Google Analytics – Shared Responsibility

von Andreas Ofner

As one of the most widely used tools for website operators, extensive statistical evaluations of website usage can be carried out with Google Analytics.

For this reason, the German data protection supervisory authorities saw themselves prompted at the data protection conference on May 12, 2020 to resolve and publish new information on the use of Google Analytics.

The ongoing adaptation of Google Analytics by Google expanded the tool for statistical analysis (range measurement) with a multitude of other functions with which website operators can pursue various purposes.

Due to this fact, the processing in connection with Google Analytics is no longer classified as order processing according to Art. 28 GDPR. Many purposes and means of data processing when using Google Analytics are now exclusively specified by Google on its own responsibility and contractually accepted by the site operator. The principle of order processing is therefore no longer given, since according to Article 4 No. 7 i. V. m. Art. 28 para. 10 GDPR, the person responsible has to determine the purposes and means of processing himself.

Google continues to offer an order processing contract, but also points out the separate responsibility for certain processing processes in the “Google Measurement Controller-Controller Data Protection Terms”. In addition, Google makes it clear in the terms of use that Google processes the data for its own purposes, in particular for the purpose of providing its web analysis and tracking service. According to Article 28 (10) GDPR, Google is no longer a processor.

The use of Google Analytics in its entirety can therefore no longer be separated into the roles of processor and / or person responsible.

According to the assessment of the data protection conference and taking into account the current case law of the European Court of Justice, Google and the Google Analytics users are jointly responsible for data processing, so that the requirements of Art. 26 GDPR must be observed.

Was the use of Google Analytics so far based on the legal basis of a legitimate interest according to Art. 6 Para. 1 lit. f) GDPR, this legal basis is no longer tenable due to the further development of this tool. The user does not have to reasonably expect that his personal data will be passed on to third parties and comprehensively evaluated with the aim of creating personal advertising and linking it with the personal data obtained from other contexts. This processing differs considerably from the function of a pure statistical evaluation on your own website. In view of the specific data processing steps when using Google Analytics, the interests, fundamental rights and freedoms of the users regularly outweigh the interests of the website operator.

As a result, after the decision of the data protection conference, further use of Google Analytics is usually only legal with the effective consent of the website visitor in accordance with. Art. 6 para. 1 lit. a), Art. 7 GDPR possible.

Consent is only effective if the requirements according to Art. 4 No. 11, Art. 7 GDPR and possibly Art. 8 GDPR are fulfilled. This means in particular:

Website operators must ensure that the consent records the specific processing activity through the integration of Google Analytics and the associated transmission of user behavior to Google LLC.

The consent must describe clearly, clearly and in an easily understandable way that the data processing is essentially carried out by Google, the data is not anonymous, which data is processed and that Google uses it for any of its own purposes such as profiling and with other data such as any Linked to Google accounts. A trivial clue, such as “This site uses cookies to improve your surfing experience” or “uses cookies for web analysis and advertising measures” is not sufficient, but misleading because the associated processing is not made transparent.

Users must actively consent, i.e. the consent must not be imputed and preset without any action on the part of the user. An opt-out procedure is not sufficient; rather, the user must express his consent by actively doing (e.g. clicking a button). Google must be explicitly listed as the recipient of the data. Before the active consent of the user, no data may be collected or elements from Google websites may be reloaded. The mere use of a website (or an app) does not constitute effective consent.

Consent is only voluntary if the person concerned has options and a free choice. It must also be able to refuse consent without suffering any disadvantages. The coupling of a contractual service to the consent to data processing that is not required for the performance of the contract can, in accordance with Art. 7 Para. 4 GDPR, result in the consent not being voluntary and thus ineffective.

Pay attention to the following design guidelines in order to implement the requirements for effective consent:

  • Use headings that clearly state the scope of the decision, such as B. “Data processing of your user data by Google”.
  • Describe links clearly and unambiguously. Access to the legal notice and data protection declaration must not be prevented or restricted.
  • Make the subject of consent clear. Users of Google Analytics must make it clear for what purpose Google Analytics is used, that the usage data is processed by Google LLC, this data is stored in the USA, both Google and government authorities have access to this data, this data with other data of the user such as the search history, personal accounts, the usage data of other devices and all other data that Google has about this user
  • Enable a simple and always accessible mechanism (e.g. button) to revoke the consent given by the user. Google does provide a browser add-on to deactivate Google Analytics, but this is not a sufficient option for revocation.
  • In accordance with your information obligation under Art. 13 GDPR, inform the users of your website comprehensively about the processing of personal data through the use of Google Analytics.
  • Continue to have IP addresses shortened. For this purpose, the tracking code must be supplemented with the “_anonymizeIp” function on every website with a Google Analytics integration.

    We are happy to support you with the necessary changes. We are also happy to check your entire website or online shop for GDPR compliance. Simply contact us using our contact form or call us at 08505 – 91927-0.

assets/images/6/Andreas-Ofner-1024x695-1-5798bff9.jpg
Andreas Ofner

Unser Spezialist im Bereich Datenschutz: „Als TÜV zertifizierter Datenschutzbeauftragter + Datenschutzauditor bringe ich Erfahrungen aus den Bereichen IT, Datenschutz, Betriebsrat und Konzernentwicklung – auch im internationalen Umfeld – mit.“ Seit 2016 ist der ausgebildete Meister in Energieanlagenelektronik und Technische Betriebswirt, im Team der aigner business solutions GmbH.