
Google Analytics violates data protection regulations, according to the Italian Privacy Guarantor

30 May 2023

We report a recent measure adopted by the Italian Privacy Guarantor on June 9, 2022 against the company Caffeina Media srl. The company, in particular, was admonished for using the Google Analytics service.

Google Analytics is a web analytics service that allows website operators to analyze statistics about each user in order to index and optimize their marketing campaigns. Its growing popularity and use in many countries have raised quite a few concerns about the risk to data security and privacy.

While, on the one hand, the transmission of personal data to and from countries outside the Union is certainly functional and necessary for the expansion of international trade and international cooperation, on the other hand - where personal data are transferred from the Union to controllers, processors, and/or other recipients in third countries and/or international organizations - the level of protection of individuals guaranteed by European law cannot be compromised (Recital 101 of GDPR Regulation 2016/679).

In the case at hand, therefore, according to the Italian Privacy Guarantor, any website that uses Google Analytics - given the absence of guarantees provided by the European legislation - violates the legislation on the protection of personal data through the collection, by means of cookies, of information on users' interactions with the aforementioned site, as well as with individual pages and the services offered.

The findings, in fact, revealed that the use of Google Analytics involves the transfer of personal data to Google LLC, based in the United States, and therefore violates GDPR Regulation 2016/679. The transfer of such data takes place to a country that does not guarantee an adequate level of protection, from which it follows that it must be carried out only in the cases and under the conditions provided by Chapter V of the aforementioned Regulation.

The data collected by Google Analytics

The service offered by Google LLC collects elements such as: unique online data that allow both the identification of the user's browser or device, and of the operator of the site itself; address, website name and navigation data; IP address of the device used by the user; information related to the browser, operating system, screen resolution, selected language, as well as the date and time of the visit to the website.

The Guarantor dwells on one piece of data in particular, namely, the IP address of the device used by the user, which «constitutes personal data insofar as it allows for the identification of an electronic communication device, thus indirectly making the person concerned identifiable as a user».

In the same sense, Recital 30 of GDPR Regulation 2016/679 reiterates that: «individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This can leave traces which, in particular, when combined with unique identifiers and other information received by servers, can be used to create profiles of individuals and identify them».

The data collected by Google Analytics, in particular IP addresses, therefore qualify as personal data, since they allow the identification of a user, and are therefore subject to the protection of GDPR Regulation 2016/679.

The ineffectiveness of the "IP-Anonymization" service

The use of Google Analytics, according to the Guarantor's exposition, would violate data protection regulations even if the site operator used the "IP-Anonymization" service.

Google, in particular, provides users with the ability to choose the "IP-Anonymization" option, which involves sending Google Analytics the user's IP address after obscuring the least significant octet. This service, however, as the Guarantor itself states, «in fact consists of a pseudonymization of the data related to the user's network address, since the truncation of the last octet does not prevent Google LLC from re-identifying the same user, taking into account the overall information held by it regarding web users».

Moreover, Google itself is able, if you are logged in to your Google profile, to associate your IP address with additional information already in its possession. Despite the activation of "IP-Anonymization", therefore, the system still allows the user to be identified.
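The pseudonymization point above, shown as an added example that is not part of the original article or of the Guarantor's decision: it masks the last octet of each IPv4 address and then counts how many users still have a record that no other user shares once the browser, operating system, screen resolution and language fields the article lists are kept alongside it. The hit records, user labels and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def mask_last_octet(ip: str) -> str:
    """Zero the least significant octet of an IPv4 address (IPv4 only)."""
    value = int(ipaddress.IPv4Address(ip)) & 0xFFFFFF00
    return str(ipaddress.IPv4Address(value))

# Constructed sample hits (documentation address ranges). "user" is ground
# truth kept only to measure the result; the analytics side never sees it.
HITS = [
    {"user": "u1", "ip": "203.0.113.10", "browser": "Firefox", "os": "Linux",
     "screen": "1920x1080", "lang": "it-IT"},
    {"user": "u2", "ip": "203.0.113.57", "browser": "Chrome", "os": "Windows",
     "screen": "1920x1080", "lang": "it-IT"},
    {"user": "u3", "ip": "203.0.113.200", "browser": "Chrome", "os": "Windows",
     "screen": "1366x768", "lang": "it-IT"},
    {"user": "u4", "ip": "203.0.113.201", "browser": "Chrome", "os": "Windows",
     "screen": "1366x768", "lang": "it-IT"},
    {"user": "u5", "ip": "198.51.100.4", "browser": "Safari", "os": "macOS",
     "screen": "2560x1440", "lang": "en-GB"},
    {"user": "u6", "ip": "198.51.100.77", "browser": "Chrome", "os": "Android",
     "screen": "412x915", "lang": "it-IT"},
]

# Fields the article lists as collected together with the IP address.
EXTRA_FIELDS = ("browser", "os", "screen", "lang")

def singled_out(hits, fields):
    """Return users whose masked-IP record (plus `fields`) matches no other user."""
    groups = defaultdict(set)
    for hit in hits:
        key = (mask_last_octet(hit["ip"]),) + tuple(hit[f] for f in fields)
        groups[key].add(hit["user"])
    return sorted(u for users in groups.values() if len(users) == 1 for u in users)

if __name__ == "__main__":
    print("masked IP only:      ", singled_out(HITS, ()))
    print("masked IP + metadata:", singled_out(HITS, EXTRA_FIELDS))
```

With the masked address alone every user in this sample hides among others in the same /24; adding the accompanying fields leaves four of the six users with a record unique to them, which is why the truncation behaves as pseudonymization rather than anonymization.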

Concluding remarks

In the June 23 order, the Garante admonished Caffeina Media srl, obliging it to comply with the GDPR within ninety days, under penalty of suspending data flows made through Google Analytics to the United States. In conclusion, any transfer of personal data made through Google Analytics to the United States is illicit.

Although it is not yet clear what will happen as a result of these announcements, it is clear that new measures will be taken to protect personal data and its transfer to third countries.

At the moment, the Authority has invited data controllers, data processors and/or other recipients in third countries and/or international organizations to verify that the way cookies and other tracking tools are used on their websites, with particular attention to Google Analytics and other similar services, complies with the legislation on the protection of personal data.
