
The Case Against Google Analytics for Organizations Collecting Personal Data

Almost 30 million website owners choose Google Analytics to gather data about their visitors. Despite its popularity, a lack of data control and limitations of the free version mean that it’s better in theory than in practice. Even if you trust Google’s data privacy policies, Google Analytics still may not be the best option.

The reasons for the popularity of Google Analytics are clear:

  • When your website traffic is less than 10M hits a month, it’s free
  • Marketers and analysts consider its interface to be the standard
  • It integrates well with Google Search Console and Google Ads

Look closer, however, and the downsides of the Google Analytics model start to add up. This is especially true in sectors such as government, healthcare or finance, where personal and sensitive data are common. As we’ll see, Google’s business model often makes compliant handling of such data impractical.

The hidden costs of free Google Analytics

The biggest cost lies in how the data Google Analytics collects is used and shared. From Google Analytics, the data ends up all over the world for use in Google’s advertising products. This is clearly stated in the policies for Google Analytics. This also won’t change anytime soon. The basic version of Google Analytics is free precisely because the data from it can be used for lucrative services such as Google Ads.

Google Partner Sites Policy
Source: https://policies.google.com/technologies/partner-sites

The fact that Google Analytics data goes into behavior-based ad audiences poses several problems to analytics users. On the one hand, the latest Google Analytics processing terms forbid users from collecting personally identifiable information (PII), except for:

Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers

To simplify, in most places, this significantly restricts the kind of data analytics users can collect and process. Excluding most forms of PII makes Google Analytics less effective for most and often useless in sectors such as finance, healthcare and government.

On the other hand, using those exempted identifiers in some jurisdictions implies the same legal obligations as for PII, e.g. names and addresses. In the European Union, for example, the General Data Protection Regulation (GDPR) labels identifiers such as cookies and IP addresses as “personal data.” Personal data is the EU’s equivalent of PII, but with a much broader definition.

Whatever the legal name of such data, Google Analytics makes it difficult to deal with. Many users of the platform won’t be able to find the delicate balance between useful analytics data and compliant data collection practices. This is especially the case in countries and sectors with strict data privacy and security rules.

Another hidden cost is how little data the free version of Google Analytics makes available. It doesn’t give any access to raw data. The data that is available to view on the platform is heavily sampled. Data sampling is acceptable for large datasets. But the smaller the dataset for any given report, the higher the chance of serious accuracy issues.

The costs of the free version of Google Analytics can be summed up in three main categories:

  • Loss of data control
  • Difficulty of balancing compliance and data completeness
  • Data issues – lack of raw data and data sampling

Beyond those basic issues with the free version, there are additional problems for organizations, both public and private, to consider. Unfortunately, many of these problems also affect the paid version, Google Analytics 360.

The People v. Google Analytics

According to research from the European Agency for Fundamental Rights (FRA), 41% of Europeans do not want to share any personal data with private companies. Pew Research figures reveal that 75% of Americans say it is “very important” to them that they are in control of who can get information about them. Advertisers and businesses top the FRA’s ranking of entities with which people don’t want to share information without consent.

Third-party consent mechanisms are available for Google Analytics, but they often don’t go far enough to satisfy demands for zero tracking without consent. Many basic identifiers are still collected without consent whether the average internet user realizes this or not. Just by using Google Analytics, organizations may be acting against the wishes of those they serve.

Business v. Google Analytics

Not only do internet users have reason to be dissatisfied with Google Analytics, so do businesses using it to collect data.

Making Google Analytics compliant with internal and external data regulations is just the start. If a business manages to adjust Google Analytics to be fully compliant with GDPR, then no part of the analytics platform will work without consent. Around 30% of visitors give consent. This means that businesses will have to make do with 70% less data. Some browsers and ad blockers prevent Google Analytics from collecting data. Visitors using those programs will also be absent from reports.

The collected data won’t be exclusive to the business collecting it. Google Analytics sends that data out for use in the Google family of products, most notably Google Ads.

Any business creating audiences for ad campaigns will indirectly draw from data collected by competitors with Google Analytics. This is bothersome from a data privacy point of view, but also from the perspective of using data for a competitive advantage. It’s as if each company’s exclusive customer research data were sent to competitors.

From a more practical point of view, if a business wants to get data from more than 10 million hits per month or access raw data, it needs to pay for Google Analytics 360. Worse, the paid version of Google Analytics removes some limitations of the platform, but it still shares data with other Google products.

The State v. Google Analytics

Google Analytics puts public sector analytics users in an even more awkward situation.

Imagine a local government is trying to collect data about how citizens search on their site for information about unemployment benefits. If they used Google Analytics to gather this data, the users who visited their site could later be targeted with ads from, for example, short-term loan providers.

It’s worth explaining how this could happen. The amount of data that ends up in Google Ads audiences is enormous. A person visiting a single government page would be a drop in that ocean of data. Google Ads wouldn’t target that person directly either. But the person may see that short-term loan ad in a roundabout way through look-alike audiences or conversion optimization algorithms.

Nothing illegal has happened. But it doesn’t look good. Visiting a government website led, albeit indirectly, to targeted ads from loan providers. Those loan providers have bad reputations and aggressive loan terms. To Google’s credit, it tries hard to prevent the worst abuses related to targeted ads.

But there are gray zones. Google Analytics feeds data to many of those gray zones. You can probably imagine even darker gray zones concerning public and private healthcare institutions.

So where businesses are putting their competitive advantage on the line by implicitly sharing data, governments are risking the trust of their citizens.

Sharing of personal data across borders could also be a legitimate complaint of citizens tracked by their own government using Google Analytics. For governments, just as for businesses, upgrading to Google Analytics 360 doesn’t resolve these core problems.

Alternatives to Google Analytics

Luckily for those with a non-zero analytics budget, there are many other paid platforms that offer more flexibility and control over data. Here are the factors to consider when looking at alternatives.

Data security and privacy regulations

New data privacy regulations appear on a regular basis. GDPR in Europe, CCPA in California and LGPD in Brazil are just a sample of what’s to come. For each legal jurisdiction, you need to make sure your analytics setup has the features necessary to comply with local laws.

Sector regulations

Many sectors will also need to check for compliance with another set of regulations. For example, the American healthcare sector must abide by HIPAA and European banks must follow the European Banking Authority (EBA) standards.

Data residency

Where you store data and backups matters more and more. Just being secure somewhere in the cloud isn’t good enough. If an analytics provider offers their service in the cloud, make sure you know exactly where the data centers are located.

The recent European Court of Justice ruling on Privacy Shield shows just how important data residency can be. Google Analytics, among many other services, relied on Privacy Shield as a legal basis for transferring data of EU residents to the United States. That legal framework now looks to be on life support, if not already obsolete.

Part of the problem is that many services are unclear about where data will be stored in the first place. Don’t fall into the trap of vague cloud promises. Those bits and bytes need to live somewhere. It should be in a place that gives you flexibility while guaranteeing compliance and maximum control.

Private cloud and on-premises hosting options are even better. Deployment becomes a more involved process, but that effort pays off later in the form of added control, security and privacy.

Data control and ownership

The ideal situation for security and privacy purposes would be 100% ownership of analytics data. This way, you can strictly enforce one set of privacy and security practices.

Anytime that is impractical, it pays to have data processing agreements in place. Just make sure those agreements have all the stipulations necessary for your organization to stay secure and compliant.

For example, under GDPR organizations need to handle data subject requests, including data erasure. To do this, they need to know where the data is and who to ask about changes.

Respecting user privacy

User expectations vary by location. Compliance with regulations is a must, but users often expect even more. You need to avoid “dark” user interface patterns that might lead users to agree to more data collection than they actually want.

For the EU and the relatively strict GDPR, this would mean a concise consent question with clear language and no pre-ticked boxes. Users that don’t consent expect to be forgotten immediately, meaning that at most anonymous data can be collected.

With respect to choosing an analytics provider, this usually means making sure that any data processors outside your organization respect user privacy. Check all the fine print to guarantee that none of your users’ data will be repurposed in a way they wouldn’t expect.

Data protection by design and by default

Maybe even more important than reading the fine print is trusting in the foundations of an analytics platform. Google Analytics has been developed to maximize data collection and improve ad targeting outside the platform. With those design foundations, it’s hard to see Google Analytics ever meeting the spirit of regulations such as GDPR.

This sounds vague, but design intentions count. That is the thought behind data protection by design and by default. Some experts also use the term privacy by design. Whatever the exact name, here are some of the things you should look for in an analytics platform that follows good design principles:

  • Data minimization – Collect only the data you need for the stated purposes and delete it when you no longer need it
  • Privacy by default – Assume that users don’t consent to data collection and collect personal data only after explicit consent for a limited set of data purposes (a good example of this in web analytics is called zero-cookie load, where no tracking cookies load before specific consent)
  • Pseudonymization – Scramble personal data in a way that can be reconstructed only with a key and only when needed
  • Anonymized and anonymous data – Scramble data so that it can never be used to identify individuals or only collect data that can’t be used to identify individuals

It’s hard to know how software was designed. But the chances are that if some of the above features and keywords are mentioned often, then the analytics platform you’re looking at was probably designed with data privacy and security in mind.
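To make the four principles above concrete, here is an added example (not code from any analytics product or from this article's author) of a server-side step that decides what to store for each hit. It assumes hypothetical field names (`cookie_id`, `ip`, `path`, and so on) and uses a keyed HMAC as the pseudonymization technique: the pseudonym cannot be reversed, but whoever holds the key can re-link a known identifier to its records, which is what an erasure request needs.

```python
import hashlib
import hmac
import ipaddress

# Fields kept for every hit (data minimization): nothing here identifies a person.
ANONYMOUS_FIELDS = ("path", "referrer_host", "hour")
# Constructed demo key; in practice it lives in a secrets store, apart from the data.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: stable per visitor, linkable to the identifier only with the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:32]


def coarsen_ip(ip: str) -> str:
    """Zero the host part (IPv4 /24, IPv6 /48) so the value no longer names one device."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def process_hit(raw: dict, consent: bool = False) -> dict:
    """Return the record to store. The default is no consent: no identifiers at all."""
    record = {k: raw[k] for k in ANONYMOUS_FIELDS if k in raw}
    if consent:
        record["visitor"] = pseudonymize(raw["cookie_id"])
        record["ip_prefix"] = coarsen_ip(raw["ip"])
    return record


def erase_visitor(store: list, cookie_id: str) -> list:
    """Erasure request: the key holder recomputes the pseudonym and drops its records."""
    target = pseudonymize(cookie_id)
    return [r for r in store if r.get("visitor") != target]


# Constructed sample hit (not real traffic); email and user_agent are never stored.
SAMPLE = {"path": "/benefits/unemployment", "referrer_host": "example.org",
          "hour": "2024-05-01T10", "cookie_id": "abc123", "ip": "203.0.113.77",
          "email": "jane@example.org", "user_agent": "Mozilla/5.0"}

if __name__ == "__main__":
    print(process_hit(SAMPLE))                # anonymous record
    print(process_hit(SAMPLE, consent=True))  # pseudonymous record
```

Destroying or rotating the key turns the stored pseudonyms into values nobody can link back to a visitor, so how the key is held matters as much as the hashing itself.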

Full functionality – positive sum

Analytics and data privacy and security don’t conflict as much as some suggest. It can be a win-win situation. Said another way, it’s not a zero-sum game. Full functionality and a positive sum are possible.

To get there, we need to balance the needs of internet users with the needs of the organizations who collect data about them. With that balance comes trust. Organizations trust they’ll get enough data and trust the data they get. Users trust data processors enough not to use aggressive ad blockers and other disruptive technologies.


Google Analytics hasn’t found that balance. Since it’s extremely popular, this has led to a poor experience for both users and organizations collecting data. Those needing to collect personal data in government, finance and healthcare have it the worst.

To improve the situation, we need to turn to alternative analytics platforms.