Google Analytics and cookie consent

Google Analytics and cookie consent

On 11 January, the French data protection authority (CNIL) published a resolution sanctioning a company for various breaches of the GDPR (Data Protection Regulation).

Among the infringements considered, and the one we are analysing, is the installation of Google Analytics cookies without the consent of users.

In the aforementioned ruling, the CNIL states that whatever the settings chosen in relation to the advertising functionalities of the tool, the data collected through Google Analytics cookies can be reused to maintain and protect the Analytics service (and this is what Google states in its policies and terms of use).

From the above statement we can deduce that the CNIL considers that Google Analytics will always be considered as a data controller because it processes data for its own purposes and that, therefore, the consent of the data subject is required both for installing the cookies related to the tool and for the transfer of his or her data to Google.

Related to this, in our country, the Spanish Data Protection Agency (AEPD) published, also on 11 January, a new Guide on the use of cookies for audience measurement tools.

In this new Guide, the AEPD has opened up the possibility that audience measurement cookies or analytical cookies may be exempt from the consent of the data subject (provided that they meet certain requirements). In this regard, it states that ‘some analytics and audience measurement services […] do not fall within the scope of application of the exemption. […] when they declare that they reuse the data for other purposes, as is the case for several audience measurement offerings available on the market’.

Therefore, we can interpret that the AEPD includes Google Analytics as one of these tools that reuse the data and that, therefore, will not allow the cookie consent exemption.

Conclusions

In summary, two ideas that we can deduce:

  1. Google will be responsiblefor processing when we use its Google Analytics tool, regardless of the settings we have chosen.
  2. Users’ consent is required both for the installation of Google Analytics cookies and for their use.

As an additional idea, related to Google and also addressed by the CNIL in its ruling: Google’s reCaptcha mechanism is not only intended to ensure authentication for the benefit of users, but also allows Google to carry out analysis operations, as Google itself states in its general terms and conditions of use. What does this mean? According to the CNIL, in order to use Google’s reCaptcha, it will be necessary to obtain the user’s prior consent.

Article written by

Adriana RanchalAdriana Ranchal

Attorney –  Privacy & IP

adriana.ranchal@metricson.com

About Metricson

With offices in Barcelona, Madrid, Valencia and Seville and a significant international presence, Metricson is a pioneering firm in legal services for innovative and technology companies. Since its inception in 2009, it has advised more than 1,400 clients from 15 different countries, including startups, investors, large corporations, universities, institutions and governments.

If you would like to contact us, please do not hesitate to write to us at contacto@metricson.com. We look forward to talking to you!

Talk with us

958 558 442

Offices

Tuset, 19 - 2º, 3ª
08006 Barcelona
931 594 620

Javier Ferrero 10,
28002 Madrid

Paseo de Ruzafa 11, 6º, 12ª
46002 Valencia
960 500 761

Av. de la República Argentina, 25
41011 Sevilla

    Responsable: Metricson S.L.P.U.
    · Finalidad: Resolver tu petición o duda.
    · Legitimación:  Interés legítimo en responder cualquier cuestión planteada por ti.
    · Destinatarios: Prestadores de servicios tecnológicos, como encargados del tratamiento, que seguirán siempre nuestras instrucciones.
    · Derechos: Puedes acceder, rectificar, suprimir o solicitar la portabilidad de tus datos personales, así como oponerte o limitar el tratamiento de los mismos dirigiéndote a privacy@metricson.com.