By Anders Pilgaard Andersen, senior vice president, general counsel, Adform
Recent decisions by multiple EU data protection authorities signal the use of Google Analytics violates the EU General Data Protection Regulation (GDPR). These decisions sound a warning not only to the many companies using Google Analytics but, more broadly, to any company using US-based ad tech and mar tech platforms, since most companies collect and transfer the same types of protected data.
If this sounds like your company, here’s what you should know – and what you should be thinking about as you consider how to respond.
A flurry of GDPR rulings against Google Analytics
The most recent cascade of decisions and statements sends a signal that European enforcement authorities may no longer tolerate US access to data of European citizens.
In early January, the European Data Protection Board (EDPB) publicly reprimanded the European Parliament for breaching the GDPR through its use of Google Analytics. A week later, the Austrian Data Protection Authority published a decision stating the use of Google Analytics violates the EU General Data Protection Regulation (GDPR).
The Austrian decision was soon followed by similar decisions or press statements by the Dutch, Danish and French data protection authorities.
These decisions generally state the existing setup – where data about European citizens is collected, transferred to and stored in the US – is in breach of Article 44 of the GDPR. More specifically, authorities ruled that personal data transferred to the US was not protected from the US government’s ability to look into the data under US surveillance laws.
In the past, the EU and US managed to resolve such issues through the now-invalidated Privacy Shield. But that perspective has clearly changed due to so many similar rulings over a short period of time.
Moreover, the rapid echoing of this change of position across Europe, as well as a short one-month compliance window in a French case, makes it clear that authorities see this as an urgent issue and will expect companies to respond quickly.
A turning point for advertisers using US-based ad tech and mar tech
The rulings against Google Analytics represent a potential bombshell for the advertising industry, given the widespread use of US-based ad tech and mar tech platforms. Any such platform which, similar to Google Analytics, processes cookie data of European data subjects is likely affected here.
Further, the French DPA said this extends to “other tools used by sites that result in the transfer of data of European internet users to the United States.” The Danish DPA noted that more cases will be issued across the EU.
Advertisers and publishers need to act now
IAB Europe continues working to make the Transparency and Consent Framework (TCF) the first GDPR-backed certification seal or code of conduct under Articles 41-42 of the GDPR for the ad tech industry. Such a seal or code of conduct for the TCF as a framework would bring clarity to all stakeholders in the online advertising industry, from advertisers and technology providers to publishers and end users alike.
But can companies using US-based ad tech and mar tech afford to wait for further clarity or guidance from IAB Europe or from EU authorities? Or, at a minimum, what should advertisers and publishers do now?
The first step is to gather leading stakeholders from marketing, legal and compliance, IT operations and IT security to begin answering the following questions:
- What data do you collect? Where is it stored? Who can access it? Ensure a full understanding of your own – and your vendors’ – flow of data.
- How do your contractual obligations impact your compliance requirements?
- How can you do more from a technical and security perspective – e.g., can data be anonymized before it is shared?
- Based on the above answers, do you feel confident you can continue working with US-based vendors, or should you consider alternatives?
Highly regulated industries with high attention to compliance (e.g., financial companies, telcos, etc.) are likely already in the process of determining how to reassess their advertising vendors based on these decisions. But really, any company operating in Europe that collects data on its customers should immediately pause to begin a reevaluation exercise, like the one outlined above, to determine if it is compliant with these new decisions regarding services from US-based platforms.