An opinion on CNIL's opinion on Google Analytics

On July 20th, 2022, CNIL - French Data Protection Authority - published an opinion on Google Analytics and data transfers. According to CNIL, using Google Analytics can be compliant if you use a proxy that does pseudonymization of personal data before the data is sent to US servers. The proxy should do the following in order for the transfer to become compliant:

• No transfer of the IP address to the servers of the analytics tool.?
• Replacement of the user identifier by the proxy server.?
• Removal of external referrer information from the site.
• Removal of any parameters contained in the collected URLs.?
• Reprocessing of information that can be used to generate a fingerprint.
• No collection of cross-site or lasting identifiers.
• Delete any other data that could lead to re-identification.

From a privacy-compliance and technical perspective, all these measures make sense. From a business perspective, none of these measures make sense. To put it simply, Google Analytics would work just as a basic visitor counter. The website owners would have no data to work with, no information about the visitors, would have access only to basic information about the efficiency of the Google Ads / Google Search campaigns. No re-targeting or re-marketing campaigns.

Of course CNIL adds that:

The implementation of the measures described below can be costly and complex and may not always meet the operational needs of professionals. To avoid these difficulties, it is also possible for professionals to use a solution that does not transfer personal data outside of the European Union.

They should have started their opinion with this simple fact: there is no solution to use Google Analytics at its full potential in France or in EU, after Schrems II. Other solutions - either server-side or cloud-based - can be used, but they would never be so efficient as Google Analytics is.

However, there are good news. The current retargeting/remarketing model is dying, after Apple introduced its App Tracking Transparency model, and Google will follow with its Privacy Sandbox model, still in development. Less and less people are willing to share their personal data with advertisers, moreover, they want to be in some control of their personal data.

The best solution for marketers is to develop strong, efficient and relevant loyalty programs. Using the latest CRM technologies, with personal data stored on own servers or in dedicated tenants in the cloud, companies can reap the benefits of value-first targeted communication on their own customers or leads. Data subjects would be in control of their personal data, they would be fully informed about the personal data categories, metadata, about how their personal data is used, stored and destroyed, to whom is shared with and why.

Privacy-by-design at its best.

But this means listening to your customers, to your visitors and to your leads. Understand their needs and follow-up on every communication. Understand what content is relevant for them, when can you sell, what can you sell, when you can upsell and cross-sell. People share their data willingly to trustworthy companies, that demonstrate transparency and integrity.

We can help. Contact us.

//self-advertising moment:

At Tudor Galos Consulting , we have developed a model for privacy-compliance that is focused around our customers' needs, making sure that the company is compliant AND profitable, not just compliant.