY) orders companies to STOP USING Google Analytics
The Swedish Authority for Privacy Protection (IMY) today ordered three companies to stop using Google Analytics and issued administrative fines in excess of over 12 million SEK (approximately $1.1 million dollars) to two of the companies following an audit process. Following these fines and the growing pressure across the EU against the use of Google Analytics, should companies look towards a privacy-focused analytics alternative?
What happened today?
Swedish Authority for Privacy Protection (IMY) – today issued fines in excess of 12 million SEK (approximately $1.1 million dollars) and ordered three companies to stop using Google Analytics as it breached GDPR through the transfer of personal data to the United States while using the tool.
This followed an IMY audit of four companies following complaints raised by non-for-profit organisation None of Your Business (NOYB) in light of the Schrems II ruling by the European Court of Justice (CJEU) in 2020.
The audits found that none of the companies involved had sufficient levels of protection for personal data transferred to the US while using Google Analytics.
How did we get here?
In August 2020, NOYB filed complaints against 101 European companies in 30 EU and EEA member alleging that in light of the Schrems II ruling in July 2020 by the European Court of Justice (CJEU) that these 101 companies were in violation of GDPR by transferring personal data (cookies and IP addresses) to the United States through their use of Google Analytics. These targeted complaints from NOYB were designed to create stricter enforcement of the GDPR’s data transfer rules across the EU.
The CJEU judgement in the Schrems II case earlier that year found that the transfer of personal data from the EU to US on the basis of the Privacy Shield Decision was illegal. Prior to the Schrems II ruling, companies could transfer data to the US under the EU-US Privacy Shield, a framework designed to protect the rights of European citizens when transferring data to the United States.
The NOYB complaints led to a dedicated task force being created by the European Data Protection Board to review the 101 identical complaints lodged by NOYB in September of that year. Since then we have seen numerous Data Protection Agencies (DPA’s) across the EU take action against Google Analytics.
In January 2022, Austrian DSB ruled EU-US data transfers to Google Analytics illegal; this was followed by similar ruling by the French Data Protection Authority CNIL, Italian DPA and Denmark DPA (Datatilsynet) releasing similar statements. Norway was the most recent country this year to raise concerns about the compliance of Google Analytics with the General Data Protection Regulation (GDPR).
This growing privacy backlash comes as Google sunsetted Universal Analytics leaving analytics practitioners must decide whether to continue using Google Analytics 4 or choose an alternative privacy focused solution to mitigate further risk when using Google Analytics.
Time for a privacy focused alternative?
Though there has been a rise in the number of privacy focused analytics platforms tend to offer ‘thin’ analytics data lacking session and user data preventing effective attribution and analytics.
Snowplow instead offers a privacy-first and warehouse focused approach to web analytics. Trusted by 1.9+ million applications as an alternative to Google Analytics including Trinny London and Digital Virgo, Snowplow is designed to offer a number of features to maintain compliance and whilst offering a more complete view of the customer journey;
- Private SaaS Deployment model, Snowplow is deployed in your own private cloud in your jurisdiction of choice leaving you in full control of your data. Delivered in real-time to your chosen warehouse or lake.
- Out-of-the-box real-time PII pseudonymization or anonymous tracking and fully anonymous tracking gives customers and you complete control over what is collected.
- Use of first-party server set cookie – see up to 2 years of customer touch points for an accurate and complete picture of a customers journey obfuscating browser cookies limitations including Intelligent Tracking Prevention (ITP) and Firefox’s Enhanced Tracking Protection (ETP).
- Full transparency into customer consent with Snowplow’s ‘basis for tracking’ contexts, you can record a full GDPR context (or other regulatory framework) with every event. Have access to a complete consent status in a single schema table for every user – making it easier to conduct full compliance audits and risk assessments.
Snowplow’s recent announcement at the Snowflake Summit, Snowplow Digital Analytics, Powered By Snowflake, makes it easier than ever to migrate away from Google Analytics with out-of-the-box visualizations to understand user acquisition, campaign performance, marketing attribution and more on your preferred visualization tools including Snowpark, PowerBI, Tableau, Preset and Superset. As well as a migration tool to convert your existing Google Analytics 4 data to match Snowplow’s table structure in the Snowflake Data Cloud meaning you don’t lose your valuable analytics data.
If you are interested in learning more about how Snowplow can help you replace Google Analytics, request a guided walkthrough of the platform’s key features and tools.