“Google Analytics is used by 6,213,223 companies”. According to enlyft.

This results in 14,069,416 live websites that use Google Analytics, according to webtechsurvey.

And “nearly 82.2% of all websites rely on Google Analytics or similar tools.” – w3techs.

Still given all those companies and websites, Google Analytics is no longer the answer. Especially within the European Union. The future of the analytics is invisible. Analytics that don’t hurt the privacy of our visitors. Cluttered banners that say we value your privacy is the best way to drive away our users.

The world becomes more privacy-conscious every day. To tell your visitors that you value their personal data and in the same step shove them a banner with six checkboxes in their face, does no longer work.

The Problem with Analytics Today

Yes, we need to analyze website traffic, find out where our visitors come from, where the leave our website, perhaps the Churn Rate is huge on a specific site because the mobile layout is horrible. If we know this through concrete data then we can fix this issue before it hurts our sales. But we can’t rely on analytics that have huge legal compliance hurdles in the European Union.

A study by Pew Research Center concluded that “Majorities think their personal data is less secure now, that data collection poses more risks than benefits, and believe it is not possible to go through daily life without being tracked”

Even worse in 2023 when Pew Research Center conducted a survey among 5,101 U.S. adults 81% are concerned about how companies use the data, they collect about them. 67% have little to no understanding about what companies do with the data they collect about them.

Talk about “we value your privacy.” As a business we must inform our users what we track and why we do that. If we don’t do that, we become untrustworthy. This isn't ideal.

If we examine the studies of the Pew Research Center we can draw as conclusion that Americans – and also, we as a society in general – want to know if our data is collected and when, why it is collected. This is also important if we as a business analyze our visitors, their sessions, when they access our site, what sites the browse, how long they stay on our site etc. And while Google Analytics does that, it is invasive. Too much data is collected from visitors that fall under the rules of the General Data Protection Regulation (GDPR) in the European Union in some cases also the California Consumer Privacy Act (CCPA).

Legal Challenges to Google Analytics

The focus here is on the European Union whose countries all fall under the GDPR. This is also means that if you are a U.S. based company and you have visitors from let’s say Austria you must adhere to the rules of the GDPR.

And here Google Analytics falls short. The precedential case was the Schrems II ruling in the European Union in July 2022. The Court of Justice of the European Union (CJEU) declared the European Commission’s Privacy Shield Decision invalid […] thereby making transfers of personal data on the basis of the Privacy Shield Decision illegal.

For those who don’t know: The Privacy Shield framework provided the possibility of lawful transfer of personal data from the EU to the United States. On the basis of this framework EU business were able to legally transfer personal data to US-based companies.

After the Schrems II ruling this was over. The problem is that Data controllers that transfer data must ensure that the data subject is granted a level of protection essentially equivalent to that guaranteed by the General Data Protection Regulation.

This is no longer the case.

If we take the focus back to Google Analytics, data such as Operating System and Browser does not fall under the rules of GDPR, IP Addresses do. And those are collected by Google Analytics. Yes, it is possible to “anonymize” them by hashing the last three octets but it is not considered strong enough as there’s a 1 in 255 chance of re-identification. There are some ways around this, sending the IPs over a proxy server or purging IPs before they are sent to Google Analytics. But who wants to waste his afternoon struggling with technical minutia?

The landmark decision in Austria

In January 2022 the Austrian Data Protection Authority (DSB) conclude that the use of Google Analytics violates GDPR. It is “subject to surveillance by the U.S. intelligence services and can be ordered to disclose data of European citizens to them”

Only one month after the ruling of the DSB the French Data Protection Authority (CNIL) ruled the same as the Austrians. The EU-US data transfer to Google Analytics is illegal. The CNIL ordered also the French websites to comply with the GDPR.

This was just the start, little by little did other Data Protection Authorities (DPA) mark Google Analytics as unlawful. Such as the Italian DPA Garante who agreed with Austria and France that the data transfer to the USA is illegal.

As well as Denmark, Finland, Norway and Sweden who all agreed with the landmark decision in Austria that Google Analytics is in violation of privacy regulations. Sweden in particular issued the first major fine (1€ million) for using Google Analytics declaring “companies must stop using Google Analytics”.

The question remains when other DPAs in the European Union will also agree with the court rulings of Austria, French, Italy, etc.

Beyond Compliance: The Ethical Case Against Google Analytics

Beyond those legal headaches and rulings that Google Analytics is illegal, the question one can ask is how ethical is it to track data? This will not result in a philosophical rabbit hole (promised!). But as people get more conscious about with whom they want to share their data, this question becomes crucial. Google Analytics aggregates vast amount of user data, much of which is not essential for understanding basic metrics. This also results in cluttered, complex dashboards with submenus for menus.

Probably the most contentious practice is browser fingerprinting. A method that combines various characteristics to create a unique permanent identifier for each visitor. This means that this very visitor can be effectively tracked without his explicit consent. Google actually has a US Patent to uniquely identify a visitor on the web.

On top of that Google Analytics uses IP tracking to approximate his geographic location. Combing these data points its inevitable to gain a lot of personal data that falls under the GDPR.

In an era of growing privacy awareness, consumers are becoming increasingly skeptical of invasive tracking practices. Scandals involving data misuse like the infamous Cambridge Analytica have heightened public sensitivity. (Meta settled the Cambridge Analytica scandal for $725m in 2022. You can read the article here.)

The use of intrusive tracking tools can destroy trust, leading to reputational damage. The question is, is it worth it? Just to collect dozens of data points, struggling with complex dashboards and living with constant fear that the next Data Protection Authority issues the next court ruling.

From Spying to Privacy: Why it’s time to replace Google Analytics

In the beginning of the article, I have said that one should probably ditch Google Analytics and switch to invisible analytics. What do I mean by that? It is a new approach to web analytics without intrusive tracking. Without cluttered banners. Without collecting personally identifiable data.

In short: track data without compromising user privacy.

This can be achieved by using the Privacy Isolation Framework from iodiasix. Using this framework, the data you track from your users never leave the European Union. The data stays within the territory of the EU. The priority when designing this framework was to never collect nor store any personal data in the first place. We don’t use cookies, browser cache, session or local storage. Your visitors can’t be tracked cross-site. And there is no such thing as persistent identifier that will always lead back to an individual.

All this, so you don’t have to worry about the Schrems II ruling that invalidates the EU-US Privacy Shield when using iodiasix. Neither about the court rulings of DPAs from Austria, Denmark, French and so on.

The moment a visitor arrives on your site you no longer need intrusive banners. Your visitors can immediately start browsing on your beautiful site. Still, you get all the data you need to make informed decisions. Where does your traffic come from, what browser did they use, where did the leave your site and so much more.

European Google Analytics alternative

We are incorporated in Austria, the country that was the first to decide that using Google Analytics is illegal. The data you track from your visitors is saved on servers in Germany owned by Hetzner, a German company. This means, your website data is being covered by the European Union’s strict laws and never leaves the EU.

Feel free to explore iodiasix’ Privacy Isolation Framework using our trial. We have a free 30-day trial with no credit card required and absolutely no obligation to anything. This should give you enough time to judge us. If you click the link you will be redirected immediately to our platform, where you can register your account.

You just need your name and email address. Try it out for 30 days, there is absolutely no obligation to continue if you don't want to. Don't worry, you'll be notified one week before the trial ends and then if want to continue using iodiasix you will be asked for your payment information.