Note d'experts

GDPR Report: How to Use Google Analytics Following CNIL Announcements?

Olivier Chubilleau
Olivier Chubilleau
Mis à jour : 26 nov. 202512 min read

Foreword

This report aims to provide the Data Marketing and Privacy community with our perspective on using Google Analytics in light of GDPR, the French Data Protection Act (Loi Informatique et Libertés), and various CNIL announcements, particularly those from February 10 and June 7, 2022.

EdgeAngel is not a legal expert firm. We therefore invite readers to maintain the necessary critical distance regarding our interpretations and to open discussions with us if analyses and conclusions differ: [email protected] 👋

Regulatory Framework and CNIL's Role Reminder

The European General Data Protection Regulation (GDPR)

"This new European regulation follows on from the French Data Protection Act of 1978 and strengthens citizens' control over the use of data concerning them. It harmonizes rules across Europe by providing a single legal framework for professionals. It enables them to develop their digital activities within the EU based on user trust." (Source: CNIL; more details on GDPR)

Who is concerned?

Any organization whose activity is in the European Union and that processes personal data (Art. 3 of GDPR).

What is personal data?

"Personal data" contains "any information relating to an identified or identifiable natural person". Personal data is data that allows direct or indirect identification of a user (Art. 4 of GDPR; more details)... under penalty of sanctions ranging from formal notice to potentially significant fines, not to mention the reputational damage to the brand.

Article 82 of the French Data Protection Act

This is a French law article that complements GDPR.

This article states that users must be informed about the purpose of data collection and offered an opt-out mechanism. Unlike GDPR, this text encompasses all data associated with the browser and electronic device: this article does not only concern personal data. It clearly specifies that user consent is required to collect this data.

This law also provides an exemption framework. For this, data collection must:

  • have "the exclusive purpose of enabling or facilitating communication by electronic means"
  • or be "strictly necessary for the provision of an online communication service at the express request of the user"

CNIL relies on this article to indicate that its scope of intervention is not limited to GDPR and the use of personal data, but extends to all trackers and tools that can interact with user navigation (writing and reading cookies or storage) and that do not fall within the exemption framework (subject to interpretation).

CNIL's Role

CNIL is an organization responsible for enforcing GDPR and the French Data Protection Act. It has all the necessary authority to issue formal notices or sanction organizations that do not comply with the rules through complaints or other active measures. CNIL writes directives and provides recommendations. It justifies formal notices with regard to GDPR or legal texts (particularly the Data Protection Act) but is not mandated to adapt and write new rules. Furthermore, its interpretation of regulations and laws can be challenged before competent authorities such as the Council of State or the Court of Justice of the European Union (CJEU).

Analysis and Implications

  • If no personal data is processed within the meaning of GDPR: by definition, the regulation does not apply. The definition of "personal data" is key in configuring the audience measurement tool.
  • All trackers are subject to Article 82 of the French Data Protection Act. This raises the question of what constitutes this "exclusive purpose of enabling or facilitating communication by electronic means" and what would allow exemption from it.

Consent Exemption for Audience Measurement Tools

Context

CNIL communicates about specifications to be met to allow audience measurement tools to be exempt from consent. Note: to claim consent exemption, it is not necessary to use a tool listed by CNIL.

Update June 2023: CNIL's evaluation program that only lists examined analytics solutions is now complete. We can assume that CNIL will never make a decision regarding GA4. Source.

What legal logic?

Given that CNIL is not supposed to adapt the law but rather interpret and enforce it, we can reasonably think that this exemption framework allows:

  • (1) to configure the tool so as not to process personal data and thus fall outside GDPR directives;
  • (2) to make the audience measurement solution compliant with the exemption criterion of the French Data Protection Act (Art. 82) of an "exclusive purpose of enabling or facilitating communication by electronic means".

This is indeed what CNIL says on the page specifying the elements of the specifications:

"In order to limit themselves to what is strictly necessary for the provision of the service and thus be exempt from consent in accordance with Article 82 of the French Data Protection Act, these trackers must...".

Opposition to collection for a tool exempt from consent?

  • In a guide still visible on GitHub, CNIL recommended providing an opt-out mechanism (cookie opposition).
  • Publishers whose file has been validated by CNIL offer this configuration during specific setup to activate the exemption.

However, we do not find a legal framework that would justify this point: GDPR is not applicable because no personal data is processed (1) and Art. 82 (2) does not indicate the need to provide an opposition mechanism when within the exemption framework. CNIL seems to have removed this element from the specifications since then, which strongly suggests that there is no legal framework on this point. If this analysis is legally correct, site managers should not be required to comply with it to claim consent exemption.

Data transfer abroad for tools exempt from consent

CNIL's specifications allow (1) not to collect personal data within the meaning of GDPR and (2) to fall within the exemption framework of Article 82 of the French Data Protection Act.

If complied with, there should be no legal barrier to sending data abroad, as GDPR does not apply.

This is indeed an approach validated by CNIL itself with the highlighting of a proxyfication solution for Google Analytics aimed at removing all personal data but not blocking data transfer to Google's server located in the United States.

The mention "Also be attentive to possible data transfers outside the European Union that could be carried out by your solution provider" on the page dedicated to consent exemption seems vague to us and therefore appears to have no legal basis.

Should my measurement tool be exempt from consent?

Tools that can benefit from consent exemption are so from the moment a specific configuration limiting data collection has been implemented.

Limiting data collection is not necessarily the most suitable solution if it limits its activation. The site manager will have to make a decision on this issue and in particular move as much as possible towards tools with hybrid configuration: with consent when collecting useful data (within the GDPR framework) and without consent when limiting collection to essentials (Art. 82 of the French Data Protection Act).

CNIL Announcements Regarding Google Analytics Usage

Context and Facts Reminder

CNIL announced on February 10, 2022, that it issued a formal notice to a French website manager using Google Analytics (likely in its Universal Analytics version) indicating that in the current configuration:

  • the tool is subject to GDPR because it collects personal data (particularly the visitor's IP address and the Google Analytics Client ID identifier, stored in the "_ga" cookie);
  • Google does not provide sufficient legal, organizational, and technical guarantees regarding the transfer of personal data to the United States (Art. 44, 45, and 46 of GDPR). Indeed, CNIL recalls that the agreement between the European Union and the United States on data transfer (Privacy Shield) was invalidated in 2020 by the Court of Justice of the European Union;
  • no element, according to CNIL, allows activation of exemption clauses on data transfer (Art. 49).

CNIL then clarified on June 7, 2022, that regardless of the configuration performed, if Google Analytics (possibly in its Universal Analytics version) is used with personal data, this use of Google Analytics can be considered illegal.

What personal data is concerned?

At a minimum, the personal data concerned are the Google Analytics visitor identifier (GA Client ID, stored in a cookie) and the visitor's IP address.

Depending on the tool's configuration, other identifiers may be added to this data, such as a user or customer identifier in the site manager's database, or online order identifiers. Parameters transmitted in the URL and related to traffic source can also be considered personal data if they carry overly precise information (for example: the Google Gclid click identifier used in the association of Google Analytics and Google Ads products).

Note: the Google Analytics client identifier (which is stored in the 1st-party "_ga" cookie) becomes personal data when sent to other Google services (for example the Google Ads platform) and this allows Google to reconcile this identifier with an IP address. Therefore, attention must be paid to the linking between different Google tools which can change the personal nature of data!

Implications

CNIL's announcements go beyond simply using or not using Google Analytics and question the use of all solutions published by companies with capital or organizational ties to a parent company outside the European Union, particularly the United States. Other solutions such as Google Ads or those published by Meta (Facebook) are also in NOYB's crosshairs.

What are the resolution pathways for using Google Analytics currently?

Pathway 1 - Modification of the framework related to data transfers to the United States

Can Google evolve its analytics tools to provide sufficient guarantees for data transfers according to CNIL?

Google has made changes to its analytics tools since CNIL's first communications in 2022:

  • Google Analytics Universal Analytics will stop collecting data from July 1, 2023, giving way to the new version of Google Analytics: Google Analytics 4 (GA4).
  • The processing of European visitor IP addresses is evolving on GA4: since June 13, 2022, no European IP is sent to an American server and the site manager has the option to disable device data for certain countries.
  • In standard GA4 reports, Google has introduced a threshold concept in reports: certain data does not appear in reports if it does not meet a certain level of aggregation and could allow specific identification of a user.

💡 EdgeAngel's Opinion

This involves complex geopolitical issues. It seems difficult for the European Union to be strict with Google and consequently with all other American companies that publish audience measurement and advertising tools. For its part, Google is investing significantly to adapt its tools to the regulatory framework (cf. end of GA UA and GA4 evolutions) and it's hard to imagine Google withdrawing from the European market. We estimate that this should be resolved at this level, even though in the meantime the responsibility lies with site managers who use these solutions.

The EU-US agreement on personal data transfer is taking shape: "The European Commission finds that the United States ensures a level of personal data protection equivalent to that of the European Union. Personal data transfers from the EU to certain American organizations can now be carried out freely, without specific framework." (Source: https://www.cnil.fr/fr/transferts-de-donnees-vers-les-etats-unis-la-commission-europeenne-adopte-une-nouvelle-decision) - Google is indeed part of the list of organizations authorized by the new agreement (Data Privacy Framework). ➜ We are clearly moving towards this resolution pathway.

Pathway 2 - Exit the GDPR framework, for example with a proxyfication method

A solution highlighted by CNIL in the June 7, 2022 communication consists of removing Google Analytics from the GDPR framework and therefore from the issue of data transfer to the United States by using a proxy server.

How?

  • By sending data to a proxy server (for example with Google Tag Manager Server-side) allowing to "regain control over data", particularly with specific configuration to anonymize the visitor's IP address as well as all personal data before sending them to Google's servers.
  • CNIL recommends removing other information such as the referrer (source of origin) and parameters contained in the URL allowing identification of traffic sources.
  • Also by disabling all functionalities or associations with other Google products for advertising purposes (Google Signals, Google Analytics and Google Ads association, etc).

Limitations

  • The configurations indicated and recommended by CNIL can denature the Google Analytics tool and make data activation impossible (i.e., its use for marketing optimization purposes)
  • Implementing this type of "proxyfication" solution requires advanced expertise and also involves costs and maintenance.

Questions

It is surprising that CNIL considers the referrer or UTMs as personal data or as questioning the exemption of Art. 82 of the French Data Protection Act, given that this type of data is authorized for other tools that benefit from consent exemption. From our understanding, the same rules should be applied for all tools in this specific case: what is the legal basis here for authorizing Matomo Analytics, and not Google Analytics, to collect information about traffic source in a specific configuration aimed at not processing personal data and activating the Art. 82 exemption?

Other pathway: challenging CNIL's interpretation

CNIL's judgment has not been challenged so far. Given that we are dealing with a very technical subject subject to interpretation, it cannot be ruled out that CNIL's judgment may be the subject of an organized defense from advertisers and other stakeholders: is the interpretation of Articles 44, 45, 46, and 49 valid?

Should user consent be obtained for these different scenarios?

Resolution pathway 1 (modification of the framework related to data transfers to the United States) 👉 Yes, explicit consent is necessary. Google Analytics will continue to process personal data (particularly for activation) and must be considered as subject to consent.

Resolution pathway 2 (exit the GDPR framework, for example with a proxyfication method) 👉 No, consent would not be necessary. If you have a specific configuration, for example based on proxyfication to exit GDPR, you will have to comply 100% with the specifications for consent exemption at the same time.

What about Google Consent Mode in all this?

  • Google Consent Mode is a feature available on Google Analytics and Google Ads allowing the implementation of minimal data collection as long as the visitor has not given positive consent to these tools.
  • To date, with this feature Google Analytics 4 is not part of the list of solutions with a file validated by CNIL regarding consent exemption. This does not necessarily mean that it cannot meet the various criteria for claiming consent exemption.
  • Used with Google Analytics 4, this minimal data collection mode could allow it, particularly with the fact that there is no GA Client ID stored in a cookie, that no European IP address is transferred to the United States with GA4, that minimum aggregation thresholds are applied in GA4 reports, that imports and exports of non-aggregated data are not available by default, etc.

Summary and EdgeAngel Convictions

To date (summer 2022), it is too early to make a definitive statement on the Google Analytics issue, particularly with the arrival of GA4, the scheduled end of GA UA, and the new European Union - United States agreements.

  • Hastily disconnecting Google Analytics could be costly for certain players who are particularly dependent on Google Ads / DV 360: cost of migration to another tool, team training, and use of less efficient tools for activation.
  • For other players less "Google dependent", migration to a tool that presents more guarantees in CNIL's eyes could be a valid option to prevent potential legal risks and reputational damage.

Each player, with the support of their legal and analytics partners, must build their own data collection strategy based on their risk assessment.

Alongside this, the Analytics community (agencies, experts, freelancers), legislators and regulators, the Data Protection Officer (DPO), and Google still have work to do to clarify gray areas and work towards implementing tracking systems that respect personal data and are effective for site managers.