On February 10, 2022, the CNIL delivered its verdict following complaints from an association (NOYB) against a website operator. The latter was transferring collected data to the United States through its use of Google Analytics.
What does this decision mean for the future of Google Analytics? How can you continue to analyze your website’s performance? What impact could this have on marketing automation?
Google Analytics and the CNIL
Following the filing of numerous complaints by the NOYB association, a privacy protection organization, the CNIL made an initial decision regarding the use of Google Analytics. After a detailed analysis of the conditions under which the collected data had been transferred, the CNIL determined that these transfers are illegal.
Why such a decision?
The current functioning of Google Analytics first requires hosting the IP addresses of internet users who visit your site outside the EU before anonymizing them. An IP address is considered personal data, and its transfer to the United States is a violation of the GDPR. The use of Google Analytics in its current state has therefore been declared illegal.
As a result, the CNIL asked the sites targeted by the complaints to become compliant within one month.
What to do now?
If you feel that this measure does not concern you, think again! With this decision, the CNIL has – finally! – clarified a legal gray area, and this will inevitably have consequences on our current practices. Some are imagining a wave of inspections, particularly involving tools that lead to data transfers to the United States, such as storage solutions or Cloud SaaS.
The options available to us:
- The CNIL recommends the use of analytics tools that allow you to use anonymous statistical data. This would notably mean no longer having to request users’ consent to track their behavior on your website.
- The use of tools that do not involve data transfers outside the EU. Many audience measurement tools are approved by the CNIL and can be used fully legally. Find the list of approved solutions on their website, along with links to configuration guides. At Webmecanik, we are currently testing Matomo, an open-source solution (heart heart)!
- The evolution of the Google Analytics tracking tool could also be a solution. The American giant announced in March 2022 the discontinuation of “Universal Analytics” to make way for a new data analysis platform, based on a different technology: Google Analytics 4. This solution would no longer require storing internet users’ IP addresses for anonymization and could therefore be compatible with CNIL regulations.
Is there a risk for my marketing automation tool?
Your marketing automation software is part of the audience measurement tools family. To comply with the CNIL and the GDPR, two key rules must be respected: where data is stored and the consent of your website visitors.
Data storage
Except under specific conditions, transfers of personal data outside the EU are very strictly regulated by the CNIL. Some countries, such as the United States, are not recognized as “adequate,” and specific transfer tools are required.
To avoid taking any risks, choose tools that host your data in GDPR-compliant countries such as EU countries. See the CNIL’s world map of data protection. This is the case at Webmecanik: our servers are located in France for the majority of our clients and in other countries for specific needs.
Consent
Consent also applies to the processing of your data. Under the GDPR, it ensures that individuals have full control over their personal data. The CNIL explains perfectly how to collect people’s consent.
For your marketing automation software to comply with this pillar of the GDPR, you need to implement specific configurations such as a cookie manager or a consent form on your website.
To help you with this process, discover our practical guide to GDPR compliance :
In summary
Topics around data and privacy are more relevant than ever. In this era of data economy, our role as marketers is to be vigilant about how we use our contacts’ data.
Current legislation should not be seen as an obstacle, but as opportunities to gain the trust of our visitors by being as transparent as possible and by encouraging users to hold their own data.
Our advice: be proactive and take an interest right now in protecting your data at every level of your business.
