The European Union has been after Google for abuse of its monopoly power in mobile search engines and applications. Now, a growing number of countries in the union are going after the use of Google Analytics for violations against the General Data Protection Regulation.
Italy is the third and latest country to prohibit the service which lets webmasters track and analyze their site traffic. The government stated in its decision that rafts of information, including IP addresses, are collected via cookies and transmitted to the United States and could potentially be seen by third parties and the government there, violating the GDPR as users aren't ensured due process for redress. Italy's competition authority has cited domestic web services provider Caffeina Media, giving the firm 90 days to transfer its account away from Google Analytics.
In a blog post, Google Analytics competitor Simple Analytics notes two other member states taking similar action. France's national commission on the freedom of liberation or CNIL announced a ban for the same reason back in February while Austria's Data Protection Authority put down its block in January (via noyb).
Google's appeals and defenses in response to these rulings are generally being dismissed. The company would not be able to satisfactorily demonstrate that it could anonymize user data from Europe before transmitting it to the U.S. Encryption in this process also doesn't matter if Google holds onto the keys.
Google is set to shut down the Universal Analytics platform — which leaned heavily on trackers to collect detailed information about site visitors — most Google Analytics clients are currently on by October 2023. Google Analytics 4, which loosens up on using trackers, but still looks to get a lot of the same data with other methods, is available now, but likely won't earn favors from the E.U. Google has also struggled to develop new, privacy-minded web trackers over the last several years.
A lot of the justifications for banning Google Analytics are coming from something called the 'Schrems II' decision from the Court of Justice of the European Union from 2020. This invalidated earlier principles in a framework dubbed Privacy Shield which protected safeguarded data transfers to the United States. You can see the full verdict here.