Like most data professionals in the EU, I have been looking at alternatives to Google Analytics that have “better” privacy compliance. The background to this is of course the Schrems II rulings that started appearing earlier in 2022 – see refresher article on the summary of Schrems II implications if needed. Also, recently the Danish privacy authority made an excellent summary and FAQ explaining (in English) their decision against the legal status of Google Analytics in the EU.
In this post I am defining an alternative to Google Analytics as being an EU based analytics company. That is the simplest way of removing the data transfer issue and therefore passing the Schrems II test. Of course there can be many other reasons you may wish to seek an alternative to Google Analytics.
Note that although the current Schrems II focus is on US tech because that is where most of it comes from, the issue applies equally to tech from other countries outside the EU.
Also, see this related comment from @NOYB on the recent Presidential Executive Order.
The first thing you notice is that within the EU there are not many alternatives to Google Analytics. There are numerous smaller players available; however, at the enterprise level (*see my footnote for what this means to me), I know of only three competitors:
- Matomo – one of the oldest alternatives to Google Analytics. Open source software released in 2007 as Piwik. Based in New Zealand – a country classed by the EU as having an adequate level of data protection and hence passing the Schrems II test.
- SnowPlow – a UK company for data warehousing only. That is, data collection and storage only – it does not offer any user interface to the collected data. Although no longer part of the EU, the UK is also a country having an adequate level of data protection and hence also passing the Schrems II test.
- Piwik PRO – established in 2016, this Polish company has developed its own proprietary analytics suite – including Tag Manager, Analytics and Consent Manager. Analytics has a look and feel very close to Universal Analytics.
So far I have been particularly impressed with Piwik PRO. In fact so much so, that I have been conducting deep-dive assessments of them. This is post #1 of a series where I summarise my experience.
DISCLOSURE: I have a working relationship with Piwik PRO. That is, the digital advisory agency I work for is migrating a GA4 client to them. That said, this post is not being compensated for, or requested by Piwik PRO. All posts are my own independent thoughts.
Feature #1 – Private Clouds
The key issue that Schrems II raises is that data stored in a cloud account provided by a US entity (e.g. Google Cloud, Amazon, Microsoft Azure etc.) is subject to FISA 702. That is, US intelligence agencies can request the data of EU citizens from these providers – something they cannot even do to their own US citizens.
To combat that issue, a lot has been made of the use of private clouds. These are a sub-set of the cloud in general and in summary are:
- A single tenant area – only used by one cloud customer.
- No transfer across regions – the data stays within the EU.
- Everything is encrypted using the customer’s own keys.
These are all good for data governance, but point 3 is odd in the context of using a third-party provider such as Amazon AWS, Google Cloud, Microsoft Azure etc. That is, even if the data is securely encrypted at rest, the encryption keys must be exchanged with the cloud provider in order to decrypt and use the data. Hence, encrypting data hosted on a US cloud provider who is under FISA 702 jurisdiction does not pass the Schrems II test.
Piwik PRO Private Cloud
Although a Piwik PRO Private Cloud account can be set up with Microsoft Azure, Amazon AWS et al., a key difference for EU based businesses is that it can be set up to run on an EU cloud such as Elastx (Swedish org) and Orange (French org). Hence Piwik PRO passes the Schrems II test.
Another way to completely avoid data transfers is to simply run all your analytics storage and processing on your own in-house servers, referred to as on-premise. In fact, this is how I started my analytics career with Urchin/Webtrends software running on my own Apache web servers in the late 90s…!
These days data volumes are much larger, to the point that managing data requires resources that IT teams are often reluctant to provide when compared to the scalability of cloud networks. However, banks, health related organisations and government agencies have this requirement (colleges and universities also often have the “volunteer” resources to manage software). If that is your situation then Piwik PRO also has an on-premise solution.
Comparison With GA4
It’s a safe bet that Google encrypts Google Analytics data at rest – though oddly I have not been able to find a definitive document/answer. However, any encryption keys are Google’s own keys and as Google is under US jurisdiction, it means your data comes under FISA 702 i.e. it fails the Schrems II test.
Note, if you export your GA4 data to BigQuery you can set this up to be managed via your own keys and Google has data centres within the EU. However as mentioned earlier, your encryption keys must be exchanged with the cloud provider in order to decrypt and use the data. So the problem still remains.
Summary of Alternatives – Feature #1
My motivator for looking at Google Analytics alternatives has come from GDPR and the Schrems II rulings that have stemmed from it. That means data transfer is only valid if the country receiving data on EU citizens has an adequate level of data protection. There are simply not many alternative cloud-based tools that can meet that criterion – I chose one, Piwik PRO, for a deep dive assessment.
Piwik PRO has a feature/solution for data storage and processing in a private cloud AND one that can run on an EU cloud service provider. This passes the Schrems II test. In addition, Piwik PRO also has an on-premise solution.
So if you are in the mood for switching away from Google Analytics, or your legal department is forcing the issue, Piwik PRO is worth looking at in my opinion.
*How I Define Enterprise Analytics
For my own purposes I use the word “enterprise” analytics to mean paid products aimed at organisations with >10M hits per month – and potentially a lot more. Apart from the ability to collect vast quantities of data, an enterprise tool for me needs to meet a few criteria:
- Have an SLA and provide 1:1 support – either via a partner or direct from the provider.
- Have export functions such as an API and data warehousing capabilities e.g. BigQuery.
- Go beyond database limitations of e.g. MySQL (MySQL is a great product, but it struggles with very large data sets).
- Integrate with other tools e.g. Google Ads, Search Console, Data Studio et al.
- Can be deployed via a Tag Management Solution.
- Be an established provider with existing enterprise users i.e. I take into account the wisdom of the crowd.
Peer review of this post: https://www.linkedin.com/feed/update/urn:li:activity:6988489383486046209/
Also see my post on an important update on AWS private cloud services using external key management (EKM): https://www.linkedin.com/feed/update/urn:li:activity:7003643467906056192/
Google’s EKM: https://cloud.google.com/security-key-management