Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not sent to the US. But! It’s still not fully legal as the Google HQ (and thus the US government) can still access all the data.
> just illegal to use in its default state which transmits PII to the US
As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IPs before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.
I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:
> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.
At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183
NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.
As stated in the 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.
Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.
Another decision in a long stream that will make it much harder for EU start-up companies to catch up to American ones. With absolutely no improvements to actual EU citizen well-being.
Isn't this an opportunity for EU startups? By choosing to enforce the law on US companies that EU companies are already generally very compliant with, surely the EU has levelled the playing field for EU companies?
Setting up something like Matomo instead of GA doesn't look to me like a huge penalizing factor for a startup.
If anything, EU startups could benefit from better control over the tools they use. One interesting halo effect of Google seeing that much data is also that US startups from ex-Googlers get a head start on many insights.
Take data of your USA customers and sell it to the highest bidder without their consent or even knowledge as you please. Don't complain that I have the right to know you do that and disagree with you doing that.
If I understand this correctly, the issue isn't Google Analytics specifically, but "because it transfers users’ data to the USA, which is a country without an adequate level of data protection".
So this could also apply to any company that sends PII to the USA?
What's really puzzling is that Google Analytics never got banned because of antitrust laws. It's the most obvious example of predatory pricing I've ever seen. How is a smaller company supposed to compete against a free product?
There is really no reason to use Google Analytics anymore. There are many great alternatives now, mine is PanelBear.com. Other people love Fathom and Plausible. It’s great to see some unbundling happen.
This is consistent with decisions from the Austrian and French data protection authorities (DPAs). Note that Google is a Processor (for this product), meaning that Google itself does not violate GDPR, but only the websites that use it.
Following the Schrems II case, the "threat model" used by EU courts on these matters is "American law enforcement can serve a warrant to American companies." Long story short, any processing that Google does after collection is not considered to offer any protection, because American law enforcement can just tell them not to do that and they won't. Hence, the "Anonymize IP Address" setting in Google Analytics is not considered to have value for GA.
It might theoretically be possible to use GA compliantly by proxying data through an EU-owned service which obfuscates anything considered personal data, at minimum the IP address and various cookie values. This scenario hasn't been confirmed by anyone as compliant, but the regulators seem to always go out of their way to dance around it rather than just saying "GA is non-compliant, always, forever." Still, for the trouble to set up such a service you might as well just stand up a self-hosted first-party analytics solution.
This particular decision on GA is purely about the cross-border transfers, and doesn't seem to touch on whether using cookies for analytics requires consent. That's a separate issue (technically about a separate law).
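The masking proxy mentioned in this comment and in the earlier sibling comment ("mask IPs before they reach Google"), as an added example that is not from the thread: the per-hit rewrite step such an EU-hosted relay would apply before forwarding anything upstream. The `cid` and `uip` parameter names are assumed from the Universal Analytics Measurement Protocol; the header list, the key and the sample hit are constructed for illustration.

```python
"""Pseudonymising rewrite step for analytics hits relayed through a first-party proxy."""
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qsl, urlencode

# Constructed per-site secret; rotating it keeps pseudonyms unlinkable across periods.
PSEUDONYM_KEY = b"rotate-me-daily"

# Request headers that carry the visitor's network address and must not be forwarded.
IP_HEADERS = ("x-forwarded-for", "x-real-ip", "forwarded", "cf-connecting-ip")


def truncate_ip(ip: str) -> str:
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise(value: str) -> str:
    """Keyed hash: stable for one key period, not reversible by the upstream."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:32]


def sanitise_hit(query: str, headers: dict, client_ip: str) -> tuple[str, dict]:
    """Rewrite one hit (query string + headers) before relaying it upstream.

    `cid` (client id) is replaced by a keyed pseudonym and `uip` (IP override)
    is set to the truncated address, so the upstream never sees the socket
    address or the raw cookie identifier. Parameter names are assumed.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    if "cid" in params:
        params["cid"] = pseudonymise(params["cid"])
    params["uip"] = truncate_ip(client_ip)
    # Drop cookies and every header that could re-identify the visitor at the network layer.
    clean_headers = {k: v for k, v in headers.items()
                     if k.lower() not in IP_HEADERS and k.lower() != "cookie"}
    return urlencode(params), clean_headers


def demo() -> tuple[str, dict]:
    """Run the rewrite on a constructed hit as a browser-side tag would send it."""
    query = "v=1&tid=UA-PLACEHOLDER&cid=555.123&t=pageview&dp=%2Fpricing"
    headers = {"Cookie": "_ga=GA1.2.555.123", "X-Forwarded-For": "203.0.113.77",
               "User-Agent": "Mozilla/5.0 (constructed)"}
    return sanitise_hit(query, headers, "203.0.113.77")


if __name__ == "__main__":
    print(*demo(), sep="\n")
```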
The CNIL in France is really pushing companies to not use Google Analytics, and you better listen to them here. It seems US companies should really make changes to how they host/manage data to be able to work in the EU in the near future. (It isn’t a criticism, simply an assessment).
There's nothing US companies can do to make themselves legal to use here. The legal framework in the US allows dragnet spying on every non-American, and American companies are forced to participate in that effort.
So reading the English text it is not clear what exactly is the unlawful part. Is the fact that data is flowing to US based servers (which I assume is trivially managed by changing GA server location to Europe) or the fact it is flowing to an American Headquartered company, regardless of where the data is flowing to?
Can someone comment if the Italian language text is clearer? Or what is in the judgement?
There’s a bunch of steps, but jumping to the extreme, a foreign gov having access to the data is the awful part.
Data flowing to the US violates that, assuming Google US cannot refuse US gov requests; the headquarters having access to the data is also not accepted.
Well HN, how about a badge for links indicating whether it uses ga? We have to start somewhere don't we? Or we'll continue to see the web decline. Actually, from my PoV, it might be too late already. Maybe it's just me or people in EU being harassed with banner popups, but I hardly go to any link anymore, and so do many other people I know. It's just not worth it.
> how about a badge for links indicating whether it uses ga?
Sounds like a browser plugin would be best for this, then all links across the web could show it. Or you could just block it in uBO and not think about it again.
I'm an American, but I occasionally use an EU VPN. I don't understand how EU residents can tolerate the number of cookie/privacy/GDPR/whatever popups every site has, even on the sites of EU companies.
I use Ahoy too, but I don't have very good visibility into the data. I should spend more time building queries and creating charts. I should probably set up blazer as well: https://github.com/ankane/blazer
It would be really nice if Ahoy came with a web UI that covered all the basics.
I'd be terrified if I was an EU company at this point. There is no logical way these same rules don't apply to using AWS, GCP, and Azure. There isn't enough other cloud hosting with nearly the same capabilities in Europe to handle that day.
Suppose I run a website in the US and a user in Italy connects to it. Does this mean I’m now breaking the law serving them the website? My connection logs now have PII.
What if I use a CDN that has points of presence in Italy and still pings my server with a HEAD request and the end user IP?
Am I also now breaking Italian law by using Google Analytics?
As more and more country specific legal regulations are raised, I wonder who will be the ultimate gatekeepers of the general internet when certain actors behave against the "rules". The current landscape is a complex system of seeming contradictions straddling different levels of public and private, centralized and decentralized, anarchical and moderated, etc.
Will ISPs be forced to cut off traffic from certain areas? Will centralized companies like Google and Reddit be forced to comply with regulations or cut off services in certain areas? Will governments set up firewalls? Will the buck of responsibility be passed upwards to service providers like GA, or downwards to individual site administrators?
I'm actually just about to get rid of Google Analytics on DocSpring.com. I set up a self-hosted instance of Plausible Analytics on Render.com yesterday. I really like it so far. I set it up on a custom subdomain so it's not blocked by any ad blockers, so it's really nice to see analytics data that's almost 100% accurate (unless visitors disable JavaScript.) Especially since DocSpring is a developer tool, so most visitors are using an ad blocker extension. Also it doesn't use any cookies, so I don't need to show a cookie banner. It really feels like a breath of fresh air.
Hindsight is 20/20 but wasn't it clear that the company selling ads shouldn't be in charge of metrics for traffic and ads? Just like the TV channels had to rely on media rating firms.
corywatilo, 3 years ago:
(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)
Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.
minsc_and_boo, 3 years ago:
https://support.google.com/analytics/answer/6366371?hl=en#zi...
1vuio0pswjnm7, 3 years ago:
https://gdprhub.eu/index.php?title=DSB_(Austria_-_2021-0.586...
https://www.cnil.fr/en/use-google-analytics-and-data-transfe...
https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...
https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...
openplatypus, 3 years ago:
It is illegal to use it in such a way that results in Personal Data being siphoned to the US.
Is it hard? Yes. Outright illegal? Nah.
bradgessler, 3 years ago:
It's so much better! I can just use SQL to see what's going in and not get overwhelmed with 100's of visualizations and complicated dashboards.
AdriaanvRossum, 3 years ago:
To give people an option and pick something else over Google Analytics, I have built an alternative, Simple Analytics [2].
It doesn’t use cookies or any form of tracking and you still get the useful data that 80% of the website owners need.
[1] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)
[2] https://simpleanalytics.com