On 11 January, the French data protection authority (CNIL) published a resolution sanctioning a company for various breaches of the GDPR (General Data Protection Regulation).
Among the infringements considered, and the one we are analysing, is the installation of Google Analytics cookies without the consent of users.
In the aforementioned ruling, the CNIL states that whatever the settings chosen in relation to the advertising functionalities of the tool, the data collected through Google Analytics cookies can be reused to maintain and protect the Analytics service (and this is what Google states in its policies and terms of use).
From the above statement we can deduce that the CNIL considers that Google Analytics will always be considered as a data controller because it processes data for its own purposes and that, therefore, the consent of the data subject is required both for installing the cookies related to the tool and for the transfer of his or her data to Google.
Related to this, in our country, the Spanish Data Protection Agency (AEPD) published, also on 11 January, a new Guide on the use of cookies for audience measurement tools.
In this new Guide, the AEPD has opened up the possibility that audience measurement cookies or analytical cookies may be exempt from the consent of the data subject (provided that they meet certain requirements). In this regard, it states that ‘some analytics and audience measurement services […] do not fall within the scope of application of the exemption. […] when they declare that they reuse the data for other purposes, as is the case for several audience measurement offerings available on the market’.
Therefore, we can infer that the AEPD counts Google Analytics among the tools that reuse the data and that, therefore, do not qualify for the cookie consent exemption.
Conclusions
In summary, we can deduce two ideas:
- Google will be responsible for processing when we use its Google Analytics tool, regardless of the settings we have chosen.
- Users’ consent is required both for the installation of Google Analytics cookies and for their use.
As an additional idea, related to Google and also addressed by the CNIL in its ruling: Google’s reCAPTCHA mechanism is not only intended to ensure authentication for the benefit of users, but also allows Google to carry out analysis operations, as Google itself states in its general terms and conditions of use. What does this mean? According to the CNIL, in order to use Google’s reCAPTCHA, it will be necessary to obtain the user’s prior consent.
Article written by
Adriana Ranchal
Attorney – Privacy & IP