Attribution 18 min read

Are Your Web Analytics Illegal?

By QueryClick 13 April, 2022

On first review, a webinar on ‘whether your analytics are illegal’ might sound like a dry topic.

But the reality is that there has been a huge amount of discourse over the last week relating to this. And, here at QueryClick, it’s proving to be something of a hot topic amongst both our audience and our customer base.

Which is perhaps not surprising, as it is an issue that goes right to the heart of your chosen approach to attribution – and whether or not it sits on the right side of the law from a data gathering and processing perspective.

This was also clearly reflected in our poll on the webinar where are an ‘eye-opening’ 83% of respondents indicated that they weren’t confident their web analytics are GDPR compliant!

With this in mind we put together a short webinar session run by Chris Liversidge, our CEO at QueryClick to:

  • share the current state of play on the rulings
  • discuss some of the measurement concerns and opportunities the ruling presents for us as marketers
  • clarify the risk involved and touch on quite sensitive components like GDPR compliance within EU regulation

In this blog, we give an overview of the webinar itself which is also available to watch here.

Google Analytics: What’s the latest news around legality?

It is no understatement to say that the legality of digital measurement is very much up in the air at the moment.

In fact, on 25th March, we saw the US and EU announce a third attempt at agreeing a transatlantic data sharing agreement.

Now, those of you who’ve been quite close to the topic of data compliance in the EU – and how that relates to using analytics packages that interact with the US – will know:

  • the first attempt at this transatlantic agreement was the ‘safe Harbour’ agreement which was designed to ensure that data transfers between the EU and US complied with European data directives
  • that was then refined and followed up by what became termed the Privacy Shield agreement which was aimed at allowing US businesses, or EU companies working with US companies to adequately meet the data protection and transfer requirements of GDPR
  • and this most recent announcement – made literally last Friday – doesn’t yet have a name associated with it. And actually, it’s still very light on detail as an agreement – as it was simply announced by President Biden

So, clearly, there’s a little bit more that has to happen before we can get some understanding of what, if anything fundamental, has changed in this transatlantic sharing agreement.

Now, we’ll go into a little bit of detail about what is important to change for that agreement to not be found illegal. As both previous approaches – Privacy Shield and safe harbour – have been found to be inadequate.

The key figure involved in this, who we’ll come back to, is Max Schrems. He is a privacy advocate who has had key court cases passed which are really the foundation stone of questions about privacy. And respecting data privacy and rights of European and UK individuals in particular.

So, what can we say about the state of play right now? Given we know that there is a new agreement, but we don’t know much about the exact detail of that.

Let’s look at why the existing agreements have been found illegal, and what the actual detail is around that:

  • Helpfully Google themselves put out a recent webinar two weeks ago, discussing the recent finding in France, that Google Analytics – as it currently exists – is illegal under data compliance laws in the EU. You can listen to the detail here.
  • This follows on from a previous finding in Austria. Both of which are founded on something called the Schrems II legal finding which we will look at in a bit more detail. What’s relevant though, as it stands today, is that the Data Protection Authority has ruled that in its current state, Google Analytics is illegal from a GDPR compliance basis.
  • GDPR, is a European initiative and here in the UK, GDPR has been incorporated into the UK GDPR. And there are two types of GDPR, essentially, as a result of that. However, as they are both integrated it is illegal in both the UK and Europe to use Google Analytics as it stands.

So, what is it that is illegal, or is being found to be illegal by the European Court of Justice – and by the advocates following on from the Schrems II ruling?

What does Google Analytics being ruled illegal mean – and what is Schrems II?

In 2020, Max Schrems’ case was brought and issued to the Court of Justice in Europe.

It found that the Privacy Shield framework, so the second agreement on the topic, does not provide safeguards for data sharing to US data centres. And therefore, is not compliant with GDPR as it stands.

So, in effect, that is the crucial point here – where customer data becomes accessible. In the US, it is not possible for the analytics provider to guarantee that that data will not be accessed by authorities in the US. And, as a result of that, it is therefore illegal – or not compliant – under the GDPR regulation.

That is really the point at issue. And that is the area where identifying some detail about any new agreement will help us understand if it is likely to also be found illegal. As the previous two agreements have been.

What is Google’s response to the ruling?

So, Google did respond to the finding in France that Google Analytics is illegal. Here are the main threads of the fall-out from that.

GA/Universal and GA360 will remain illegal

Google has decided to take a look at how it can become compliant and remove the data sharing aspect of Google Analytics, but only in its GA4 product. So, both GA/Google Universal and GA360 are impacted.

It’s worth clarifying at this point, that there are two kinds of key infrastructures that Google uses for analytics.

  • GA/Google Universal – the existing fairly well established, widely used Google Analytics or Google Universal (as they renamed it) which exists in its free form
  • GA 360 – its paid GA360 form of the above

The main difference between those two being that the free version does not include some of the advanced features of GA360. And also uses significant sampling – which means that, typically, it’s only about 14% or less of your actual data that’s being used to generate your reports (on the free version).

So, Google has gone on record to say it is not going to try and change the architecture of Universal. So that means that both GA360 and the free version of Google Analytics will remain illegal – as it stands under GDPR compliance – for any European or UK business.

Google is committing to making GA4 compliant

Instead, what Google is going to do is – in the next month or so (and they haven’t committed beyond that to a date) – they intend to release functionality to enable you to select European data centres to be the only store of data for your GA4 deployment, if you’re already using that. So that would make the use of GA4 legal under the current understanding of GDPR and the Schrems II lawsuit.

So, there is a period of time, between now and the end of May when, regardless of whether you are using GA or universal, you will be illegal as currently defined by GDPR.

Although it’s probably unlikely that there will be significant legal action taken given the announcement on Friday. Until, at least, the shape of any new data sharing agreement becomes clearer.

Google acknowledges it cannot unify data

The other thing that really came out of Google’s announcement, reacting to GA being found to be illegal, is an acknowledgment that GA4 will be the only way that they are going to allow analytics going forward.

So earlier in the month, Google announced that it was sunsetting the Universal Analytics version of GA. In June 2023, Google will switch off that existing version of Universal Analytics, which we know has been a real workhorse for many of us in providing analytics detail over the years.

It has a lot of excellent prebuilt reporting, which everyone’s very familiar with. But it has some fundamental challenges. And not least of which are an inability to join any meaningful social activity that you might be undertaking using Facebook or TikTok or other data silos. It is also heavily dependent on requiring a cookie or an ID to unify sessions in any meaningful way.

The real difference between Universal Analytics and GA4 is that GA4 uses something called an event stream architecture.

So, it’s been built around a product that Google acquired called Google Firebase, principally used initially for App Tracking. And that is a very robust, granular architecture to use an event stream architecture. But GA4 also suffers from the same challenge that the Universal Analytics product has, of not being able to unify sessions where there isn’t an ID for it to join onto.

It does attempt to use something called Google Signals. Which is essentially if you are logged into a Google account, on a particular device that’s being tracked, Google will use that almost as another cookie.

To join your ID into the session that’s being recorded. However, we haven’t seen many results from that ourselves to make much of a difference between just a pure cookie-based approach.

GA4 is not going to provide audiences for remarketing

There was another pretty major announcement made last week by Google on this topic in their webinar series, where they indicated that GA4 is not going to provide audiences that can be used for Google Ads remarketing.

There has been a lot of discussion about GA4 and its ability to replace Universal Analytics. Because it is a different architecture, it does not come out of the box with the kind of reports that we’re all used to. It requires significant configuration efforts to track events that Universal Analytics would attract out of the box.

There is also no data portability between Universal Analytics and GA4.

So today, there is a significant challenge for all of us as marketers if we are relying on Universal Analytics.

If you want to have things like year-on-year reporting, you need to make sure that you are on top of either your GA4 deployment or another analytics solution today. To take advantage of a smooth transition from that sunset date.

So that is problematic. More problematic, however, is the fact that there will no longer be an option for building remarketing lists from GA4 audiences.

Retargeting is often a high performing part of the mix for many marketers, because it targets people who are already quite a long way down the consideration path as audiences. And the reality is that losing that will likely have a very significant impact on our ability to deliver ROAS.

And, so, I think it’s worth considering how you can build strategies that are not reliant on retargeting going forwards.

This section is a lot to take in, so in the interest of a short summary at this point:

  • July 1 2023, Google is sunsetting Universal Analytics – the old workhorse of its analytic products
  • That will remain illegal until that point, under GDPR, as it stands right now.
  • Google is attempting to make GA4 legal by preventing data being moved across to the US and they plan to try and release that next month. So, we’ll need to stay close to that to see if that does occur
  • GA4 will not provide audiences for remarketing

Can I really unify analytics and remain GDPR compliant today?

This is the million-dollar question on the back of the analysis above.

As it stands, Google Analytics is not compliant, it has been found to be illegal. And so therefore there is existential risk for anyone using GA in their analytics stack. So, the simple answer to ‘is there an alternative?’ Is quite simply ‘yes’.

At QueryClick, we have spent eight years developing quite a significant piece of technology in our Corvidae product which is completely compliant from a GDPR perspective (in fact, we are actually compliant for deployment in banking environment, and so on).

With extremely rigorous controls in place, not least on retaining the data within the EU where it’s relevant. But also in the anonymity of the data that’s being processed by the system.

Without going into the technical detail too much. By moving away from requiring an ID to stitch sessions together – which is what cookies and Google signals is for. And using AI to model the probability that a session is a continuation of a previous session, we can deliver significantly higher performance. So, as you can see below from a live client result from nearly eight years ago. At that point, we were able to get above 85% accuracy in terms of attribution, using AI instead of cookie-based systems.

That’s now up at 95%+ accuracy for our Corvidae platform using some new AI that we have developed in partnership with the leading Data Science University facility in EMEA.

Compliance is an important part of the mix for all customers. And compliance does not mean that you should settle for a substandard or somehow second-rate measurement system. AI essentially allows compliant collection and 95%+ accuracy in your analytics. So a huge improvement on GA that’s delivering only 20% accuracy using a cookie-based system.

And moving to 95% accuracy, immediately opens up some avenues for better optimisation strategies.

Stay up to date on developments

We hope you found our ‘state of play’ assessment useful. Don’t forget that the full webinar is available to watch again here and keep up to date with all upcoming events on our website.

Identify wasted spend with our ROI calculator

Own your marketing data & simplify your tech stack.

Have you read?

See all articles
QueryClick

An Introduction to CRO

How do we drive our users to perform the most desired action online? With CRO, we dive into the personas that interact with your site and mesh that with site...