After several decisions by EU data protection authorities regarding the 'old' set-up of Google Analytics (situations prior to the new Standard Contractual Clauses (SCCs) and certain changes by Google; see also our previous posts and podcast), EU data protection authorities are now firm in their position that the use of Google Analytics and similar tools in such situations is not compliant with GDPR or is, at the very least, quite problematic. There are not yet any published decisions on Google Analytics under the new SCCs. The Commission Nationale de l'Informatique et des Libertés (National Commission for Computing and Liberties) (CNIL) has now published guidance on the data protection-friendly use of Google Analytics (reach measurement) via a proxy solution.
Conclusion: EU data protection authorities have taken a close look at the use of website trackers. The main issue is the data transfers to the United States that cannot be justified with user consent. The CNIL solution is a first piece of "help" from a data protection authority on how to use Google Analytics (and similar tools); however, organizations will then only be able to use a portion of the tool's functionalities.