Italian watchdog bans use of Google Analytics

ottime notizie. vietare google e monetizzare le bellissime spiagge, e mangiare pasta autentica.

So reading the English text it is not clear what exactly is the unlawful part. Is the fact that data is flowing to US based servers (which I assume is trivially managed by changing GA server location to Europe) or the fact it is flowing to an American Headquartered company, regardless of where the data is flowing to?

Can someone comment if the Italian language text is clearer? Or ehat is in the judgement?

I've slowly started ripping Google Analytics out of my Rails projects and replacing it with https://github.com/ankane/ahoy.

It's so much better! I can just use SQL to see what's going in and not get overwhelmed with 100's of visualizations and complicated dashboards.

Google is sucking in so much data that at the end it will be outlawed everywhere.

Suppose I run a website in the us and a user in Italy connects to it. Does this mean I’m now breaking the law serving them the website? My connection logs now have pii.

What if I use a cdn that has points of presence in Italy and still pings my server with a head request and the end user ip?

Am I also now breaking Italian law by using google analytics?

There is really no reason to use Google Analytics anymore. There are many great alternatives now, mine is PanelBear.com. Other people love Fathom and Plausible. It’s great to see some unbundling happen.

I'm actually just about to get rid of Google Analytics on DocSpring.com. I set up a self-hosted instance of Plausible Analytics on Render.com yesterday. I really like it so far. I set it up on a custom subdomain so it's not blocked by any ad blockers, so it's really nice to see analytics data that's almost 100% accurate (unless visitors disable JavaScript.) Especially since DocSpring is a developer tool, so most visitors are using an ad blocker extension. Also it doesn't use any cookies, so I don't need to show a cookie banner. It really feels like a breath of fresh air.

We are based in Europe and self-host our analytics exactly for this reason. I feel this is just the beginning.

Good. US citizens should be, at least, disappointed that their government is so bad at protecting their privacy, that US law is so far behind the times.

To those companies and people who find these EU decisions baffling or inconvenient: tough. If you had had respect for your users this would not be an issue. You would already not be spying on them.

To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.

I don't understand.

They can host locally the data and remotely query it.

What's important is the "intelligence" the data does provide: giving critical and unfair advantage for those who have the whole data.

For instance, microsoft has an unfair advantage almost anywhere because they have access to the whole linkedin database.

As more and more country specific legal regulations are raised, I wonder who will be the ultimate gatekeepers of the general internet when certain actors behave against the "rules". The current landscape is a complex system of seeming contradictions straddling different levels of public and private, centralized and decentralized, anarchical and moderated, etc.

Will ISPs be forced to cut off traffic from certain areas? Will centralized companies like Google and Reddit be forced to comply with regulations or cut off services in certain areas? Will governments set up firewalls? Will the buck of responsibility be passed upwards to service providers like GA, or downwards to individual site administrators?

Man, wish we’d do that in the US. Not sure what else to insightfully add after all these years.

Regarding forbidden countries, it’s not forbidden in the Netherlands, yet. They will announce a verdict in a form of a report by the end of 2022 [1].

To give people an option and pink something else over Google Analytics, I have built an alternative, Simple Analytics [2].

It doesn’t use cookies or any form of tracking and you get still the useful data that 80% of the website owners need.

[1] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)

[2] https://simpleanalytics.com

What is a watchdog in this case, isn't it a non-governmental organization?

in that case how can they ban anything and what does that mean?

I've been using clicky on a few of my sites and even though they _assure_ me that it's totally compliant with gdpr I don't really believe them, does anyone have a decent alternative for analytics that respects people's privacy? I just want to see when I get new vs returning visitors on a page. Cloudflare's analytics are okay but I like how granular clicky can get, but if there's no good way to do that I think I'm just gonna ditch clicky and make do with the cdn analytics. Hell, I bet the cdn already does everything I need and I just don't know how to use it right, or I'm not paying for the right tier or something.

At what point do operators just start blocking access from EU countries. It's hard to imagine its worth jumping through all the complexities here at some point.

The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.

That gives you an indication of how invasive it is — that even Google doesn't want to handle the personal information, because it can't be made HIPAA-safe.

Naturally, the majority of healthcare web sites use Google Analytics, because nobody ever reads the Terms of Service.

I use NoScript and block Google analytics, facebook, etc. It's nice that they use a domain separate from google.com, making it easy to block.

From the article:

> A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, which is a country without an adequate level of data protection.

> Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the EU GDPR, including by way of ad-hoc inspections.

This follows similar decisions by France [1] and Austria [2].

[1] https://iapp.org/news/a/cnil-is-latest-authority-to-rule-goo...

[2] https://iapp.org/news/a/far-reaching-implications-anticipate...

I'm building my own open source analytics solution exactly for this reason.

Those decisions are good in theory, but in practice they will kill the free web.

The only people that have the work power to put equivalent alternatives in place are the big corporations, that will anyway find a loophole.

I run my small blog, and I can't spend days or even weeks to setup a subpar analytics solution. I won't even start talking about self-hosting an analytics solution which would probably double my monthly server cost for a website on which I earn 0€.

In 2030, if we continue on that trend, websites will be in two categories: belonging to huge companies, or running illegally. It's baffling that people are applauding the end of the free web.

Hindsight is 20/20 but wasn't it clear that the company selling ads shouldn't be in charge of metrics for traffic and ads? Just like the TV channels had to rely on media rating firms.

While I should be happy with narrative (I run https://wideangle.co, GA alternative), let's be honest. It not banned. Nor is it illegal.

It is illegal to use it in such a way that results in Personal Data being siphoned to the US.

Is it hard? Yes. Outright illegal? Nah.

What's really puzzling is that Google Analytics never got banned because of antitrust laws. It's the most obvious example of predatory pricing I've ever seen. How is a smaller company supposed to compete against a free product?

The US should economically retaliate.

GDPR and these other regulations in the EU exist because EU cannot stomach the fact that they got beat on tech and instead of innovating they are regulating to try and even the playing field.

I’m supporting of privacy, but it’s amazing how heavy-handed European regulation can be, and how difficult it can make understanding even basic metrics about our business and how those metrics have shifted over time. I suppose their intentions are good though.

If I understand this correctly, the issue isn't Google Analytics specifically, but "because it transfers users’ data to the USA, which is a country without an adequate level of data protection".

So this could also apply to any company that sends PII to the USA?

this is the start of the unbundling of alphabet

Google needs to do what apple is doing with PrivateRelay and putting double blind proxies in place so PII can be stripped before Google gets its hands on it.

i’d support any legislation that booted google, fb, ms, adobe, salesforce, and a whole host of other surveillance tech companies from any and all levels of government. it’s literally as important as the separation of church and state. in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones, in all facets of civic life (e.g., campaign finance).

anyone runs self hosted matomo/piwik instance for analytics?

I wonder what will happen with websites that use payments integration like PayPal or Stripe.

Meanwhile, COVID-19 certificate app for Czech Republic citizen's uses Google Analytics. We are not the same. Good job Italy!

This is consistent with decisions from the Austrian and French data protection authorities (DPAs). Note that Google is a Processor (for this product), meaning that Google itself does not violate GDPR, but only the websites that use it.

Following the Schrems II case, the "threat model" used by EU courts on these matters is "American law enforcement can serve a warrant to American companies." Long story short, any processing that Google does after collection is not considered to offer any protection, because American law enforcement can just tell them not to do that and they won't. Hence, the "Anonymize IP Address" setting in Google Analytics is not considered to have value for GA.

It might theoretically be possible to use GA compliantly by proxying data through an EU-owned service which obfuscates anything considered personal data, at minimum the IP address and various cookie values. This scenario hasn't been confirmed by anyone as compliant, but the regulators seem to always go out of their way to dance around it rather than just saying "GA is non-compliant, always, forever." Still, for the trouble to set up such a service you might as well just stand up a self-hosted first-party analytics solution.

This particular decision on GA is purely about the cross-border transfers, and doesn't seem to touch on whether using cookies for analytics requires consent. That's a separate issue (technically about a separate law).

Another decision in a long stream that will make it much harder for EU start-ups companies to catch up to American ones. With absolutely no improvements to actual EU citizen well being.

The CNIL in France is really pushing companies to not use Google Analytics, and you better listen to them here. It seems US companies should really make changes to how they host/manage data to be able to able to work in EU in the near future. (It isn’t a criticism, simply an assesment).

This kind of ridiculous laws do not understand the boundless nature of internet. If you want to protect privacy of netizens simply make a universal law instead of having different laws in different countries.

These guys are my heros

Italy is the 4th in a string of recent decisions across the EU.

(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)

Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.

I'd be terrified if I was a EU company at this point. There is not logically way these same rules don't apply to using AWS, GCP, and Azure. There isn't enough other cloud hosting with nearly the same capabilities in Europe to handle that day.

Time to get off my arse and write a self hosted privacy oriented analytics tool. Whatever happened to awstats. The question is - how to monetise on it?

2008-2018: Banking reform

2018-202?: Data privacy

I wonder what the next trendy thing government officials will pretend to care about/fix in order to garner media attention. Something crypto related, maybe?

This is why we built Scale8.com !

An open-source and privacy-friendly alternative to Google Analytics & Google Tag Manager :)

GA is simply not compliant...

https://scale8.com/blog/is-ga-gdpr-compliant/

Well HN, how about a badge for links indicating whether it uses ga? We have to start somewhere don't we? Or we'll continue to see the web decline. Actually, from my PoV, it might be too late already. Maybe it's just me or people in EU being harassed with banner popups, but I hardly go to any link anymore, and so do many other people I know. It's just not worth it.

15 years ago Google Analytics was cool. But ar some point Google ditched the "Don't be evil" culture and tried to get as much out of Google Analytics for themselves, that it became unethical.

As long as they haven't died ...

I wish GDPR compliance would have been opt-in. For example, a GDPR compliant website could have sent a custom header indicating compliance, which the browser could have displayed in the address bar (a bit like HTTPS). Consumers would then have been free make the decision to not use websites which aren't GDPR compliant. Consumers who are more concerned about privacy could have set their browser to automatically block any non GDPR compliant website.

Aren‘t there like about 100 google analytics clones available that do exactly the same thing?