On September 21st, 2022, the Danish Data Protection Authority (DPA) issued a press release stating that the continued use of Google Analytics without additional measures is not compliant with the GDPR. Since Personal Data (as defined by the GDPR) can in theory be transferred to Google servers physically located in the U.S, supplemental measures must be adopted by companies who use Google Analytics. This issue applies regardless of whether the old version (Universal Analytics/ UA) or the new version (Google Analytics 4) is used.
Currently, Google does not have any built-in features in either of these two versions that will fully prevent the transfer of Personal Data. Google has over the past year added multiple features to increase data controls in Google Analytics 4 to align with the GDPR requirements, including an IP anonymization feature. In the press release, the DPA stated that these features alone do not prevent the transfer of Personal Data to the U.S. and that a continued use of the tool requires additional measures outside Google Analytics.
As Google’s largest partner, Acceleration is in daily contact with Google’s senior management about the current situation. Google’s stance is that the press release from the Danish DPA is not a ruling but is considered to be guidelines. While it is not for Acceleration to provide legal consultancy, we encourage all advertisers, as a first step, to assess their company risk profile (which may differ from company to company and industry to industry) and consider whether to take immediate action – or hold on and wait.