Implications of IMY's Google Analytics Ruling
In July 2023, Sweden’s data protection authority, the Swedish Authority for Privacy Protection (IMY), issued orders to four Swedish companies to halt their use of Google Analytics. The reason behind this directive was the violation of the General Data Protection Regulation (GDPR) by these companies, as they were transmitting personal data to the United States through Google Analytics.
The IMY’s decision aligns with a series of similar verdicts from data protection authorities globally, all asserting that Google Analytics breaches GDPR. A pivotal moment came in 2020 when the European Court of Justice (ECJ) invalidated the Privacy Shield agreement, a mechanism that allowed the transfer of personal data between the European Union and the United States, deeming it inadequate for safeguarding European citizens’ privacy.
As a cornerstone of web analytics, Google Analytics faces a significant setback due to IMY’s judgment, with potential ripple effects throughout Europe. This situation places additional scrutiny on businesses across various countries using Google Analytics, compelling them to reconsider their analytics strategies.
While IMY suggests possible collaboration with Google for a GDPR-compliant solution, the feasibility of satisfying both IMY’s demands and other data protection authorities remains uncertain. This situation underscores the paramount significance of privacy and data protection in today’s digital landscape, underscoring the imperative for businesses to choose their data tools prudently.
How to Ensure Compliance
Swedish companies can implement the following adjustments to their Google Analytics practices to ensure compliance and sustain their usage:
IP Anonymization Feature:
Analytics 4 anonymizes IP adresses by default, however if you still use Universal Analytics, here’s how to employ the IP anonymization feature to obscure the last two digits of visitors’ IP addresses, enhancing anonymity.
- Log in to your Google Analytics account and navigate to the “Admin” tab.
- Choose the relevant property under the “Property” column.
- Click on “Tracking Info” and then “Data Collection.”
- Toggle the “IP Anonymization” switch to activate this feature.
Aggregated Data View
Utilize the aggregated data view to exclusively gather consolidated data about visitors, such as total visitor counts and page visits.
- Access your Google Analytics account and select the appropriate property.
- Proceed to the “Admin” tab and click on “Views.”
- Choose “Create View” and provide a name for the new view.
- Select “Aggregated Data View” under “Data Retention.”
Two-Step Opt-In Feature
Apply the two-step opt-in feature, which mandates visitors to explicitly consent before their data is transmitted to Google Analytics.
- Navigate to your Google Analytics account and go to the “Admin” tab.
- Select the pertinent property under the “Property” column.
- Click on “Tracking Info” and then “Data Collection.”
- Toggle the “Consent Mode” switch to enable this feature.
Local Analytics Solutions
Explore local analytics alternatives that don’t transfer data to the United States. Solutions like Matomo, Piwik PRO, and Plausible offer comparable features minus the data transfer concerns.
Commitment to Data Protection
These adaptations should be adapted in line with a company’s specific context. Consulting data protection experts is advised for personalized guidance.
Apart from addressing Google Analytics, Swedish companies should audit their overall data collection and processing routines for GDPR compliance. This includes obtaining consent, enabling data access and correction, and responsibly managing data lifespan.
By taking these measures, Swedish companies can ensure ethical and lawful use of Google Analytics, preserving their commitment to data protection in an increasingly digital world.
