Google Analytics illegal to use – according to Norwegian Data Inspectorate
The eye catching headline form the following article is actually very misleading (I used Google translate). In fact, this is a classic example of poor/misleading journalism on this subject…
As I wrote in my last article on this subject: Google Analytics and the new EU privacy law #3, if you use Google Analytics to collect personal identifiable information (PII) without the explicit consent of each visitor, then yes you are breaking the privacy laws in each of the 27 EU member countries. That is the same with any tracking tool/methodology. It also breaks the Terms of Service of GA.
A gray area is whether an IP address can be considered PII is open to interpretation. I personally consider it to be, but in criminal law an IP address by itself is not sufficient to identify an individual. I am not aware of any EU country where that is contrary. Of course, if in doubt, use the Google Analytics _anonymizeIP() function. This removes the last octet from the IP address prior to sending to Google’s data collection servers.
BTW, has anyone compared the before/after impact on the reports of turning _anonymizeIP on? My suspicion is that outside of large geographical, single cultural markets (e.g. outside US/Canada/Australia), using _anonymizeIP has little impact, so anonymizeIP() should be used on your website by default… [ Update: see my large study of anonymizeIP: Using Google Analytics Anonymize IP – An Impact Study ]
So the fear for web users and data protection regulators is really not what website owners can do with Google Analytics reports to identify an individual visitor – assuming you only wish to do business with professional, ethical organisations (anyone can abuse tracking tools to break privacy laws). Rather, the concern is how Google may triangulate originally anonymous data points to identify individuals within the Google network – which as we know, effectively IS the web.
That is very much a legitimate concern, but one that is not being addressed by articles written with a superficial knowledge of the issues involved. It is also not going to be solved by declaring a single tool, out of a plethora of tools, illegal to use. That said, may be it is Bjørn Erik Thon (see screenshot) who has not understood the issues fully…
Thanks to Eivind Savio of Halogen.no for bringing this to my attention.
I would be interested in any feedback form people that have had contact with the Norwegian Data Protection Authority.