Can I use Google Analytics on my UK Website?

14th June 2022 Commercial Litigation

Many businesses, in the UK and elsewhere, use Google Analytics on their website to get a clear idea of how people are moving around their websites, where those people come from, what pages are popular, and which are not. This is distinct from the use of Google DoubleClick or other similar technologies which relate to advertising and solely looks at users on the home website. However, this data is quite intrusive and provides the website with information such as the type of computer in use and the operating system. At its worst it has been used to present pricing which is higher for users of Apple Mac’s as they are deemed to be likely to spend more.

Google asserts that this is a secure and anonymous service. Indeed, they have an anonymous tracking function which does not send personal data to Google’s servers. Google are also a bit underhand about all this and their contracts are carefully designed to make clear that they are not responsible for what is done with their tools and that no personal data should ever be sent to them. However, every person is given a client ID which is a unique number, even if it is anonymous tracking. Coupled with the other metadata concerning the use of a website this would actually be enough to allow someone to be identified so it is not particularly anonymous. Therefore, the use of Google Analytics does involve the transfer of personal data to Google. This is a transfer to the United States, which is where Google has its servers, and so this is an uncontrolled transfer to the USA which is not permitted by the GDPR without signing appropriate Standard Contractual Clauses (which Google has), carrying out an appropriate impact assessment (which website owners are supposed do but frequently do not), and having an appropriate justification (which EU data protection authorities generally do not accept exists). This was the clear view of both the Austrian and French data protection authorities in complaints brought before them. Other European data protection authorities have indicated that they would be likely to take a similar approach were this issue to be brought before them. Google is updating its analytics tools to reduce the amount of data transferred and websites are seeking to take steps to minimise or anonymise analytics transfers. However, the main data protection authorities in the EU are not at all happy about analytic data going to the US at the current time. However, for EU companies there is a light at the end of the tunnel in the form of a new EU-US transfer agreement which will pave the way for easier data transfers to and from America.

The UK in principle has the same issues with Google Analytics as the EU. The relevant law is the same. Adding to the woes of UK companies is that the EU-US data transfer agreement is not applicable to the UK as one of the consequences of Brexit. At the current time there is no clear path to a UK-US agreement save for noises from the UK government that this would be desirable. Whether this is matched by US interest is unclear. The UK has also announced a new Data Reform Bill to ease some of the GDPR for the UK. This may well include easing data transfers to the US. It is also notable that the UK data protection authority, the ICO has been very quiet on the Google Analytics situation and has not said anything about whether or not it considers its use to be a breach of the GDPR or not.

So what is a UK business to do? First, it is a requirement of the Privacy and Electronic Communications Regulations (PECR) that permission is sought for the placement of tracking cookies on a user’s computer before this happens. Businesses using Google Analytics must implement this properly. Second, businesses using Google Analytics should carry out an impact assessment on the transfer of personal data to the US which inherent in the use of that tool and should justify the use of Analytics and seek to minimise the negative effects. Relying on the lack of interest of the ICO may seem smart but it should be remembered that individuals can seek redress through the courts for misuse of their data on their own account, so the fact that the ICO is not interested is not a genuine shield for companies. Therefore, companies might also consider the use of EU or UK based GDOPR-complaint analytics tools which they can operate without any concern as to the future of Google Analytics in the UK. However, this will require work and cost to migrate websites from one system to the other and work in transferring data if long-term trend data is not to be lost.

We're Social

David Smith is a Partner located in Londonin our Commercial Litigation department

View other posts by David Smith

Let us contact you

*
*
*
*
*
*
View our Privacy Policy

Areas of Interest