Server-side tracking at the service of compliance

Data Architecture 28 November 2022

Recent regulatory uncertainty regarding transfers of personal data between the EU and the US, together with the particular case of Google Analytics, has been influencing the activities of legal, digital, and marketing departments within French and European companies. This article aims to give an overview of the different possible reactions and to lay out a proposal based on server-side measurement technology.

Since February 2022, the CNIL (French Data Protection Authority) has given formal notice to three website managers using Google Analytics to comply with GDPR and, if necessary, to stop using this tool under the current conditions. These website managers have been accused of not sufficiently securing personal data entrusted to a solution provider under American law. Google LLC, which is subject to the Cloud Act, is indeed obliged to provide the US government with the personal data that would be required by virtue of FISA 702.

Since then, how has the market responded and what solutions have emerged?

In spite of the legal risk that Google Analytics users are facing, the market has not fully given up on the tool yet. In the short term, the priority has been to:

  • Audit one’s data collection and verify the implementation of all existing security mechanisms;
  • Collect the additional guarantees that would make it possible to answer the objections of the formal notice. This implies listing the additional safeguards protecting against the exposure of personal data under FISA 702;
  • Analyze the alternative analytics tools and document migration plans to be able to activate them quickly.

In the longer term, the most stable solution must be a regulatory one that goes well beyond Google Analytics, seeing as any US-based controller or processor of personal data is potentially affected (just think of Microsoft, Salesforce, and Apple…). The US government and the European Commission have announced an agreement in principle on a new legal framework. However, this framework shouldn’t be finalized, at best, until the end of 2022, and the authorities have made clear that there wouldn’t be a moratorium until then.

Carefully monitoring the solutions that minimize or secure personal data is essential. With GA4, Google has announced a few breakthroughs such as the deletion of IP addresses and the reduction of other collected information. The CNIL has not yet commented on these announcements, and one cannot tell whether they will be deemed sufficient.

As a company with an online presence, being able to fully guarantee privacy is indispensable. This implies maintaining control over the data that is sent to all platforms, whatever they are. The CNIL describes this control when it mentions the principle of “proxification” in its article explaining why the Universal Analytics version of Google Analytics doesn’t provide sufficient protection. This system aims to eradicate the link between collected data and the browser, which inevitably impacts advertising use cases. However, purely analytical use cases (user or session counts, journey analysis) remain largely feasible, since the encrypted identifiers (which cannot be decrypted by the solution provider) remain virtually stable for each user. It is therefore necessary to analyze the adequate level of security that suits your particular context.

With this in mind, fifty-five has been developing, since February 2022, a technical proposal based on server-side tracking. Acting as a “buffer” server between users’ browsers and the final measurement tools, server-side tracking gives website managers control over collected data, for example:

  • To hide the user’s IP address;
  • To encrypt, with keys that are unknown to the solution vendor, cookie identifiers as well as other identifiers that are specific to the website (transaction identifiers, CRM account number…);
  • To minimize the data which, once combined with these identifiers, would make it possible to isolate a person, such as browser version numbers.
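
A sketch of these three controls as they could run on the buffer server, added here as an illustration and not fifty-five's implementation. The field names, the key and the sample hit are constructed, and keyed HMAC-SHA256 pseudonymization stands in for the encryption the article mentions: it keeps identifiers stable per user while the vendor, lacking the key, cannot reverse them.

```python
import hashlib
import hmac
import re

# Assumption: this key is generated and stored only on the buffer server.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical field names; only allow-listed fields ever leave the server.
IDENTIFIER_FIELDS = ("cookie_id", "transaction_id", "crm_account")
PASSTHROUGH_FIELDS = ("event", "page_path")
UA_FAMILIES = (("Edg", "Edge"), ("Chrome", "Chrome"),
               ("Firefox", "Firefox"), ("Safari", "Safari"))


def pseudonymize(value, field, key=PSEUDONYM_KEY):
    """Deterministic keyed pseudonym, bound to the field name so the same
    raw value in two fields cannot be joined by the vendor."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def coarse_user_agent(ua):
    """Keep the browser family only; version numbers are dropped."""
    for token, family in UA_FAMILIES:
        if re.search(rf"\b{token}/", ua):
            return family
    return "Other"


def sanitize_hit(hit):
    """Build the payload forwarded to the analytics vendor. The client IP
    and any field not on an allow-list are never copied; the outbound
    request itself originates from the buffer server's own address."""
    out = {}
    for name, value in hit.items():
        if name in IDENTIFIER_FIELDS:
            out[name] = pseudonymize(str(value), name)
        elif name == "user_agent":
            out[name] = coarse_user_agent(str(value))
        elif name in PASSTHROUGH_FIELDS:
            out[name] = value
    return out


# Constructed sample hit as received from a browser.
SAMPLE_HIT = {
    "ip": "203.0.113.7", "cookie_id": "GA1.2.111.222", "event": "purchase",
    "transaction_id": "T-1001", "page_path": "/checkout/thanks",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/107.0.5304.107 Safari/537.36",
}
```
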

The choice of cloud provider hosting this “buffer” server will depend on several factors:

  • Technical teams’ familiarity with underlying technologies;
  • Coverage level provided by the vendors with regard to FISA;
  • Technical measures allowing for total and exclusive control of encryption keys.

We have carried out reference implementations that can easily be activated by the main providers (GCP, AWS, Azure, and OVH). The latter are all US-based, but the location of data processing is contractually guaranteed. We will specify the technical approach as well as the characteristics of each cloud for this kind of project in one of our next Tea House articles.

Focus: server-side and encryption for the sake of compliance

Regarding the specific case of Google Analytics 4, the best short-term approach remains the activation of relevant Google Analytics’ native privacy features (see here). In our opinion, however, adding a server-side infrastructure is vital to full control of personal data transfer in the long run. In addition, such infrastructure is beneficial in terms of security and user experience (see our webinar on the matter with CommandersAct). Server-side effects on advertising efficiency must be factored in so as to map out a seamless transition toward a world without third-party cookies.

Although the CNIL’s recent decisions strongly interfere with first-party analytical data tracking via American tools, we believe that there are ways to make it viable. Make no mistake – the most exposed facet of marketing is that of third-party data, seeing as these universal, unduly sensitive trackers are bound to be left behind and give way to cohorts or “topics” combined with modeling. While it will allow the advertising industry to better prepare for it, the fact that the end of third-party cookies on Chrome has been pushed back to 2024 has the disadvantage of prolonging these transatlantic exchanges of personal advertising data, as well as the legal risk that comes with them. The current situation is but a transition towards a kind of digital marketing that takes better care of data privacy.
