Google Analytics has been in the privacy news recently. In April, the Austrian data protection authority ruled that Google Analytics use was in violation of the EU’s GDPR. Then last week, the CNIL (France’s data privacy regulator body) issued updated guidance that the use of Google Analytics violates GDPR because it illegally transfers data from the EU to the United States.
For marketers that rely on Google Analytics for mission-critical information, this news can be disheartening. The balance between creating tailored experiences that are ultimately more enjoyable and respecting user privacy can be precarious, like Erich Brenn spinning plates to balance them atop wavering poles. As both technology and regulations rapidly evolve, Osano seeks to be an enabler to help you respect user privacy, comply with global regulations, and get the most out of your digital assets.
In light of the latest changes in the privacy landscape, we’re updating Osano to provide you with what we believe are the best options available. Read on to learn about our new Google Analytics toggle and some of the complex nuances behind the simple new addition to Osano Consent Management Platform (CMP).
UPDATE: Italy has also been added to the block list based on recent guidance.
Implications of the CNIL ruling
For organizations that have website visitors in France and Austria, this ruling now requires some difficult choices. On the one hand, continuing to use Google Analytics opens up liability to fines and penalties. On the other hand, there aren’t many options available beyond disabling your use of Google Analytics altogether and completely losing that data for all of your users.
At Osano, we think both of these options are tough pills to swallow, so we’ve built a feature to help our customers navigate these compliance waters.
Introducing the block list toggle for CMP
Osano CMP works by blocking or allowing tags (cookies, scripts, and iframes) based on their classification along with the consent choices of each web visitor. If a visitor consents to analytic tags but does not consent to marketing, then Osano will allow analytics cookies and block all marketing cookies.
With the latest guidance from CNIL, Osano has now created an override block list that will always block particular tags in particular regions. These same tags follow standard classification and consent rules in other regions. Today, the toggle only blocks Google Analytics in France and Austria. However, the CNIL ruling has implications that are broader than Google Analytics alone. Language in the ruling talks generally about “audience measurement tools.” Other legislative bodies may also create similar restrictions in the future, so it is possible additional tools and regions could be added to the block list in the future.
How we approached this problem
We continually take the pulse of the legislative privacy landscape and adapt to rapid changes. The Google Analytics scenario in Europe is one we’ve been monitoring from the start. When the original guidance came from Austria, our legal team looked at the situation and arrived at the general recommendation that continuing to use Google Analytics would not violate GDPR for organizations as long as they enabled Google Analytics’s IP anonymization feature.
The latest guidance from CNIL in France goes a step further to say that it is not possible to configure the Google Analytics tool so as not to transfer personal data outside the European Union.
With this updated information, we began to look for a way to help our users comply with GDPR in France and Austria. Google Analytics doesn’t have a feature that lets you disable data transfers for a subset of users by region, so this leaves most folks in a place where their only course of action is to disable Google Analytics altogether.
A core feature of Osano CMP is to serve different content to users based on their geolocation so they get an experience tailored to comply with the specific regulations in their region. Because this is already a built-in part of the way Osano CMP works, we were able to create the block list to selectively block Google Analytics only in France and Austria.
Should you enable the toggle for your account?
|ProTip: To qualify for Osano's "No Fines, No Penalties" pledge, you must enable the block list toggle.|
Our strong recommendation is for all accounts to enable the block list. However, we understand that this may not be feasible for some customers. We wanted to be sure to describe the tradeoffs so that you can make an informed decision.
- Enabled: Google Analytics will be blocked for France and Austria. You will be compliant with GDPR, but you will not receive any tracking information for these regions.
- Disabled: Google Analytics will continue to be blocked/unblocked based on your tag categorization and how individual web visitors consent. You will not be compliant with GDPR and run the risk of being penalized. As such, you will not qualify for Osano’s “No Fines, No Penalties” pledge.
Log into your Osano account and navigate to the Consent Management tab to get started with the block list toggle. You’ll see the toggle as an option within each configuration.
Starting today, all newly generated configurations will have the toggle enabled by default, and it can be manually disabled.
On your existing configurations, the toggle will be disabled. In order to take advantage of the block list (and qualify for the “No Fines, No Penalties” pledge), you’ll need to manually enable it on your existing configurations and republish your configuration for it to take effect. If you have a large number of configurations to manually update, reach out to our support team for assistance.
For more information see the user documentation, or reach out to our support team with any questions by using the in-app chat.
- Image attribution: Plate spinning by Henrik Bothe CC BY-SA 4.0
-  https://techcrunch.com/2022/02/10/cnil-google-analytics-gdpr-breach/
-  https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/questions-reponses-sur-les-mises...
-  English translation: https://www-cnil-fr.translate.goog/fr/cookies-et-autres-traceurs...
Business, Business+, Enterprise