EU websites using Google Analytics and Facebook are being targeted by European privacy group noyb after the invalidation of the Privacy Shield. They filed a complaint against 101 websites for continuing to send data to the US.
The Privacy Shield previously allowed for EU data to be transferred to the US. However, this was invalidated by the Court of Justice of the European Union (CJEU) on July 16, 2020. The CJEU deemed it illegal for any websites to transfer the personal data of European citizens to the US.
They also made it clear in a press release that “data subjects can claim compensation for inadmissible data exports (marginal no. 143 of the judgment). This should in particular include non-material damage (‘compensation for pain and suffering’) and must be of a deterrent amount under European law.” This puts extra financial pressure on websites to take the new ruling seriously.
Immediate action is required after Google Privacy Shield invalidation
As the ruling is effective immediately, there’s a pressing need for websites using Google Analytics to act, or face getting fined.
What does this mean for you?
If you’re using Google Analytics, the safest bet is to stop using it immediately.
If you still need to use it, then you’ll need to inform your visitors via a clear consent screen. This banner needs to make clear their personal data will be sent to the US, and to educate them about any potential risk related to this. They will then need to explicitly agree to this.
Another downside of cookie consent screens is that you may also suffer a damaging loss of visitors. After implementing cookie consent best practices, the UK’s data regulator the Information Commissioner’s Office (ICO) found a 90% drop in traffic, “implying a ninety percent drop in opt-in rates.”
With acceptance rates for such consent screens lower than 10%, your analytics becomes guesswork rather than science.
Looking for a privacy-respecting alternative to Google Analytics?
Privacy-compliant Matomo Analytics is one of the best Google Analytics alternatives available.
With Matomo you’re able to continue using analytics without facing the wrath of both the GDPR and the CJEU. Matomo On-Premise lets you choose where your data is stored, so you can ensure no data is processed in the US. Matomo Cloud servers are in Europe so you’re covered and compliant under GDPR.
Matomo is privacy-friendly and can be tweaked to comply with all privacy laws, including the GDPR, HIPAA, CCPA and PECR. The benefits of this include not needing to use tracking or cookie consent screens (like with GA) and avoiding fines because no personal data is collected. You also get 100% accurate data and the ability to protect your users’ privacy.