Last week, the French data watchdog—Commission Nationale de l’informatique et des libertés (CNIL)—ordered three French websites to stop using audience analytics site Google Analytics, deeming the site to be illegal under the General Data Protection Regulation.
The websites have 30 days to comply or risk hefty fines up to €20 million, or 4% of the annual turnover.
The warning came after the French watchdog received several complaints concerning data transfer between the U.S. and European Union by the European Center for Digital Rights (NOYB) in 2020, a nonprofit chaired by privacy activist Max Schrems. NYOB sent these complaints to several regional Data Protection Authorities (DPAs), including the Austrian and French DPAs. The French watchdog has been contacted for a response.
“About half the complaints target the use of Google Analytics, the other half target the use of Facebook Connect,” said Gabriela Zanfir-Fortuna, vp for global privacy at the Future of Privacy Forum, a nonprofit organization that provides privacy protection solutions.
Countless sites rely on Google Analytics to learn more about their audience. As privacy laws tighten, especially in Europe, and a solid framework for transatlantic data flow is still being thrashed out, the number of services flouting GDPR will come to light. The concern, in a global economy, is a future with separate products for the EU and the U.S.
Per the 2016 guidelines by the European Data Protection Supervisor (EDPS), “tracking cookies, such as the Stripe and Google Analytics cookies, are considered personal data, even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection.”
This means that companies based in Europe using Google Analytics—which reads cookies that are dropped on peoples’ browsers when they visit a site to gauge whether they are a new or returning user—were shipping people’s personal information to the U.S.
