EU websites using Google Analytics and Facebook are being targeted by European privacy group noyb after the invalidation of the Privacy Shield. They filed a complaint against 101 websites for continuing to send data to the US.
“A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) - despite both companies clearly falling under US surveillance laws, such as FISA 702. Neither Facebook nor Google seem to have a legal basis for the data transfers.”
noyb website
The Privacy Shield previously allowed for EU data to be transferred to the US. However, this was invalidated by the Court of Justice of the European Union (CJEU) on July 16, 2020. The CJEU deemed it illegal for any websites to transfer the personal data of European citizens to the US.
They also made it clear in a press release that « data subjects can claim compensation for inadmissible data exports (marginal no. 143 of the judgment). This should in particular include non-material damage (“compensation for pain and suffering”) and must be of a deterrent amount under European law. » This puts extra financial pressure on websites to take the new ruling seriously.
Immediate action is required after Google Privacy Shield invalidation
The Berlin Commissioner for Data Protection and Freedom of Information therefore calls on all those responsible under its supervision to observe the decision of the ECJ [CJEU]. Those responsible who transfer personal data to the USA - especially when using cloud services - are now required to immediately switch to service providers in the European Union or in a country with an adequate level of data protection.
The Berlin Commissioner for Data Protection and Freedom of Information
As the ruling is effective immediately, there’s a pressing need for websites using Google Analytics to act, or face getting fined.
What does this mean for you?
If you’re using Google Analytics, the safest bet is to stop using it immediately and start using an alternative like Matomo.
Check out our live online Matomo demo and start your free 21-day trial now.
"Neither Google Analytics nor Facebook Connect are necessary for the operation of these websites and could therefore have been replaced or at least deactivated in the meantime."
Max Schrems, Honorary Chairman of noyb
If you still need to use it, then you’ll need to inform your visitors via a clear consent screen. This banner needs to make clear that their personal data will be sent to the US, and to educate them about any potential risks related to this. They will then need to explicitly agree to this.
Another downside of cookie consent screens is that you may also suffer a damaging loss of visitors. After implementing cookie consent best practices, the UK’s data regulator, the Information Commissioner’s Office (ICO), found a 90% drop in traffic, “implying a ninety percent drop in opt-in rates.”
With the acceptance rate for such consent screens lower than 10%, your analytics becomes guesswork rather than science.
Looking for a privacy-respecting alternative to Google Analytics?
Privacy compliant Matomo Analytics is one of the best Google Analytics alternatives available.
With Matomo you’re able to continue using analytics without facing the wrath of both the GDPR and the CJEU. Matomo On-Premise lets you choose where your data is stored, so you can ensure no data is processed in the US.
Matomo is privacy-friendly and can be tweaked to comply with all privacy laws, including the GDPR, HIPAA, CCPA and PECR. The benefits of this include not needing to use tracking or cookie consent screens (like with GA) and avoiding fines because no personal data is collected. You also get 100% accurate data and the ability to protect your users’ privacy.
Try our live demo or start a free 21-day trial now – no credit card required.