This article details the recent regulatory changes impacting cross-Atlantic data transfers and highlights the challenges marketers are facing. We’ll also demonstrate why you should look for an EU-based web analytics solution and outline the steps you need to take to ensure fully compliant analytics.

The current state of data transfers between the EU and the US

The transfer of personal data between the EU and the US has been disputed for years, primarily due to fundamental differences in privacy laws. The EU’s General Data Protection Regulation (GDPR) enforces strict individual rights and control over personal data. The US, however, operates with more fragmented privacy laws, and intelligence agencies have broad data access powers under legislation such as the Foreign Intelligence Surveillance Act (FISA 702).

These concerns have triggered major legal challenges, including the Schrems I and Schrems II cases, invalidating previous data transfer frameworks (Safe Harbor and Privacy Shield). The core issue is that these frameworks failed to adequately protect EU citizens’ data against US government surveillance.

Recent political developments 

Recent developments in the US political landscape and European regulatory actions have intensified the situation, with significant implications for businesses, regulators, and transatlantic relations. Donald Trump’s return to the US presidency is a major source of uncertainty. 

Situation in the United States

Early in his new term, Trump questioned the Biden-era executive orders that underpin the Transatlantic Data Privacy Framework (DPF), adopted in July 2023. It introduced three key elements:

• Data Protection Review Court (DPRC): An independent redress body allowing EU individuals to challenge how US intelligence agencies handle data with binding decision-making authority.
• Executive order 14086: Signed by President Biden in October 2022, establishes proportionality and necessity requirements for US surveillance activities.
• Self-certification system: Requires US companies to publicly commit to DPF principles for streamlined transfers administered by the Department of Commerce.

Read more: Everything you need to know about the Data Privacy Framework (Privacy Shield 2.0)

However, the most destabilizing event was the loss of quorum at the US Privacy and Civil Liberties Oversight Board (PCLOB) after Trump requested the resignation of its Democratic members in January 2025. The shutdown of PLOB, a core oversight body referenced in the DPF, has intensified European doubts about the long-term viability and independence of US redress mechanisms for EU citizens. As privacy advocate Max Schrems of NOYB points out, the current oversight mechanisms “may not even stand the test of just the first days of a Tump presidency.”

European regulatory actions

In response to these developments, European Data Protection Authorities (DPAs) and governments are taking a series of regulatory and political actions, signaling a broader shift in the EU-US relationship:

• Norway: The Norwegian DPA issued a new guidance warning against EU-US data transfers, citing concerns about the legal framework’s stability and adequacy.
• Netherlands: The Dutch Parliament voted to reduce reliance on US tech companies, requiring government agencies to prioritize European cloud and data processing alternatives.
• Denmark: The Danish Ministry of Industry recommended that companies develop exit strategies from American cloud services.
• Germany: Germany’s Interior Minister stated that businesses should develop contingency plans, as the government can no longer guarantee the long-term stability of transatlantic data flow mechanisms.

These steps reflect a growing consensus in Europe that relying on US-based solutions carries increasing legal and strategic risks.

Read more about the wave of decisions by European DPAs declaring the use of Google Analytics (GA) illegal under GDPR:

• Norwegian DPA warns against EU-US data transfers – what it means for your website
• Denmark’s data protection authority says Google Analytics is illegal under GDPR
• Sweden’s data protection authority orders companies to stop using Google Analytics
• Google Analytics might soon be banned in Norway
• Is Google Analytics (3 & 4) GDPR-compliant? [Updated]

Why you need an EU-based web analytics solution

The current regulatory environment is unstable. With European authorities increasingly willing to issue immediate compliance orders, companies relying on US-based analytics tools risk sudden operational paralysis. Using non-compliant data tools risks fines of up to 4% of global revenue under GDPR. A single enforcement decision could leave marketers scrambling to replace core infrastructure overnight. 

Main challenges for marketers

As the legal landscape shifts faster than ever, marketers face new and pressing challenges. Understanding these risks is the first step toward securing your data strategy.

Campaign interruptions that devastate performance metrics

Regulatory actions often come without warning. In past cases, enforcement orders have immediately suspended marketing tools tied to unlawful data transfers. For marketers, this means pausing campaigns mid-flight, cutting off personalization, and creating reporting gaps that impede optimization.

Analytics blackouts that force blind decision-making

Turning off third-party analytics due to compliance concerns means you’re flying blind. You lose the ability to segment audiences, evaluate creative performance, or justify spend allocation. Many brands using tools like GA or Meta Ads have already reported shifting to temporary EU-hosted or server-side alternatives that may offer reduced capabilities and slower insights.

Attribution failures that cut down your budget

Attribution is how marketers defend their budgets. However, trust in the numbers declines when tracking breaks due to deactivation, missing consent, or blocked data transfers. Without complete visibility into multi-channel performance, marketing ROI becomes harder to prove, and budget reductions follow.

Wasted ad spend that drains resources

Without real-time feedback, marketers overinvest in underperforming ads and can’t scale what’s working. This has been a common pain point for brands forced to migrate analytics setups under pressure, often leading to weeks of reduced optimization and reactive decisions.

Personalization gaps that stall conversions

With consent under scrutiny and restricted data flows, many marketers are forced to revert to generic messaging strategies. When you lose the ability to personalize content by behavior, preferences, or segments, conversion can be significantly lower. 

Competitive disadvantage that costs market share

As some companies scramble to react to policy changes, others with EU-hosted analytics and consent-first marketing stacks gain a competitive advantage. Even short periods of interrupted optimization can create lasting performance gaps.

Key features to look for in your next analytics platform

Selecting an analytics platform that is future-proof and fully compliant with European standards is essential. As 78% of EU users say they would abandon brands that mishandle data, proactively adopting compliant solutions signals responsibility and builds loyalty. Here is the list of the most important features you should seek:

Full data residency and processing within the EU/EEA

Ensure all user data is collected, processed, and stored exclusively within the EU or EEA to avoid legal uncertainties related to international data transfers.

Compliance with GDPR and upcoming regulations (Data Act, DORA)

Your analytics provider should meet current GDPR requirements and be prepared for new EU regulations like the Data Act and DORA to demonstrate a commitment to ongoing compliance.

Transparent data governance and security certifications (ISO 27001, SOC2)

Look for platforms with recognized security certifications, such as ISO 27001 or SOC2, demonstrating robust data governance, risk management, and security practices.

Compliant consent management and automation of data subject rights

The analytics platform should offer built-in tools for managing user consent, automating responses to data subject requests, and documenting compliance actions.

Flexibility to integrate with other marketing tools

Choose analytics platforms that connect easily with your existing marketing stack, CRM, and advertising tools to streamline tracking and boost campaign performance.

User-friendly interface with customizable dashboards

An intuitive, customizable dashboard empowers your team to access insights quickly and tailor reports to specific business needs.

Support for anonymization and pseudonymization of personal data

Select an analytics platform that offers strong anonymization and pseudonymization features, such as IP masking and cookieless tracking, to reduce compliance risks.

Clear data export and deletion options

Your next analytics platform should provide straightforward options for exporting, deleting, and modifying user data to fulfill the GDPR’s rights to data portability and to be forgotten.

Leading EU-based analytics alternatives

Finding alternatives to US-based analytics platforms that carry EU-US data transfer risks is not an easy task. Find below a list of providers that offer varying combinations of compliance protection, marketing optimization, and operational integration.

Piwik PRO Analytics Suite

Piwik PRO Analytics Suite is a comprehensive EU-based analytics platform designed to ensure full compliance with data protection laws while delivering powerful marketing insights. It offers flexible hosting options across multiple EU countries, supports both event-based tracking and session-level aggregation, and enables advanced user behavior analysis with features like funnels and user flows.

Plausible

Plausible is a lightweight, privacy-focused analytics tool fully hosted in the EU. As it doesn’t use cookies or collect personal data, you don’t need to include it in your website consent banner or cookie policy. It’s an open-source and GDPR-compliant solution that offers transparent and minimalistic analytics.

Simple Analytics

Simple Analytics is a Dutch provider that processes and stores all data within the EU, ensuring full GDPR compliance. It does not use cookies or track personal data, so you don’t need to include it in your website consent banner or cookie policy. The platform delivers easy-to-understand reports, suitable for companies that need simple, privacy-respecting insights.

Statcounter

Statcounter is an open-source, self-hosted analytics tool designed for EU-based organizations. It collects no personal data and uses no cookies, ensuring GDPR compliance and a privacy focus. The platform only provides essential website metrics, making it basic, privacy-first analytics.

	Country	Analytics capabilities	Free version	Privacy friendliness
Piwik PRO	Poland
Plausible	Estonia
Simple Analytics	Netherlands
Statcounter	Ireland

Visit our pricing page for more details about the available plans.

Piwik PRO Analytics Suite – the ideal EU-based web analytics platform for marketers

Transitioning to Piwik PRO ensures you meet stringent data protection requirements and maintain or even enhance your analytical capabilities. These key features prove it is the best choice for compliant, EU-based web analytics.

Simplified privacy compliance

Piwik PRO enables you to collect data in a manner that is fully compliant with privacy laws, including GDPR, HIPAA, CCPA, and TTDSG. Privacy settings embedded directly in the user interface make managing compliance intuitive and straightforward.

Complete EU data sovereignty

It offers hosting across multiple EU countries, guaranteeing data residency and complete control over where your data is stored. Such options help you adhere to local data residency requirements, minimizing transfer risks.

Data residency and sovereignty

Piwik PRO allows you to choose data storage locations, ensuring compliance with local data residency requirements.

Advanced analytics with familiar concepts

Piwik PRO supports both event-based tracking and session-level aggregation, allowing marketers to analyze user behavior with advanced reports such as funnels and user flows. 

Also, to avoid chaos with your data, you can implement Piwik PRO alongside your existing Google Analytics setup. This will ensure continuity in your reporting when the EU-US DTF is invalidated as well as the safety of your data in case of any further changes in European or US privacy laws. 

Seamless migration and setup

Implement Piwik PRO with a single tracking tag and start analyzing data in under an hour. The platform follows a familiar logic for those transitioning from Universal Analytics or GA4.

Well-integrated product suite

Benefit from an advanced analytics ecosystem that includes a Customer Data Platform, a Tag Manager, a Consent Manager, and multiple integration options for better data activation and personalization.

The strong connection between analytics and consent management

EU-based consent management is equally important when implementing an EU-based analytics platform. Proper analytics becomes meaningless if your consent management platform still transfers data to the US. The solution is simple: pair your EU-based analytics with EU-based consent management to create a compliant and fully protected marketing intelligence system.

Cookie Information, headquartered in Copenhagen with a few data centers across the EU, has established itself as the marketer’s first choice when both compliance protection and performance optimization are priorities. 

As an EU-based consent management platform, Cookie Information benefits your marketing operations in at least 5 ways:

• Industry-leading consent optimization technology.
• Proprietary cookie scanning engine that automatically identifies and categorizes all marketing technologies, including those commonly missed by basic scanners.
• A strong consent record and export system designed to satisfy inquiries by data protection authorities (DPAs) about marketing data flows.
• Seamless integration with all major CMSs such as Shopify, Drupal, and WordPress, as well as advertising and analytics platforms like Google Tag Manager and Piwik PRO.
• Multi-language cookie consent banners for a localized website experience.

Conclusion: How to protect marketing performance and compliance when the future is uncertain

With international politics potentially reducing your ROI, acting proactively to protect your marketing operations is crucial. 

Start with a comprehensive audit of your marketing technology, focusing on EU-US data transfers and compliance mechanisms. Next, you should deploy EU-based analytics tools to replace the ones sending data to the US, ensuring both compliance and uninterrupted marketing insights. Review advertising platform data flows to implement EU data residency options where possible. 

As with your remaining marketing stack you should implement an EU-based consent management solution that optimizes consent rates and integrates easily with your existing setup. Finally, make sure to showcase your privacy-first approach to marketing – positioning your brand as the privacy leader in your niche – to build consumer trust.

A risk-free decision is implementing an European analytics solution like Piwik PRO alongside your current US-based analytics tools. With free options available, this parallel approach ensures marketing continuity while building valuable historical data in a privacy-compliant environment.

By following these strategic steps, you’ll minimize regulatory risks, avoid disruptions, and secure your marketing performance in the turbulent EU privacy landscape.

The post EU-US data transfers uncertainties: How an EU-based analytics platform can improve your marketing performance appeared first on Piwik PRO.

In February 2025, Norway’s Data Protection Authority (Datatilsynet) issued new guidance on data transfers to the United States, highlighting growing concerns about the legal framework supporting these transfers – the EU-US Data Transfer Agreement. 

But why is this a matter of concern? The recent shake-up at the US Privacy and Civil Liberties Oversight Board (PCLOB) has left it unable to function properly. As a result, without a working oversight board, the US may struggle to guarantee adequate privacy protection measures – putting your data compliance at serious risk.

What are the consequences for marketers and website owners? If the EU decides to revoke the US adequacy decision, restrictions could be imposed immediately – without a transition period. That means if you’re still using Google Analytics or similar US-based services, you could suddenly find yourself/your business violating the General Data Protection Regulation (GDPR) overnight.

The key takeaways from Norway’s new guidance

“An adequacy decision will remain in force until it is revoked by the Commission. (…) if it is revoked, there will most likely not be a transition period.”

Olya Vasylyk, Digest Editor at TechGDPR

Here’s what the Norwegian DPA’s warning means for you if you’re handling EU/EEA user data:

Immediate risk for US services
The Privacy and Civil Liberties Oversight Board (PCLOB), which was meant to protect privacy rights in the US, is no longer operational. This raises red flags about the legal stability of transatlantic data transfers.

The current adequacy decision is still valid
Despite concerns over the PCLOB’s operational status, the EU-US Data Privacy Framework remains in effect – for now.

European Commission oversight
The European Commission is actively monitoring the situation and may revise or revoke the adequacy decision if significant privacy risks emerge.

Expert warnings
Privacy experts and legal advisors strongly recommend that you start planning an exit strategy now, rather than wait for new restrictions to take effect.

No grace period
If the EU withdraws the US adequacy decision, you may have no time to react, exposing you to financial fines and data disruption.

“Organizations that rely on their EU-US Data Privacy Framework (DPF) certification for transatlantic data transfers should consider developing a contingency plan to prevent potential disruption to the transfer of essential personal data.”

Mary T. Costigan of Counsel Jackson Lewis P.C.

Why data transfers between the EU and US are so controversial

The transfer of personal data between the EU and US has been a long-standing point of contention due to fundamental differences in privacy laws. The EU enforces strict privacy rights under the General Data Protection Regulation (GDPR), ensuring that individuals have control over their personal data. The US, however, has more fragmented privacy laws, with intelligence agencies having broad powers to access data under regulations like the Foreign Intelligence Surveillance Act (FISA 702).

These concerns have led to major legal battles, including the Schrems I and Schrems II cases, which invalidated previous data transfer frameworks (Safe Harbor and Privacy Shield) because they failed to offer adequate protection for EU citizens’ data. The current EU-US Data Privacy Framework (DPF) is now under scrutiny, with Norway’s DPA warning that its validity could be short-lived. If it’s overturned, businesses relying on data transfers to the US could face immediate compliance risks.

The role of the European Commission in data transfers

The European Commission is responsible for assessing whether non-EU countries offer adequate data protection.  This process results in adequacy decisions like the one granted to the US under the DPF.

However, adequacy decisions are not permanent. They can be revoked or suspended if conditions change, and the Commission is obligated to continuously monitor the legal and political landscape in countries that receive the EU data. The recent turmoil surrounding the Privacy and Civil Liberties Oversight Board (PCLOB) in the US has raised new doubts about whether the DPF can continue to meet the EU’s high data protection standards.

This means that relying solely on the DPF for legal data transfers may not be a sustainable long-term strategy for businesses. To avoid data disruption, you should explore alternative compliance measures such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or switching to EU-based solutions.

What this means for marketers and website owners

If you’re running analytics on your website, now is the time to stay alert and prepare for any scenario. We’ve seen this before in 2020 – when Privacy Shield was invalidated, several European regulators quickly cracked down on Google Analytics and other US-based services. If history repeats itself and the EU-US DPF agreement is now revoked, we could see a domino effect of similar enforcement actions, following the latest concerns raised by the Norwegian DPA.

This means that if you continue using Google Analytics or similar US-based marketing solutions that rely on data transfers – such as ad networks, email platforms, and customer data platforms (CDPs), you could soon be violating GDPR. Waiting for regulators to act could leave you scrambling at the last minute. Instead, you should take control now by switching to a privacy-compliant analytics solution such as Piwik PRO Analytics Suite.

European regulatory actions against Google Analytics

After the Schrems II ruling invalidated Privacy Shield in 2020, and before the European Commission adopted a new adequacy decision in 2023 – the EU-US Data Privacy Framework – European regulators wasted no time in taking action. Several data protection authorities (DPAs) ruled that using Google Analytics and other US-based services violated GDPR, citing concerns over inadequate safeguards against the US surveillance.

These enforcement decisions created a ripple effect, forcing European businesses to rethink their analytics strategies. Here’s a look at how different countries responded:

• Denmark: The Danish DPA (Datatilsynet) concluded that the use of Google Analytics violates the GDPR, as it involves transferring personal data to the US, which does not offer an adequate level of data protection.
• Austria: The Austrian DPA ruled that data transfers to Google in the US via Google Analytics breach Chapter V of the GDPR, due to insufficient safeguards against US surveillance.
• France: The French DPA (CNIL) determined that the use of Google Analytics is illegal under the GDPR, as it involves transferring personal data to the US without adequate protection.
• Italy: The Italian Data Protection Authority (Garante) found that the use of Google Analytics violates the GDPR, as it results in the transfer of personal data to the US, which lacks adequate data protection measures.
• Sweden: Sweden’s data protection authority (IMY) ruled that four companies had unlawfully transferred personal data to the US by using Google Analytics. The IMY stated that companies using Google Analytics fail to implement sufficient safeguards against US government surveillance, violating GDPR requirements.
• Norway: The Norwegian DPA declared that the use of Google Analytics was illegal prior to the EU-US Data Privacy Framework adequacy decision, indicating potential for future restrictions.

How you can prepare for potential data transfer disruptions

Transatlantic data flows account for more than half of Europe’s data flows and about half of US data flows globally (US Chamber). This underscores the importance of ensuring compliant and secure data transfer mechanisms between the EU and the US. To mitigate these risks and ensure continued compliance, you should take proactive steps now. Some key actions include:

1. Review contracts with US providers: Audit all agreements with analytics, marketing, and cloud service providers based in the US to understand data processing terms and compliance measures.
2. Implement Standard Contractual Clauses (SCCs): If you continue working with US providers, ensure that SCCs are in place to provide additional legal safeguards for cross-border data transfers.
3. Assess alternative digital marketing tools: Consider migrating to EU-based analytics and marketing solutions that operate within GDPR-compliant frameworks and offer full data residency options.
4. Monitor regulatory developments: Stay updated on changes to data transfer regulations, including potential shifts in the EU-US Data Privacy Framework and rulings from other European DPAs.
5. Enhance data protection policies: Strengthen internal policies on data minimization, user consent management, and encryption to align with best practices in privacy compliance.

While not all of these compliance steps fall directly within the marketing department’s responsibilities, marketers play a crucial role as advocates for privacy-first strategies, by ensuring compliance protects not just user data but also the company’s reputation and ROI. By proactively championing privacy compliance, you help secure sustainable and legally sound digital marketing and analytics strategies that maintain customer trust and business continuity.

A practical approach to transitioning to GDPR-compliant analytics

Looking for a low-risk path to analytics compliance? You can implement Piwik PRO alongside your existing Google Analytics setup rather than making an immediate switch. 

This parallel tracking approach offers you several advantages. It maintains continuity in your reporting and historical data access while you explore a compliant analytics alternative. Third, running both solutions simultaneously allows your team to gradually transition at their own pace, learning the new platform while still having access to familiar tools and reports. 

This dual-solution implementation creates a safety net for your measurement strategy regardless of how regulatory decisions unfold, while building valuable historical data in a privacy-compliant European platform.

Norwegian DPA’s broader concerns beyond Google Analytics

While much of the discussion around data transfers has focused on Google Analytics, Norway’s DPA highlights a much broader issue – US companies across multiple industries process EU personal data, raising legal and compliance risks.

Many businesses use US-based services beyond analytics, including:

• Cloud providers like Amazon Web Services (AWS) and Microsoft Azure.
• Marketing platforms like HubSpot and Mailchimp.
• Customer Relationship Management (CRM) software like Salesforce.
• Ad-tech solutions that track users across websites.
• Consent management platforms (CMPs) such as OneTrust and TrustArc.

If the EU-US adequacy decision is revoked, all these services could be in legal jeopardy for businesses processing EU citizen data. Norway’s DPA encourages companies to audit their data flows now, ensuring they know where personal data is processed and whether it complies with GDPR.For businesses seeking a sustainable approach, shifting towards EU-hosted, privacy-first solutions will help ensure compliance without relying on regulatory frameworks that could change at any moment.

Piwik PRO Analytics Suite: A safe and compliant Google Analytics alternative 

Piwik PRO Analytics Suite is the best GA4 alternative for marketers who want to gain valuable and actionable analytics insights while ensuring full GDPR compliance. Here’s why:

8 reasons to replace Google Analytics 4 with Piwik PRO Analytics Suite

1. Fully GDPR-compliant: Built with privacy in mind, unlike US-based platforms that risk legal challenges.
2. Data residency and sovereignty: Piwik PRO allows you to choose data storage locations, ensuring compliance with local data residency requirements.
3. Easy privacy compliance: Collect data with full respect for privacy laws, including GDPR, HIPAA, CCPA, and TTDSG. The platform includes privacy settings directly in the UI.
4. 100% data ownership: No third-party sharing, so you retain control over all user data.
5. Advanced analytics with familiar concepts: Piwik PRO supports both event-based tracking and session-level aggregation, allowing marketers to analyze user behavior with advanced reports such as funnels and user flows.
6. More reliable data collection: Capture up to 70% more data compared to Google Analytics, all while staying privacy-compliant. Piwik PRO offers session-level data collection in anonymous profiles that align with EU regulations.
7. Painless migration & seamless setup: Implement Piwik PRO with a single tracking tag and start analyzing data in under an hour. The platform follows a familiar logic for those transitioning from Universal Analytics or GA4.
8. Well-integrated product suite: Benefit from an advanced analytics ecosystem that includes a Customer Data Platform, a Tag Manager, a Consent Manager, and multiple integration options for better data activation and personalization.

Don’t just take our word for it: hear from our customers on Piwik PRO’s benefits

Still unsure if Piwik PRO is the right choice to confidently replace Google Analytics? See what the experts have to say about the advantages of switching to Piwik PRO for a privacy-compliant, powerful analytics solution:

Success Story

ICTRecht finds a privacy-focused analytics partner and valuable marketing insights in Piwik PRO

There has been a lot of discussion surrounding the legality of Google Analytics in Europe due to data transfers from the EU to the US. We didn’t want to wait for developments, nor did we want to stay in the gray area of legality. So we started looking around for alternatives. A partner organization had recently switched to Piwik PRO and put us in touch.

Emke de Vries

Online Marketer at ICTRecht

Success Story

DKMS optimizes online campaigns and donor registration funnels with GDPR-compliant analytics

It became pretty clear at that time that we needed to step away from Google Analytics, because of GDPR and the invalidation of the Privacy Shield framework. We realized we had to replace it with a European, privacy-compliant platform and implement a consent manager to respect the rights of our visitors.

Kay Beutling

Digital Project Manager at DKMS

Piwik PRO benefits by Melonie Dodaro

• Comprehensive reporting: The Analytics feature provides a complete view of your website’s performance, from visitor behavior to conversion tracking.
• User-friendly interface: The platform’s intuitive design makes it easy to navigate and extract valuable insights without a steep learning curve.
• Privacy compliance: Piwik PRO’s commitment to data privacy ensures that your analytics practices align with regulations like GDPR.
• Customizable dashboards: Tailor your analytics view to focus on the metrics that matter most to your business.
• Dedicated support: Access to a responsive support team ready to assist with any questions or challenges.

In A marketer’s quest for better website insights by Melanie Dodaro, Global B2B Marketing Strategist.

Getting started with Piwik PRO Analytics Suite: A step-by-step guide

Transitioning to Piwik PRO ensures compliance with data protection regulations while maintaining robust analytics capabilities. Here’s how to get started:​

1. Research your analytics needs: Identify the key insights and features your business relies on and ensure they align with compliance requirements.
2. Compare Piwik PRO with your current solution: Explore Piwik PRO’s capabilities to determine how it meets your needs and where it can even offer deeper privacy-first insights.
3. Request a demo: Schedule a personalized demo to see Piwik PRO in action and discuss integration with your existing marketing stack.
4. Plan your migration: Work with Piwik PRO’s team to develop a seamless transition strategy, ensuring minimal data loss and downtime.
5. Set up & customize: Configure dashboards, reports, and user permissions to align with your business objectives. We offer flexible support for onboarding and implementation.
6. Train your team: Provide onboarding resources and training to maximize the value of their new analytics platform. A good place to start is Piwik PRO’s YouTube channel, which offers a dedicated playlist with Piwik PRO Analytics video tutorials.
7. Optimize & monitor: Continuously refine your analytics setup based on insights while ensuring ongoing compliance with privacy regulations.

Find your Google Analytics replacement

Regulatory uncertainty is increasing, and Norway’s warning makes it clear: US-based analytics tools could soon be non-compliant across the EU. However, global data regulations are tightening beyond the EU. Countries like China (PIPL), India (DPDP Act), Brazil (LGPD), and Canada (CPPA) are all implementing stricter privacy frameworks. Businesses that rely on cross-border data transfers need a future-proof strategy that prioritizes privacy-first solutions, EU-based vendors, and data sovereignty.

Waiting until restrictions are enforced could mean scrambling to find a solution while facing potential fines and data loss. Piwik PRO Analytics Suite is the best alternative to Google Analytics, providing a powerful, privacy-focused analytics solution that keeps your business ahead of changing regulations without disrupting your analytics and marketing data. Plus, you can implement it alongside your Google Analytics setup instead of switching immediately.

FAQ 

Why are EU-US data transfers under scrutiny again?

The Norwegian DPA has raised concerns about the operational status of the US Privacy and Civil Liberties Oversight Board (PCLOB), which plays a key role in ensuring US data protection standards. If the EU-US Data Privacy Framework (DPF) is revoked, businesses relying on US-based services like Google Analytics could suddenly find themselves non-compliant with GDPR.

What happens if the EU revokes the Data Privacy Framework (DPF)?

If the EU revokes the adequacy decision for the EU-US Data Privacy Framework (DPF), companies relying on Google Analytics or other US-based tech tools could suddenly be in violation of GDPR, with no transition period. This could lead to financial fines and operational disruptions.

Is Google Analytics a GDPR-compliant choice for EU businesses?

While the EU-US Data Privacy Framework (DPF) is currently in place, concerns remain about its long-term stability. The Norwegian DPA and other European regulators warn that Google Analytics still poses compliance risks because it involves transferring personal data to the US, where surveillance laws (like FISA 702) allow government access to foreign data.

Multiple European Data Protection Authorities (DPAs) – including those in France, Austria, Denmark, Italy, Sweden, and Norway – have ruled in the past that Google Analytics violates GDPR due to US surveillance risks. If you’re still using Google Analytics, your company could be at risk of enforcement actions should the DPF be withdrawn by the European Commission.

Solution: To future-proof your analytics, switch to a privacy-compliant alternative like Piwik PRO Analytics Suite, which offers GDPR-compliant data hosting in the EU.

What is the best alternative to Google Analytics for GDPR compliance?

A privacy-compliant alternative to Google Analytics is Piwik PRO Analytics Suite. Unlike US-based tools, Piwik PRO offers:

• Full GDPR compliance with EU-based hosting options.
• 100% data ownership, meaning your data stays private.
• Advanced analytics capabilities, including event tracking, funnels, and user flows.

Migrating from GA4 to Piwik PRO is simple, making the transition easy with:

• One-click data import options.
• Customizable dashboards to match your existing setup.
• Comprehensive onboarding support to help teams transition smoothly.

What makes Piwik PRO Analytics Suite different from other Google Analytics alternatives?

Piwik PRO Analytics Suite is built with privacy at its core, offering:

• Data residency options within the EU, US, or private cloud.
• No third-party data sharing—you own 100% of your analytics data.
• Integrated privacy tools, including built-in consent management.
• Advanced analytics and tag management in one platform.

How can I confidently switch from Google Analytics without losing insights?

Piwik PRO Analytics Suite provides a familiar analytics experience while improving data collection reliability (up to 70% more data than GA4), privacy compliance, and advanced reporting features like funnels and user flows. It also offers easy migration tools for a seamless transition.

How do I start transitioning away from Google Analytics?

To replace Google Analytics, first audit your data flows, then evaluate privacy-compliant analytics platforms. Piwik PRO Analytics Suite makes it easy to migrate with a our plan, allowing businesses to test the platform before fully transitioning. You can also request a free demo customized to your needs.

What other US-based services might be affected by EU data transfer regulations?

Beyond Google Analytics, any US-based marketing, cloud, or analytics platform handling EU data – including for example HubSpot, Mailchimp, Salesforce, and AWS – could be impacted if the adequacy decision is revoked. You should assess all third-party tools that process user data now to be prepared with alternative tools.

How can I prepare for potential EU-US data transfer disruptions?

To stay ahead of regulatory changes, businesses should:

• Audit current data flows to identify any dependencies on US-based services.
• Explore privacy-compliant alternatives like Piwik PRO Analytics Suite.
• Consider running your US-based and new EU alternative analytics platform – such as Piwik PRO – in parallel to ensure continued reporting while you test the new tool.
• Implement Standard Contractual Clauses (SCCs) for additional safeguards.
• Monitor regulatory updates and plan for a smooth transition.

What’s the safest way to future-proof my analytics strategy?

To avoid regulatory uncertainty, switch to an EU-hosted analytics provider with strong privacy protections, like Piwik PRO Analytics Suite, that allows you to implement a reliable data privacy strategy. This ensures long-term compliance with GDPR and other evolving global privacy laws.

Can I run a hybrid setup with both EU- and US-based tools?

For a transitional period and to minimize disruption, it can be a practical approach though. Consider implementing a European analytics solution like Piwik PRO alongside your existing Google Analytics setup. With our options available, this parallel tracking strategy ensures reporting continuity while you evaluate an EU-based analytics alternative that respects data sovereignty.

The post Norwegian DPA warns against EU-US data transfers – what it means for your website analytics appeared first on Piwik PRO.

Dive into the fourth and final episode of our video series with Brian Clifton, a renowned digital analytics and privacy expert. He presents the history of digital analytics, including technologies and mindsets surrounding the analytics industry. The first part is dedicated to the origins of web analytics tools, the second focuses on the increased interest in privacy in data collection, and the third discusses challenges in ensuring proper data quality for effective decision-making. 

In this part, Brian talks about the importance of staying current with technological advancements to maintain proper data quality. He also shares insights into the future of digital analytics, emphasizing the need to balance automation and human knowledge to enhance marketing strategies.

The complexity of data quality in digital analytics

Over the years, many have viewed data collection as a daunting task, particularly for those without technical expertise. However, it has become clear that the real challenge is not gathering data – it’s effectively making sense of it. Analysts must connect a host of data points to extract meaningful insights that drive informed decision-making.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

Poorly collected or noisy data can lead to tricky conclusions, making robust data-cleaning processes essential. Once data quality is compromised, correcting flawed data can be an intensive task and may require starting over from scratch.

“It’s very easy to collect poor-quality data without knowing it’s poor quality. However, it’s very hard to clean it later. Monitoring data quality at the point of collection is crucial for effective decision-making.”

Brian Clifton, Digital analytics and privacy expert

There is a school of thought that businesses should embrace aggregate tracking methods alongside individualized tracking. This dual approach enables organizations to gain insights into overall trends while respecting individual privacy rights, aligning more closely with consumer privacy choices. For those users that grant consent to be tracked, individualized tracking allows for the website to provide a more personalised experience.

Privacy and ethical use of data

As digital analytics has evolved, so has awareness of privacy responsibilities. Analysts now find themselves focused not only on educating data stakeholders about web analytics, but also on their obligations regarding protection of users’ data. Striking a balance between collecting valuable insights and upholding user privacy remains a persistent challenge.

“I think GDPR is the best thing since sliced bread as it has put control in the hands of users, and not with far away and opaque tech vendors. Privacy laws are here to stay, because that is what users want and I believe the US will eventually adopt a federal privacy law similar to GDPR, instead of having fragmented state-level regulations.”

Brian Clifton, Digital analytics and privacy expert

Organizations must navigate the complexities of compliance to avoid severe penalties, including hefty fines and reputational damage. As marketers adjust to these new realities, they must rethink their strategies to rely less on extensive personal data and more on aggregated insights that respect individual privacy.

Adapting to new analytics tools supported by AI

With rapid advancements in analytical tools, now is the time for organizations to reassess their technological stack. By exploring alternatives beyond traditional platforms, companies can better tailor their approaches to meet contemporary analytical needs.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

The role of analysts is becoming increasingly specialized, with AI augmenting human capabilities by enabling faster restructuring and comparison of data. Technologies like ChatGPT have dramatically transformed digital marketing by shifting focus from keyword-based searches to conversational queries. This evolution challenges the traditional role of the analyst, though building insights based on a solid understanding of the data is still key.

“Advanced web analytics isn’t about the tools; it’s about doing the basics very well and applying them in a clever way.”

Brian Clifton, Digital analytics and privacy expert

Making sense of data to drive meaningful change

AI has the potential to revolutionize digital marketing by providing rapid insights through data interpretation. While some jobs may be displaced by automation, AI creates new opportunities by handling time-intensive, complex tasks, allowing analysts to widen their analytical scope for even greater insights.

“There’s huge potential here – not to replace humans but to augment their capabilities with superpowers. AI serves as a smart, always-on, never forgetful assistant. It helps the analyst work faster and more efficiently, even trying new ideas that were previously too cumbersome to explore. The role of the analyst is becoming increasingly more important to businesses.”

Brian Clifton, Digital analytics and privacy expert

The future of digital analytics hinges on building trust and privacy while embracing technological advancements and AI-driven tools. By prioritizing data quality, respecting user privacy, leveraging new technologies, and fostering collaboration among teams, analysts can effectively navigate this dynamic landscape and drive meaningful change within their organizations. 

The post 25 years of digital analytics with Brian Clifton: The real challenge for the future is to make sense of data appeared first on Piwik PRO.

Let’s dive into the third episode of our video series with Brian Clifton, a renowned digital analytics and privacy expert. He presents the history of digital analytics, including technologies and mindsets surrounding the analytics industry. The first part was dedicated to the origins of web analytics tools, and the second focused on the increased interest in privacy in data collection.

In the third part, Brian discusses challenges in ensuring proper data quality and explores how organizations can overcome them to build their audience’s trust, enabling more informed and effective decision-making. You can watch the videos in the corresponding sections of this article.

The importance of data in modern organizations

As data analysis now impacts all aspects of a business, it has become difficult to locate where data analytics actually fits within organizational structures. Data democratization can cause greater buy-in and innovation, but it can also result in a lack of data ownership- in other words, it becomes unclear who, precisely, is responsible for it.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

There are two important challenges that arise when dealing with data in larger organizations:

• Understanding the audience’s perspective: Data experts often struggle to simplify complex concepts for those with less experience, such as marketers who engage with analytics less frequently. It’s essential to present data in a consistent and accessible way without losing key insights.
• Determining the role of analytics: Analytics is often used across multiple departments, making it difficult to establish clear ownership and governance. Organizations need to ensure that their data strategy aligns with overall business objectives, rather than it being siloed by each department.

“One of the great challenges with analytics is it doesn’t fit in any one place anymore; it’s everywhere, and because it’s everywhere, it’s very difficult to take ownership of it. As with any project without an owner, there is no leadership, and that results in teams working in their own data silos.”

Brian Clifton, Digital analytics and privacy expert

Businesses need to adopt a holistic approach to fully leverage the power of data-informed decisions. This means engaging multiple stakeholders across different departments and ensuring that the impact of data-driven decisions is understood and aligned with the overall business strategy. While it can be challenging to broaden the scope of a data project, especially when budget constraints and departmental boundaries come into play, it is essential for long-term success.

The impact of data quality on decision-making processes

Modern organizations rely on data to make informed decisions across all levels of the business. Whether it’s determining the success of a marketing campaign, optimizing supply chain logistics, achieving efficient staffing levels, or enhancing customer service, data provides the information needed to guide strategic choices. As the digital landscape expands, the amount of data available to organizations has grown exponentially, providing new opportunities to gain a competitive edge.

However, the abundance of data also presents challenges. It’s not just about having access to data but understanding what data is relevant, how to analyze it, and how to apply insights effectively.

“Currently, large chunks of collected data are simply noise. Data noise is not only distracting, but can be costly to process and store, can bury the useful signals you need, and are a business risk for privacy compliance. Auditing your data has never been so important.”

Brian Clifton, Digital analytics and privacy expert

The evolution of data collection and usage practices reflects a broader shift in how businesses operate. The days of simply gathering as much data as possible just because you can are over. Now, the focus is on collecting and using the right data to benefit both the organization and its customers.

Moving data handling from IT to other departments

In the early days, analytics was primarily an IT function focused on building and maintaining the website. In the mid-2000s, it expanded into marketing, becoming a key tool for driving strategy. Today, however, the reach of data analytics extends, impacting various departments. 

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

Effective collaboration between IT, marketing, and legal teams is key to navigating the complexities of modern data management. By working together, the teams ensure the four pillars of analytics are in place: that data is accurate, compliant, actionable, and aligned with the organization’s strategic goals.

“Once you get teams out of their silos and working together, they start to think in terms of answering the business questions, rather than focusing on what data to collect. That is where the conversation should start.”

Brian Clifton, Digital analytics and privacy expert

Using data analytics to provide meaningful insights rather than just numbers

Being “data-driven” is a buzzword, because it’s not enough just to collect numbers. The real value lies in being data-informed, which means understanding what the data truly represents and using it to drive meaningful decisions. Many organizations focus on headline numbers without investing time and energy in thinking about what insights they can derive from this data and how they can act on them.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

Data must be accurate, consistent, and aligned with business objectives to be truly valuable. This requires a robust data governance process in which business questions drive data collection, not the other way around. 

It’s also essential to ensure high-quality data is gathered ethically and with proper user consent. Data should inform strategic decisions, helping businesses understand customer behavior, optimize processes, and ultimately create more value. With these insights, it becomes a powerful tool for growth and innovation.

The post 25 years of digital analytics with Brian Clifton: Being data-informed, not just data-driven appeared first on Piwik PRO.

Personally identifiable information (PII) and personal data are two classifications of data that often confuse organizations that collect, store and analyze such data. Both terms cover common ground, classifying information that could reveal an individual’s identity directly or indirectly. 

PII is used in the US, but no specific legal document defines it. The legal system in the United States is a blend of numerous federal and state laws and sector-specific regulations, all of which describe and classify different pieces of information under the PII umbrella. 

On the other hand, personal data has one legal definition established by the General Data Protection Regulation (GDPR), which is accepted as law across the European Union (EU).

But why is all that so important? As a website admin, app creator or product owner, you need to be aware that visitors and users could share sensitive information with you. These traces might enable you to identify individuals, so you must handle such data carefully. From a legal standpoint, it could be a matter of breaches and violations with serious consequences. Grasping the bigger picture is crucial for your organization’s security and legal compliance.

Read more: Piwik PRO is officially HIPAA-certified!

What is personally identifiable information (PII)?

Personally identifiable information (PII) is often referenced by US government agencies and non-governmental organizations. However, as the US lacks one overriding law about PII, the legal definition of the term may vary from jurisdiction to jurisdiction and state to state.

The most common definition is provided by the National Institute of Standards and Technology (NIST), which states that:

However, the line between PII and other kinds of information is blurry. As stressed by the US General Services Administration, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.

What pieces of information are considered PII?

According to NIST, PII can be divided into linked and linkable information.

Linked information

Linked information can also be defined as direct identifiers. 

Direct identifiers are unique to a person and can be used to identify an individual. A single direct identifier is typically enough to determine someone’s identity.

Here are the examples of linked information:

NIST states that linked information can be “Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people”. That means cookies and device ID fall under the definition of PII.

Linkable information

Linkable information concerns indirect identifiers or quasi-identifiers. They may not be able to identify a person on their own, but identification becomes possible when combined with another piece of information. For example, research shows that 87% of US citizens could be identified based on just their gender, ZIP code and date of birth. De-anonymization and re-identification techniques typically work when multiple sets of quasi-identifiers are connected and can be used to distinguish one person from another.

Here are some examples of PII that can be considered linkable information:

Sensitive vs. non-sensitive PII

Though more of a customary than regulatory distinction, we can also differentiate between sensitive and non-sensitive examples of PII.

Sensitive PII

Sensitive PII is information that can directly identify an individual and could result in harm to them if a data breach occurs. 

Sensitive PII is typically not publicly available. Many data privacy laws require organizations to safeguard it by encrypting it, controlling who accesses it and taking other security measures.

Examples of sensitive PII include:

• Unique identification numbers, such as driver’s license numbers, social security numbers (SSN), passport numbers and other government-issued ID numbers.
• Biometric data, such as fingerprints and retinal scans.
• Financial information, including bank account numbers and credit card numbers.
• Medical records.
• Electronic and digital account information, such as email addresses and internet account numbers.
• Employee personnel records.
• Password information.
• School identification numbers.

Non-sensitive PII

Non-sensitive PII is information that may or may not be unique to an individual person. This type of data can be transmitted without being encrypted, and disclosure of it will not cause harm to the individuals that the data concerns. 

Non-sensitive PII tends to be publicly available – for example, phone numbers can be listed in a phone book. 

Some data privacy regulations don’t require the protection of non-sensitive PII, but companies should still employ safeguards to limit the risks to individuals. 

Examples of non-sensitive PII include:

• A person’s full name.
• Mother’s maiden name.
• Social media nickname.
• Telephone number.
• IP address.
• Place of birth.
• Date of birth.
• Geographical details (ZIP code, city, state, country, etc.).
• Employment information.
• Email address or mailing address.
• Race or ethnicity.
• Religion.

How PII differs from PHI

Protected health information (PHI) includes information used in a medical context that can identify patients. PHI is a subset of PII that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.

Identifiers recognized by HIPAA include:

While protecting PII is mandated only in some instances, in order to protect patient privacy, PHI is subject to strict confidentiality requirements that don’t apply to most other industries.

The HIPAA Privacy Rule ensures that PHI is shared and used only with patient permission or to coordinate patient care and services between covered entities. Organizations covered by HIPAA, such as healthcare providers, hospitals, insurers and their business associates, must follow strict rules specifying the types of PHI they can collect from individuals, disclose with others, or use for marketing purposes.

Learn more about PHI and how to protect it to comply with HIPAA: PHI and PII: How they impact HIPAA compliance and your marketing strategy.

What is non-PII?

Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace, or identify a person.

Examples of non-PII include, but are not limited to:

• Aggregated statistics on the use of product/service.
• Partially or fully masked IP addresses.

However, the classification of PII and non-PII is vague. Moreover, NIST doesn’t reference cookie IDs and device IDs, so many AdTech companies, advertisers, and publishers consider them non-PII. As we’ll see, this is in contrast to the definition of personal data, which treats such digital tackers as information that could identify an individual.

What is personal data?

Personal data is a legal term that the GDPR defines as the following:

This definition applies to a person’s name and surname, as well as details that could identify that person. That’s the case when, for instance, you’re able to identify a visitor returning to your website with the help of a cookie or login information.

Under GDPR, you can view cookies as personal data because, according to:

The definition of personal data covers various pieces of information, such as:

• Transaction history
• IP addresses
• Browser history
• Posts on social media

Essentially, it’s any information relating to an individual or identifiable person, directly or indirectly.

What is non-personal data?

Following the GDPR provisions, non-personal data is data that won’t let you identify an individual. The best example is anonymous data. According to:

Other examples of non-personal data include, but are not limited to:

• Generalized data, such as age range.
• Information gathered by government bodies or municipalities, such as census data or tax receipts collected for publicly funded works.
• Aggregated statistics on the use of a product or service.
• Partially or fully masked IP addresses.

Collecting anonymous data allows companies to gain useful analytics insights into user behavior without accessing personal data – this is possible with Piwik PRO Analytics Suite. 

Learn more about anonymous data collection with Piwik PRO: Anonymous tracking: How to do useful analytics without personal data.

How PII differs from personal data

Personal data encompasses a broader range of contexts than PII. In general, all PII is considered personal data, but not all personal data is PII. For example, attributes such as religion, ethnicity, sexual orientation or medical history can be categorized as personal data but not PII.

While there is no single federal law governing the collection and use of PII, several legal documents and industry standards define its scope, such as:

• The U.S. Privacy Act, which governs how to collect, maintain, use and disseminate PII.
• The Health Insurance and Portability Act (HIPAA) governing patient privacy.
• The Children’s Online Privacy Protection Act (COPPA), designed to protect the personal information of children under the age of 13.

Furthermore, both governmental and non-governmental organizations regulate the proper use of PII, including:

• The Federal Trade Commission (FTC) and its Department of Consumer Protection.
• Local Departments of Consumer Affairs.
• The Federal Communications Commission (FCC).
• The National Institute of Standards and Technology (NIST).
• The Network Advertising Initiative (NAI), a self-regulatory organization.

Personal information (PI) and the CCPA

Personal information (PI) is used in the context of the California Consumer Privacy Act (CCPA). The CCPA establishes a very broad definition of personal information, which continues to function in the California Privacy Rights Act (CPRA).

The California law defines PI as:

“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

However, this doesn’t include information that has been made publicly available by the local, state, or federal government.

Here are the examples of personal information under CCPA:

As you can see, California classifies data like device IDs, cookies IP addresses, and even aliases and account names as personal information.

Read more: CCPA & CPRA regulations: How marketers can comply with the Californian laws.

Why should you protect PII and personal data

Access to PII allows businesses to tailor product or content recommendations to their customers’ preferences. However, the growing volume of PII accumulated by organizations is attracting the attention of cybercriminals. Failure to protect users’ data leaves organizations exposed and at risk of attacks.

Stolen data containing PII can cause extensive harm to individuals. With just a few bits of an individual’s personal information, thieves can create false accounts in the person’s name, take out loans, create a falsified passport or sell a person’s identity to a criminal. 

As organizations collect, process and store PII, they must also accept responsibility for protecting this sensitive data.  After all, data breaches can happen to organizations of all sizes and industries – from major credit reporting bureaus to small banks – and the impacts on the organization are often the same.

A data breach can severely damage users’ trust in an organization, ultimately ruining its reputation and hindering business results. Not to mention the risk of non-compliance with privacy regulations, which can additionally lead to heavy fines. 

According to IBM’s Cost of a Data Breach 2023 Report, the average cost of a data breach caused by a ransomware attack was USD 5.13 million. As ESG’s report states, the amount of sensitive data is believed to have doubled in the period between 2021 and 2024. Moreover, around half of organizations believe that this data is not sufficiently secure. 

Given the many risks associated with data breaches, protecting PII and personal data is essential. Companies must navigate a complex IT and legal landscape to prevent future attacks and maintain scalable data protection frameworks. 

Aside from preventing breaches, emphasizing data security and privacy helps boost customer loyalty and trust, and futureproofs tech investments against evolving requirements.

How to protect PII

The main source of guidance on ways to secure PII is NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information. 

First, PII protection methods resemble those mentioned by the GDPR for personal data, such as:

• Data minimization.
• Privacy impact assessment.
• Data encryption.
• Data anonymization.

Not all PII needs to be protected equally. The necessary safeguards to apply will depend on the following factors:

• How easily the PII can be tied to specific individuals.
• The number of individuals whose PII is stored in the system.
• The sensitivity of the data.
• The context of how the data will be used, stored, collected or disclosed.
• Legal obligations to protect the data.
• The location of the data and level of authorized access to it.

NIST explains further that the protection of PII requires a combination of measures, such as “operational safeguards, security controls and safeguards related to privacy.”

Here is a breakdown of the recommended measures:

Operational safeguards

The protection of PII starts at an organization’s operational level. It involves creating and establishing detailed policies and procedures for managing PII. Some safeguards involve training employees about data breach risks and best practices for handling and protecting PII.

Privacy-related safeguards

Privacy-specific safeguards help businesses follow the data minimization principle and let them use and maintain data without risking its confidentiality. Protecting PII confidentiality requires certain mechanisms, such as data anonymization and de-identifying information (encryption).

Security controls

NIST offers recommendations regarding security controls for protecting PII. They include:

• Access enforcement – such as granting access to the data based on the user’s role.
• Remote access – prohibiting or restricting access to PII and when a user has remote access and ensuring communication is encrypted.
• Separation of duties – for example, users who handle de-identified PII shouldn’t also work in positions that grant them access to the information needed to re-identify the records.
• Information system monitoring – monitoring PII for unusual or suspicious transfers or events.
• Least privilege – making sure that users have access to only the data they need.
• Audit review, analysis and reporting – conducting a regular review and analysis of records after the information system audit to spot any unusual activities affecting PII.

How to protect personal data

The GDPR sets out guidelines for protecting personal data. The most important ones include:

The principle of lawfulness

Most importantly, GDPR requires having a clear and valid reason for collecting and using personal data. The reason for processing data must be based on necessity. It could be, for instance, fulfilling a contract requirement or providing a service.

The principle of integrity and confidentiality

One of the key ways to protect data is to ensure its security, though GDPR doesn’t exactly say what this security should look like in practice. The choice of safeguards will differ between organizations. For instance, a hospital with sensitive information about its patients will take different steps than a blogger with a newsletter.

Data protection by design

Data protection by design means adopting technical and organizational measures in the initial design phases of processing operations.

Examples of these measures include:

• Pseudonymization – replacing or removing information within a data set that enables identification of a specific person, using methods such as encryption, scrambling or masking.
• Anonymization – removing personal information from a data set to make it impossible to identify a particular person.
• Monitoring of data processing.
• Adding new privacy features and improving existing ones.

Under GDPR, data pseudonymization techniques are not enough to provide full data anonymity.

Data protection by default

Data protection by default is based on the principles of data minimization and purpose limitation. 

Following the data minimization principle, data should be “adequate, relevant and limited to what is necessary”.

Purpose limitation means you specify your processing purpose, document it and inform individuals about this purpose before any processing starts. 

Organizations that act in line with those principles will collect only the minimum amount of data possible and keep it for only as long as necessary to fulfill the purpose for which it was collected.

Data protection impact assessment

GDPR recommends performing a data protection impact assessment (DPIA) when processing might pose a high risk to individuals. DPIAs help organizations lower risk by recognizing and mitigating possible threats.

Consider running a DPIA when you are:

• Using a new technology.
• Processing sensitive data on a large scale.
• Doing systematic monitoring of public areas.

read also

Learn how to protect PII, non-PII and personal data

Everything from the detailed definition of each to practical approaches to collecting and working with different types of data

Download now

PII, non-PII and personal data: Staying up to date on data privacy regulations

The broad definitions of PII and personal data are evolving to cover more and more kinds of data. The differences between the two are also becoming less distinct. The legal requirements are getting stricter on both sides of the Atlantic.

Those changes will bring new challenges. For organizations of all kinds, this means taking a closer look at the data they collect and keeping up with the changing legal landscape to stay compliant.

If you want to learn more about how Piwik PRO helps you safely collect and analyze PII and personal data, reach out to us:

Related posts:

• Is Google Analytics (3 & 4) GDPR-compliant?
• Is Google Analytics illegal in the EU?
• 10 new privacy laws around the world and how they’ll affect your analytics

The post What is PII, non-PII, and personal data? [UPDATED] appeared first on Piwik PRO.

The early days of data-driven analytics

The expansion of digital marketing in the late 1990s led to the rapid development of analytics, which enabled marketers to measure campaign effectiveness. Initially, analytics focused on basic metrics, such as page views and session durations, but with the advancement of tracking technologies, organizations recognized the value of data in shaping business strategies and driving growth. However, despite this evolution, few paid any attention to data privacy and its ethical implications.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

“I was at university in the 1990s, when the web was just coming of age. At that time, it was still very much an academic and noncommercial place. However, I was blown away by its commercial potential.”

Brian Clifton, Digital analytics and privacy expert

The rising importance of privacy and ethics in the analytics industry

The increasing significance of privacy was initially met with skepticism by the analytics industry. However, it gained increasing attention with the general public after, among others, Edward Snowden’s revelations on government mass surveillance, the Cambridge Analytica/Facebook commercial scandal, and the enactment of GDPR.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

GDPR – the first big change

The General Data Protection Regulation (GDPR), prepared by the European Commission, entered into force on May 25, 2018. The regulation marked a significant advancement in data privacy, establishing a new gold standard for data protection laws. One of its many provisions states that companies must have a legal basis to store and process users’ personal data.

In Europe, privacy has been treated as a fundamental right since the 1950s with the adoption of the European Convention on Human Rights. The idea behind GDPR was to update these protections for the digital age, giving individuals full control over their data. It also strengthened and unified the data collection processes within the European Union.

GDPR also introduced several key principles:

• Data protection authorities (DPAs) make binding decisions and issue administrative sanctions, including fines.
• Users can object to data processing based on the controller’s or public interests.
• DPAs and data subjects need to be notified about data breaches.

After GDPR went into effect, reactions varied widely across industries. Many organizations faced significant challenges adapting to the strict requirements imposed by the regulation. Some companies started to rebuild their data management practices to ensure compliance, while others faced hefty fines for not following the new rules.

Read our latest study, conducted six years after the introduction of GDPR, to learn how EU companies are leveraging privacy laws – Harmonizing marketing and privacy: How EU organizations are developing their compliant digital marketing strategies.

We ran a survey among 1,800 CEOs and marketing executives from 27 European countries, with the majority of respondents coming from Germany, France, Denmark, the Netherlands, and Sweden, to find out how they were balancing GDPR compliance and effective marketing.

Differences between approaches to privacy compliance in Europe and the US

The implementation of GDPR triggered a “domino effect,” with other countries/regions adopting similar privacy frameworks. These new data privacy laws significantly impact businesses locally and globally, necessitating that companies adapt to varying regulatory requirements. It also underscored fundamental discrepancies between privacy compliance in Europe and the US.

“Europe went through two World Wars and was the epicenter of the Cold War. That legacy means Europeans today have quite a different perspective on our personal privacy than perhaps other parts of the world. For Europeans, the right of privacy has become a fundamental human right.”

Brian Clifton, Digital analytics and privacy expert

The primary difference lies in the comprehensiveness and universality of the two approaches. GDPR sets a uniform standard for data privacy across all member countries, treating data protection as a fundamental right. This holistic approach contrasts with the US’s fragmented system, where data privacy is governed by state-level legislation and sector-specific regulations like HIPAA for healthcare, GLBA for financial institutions, and FISMA for federal agencies.

Also, the EU’s philosophy is deeply rooted in historical contexts emphasizing protecting personal information against misuse, reflecting a cultural commitment to individual privacy. The US has traditionally prioritized the commercial use of data, trying to incorporate a business perspective within its regulatory frameworks. The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), were the first steps towards stronger data protection in the US and came into effect on January 1, 2020.

Another significant milestone in executing privacy compliance in the US happened on July 10, 2023, when the European Commission adopted the Data Privacy Framework. This framework introduces stricter limitations on data collection by US businesses, a development that has far-reaching implications for international data transfers. It also allows these businesses to commit to privacy responsibilities, including deleting unneeded personal data, safeguarding data shared with third parties, and adhering to data minimization principles, purpose limitation, and proportionality.

However, the Data Privacy Framework has come in for its share of criticism. It is thought to inadequately protect non-US residents, as it falls short of European privacy standards due to unchanged US surveillance laws like FISA 702 and EO 12.333. This critique raises concerns about the framework’s ability to ensure equivalent protection for personal data in the US, as questioned by the European Data Protection Board (EDPB) and the European Parliament.

Read more about the EU-US data transfers in our article: Everything you need to know about the Data Privacy Framework (Privacy Shield 2.0)

As debates over EU-US data transfers continue, companies are taking a proactive approach and considering alternative data handling strategies, such as data anonymization or EU-based solutions, reassuring customers about their capacity to adapt to the evolving privacy regulations.

Privacy becomes a cornerstone of digital trust

The evolution of privacy awareness, from consumer ignorance to caution, was accelerated by various data scandals and leaks that exposed the risks. Customers are more wary because they started to understand the consequences of improper data collection and exploitation. It also led to greater scrutiny of how companies handle personal data.

92.1% of respondents from our study believe that companies must respect individuals’ online privacy. In 2023, it was 90%, and in 2022, only 71.2%. Only 2.4% of this year’s survey participants take the opposite view.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

For most organizations, privacy compliance is a box-ticking exercise. Only a few are progressive enough to see that privacy is integral to brand integrity and consumer trust. Responsible data usage is essential in retaining consumer trust, as mishandling data can negatively impact brand reputation.

However, a balance must be struck between safeguarding consumer data rights and enabling data-driven decision making processes, which are crucial for an organization to survive.

The primary factor driving companies’ compliance is building trust with consumers (69.5%), which has increased by almost 4% compared to the previous survey. Other motivators for all countries include company values (52.0%) and legal obligations (39.7%). Only 15.6% of respondents mentioned the risk of fines – an almost 3% increase from 2023.

“In the 21st century, consumer trust has taken on a new digital form. Customers now want to have confidence that data is being harvested responsibly and that they have a level of control over its collection. Data protection and privacy is the new frontier for brands.”

Brian Clifton, Digital analytics and privacy expert

Best practices for privacy compliance

Despite GDPR and the Data Privacy Framework, there is still confusion regarding best practices for achieving compliance, with many organizations struggling to obtain explicit user consent and ensure transparent data collection practices. This discrepancy is primarily evident to data auditors navigating the complex data privacy landscape. Often, data tracking persists even in the face of user rejection, underscoring the need for enhanced transparency and accountability in data collection.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

Here are some of the best practices for organizations that can help increase their compliance.

Knowledge of legal frameworks

Developing a deeper understanding of legal frameworks includes investing in education and training programs, engaging closely with legal counsel specialized in relevant laws, and staying updated on regulatory changes. This is the job of a Data Protection Officer (DPO). By prioritizing these steps, organizations can navigate the complexities of legal requirements effectively, ensuring compliance and safeguarding data protection and privacy in their operations.

Understanding data collection

Data teams need to understand the intricacies of data collection methods, destinations, and implications. This involves scrutinizing data flows across multiple platforms and assessing the necessity of each tool employed.

Cross-team cooperation

Analytics teams should collaborate closely with legal and compliance teams to ensure a cohesive approach to data governance. Such partnerships should prioritize transparency and risk mitigation.

Safe data storage and transfer

Companies that understand the geographical considerations of data storage and jurisdictional implications, particularly relevant in the context of European data protection laws, are gaining a competitive advantage. That’s why they should opt for European-based data hosting solutions to ensure compliance and mitigate risks associated with foreign jurisdictional control. The same goes for data transfers, especially between the EU and the US.

Implementation of privacy-compliant tools

Data teams should emphasize the importance of data minimization and consolidation, as less data equals reduced risk. By advocating for a strategic approach to tool selection and data collection, companies can avoid excessive data accumulation without a clear purpose or utility.

“From a privacy point of view, if you have sensitive data, or want to insulate your customers from becoming a product of ad tech vendors, consider working with an analytics platform that comes under EU data protection jurisdiction.”

Brian Clifton, Digital analytics and privacy expert

Supporting privacy consciousness in data analytics

Collaboration between legal, IT, and analytics teams is essential for navigating the complexities of data management and ultimately safeguarding individuals’ rights and privacy in an increasingly data-driven world. Piwik PRO is one of the privacy-conscious analytics vendors that strictly adhere to data protection regulations such as GDPR, the Data Privacy Framework, or CCPA while collecting valuable insights into user behavior.

The post 25 years of digital analytics with Brian Clifton: Considered an obstacle at first, privacy is now top of everyone’s mind appeared first on Piwik PRO.

The beginnings of digital analytics

The developing internet landscape prompted the emergence of digital analytics, initially focused on understanding server performance and website traffic. The primary method back then was log file analysis, involving examining server log files to identify unique visitors. Analytics tools of the day were developed mostly for use by IT departments, to gauge server resource usage and performance.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

In the mid-1990s, web analytics providers like Webtrends entered the market, offering tools to help IT departments understand and optimize their websites’ online presence. The introduction of cookies by Netscape in 1994 allowed for more sophisticated tracking of user behavior, providing advertisers with valuable insights into consumer preferences and online activities. However, the emergence of clickable banner ads is what truly pushed online measurement forward. By letting users interact directly with ads, advertisers could improve engagement and measure the effectiveness of their campaigns.

However, as the internet became more of a business platform, marketers started to recognize the value of measuring website performance for strategic purposes. The expansion of ecommerce platforms showed the need for robust analytics solutions to track and improve digital performance. This shift marked the beginning of a new era of marketing-related analytics.

Google enters the web analytics market

In November 2005, Google played a pivotal role in shaping the course of digital analytics with the launch of Google Analytics (GA). Recognizing the growing demand for user-friendly analytics tools aimed at the needs of marketers, the company released a platform that reshaped the industry and democratized data analysis.

“The great attraction for me was the idea that we were right at the tipping point of an industry, moving away from IT-related tools into marketing-related tools. And Google wanted to invest in that big time.”

Brian Clifton, Digital analytics and privacy expert

Google Analytics aimed to simplify data interpretation by offering intuitive reports that didn’t require specialized IT or analyst expertise. The platform’s launch was met with an overwhelmingly positive response, highlighting the need for accessible analytics solutions in the online advertising landscape.

Google made Google Analytics a free platform so that marketers could measure their ads’ effectiveness, while also increasing the money spent on ads, primarily in Google’s ad networks.

Previously, free versions of analytics platforms offered severely limited features and poor usability. GA, in the freemium version, was a fully usable tool that revolutionized the analytics industry, strengthening the community in several ways. Being free, it democratized access to analytics tools for many users, from beginners to experts, allowing them to manage their marketing data independently of IT departments. It also included powerful features so that marketers could go beyond optimizing campaigns for clicks and instead understand visitor engagement, purchases and conversions.

The introduction of Universal Analytics

The next most significant milestone in Google’s contributions to digital analytics was the introduction of Universal Analytics (UA) in 2012, which served as the cornerstone for digital marketers and analysts.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

Universal Analytics reshaped how businesses understand and leverage user insights. It introduced a revamped user interface that revolutionized data visualization, offering intuitive ways to navigate and interpret vast amounts of information. Also, multi-channel funnels, real-time reporting, flow visualization, and data import enhanced the analytical capabilities, while the measurement protocol allowed offline conversions to be seamlessly integrated into Google Analytics.

Over the years, UA set a new standard in data analysis tools, with its comprehensive features and user-friendly interface. It has established itself as a mature product, designed to meet businesses’ diverse needs for tracking and analyzing campaign performance, user interactions and conversions.

The first obstacle – a focus on data privacy

Over time, privacy issues have arisen as a key challenge not only in the analytics landscape but also for society more broadly. It started with the whistleblower Edward Snowden’s leaks about the National Security Agency’s surveillance of Americans’ online and phone communications in June 2013. Then the Facebook/Cambridge Analytica debacle of 2016 exposed poor data governance in the commercial sector. These events were followed by the groundbreaking regulations of the EU General Data Protection Regulation (GDPR) in May 2018.

GDPR is the gold standard for data privacy regulations that inspired legislation around the world, such as Brazil’s LGPD, California’s CPRA, Canada’s CPPA, and Germany’s TTDSG. These privacy laws concentrate on requiring users to give explicit consent before processing their data.

To know more about privacy regulations, read: 17 new privacy laws around the world and how they’ll affect your analytics

The focus on data privacy forced analytics providers to adapt their platforms to comply with strict requirements. This has evolved into a major challenge as data collection practices have been closely monitored, raising concerns about user privacy.

“After the revelations about the US government by Edward Snowden, people began to realize that their online world was part of a mass commercial surveillance economy.”

Brian Clifton, Digital analytics and privacy expert

Universal Analytics sunset

One of the defining features of Universal Analytics was its reliance on cookies to track user activity. While this method was adequate for its time, the rapid spread of mobile devices and evolving privacy regulations highlighted its limitations. It became increasingly obsolete in an era dominated by mobile apps, cross-device usage, and privacy concerns.

Moreover, Google decided it was time to compete more effectively in the enterprise market, recognizing the need for a more sophisticated analytics solution that could adapt to the progressing digital landscape.

In October 2020, Google announced the sunset of Universal Analytics, signaling the end of an era and preparing for the next generation of digital analytics tools.

The introduction of Google Analytics 4

The UA sunset led to the development of Google Analytics 4 (GA4), which caters to the demands of large organizations with extensive data teams. GA4 is positioned to adjust to their needs, aligning with the trajectory set by tools like Adobe Customer Journey Analytics.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

The data structure of GA4 is quite different from Universal Analytics. It introduced a more flexible event-based data model, deeper integration with Google’s machine learning capabilities and ad ecosystem, and enhanced cross-device tracking via its user-graph, Signals (Google account owners). All these features ensure a better understanding of user journeys, providing businesses with a more holistic view of user engagement. Also, it helps enhance audience segmentation and targeting.

However, the shift from Universal Analytics to GA4 introduced many challenges, especially for businesses accustomed to the more structured “marketing analytics” approach of Universal Analytics.

Return to the roots of digital analytics

Twenty years ago, analytics tools were designed for use by IT departments. Google’s initial strength was revolutionizing web analytics and focusing on the needs of marketers. With GA4, the landscape has changed again.

This shift has led to confusion among marketers who were accustomed to using analytics tools in a certain way. Google’s lack of clear guidance on GA4’s purpose and navigation has contributed to the problem, leaving users unprepared for this new platform. Many users feel apprehensive and uncertain about this change.

The switch to GA4 represents a departure from the marketer-centric approach toward a more technical audience with specialized data wrangling knowledge and skills. This change reflects a full-circle movement, returning to the early days of digital analytics, where the user requires a high degree of technical and analytical skills in order to get the most out of the product (and not be frustrated).

Privacy issues

Another significant challenge with Google Analytics 4 are privacy issues, particularly regarding compliance with European regulations such as GDPR. The major concern lies in storing user data, including that of EU residents, on US-based cloud servers, subjecting it to US surveillance laws (FISA 702).

Lack of user control over data is another issue, as Google retains rights to collected information and shares it across its various products, raising concerns about data security and privacy. Additionally, data residency requirements necessitate careful consideration, and data storage within the EU is strongly recommended to ensure compliance.

The “jigsaw effect”

The analytics products of Big Tech companies like Google are constantly under a hint of suspicion. They follow the digital footprints of users, gathering vast amounts of data, with little control for the user over how that data is used. Also, their primarily business model is advertising, hence personalized ad targeting is a major concern.

Many businesses are cautious about submitting their data to platforms that are focused on monetizing it for their own purposes, i.e. delivering personalized ads. Users also worry about their privacy and the potential for re-identification – the so-called “jigsaw effect.” The more digital footprints you collect and follow from users, the more likely the path becomes unique, and hence the more likely the owner of them can be identified.

The “jigsaw effect” shows the delicate balance between data aggregation and privacy protection. By embracing alternative analytics solutions, companies can navigate the complexities of data privacy while leveraging actionable insights to drive growth and innovation.

The rise of competitors

Privacy concerns and evolving data protection regulations are fuelling the rise of competitors to Google Analytics. Unlike Big Tech companies focused on advertising revenue, alternative analytics providers may have different business models that prioritize user privacy and data security. Also, they offer viable solutions for businesses reluctant to entrust their data to tech giants.

This shift towards privacy-centric analytics solutions reflects a broader trend in which businesses prioritize trust and reputation as a business asset, recognizing the importance of ethical data practices in maintaining customer loyalty and confidence.

“When you consider the complexity of the tools, ad ecosystem, and data protection regulations now, organizations of all sizes need help. From choosing the right toolbox for the job, the setup of the tools, or verifying data compliance – Google cannot offer that. That is where I see the opportunities for alternative products.”

Brian Clifton, Digital analytics and privacy expert

Navigating the complexities of digital analytics

Balancing data-driven insights with privacy and ethical considerations remains crucial in today’s analytics landscape. While Google Analytics continues to dominate the market, competitors like Piwik PRO Analytics Suite offer viable alternatives that focus on user privacy and data protection, ensuring compliance with regulations while delivering actionable insights.

The post 25 years of digital analytics with Brian Clifton: From examining log files to privacy-focused analytics appeared first on Piwik PRO.

Over the years, the UK Government saw a need for new rules regulating some previously overlooked areas. The central aims were to:

• Promote the country’s research and innovation;
• Reduce operational costs for UK businesses;
• Enhance the development of AI technologies and provide the necessary safeguards for this process.

Having that in mind, the UK Government has proposed a second version of the UK Data Protection and Digital Information Bill, which is currently still in draft form. If the new law passes, it will amend the UK GDPR (as well as the DPA and the PECR), creating an updated privacy framework for companies working with data from UK residents.

In this article, we’ll present the key changes introduced by the UK’s new Bill, compare it with the previous regulation, and explain what it means for businesses.

What is the UK Data Protection and Information Bill

The first Data Protection and Digital Information Bill, now called “the No. 1 Bill,” was introduced on July 18, 2022, and paused in September 2022. On March 8, 2023, the UK Government introduced a new version of the Bill, known as “the No. 2 Bill”, for review by the UK Parliament.

The Bill is now due to have its report stage and third reading, but the dates are yet to be announced. While amendments can still be made during these stages, passage of the Bill is predicted to happen in 2024.

The second version of the UK Data Protection and Information Bill would cover:

• Organizations that process personal data as part of their operations in the UK, including organizations located there but not limited to them;
• Outside organizations that process the personal data of UK residents to offer them services or monitor their behavior.

It means that the Bill will apply to any business that processes data of UK residents, no matter its location.

Comparison between the previous Bill and its new version

The new law changes many definitions from the previous regulation. Most of the amendments clarify the meaning of specific terms or give more context to each specification.

The Bill updates the definitions of personal data, purpose limitation, and legitimate interests. It also applies new rules to data transfers, processing data related to scientific research, or the role of the information commissioner’s office (ICO) and data protection officer (DPO). In addition, it clarifies which organizations the new law will apply to.

Furthermore, the updated Bill gives organizations more flexibility regarding compliance by introducing a simple, clear, and business-friendly framework that will be easy to implement. It is less strict than EU GDPR rules, making it easier for organizations to comply.

Also, the reform is expected to unlock £4.7 billion in savings for the UK economy over the next ten years. In comparison, in 2021, data-driven trade generated an estimated £259 billion. At the same time, the law is raising concerns among privacy watchdogs, who claim it prioritizes the needs of business over the rights of individuals.

Below, we describe the most important differences between the different versions of the UK law and explain their impact on your business.

Personal data

Personal data used to be defined as any information relating to an identified or identifiable person. The updated version has amended this definition to help determine if the information relates to an “identifiable” individual.

It limits the assessment in two ways. First, it leaves the identification to the controller, processor, or any third party who will likely receive the information. Second, identification needs to be performed only by “reasonable means.”

These rules are much less restrictive than GDPR, especially regarding the definition of personal data. This amendment will most certainly be welcomed by businesses, but organizations focused on privacy compliance may not be in favor of this change.

Legitimate interest 

The term “lawful bases” refers to the grounds that make the processing of personal data legitimate. Lawful bases are commonly used to restrict processing personal information. One of them is legitimate interest.

Data that can be processed based on legitimate interest may include:

• Processing necessary for direct marketing communication of advertising materials directed to particular individuals;
• Processing necessary for internal administration;
• Processing necessary for the network and information system security of the network.

When applying legitimate interest, you must perform a three-part test and document the outcome. This test is usually called a legitimate interest assessment (LIA).

The assesment consists of: 

• The purpose test, in which you identify your purpose and decide whether it counts as a legitimate interest;
• The necessity test, in which you consider whether the processing is actually necessary for your identified purpose;
• The balancing test, in which you consider the interests and fundamental rights of the individual and whether these overrule your identified legitimate interests.

To decide the outcome, you need to weigh all the identified factors and decide if your interests should be prioritized over any risk to individuals. You should be as objective as possible. You can also prove the benefits that can justify any risks you have identified. 

The updated UK Bill will include a new “recognized legitimate interests” legal basis for specific important public interests, such as democratic engagement, national security, public security and defense, processing data necessary to the public interest, safeguarding vulnerable individuals, and detecting, apprehending, or investigating crime.

Controllers will most probably add additional purposes over time as Parliament passes the UK Data Protection and Digital Information Bill.

Cookies

Consent for using cookies and similar technologies is required in all circumstances unless their use is strictly necessary. Common examples include cookies:  

• Used to remember products a user wishes to buy;
• Essential to comply with the UK GDPR;
• Ensuring that the content of a page loads quickly and effectively;
• Used for analytics purposes;
• Used to recognise a user when they return to a website.

Under PECR, consent is required unless you meet the so-called “soft opt-in” exemption requirements. Currently, this is only available for commercial purposes or non-profits. However, it’s important to note that a charity cannot use it when collecting donations.

In the new Bill, the soft opt-in exemption will be extended to non-commercial organizations, covering consent:

• Given to further charitable, political, or other non-commercial objectives;
• Where contact details have been obtained while expressing interest;
• Where the recipient is given a clear and simple instruction to object.

As for cookies, a new list of exemptions to the requirement to obtain consent includes:

• Installing necessary security updates;
• Ensuring user preferences are followed;
• Collecting information for statistical purposes about how the website is used to make improvements.

This change will be crucial to many businesses who use analytics cookies in particular – as they have dealt either with the data loss or have been taking a risk-based approach to the possibility of enforcement action.

It remains unclear how the many exceptions to the requirement for explicit consent will be implemented.

Direct marketing

The previous Bill allowed non-commercial organizations to rely on soft opt-in for direct marketing purposes if they had obtained contact data from a person expressing interest.

The updated Bill introduces new obligations for providers of electronic communication networks. Specifically, they must notify the Information Commission (IC) of “any reasonable grounds” for suspecting a breach of the direct marketing rules. If organizations fail to comply, it could result in penalties.

What “reasonable grounds” means will be detailed in IC guidance. For now, the explanatory notes accompanying the Bill confirm that providers will not be required to intercept or examine communications.

While this provision will only apply to electronic communication service providers, it will likely increase awareness of non-compliant direct marketing communications. It could result in more enforcement action being taken in cases of direct marketing breaches.

International data transfers

The principles regarding international transfers of personal data under the Bill are the same as those under UK GDPR: data can only be transferred outside the country if the recipient is located in an adequate third country, the transfer is subject to appropriate safeguards, or the transfer is made in reliance of a derogation.

These amendments provide more flexibility for the UK government when considering UK adequacy decisions.

The EU may, however, raise concerns about the UK’s own adequate status, especially if onward transfers are subject to different protections than those provided in GDPR. The EU Commission must monitor if the country continues to provide an equivalent level of data protection, and if the issues cannot be resolved, it can amend, suspend, or repeal the decisions. Also, the EU Court of Justice will decide if the UK has provided adequate data protection to EU data subjects.

The EU and the UK have signed an adequacy decision facilitating data transfers. That’s why the EU Commission is monitoring compliance with these rules. If the UK starts applying loose data transfer standards, it may not be possible to maintain this decision.

Experts opinion

Sarah Pearce

Partner at the law firm Hunton Andrews Kurth

“The proposals around international data transfers are encouraging but somewhat unclear. If it means the UK would no longer require an analysis of the third country to which personal data is being transferred, it is potentially worrying from an adequacy decision perspective. It isn’t clear to me at this stage that this is what they are suggesting, we need more detail.”

This significant change will allow transfer risk assessments to consider proportionality and may provide organizations with options for a light touch review, such as where there is minimal or non-sensitive personal data.

Any mechanism used before the Bill takes effect, such as standard contractual clauses, will remain valid as appropriate safeguards. Therefore, the UK International Data Transfer Agreement and the UK International Data Transfer Addendum will continue to operate as mechanisms for transferring UK data.

Processing data for scientific research

The Bill clarifies the meaning of scientific research and its purposes. It includes processing data for any research that can reasonably be described as scientific. It applies to publicly or privately funded research and research carried out commercially or non-commercially. 

Automated decision-making and profiling

The UK GDPR defines automated decision-making as the process of deciding by automated means without any human involvement, based on factual data, as well as on digitally created profiles or inferred data. It includes decisions such as granting an online loan or assessing a skill test for recruitment that uses pre-programmed algorithms.

Automated decision-making often, but not always, involves profiling. Under the UK GDPR, profiling refers to any automated processing of personal data that involves evaluating certain aspects of personal life. Companies use profiling to learn about people’s preferences, predict their behavior, and make data-driven decisions.

In the updated Bill, the definition of an automated decision means involving no human intervention. Also, a right to human intervention will only be possible in the case of significant decisions, not ones that have legal effects concerning data subjects or affecting them.

Furthermore, profiling alone is not considered automated decision-making. When determining whether there was meaningful human involvement, it is necessary to consider the extent to which a decision was based on profiling.

For the new UK Bill to be applicable, there must be no human involvement in tailoring marketing to someone’s needs. Also, any legal or similarly significant effect on the individual is forbidden if profiling or automated decision-making is used.

The role of ICO and DPO

The new Bill changes the name of the ICO to the Information Commission (IC) and recreates its role as a corporate body. Changes are also proposed in practical areas, such as its governance structure, duties, and enforcement powers. 

It establishes the IC’s principal objectives, which are:

• Securing an appropriate level of personal data protection regarding the interests of data subjects, controllers, and matters of general public interest
• Promoting public trust and confidence in personal data processing

There will be valid concerns regarding the risk to the IC’s independence. The Secretary of State will be required to publish their reasoning for approving or not approving a statutory code or guidance produced by the IC to try and counteract this.

Experts opinion

Julia Lopez

Minister for Data and Digital Infrastructure

“The Secretary of State will have greater powers when it comes to some of the statutory codes that the ICO adheres to, but those powers will be brought to this House for its consent. The whole idea is to make the ICO much more democratically accountable (…) and I don’t believe that the concerns around ICO’s independence were justified or legitimate.”

Also, instead of a data protection officer (DPO), the new Bill stipulates that organizations should appoint a senior responsible individual (SRI) who is a part of the organization’s senior management. SRI would be responsible for data protection matters within an organization, with mandatory tasks including dealing with data breaches and complaints related to data processing.

New concepts included in the second version of the Bill

In addition to some changes in the existing definition from the previous Bill, the second version also introduces a few new concepts – the most important ones are detailed below. 

Digital identity

Digital verification services (DVS) are defined as services provided to any extent via the Internet at the request of an individual, such as:

• Establishing or verifying data about the individual from information provided otherwise than by the individual;
• Confirming to another person that the data about the individual has been established or verified from the information provided.

At this stage, individuals would apply to use the digital verification services, including creating a reusable digital identity that could then be shared in whole or in part with organizations requiring such information.

Smart data

The Bill proposes introducing smart data schemes in consumer markets. Generally, a scheme would allow a customer to require a data holder, such as a business or trader or its owner, to provide certain customer data to the customer or a third party. An existing example of such a scheme is open banking.

The Bill would give the Secretary of State and the HM Treasury powers to create more schemes like this, which are intended to create a wider open data economy that the UK government believes should benefit consumers and businesses.

At this stage, it needs to be clarified how these provisions will be applied, including, for example, which industry or industries they would focus on.

Experts opinion

Julian David

TechUK CEO

“The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU.”

What does the new UK Data Protection and Digital Information Bill mean for your business

The reforms to the Bill are intended to simplify data protection legislation for businesses. Although the Government states that the Bill is a new data protection system, it still holds on to the fundamental obligations, structure and principles of the UK GDPR.

Businesses already compliant with the UK GDPR will not be required to make any changes because of the Bill. Instead, it will clarify the existing framework and attempt to tackle some issues that can arise based on five years of experience with GDPR in practice.

However, organizations operating globally and with operations in the EU may need to update their data protection frameworks to take advantage of the changes proposed in the Bill. For example, they need to determine whether UK data can be separated from EU data to ensure that the changes proposed by the Bill do not apply to their entire data collection setup. This segregation may be difficult for companies that have treated UK and EU data similarly under one data protection governance framework for decades.

The new UK Data Protection and Digital Information Bill is more business-friendly than focused on supporting customers’ privacy rights. Its main goal is to decrease the amount of paperwork UK companies deal with regarding compliance with privacy regulations, which will save billions of pounds for the country’s economy. Also, it aims to support international trade by giving businesses more flexibility regarding compliance with the privacy framework. The law also wants to simplify rules regarding data used in scientific research, especially by increasing trust in AI technology, which would lead to new developments in the UK.

Experts opinion

Michelle Donelan

The UK Secretary of State for Science, Innovation and Technology

“This new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs. Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain.”

What’s next?

Currently, the Bill is with the UK Parliament in draft form. The third reading is still ahead and the final version may see more changes. Therefore, the timeline for implementing this version of the Bill, or any other amended version, is yet to be determined.

The legislation pushes the responsibility of data privacy onto organizations themselves. Still, most UK companies will welcome the changes, as the new regulation lowers friction and compliance costs. It will take some time to evaluate the true impact of the new Bill. However, it would be good for businesses to proactively share and appropriately protect sensitive information.

Critics of the legislation believe the Bill undermines fundamental rights to data privacy. They claim that it restricts data subjects’ rights, limits their right to review automated decisions, and turns the ICO into a government-controlled agency. There’s also a possibility that the new Bill will impact the UK and EU data adequacy agreement, as the EU may revoke this agreement if they feel the revised legislation fails to implement adequate safeguards.

Piwik PRO Analytics Suite allows you to collect data following the UK Data Protection and Digital Information Bill, GDPR, CCPA, and many other privacy laws. Read our blog for updates on this legislation and other privacy news. If you’re interested in learning more about privacy-compliant analytics, contact us.

The post What is the new UK Data Protection and Digital Information Bill and how it will impact your marketing and analytics appeared first on Piwik PRO.

Google Analytics, GDPR and the EU-US data transfer frameworks

The key compliance issue with Google Analytics is that it stores user data, including personal information about EU residents, on US-based cloud servers. Google LLC is also a US-owned company, meaning the data it collects becomes subject to US surveillance laws.

American citizens are protected by the Fourth Amendment, which gives them the right to be secure from unreasonable searches and seizures. However, individuals from other locations, including Europe, don’t get the same treatment. The US government authorizes its agencies to conduct mass surveillance on non-Americans through laws like the Foreign Intelligence Surveillance Act of 1978 (FISA 702) and Executive Order 12.333.

Anytime EU residents’ personal data leaves Europe and gets transferred to the US, there’s a chance US security agencies might investigate it. This creates a conflict between American law and the privacy rights provided to Europeans by legislations such as GDPR and the Charter of Fundamental Rights of the European Union (CFR).

Because of that, data transfers between the EU and the US must be governed by a special agreement attesting that information about Europeans is as safe in the US as it would be within the EU.

However, the history of the two previous deals – Safe Harbor and Privacy Shield – shows that the frameworks alone are not enough to protect Europeans’ data from US surveillance.

To give you a better context, let’s discuss the history of the two invalidated frameworks in more detail.

Safe Harbor Privacy Principles: What they were and why they failed

The International Safe Harbor Privacy Principles (Safe Harbor) from 2000 were the first legal framework regulating data transfers between the EU and the US.

With Safe Harbor, US companies could operate on the basis of self-certification. The list of firms relying on the agreement was over 5,000 names long and included technology giants such as Facebook and Google.

In 2015, Max Schrems, founder of privacy watchdog organization NOYB, complained to the Irish Data Protection Commission (DPC) about Facebook’s data-sharing practices. He accused the tech giant of gathering personal information from EU citizens and sending it to the US, making it available to the NSA. The case was then brought before the CJEU. The jury found that Safe Harbor didn’t adequately protect personal data from interference by the US government. The ruling known as Schrems I led to the invalidation of the agreement on October 6, 2015.

Everything you need to know about the Data Privacy Framework (Privacy Shield 2.0)

The strike-down of the Privacy Shield and its consequences for businesses using Google Analytics

Privacy Shield was meant to fix issues with Safe Harbor. It came into effect on July 12, 2016, a few months after the invalidation of Safe Harbor.

With the new deal, the European Commission strengthened the requirements of the self-certification program, but the framework had issues.

Max Schrems once again brought the complaint before the CJEU. He argued that data transfers from the EU to the US performed by the likes of Facebook still violate Europeans’ privacy rights under the new deal. In July 2020, the Court invalidated the Privacy Shield framework in the ruling known as Schrems II.

According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission.

On 4 June 2021, the Commission issued modernized standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

These modernized SCCs replace the three sets of SCCs adopted under the previous Data Protection Directive 95/46.

The invalidation of Privacy Shield and the status of EU-US data transfers

The aftermath of the Privacy Shield for Google Analytics users

In the absence of an adequacy decision regulating this data flow, sending user information to the US with tools such as Google Analytics became risky, especially since Google continued to rely on the same set of SCCs it used before the deal’s strike-down. Companies that used Google’s platform could face severe fines and damage to their reputation.

Right after the invalidation of the framework, the privacy watchdog organization NOYB, led by Schrems, filed 101 complaints against companies that collect visitor data through Google Analytics and Facebook Connect. This triggered a chain reaction in Europe:

• On January 12, 2022, the Austrian DSB released its ruling in the case of an unnamed German web publisher. The regulator stated that using Google Analytics to collect data on EU residents is unlawful under GDPR.
• In April 2022, CNIL ordered three French websites to stop using Google Analytics. In the following months, the Italian, Danish, Norwegian, and Swedish DPAs released similar statements concerning companies from their regions.
• In 2020, the European Data Protection Board (EDPB) formed a task force to help European authorities adopt a consensual approach to complaints. As a result, all verdicts by EU authorities have followed the same guidelines, speaking against the use of Google Analytics in Europe.
• The Dutch data protection authority, the AP, author of a manual on how to use Google Analytics in a privacy-compliant way, has declared that the usage of Google Analytics “may not be permitted.” Liechtenstein’s Datenschutzstelle has released a similar opinion to the one issued by the AP.
• The Austrian DPA has issued a second decision, which declares that GA’s IP anonymization is an insufficient protection measure for data transfers from the EU to the US.
• Following their earlier decision, France’s CNIL has issued revised guidance on the use of Google Analytics. Their FAQ suggested that EU-based organizations couldn’t use the tool without applying additional safeguards. The French authority has also stated that their view on Google Analytics has been a coordinated position of all European DPAs.

Meanwhile, the European Commission and US President Joe Biden’s office were developing a new framework to re-legalize data transfers between Europe and the United States.

EU-US Data Privacy Framework: Does it make Google Analytics GDPR-compliant?

On July 10, 2023, the European Commission adopted a new EU-US Data Privacy Framework, also known as Privacy Shield 2.0. The new agreement addresses some concerns raised by Schrems II, restricting how US spy agencies can gather intelligence and introducing new conditions for collecting individuals’ data.

US companies can enter the program by self-certifying and committing to comply with a specific set of privacy obligations. Google LLC has already joined the Data Privacy Framework Program.

This means that for now, organizations that follow the rules of GDPR can again use Google Analytics to collect data about EU residents. However, they need to be aware that the deal might not put an end to the EU-US data problem, considering that privacy watchdogs point out striking similarities between the new and the previous agreements.

The issues with the EU-US Data Privacy Framework

The European Data Protection Board (EDPB) and the European Parliament (EP) criticize the deal for not going far enough in addressing the underlying issue of bulk data collection by US law enforcement. The EP has even called on the European Commission to renegotiate or challenge the deal before the CJEU:

“[The European Parliament] calls on the Commission to act in the interest of EU businesses and citizens by ensuring that the proposed framework provides a solid, sufficient and future-oriented legal basis for EU-US data transfers; expects any adequacy decision, if adopted, to be challenged before the CJEU; highlights the Commission’s responsibility for failure to protect EU citizens rights in the scenario where the adequacy decision is again invalidated by the CJEU.“

The privacy watchdog organization NOYB has also called out the critical issues with the framework, including:

Lack of substantial changes to FISA 702 and EO 12.333

According to NOYB, the main issue around the deal stems from the fact that the US hasn’t softened its surveillance laws despite the CJEU’s opinion that they’re not “proportionate” and still allow US intelligence to monitor EU residents’ data. As the deal is already in force and European regulators have little leverage over the US government, Schrems doubts such reform will ever occur.

“We had ‘Harbors,’ ‘Umbrellas,’ ‘Shields,’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new,’ ‘robust,’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have them.” sums up Schrems.

Unsatisfying complaint options for EU residents

NOYB also criticizes the extent of the redress options available to EU residents and the secrecy of the decision process, citing the following problems:

• The institutions of DPRC and Civil Liberties Protection Officer are only partially independent from the US government and share many similarities with the concept of Ombudsperson introduced by the Privacy Shield. It’s especially important because the Ombudsperson mechanism was one of the reasons why the CJEU invalidated the previous framework. In the verdict, we can read that the Privacy Shield Ombudsperson is not a tribunal within the meaning of Article 47 of the Charter. US law does not afford EU citizens a level of protection essentially equivalent to that guaranteed by the fundamental right enshrined in that article.
• Individuals won’t have any direct interaction with the Court that will revise their complaints. Instead, the procedure will be initiated on their behalf by their local DPA and is supervised by an appointed special advocate.
• The justification behind each decision will be classified and unavailable to the complainant, which directly opposes the standards afforded by the EU juridical system.

Considering the heated debate around the new framework, we might expect new complaints to pop up within the next few months. NOYB has already announced its next steps:

“We have various options for a challenge already in the drawer […]. We currently expect this to be back in the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it,” says Schrems.

French parliament member Philippe Latombe has also shared his plans to challenge the EU-US data transfer agreement before the CJEU:

“The text resulting from these negotiations violates the Union’s Charter of Fundamental Rights, due to insufficient guarantees of respect for private and family life with regard to bulk collection of personal data, and the General Data Protection Regulation”, explains Latombe.

Google Analytics and GDPR compliance: Other unresolved issues

Transatlantic transfers of personal data were the most pressing issue with Google Analytics regarding GDPR, but they’re not the only ones. Norway’s DPA, Datatilsynet, points it out in the statement released right after the introduction of the new framework:

“What until now had been a major problem with Google Analytics seems to have been solved. That said, we do not rule out that there may be other privacy challenges with the tool. Anyone who chooses to use an analysis tool on their website is also responsible for ensuring that the use of the tool complies with privacy rules. The transfer of personal data to countries outside the EEA is just one element that must be checked.”

Organizations that want to collect data through Google Analytics still need to carefully assess how it will impact their compliance. Below, we list a few factors to keep in mind.

Google uses visitor data for its own purposes

Google uses data from Google Analytics to improve its services. As you can read in Google’s Privacy Policy & Terms:

“Google uses the information shared by sites and apps to deliver our services, maintain and improve them, develop new services, measure the effectiveness of advertising, protect against fraud and abuse, and personalize content and ads you see on Google and on our partners’ sites and apps.”

If you have Google Analytics code on your website and enable data sharing, advertisers in Google Ads know your visitors’ preferences based on the content they consume. That, in turn, allows Google to target those users with advertising.

For any organization that requires full data privacy, this is alarming. The most privacy-friendly option is to disable data sharing. The downside is losing access to many functionalities, including personalized retargeting of Google Ads products and demographic data reports.

Google Analytics doesn’t offer a reliable consent framework

As we mentioned earlier, Google Analytics collects unique user identifiers by default. Using such identifiable data requires the user’s consent. That takes us to the last topic – managing visitor consent and data requests with Google Analytics.

IAB’s transparency and consent framework

Google initially tried to assign the task of collecting visitors’ consent to publishers and Google Analytics users. They had to implement a third-party consent management platform or devise their own way of satisfying the demands of EU law.

An agreement between Google and IAB Europe has signaled a shift in this approach.
That said, the integration is very limited in the types of consent it allows you to obtain. It covers only data collection purposes related to the advertising features of Google Analytics.

Moreover, the IAB’s consent framework is considered unlawful in some European countries.

In November 2021, the Belgian data protection authority ruled that the framework violates GDPR. IAB Consent Framework saves users’ preferences in the form of a unique Transparency and Consent (TC) String, which can be linked to an individual.

According to Belgium’s DPA, the IAB failed to establish a valid legal basis for processing such data. It also doesn’t provide users with the information necessary to understand how IAB uses the collected information.

In March 2022, IAB Europe appealed the decision before Belgium’s Market Court. We’re still waiting for the final verdict on the case.

Read more about the decision of Belgium’s DPA here:

• The BE DPA to restore order to the online advertising industry: IAB Europe held responsible for a mechanism that infringes the GDPR
• Belgian Market Court Refers IAB Europe Ruling on TCF to The European Court of Justice: IAB Europe Statement

Google Consent Mode

The second option proposed by Google is Consent Mode. Consent Mode is Google’s response to data losses resulting from the consent requirements imposed by GDPR and other data privacy laws.

Consent Mode interacts with your third-party or custom-made consent management platform (CMP). It’s an API that determines how Google’s tags and scripts behave on websites according to the user’s consent preferences. There are two new tag settings that allow advertisers to manage cookies for analytics and advertising purposes: analytics_storage and ad_storage.

Consent Mode v2

In November 2023, Google launched Consent Mode v2, an updated version of the API intended to better respect users’ privacy and their consent choices. 

Consent Mode v2 introduces two new parameters: ad_user_data, which is used to determine whether the user gives consent for Google’s advertising purposes, and ad_personalization, which controls whether data can be used for personalized advertising. When these two new parameters are not “granted”, it will not be possible to build specific audiences and run personalized advertising on Google Ads in the EEA region.

At the moment, GA4 works well even if Consent Mode is not used. However, if GA4 data is used to feed ad audiences through the GA4 and Google Ads integration, relevant consent signals are needed. Changes to Consent Mode concern Ads and audiences, such as audience building and remarketing.
 
Google Consent Mode v2 runs through a consent management platform (CMP), meaning it receives the signals from whether a user has given consent or not via the banner. To use Consent Mode v2, you need to get a Google-certified CMP. To ensure the quality of your audiences and measurement in Google Ads, you need to implement consent mode v2 before March 2024.

Basic and Advanced Consent Mode

There are two ways to implement Consent Mode:

• Basic Consent Mode blocks tags from firing altogether when relevant consent is not granted. As a result, no information is collected for analytics or ads purposes. This option still enables some conversion modeling in Google Ads.
• Advanced Consent Mode involves sending cookieless pings to Google even if consent is not granted. This allows for behavioral modeling and enables full advertising capabilities. At the same time, it does collect user data even in the absence of consent.

Although the cookieless pings in Advanced Consent Mode are meant to be “anonymous”, they still raise privacy concerns. First, the platform continues to collect user data without the user’s permission. The hit sent to Google still contains the user’s IP address and potentially other unique identifiers, such as device information, user_id or transaction_id. As gathering this information is not strictly necessary and involves collecting personal data, you can do it only with visitors’ consent. 

According to Brian Clifton, Ph.D., privacy and data analytics expert: “If a visitor explicitly states they don’t want to be tracked or have their data processed – beyond the category of what is ‘strictly necessary’ for the functioning of the site or app – and you as the data processor ignore that request, you have just deliberately broken the rules of GDPR and the ePrivacy Directive. In fact, most likely any privacy law regardless of jurisdiction.“

In the end, compliance risks are significantly smaller when using Basic Consent Mode. Consult your legal team to review what regulations you fall under and what specific data is collected before deciding which implementation you use.

• What is privacy-friendly analytics?
• Key limitations of Google Analytics

Google Analytics and GDPR – frequently asked questions

Does Google Analytics collect personal data?

It does. In its processing terms, Google Analytics forbids users from collecting all types of personal data other than:

Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers

On top of that, GA anonymizes certain pieces of data about visitors, including IP addresses. However, it still uses identifiers that qualify as personal data. According to Austria’s DBS:

The “anonymization function of the IP address” is not effective, since the data – as explained in more detail above – is processed by the second respondent for at least a certain period of time. Even assuming that the IP address was only processed in servers in the EEA within the period of time, it should be noted that the second respondent can nevertheless be obliged by US intelligence services to hand over the IP address under the relevant law of the USA

This means that data collected with Google Analytics is subject to GDPR.

Does Google Analytics 4 share the same GDPR compliance issues as Universal Analytics?

The short answer is: yes. Despite changes in privacy settings, Google Analytics 4 still collects personal data (unique user identifiers) and processes it outside the EU. Finally, Google Analytics 4 is still a product developed and maintained by Google – a US entity subject to US data surveillance laws such as FISA and the EO 12.333.

Can I use data encryption and pseudonymization to make Google Analytics more privacy-friendly?

According to some data protection authorities, including Datatilsynet and CNIL, additional privacy measures might solve some privacy issues with GA. A lawful implementation of the platform involves:

• Making sure Google Analytics fires scripts only after the user’s consent.
• Setting up analytics server-side and deploying it on EU-based and -owned servers.
• Getting rid of all personal identifiers (such as user identifiers, IPs, user-agent, cross-side identifiers, referrer URL, full page URL including data in UTM tags and custom dimensions that may hold personal data) before sending data to the US.

This setup is pricey and difficult to maintain. On top of that, it limits your analytics capabilities drastically. Among other things, you won’t be able to:

• Measure the performance of marketing channels – you won’t know which sites, channels or campaigns bring sales and which don’t. You’ll lose a foundation on which budget optimization can be performed.
• Track the customer journey and funnels on the site – for example, where the customer drops off before making the purchase. So there’s no data on how to optimize the onsite conversions.
• Geolocation – you won’t know where your visitors/conversions are coming from (the information is derived from the IP address).

If this configuration is impossible or unfeasible in your case, consider replacing Google Analytics with software satisfying EU privacy standards.

Can I use server-side tracking to make Google Analytics more privacy-friendly?

Using a proxy server gives you better control over the pieces of data you send to Google. Among other things, it allows you to delete user unique identifiers before they reach US data centers and become subject to surveillance laws.

That said, maintaining this configuration involves serious costs. On top of that, without unique user identifiers, GA won’t be able to connect events into sessions. This makes it impossible to analyze the customer journey, funnels or attribute conversions.

Considering these offsets, it might be more effective to do analytics with a privacy-friendly platform that doesn’t require such sacrifices.

Read more: Server-side analytics tracking with first-party collector: What you need to know

What GDPR compliance settings are available in Google Analytics?

The list of Google Analytics settings designed to help you comply with GDPR involves:

• Data deletion mechanism – In Google Analytics, you may delete information about visitors if they request it. That said, this functionality works only for whole categories of data. The list includes all page titles, event labels, event categories, event actions, custom dimensions or user IDs you’ve collected in a given time range. To delete data based on a cookie or user ID, you must employ the Google Analytics User Deletion API, which requires some coding skills.
• Data retention settings – Google has introduced new data retention settings. This allows you to control how long user data is stored before being automatically deleted. In Google Analytics 4, you can choose between 2 and 14 months of data retention.
• New privacy policy – Google has also included new GDPR terms in the standard contract, where it defines itself as the “data processor” for Analytics and Analytics 360.
• Updated data processing terms – Google has significantly changed its data processing terms. These terms also act as a data processing agreement. The new document lists your responsibilities, such as informing and obtaining valid consent from European residents.
• Privacy settings – These include cookies, data sharing, privacy controls, data deletion on account termination and IP anonymization.
• No data sharing with third parties by default – Some features of Google Analytics 4 that require sharing data with the Google ecosystem are now turned off by default. This includes, for example, signals – session data from sites and apps concerning logged-in users used for personalized advertising and remarketing.
• Google consent mode – Google Analytics now has a special consent mode that allows you to employ AI-based conversion modeling whenever visitors decline consent to tracking.

Google Analytics and GDPR: How to prepare for any scenario

Companies concerned that the new complaints will lead to Schrems III or those unsatisfied with Google Analytics’ approach to user privacy should consider more future-proof options for collecting data under GDPR.

Since verdicts such as Schrems II work retroactively and don’t include any grace period, it makes sense to prepare for any scenario before the potential ruling hits the headlines.

Here are some of the possible choices:

• Transfer limitations/exclusions and data anonymization. Big tech software relies heavily on user identification and data transfers. Limiting the transfers or stripping the data of personal information helps overcome this issue, but it comes at a price. For example, when Google Analytics is configured to meet GDPR standards (for example, according to France’s CNIL guidelines), it loses most of its capabilities.
• Updating the technology stack with EU alternatives. Schrems II opened the market for EU companies offering business and marketing software with local EU hosting. These alternatives allow organizations to become completely independent of the transatlantic data transfer ordeal.
• The less privacy-focused option is to choose an analytics platform with fewer privacy features and mitigate compliance risk by applying additional security measures. However, these solutions will still send the data to servers based in the US or owned by US companies, to which US surveillance laws apply.

If you’d like to learn more about Google Analytics alternatives, check out our detailed product comparisons:

• Google Analytics alternatives – free and paid.
• Compare 7 free web analytics platforms (product analytics included).
• Piwik PRO vs. Google Analytics & Google Analytics 360.

To get more information on how Piwik PRO Analytics Suite helps you follow GDPR, reach out to us. We’ll be happy to answer your questions.

The post Is Google Analytics (3 & 4) GDPR-compliant? [Updated] appeared first on Piwik PRO.