In early February, France’s information watchdog (formally known as commission Nationale de l’informatique et des libertés, or CNIL) concluded that Google Analytics’ data collection and transfer policies violate the European Union’s General Data Protection Regulation (GDPR) law.
The official decision echoes the Schrems II decision in 2020 by the Court of Justice of the European Union (CJEU). In the Schrems II case, Austrian activist and lawyer Max Schrems argued that Google had inadequate protections in place for data transferred out of the EU.
Let’s look at the factors driving the global conversation and how they will impact marketing in 2022.
The CNIL decision, Schrems II, and a handful of other legal initiatives that are currently exploring litigation all centrally focus on the GDPR — Europe’s sweeping data protection and privacy legislation. The law, adopted in 2016 and enforceable since 2018, covers data protection and privacy within the EU and the European Economic Area (EEA).
Considered among the world’s strongest data protection laws, GDPR protects consumer data, restricting what kinds of data companies can access and what they can do with it.
Before 2020, the technical framework for data transfer to the U.S., known as Privacy Shield, served as a safeguard between the EU and the U.S. But, in 2020, Schrems and his legal team pointed out that, even with Privacy Shield, U.S. federal surveillance practices theoretically allow the government access to protected data. Schrems argued this access violates GDPR policy, and the CJEU agreed.
This February, the CNIL issued its own press release, taking a similar position as the CJEU. While EU standards on surveillance are clear and restrictive, once the data is transferred to the U.S. via Google Analytics, it is technically accessible to U.S. intelligence services. Therefore, the organization concluded that Google Analytics poses “a risk for French website users who use this service and whose data is exported.”
In its statement, the CNIL ordered an unnamed website operator to comply with the GDPR within 30 days, “if necessary by ceasing to use the Google Analytics functionality.”
Privacy continues to dominate news cycles and is becoming a top priority for consumers across the globe. As decisions like the CNIL’s and Schrems II shape privacy, they also impact marketing strategies, especially those that have relied heavily on Google Analytics and third-party data.
The good news is that first-party and zero-party data are stepping in to fill the gap. As cookies disappear, fully customized experiences will become part and parcel of the consumer-brand relationship. This kicks critical user-level data back to brands and helps drive better experiences for users. These factors will drive decision-making for content production, advertising initiatives, and performance marketing.
As of this writing, there is not yet a solution to replace the original Privacy Shield. Until there is an approved replacement, the CNIL and CJEU maintain that Google Analytics is illegal in the region, and it’s something advertisers and international businesses must keep in mind. As we look to a future where third-party data collection is no longer an acceptable practice, brands should solidify their first-party and zero-party data strategies, lean into their user experiences, and re-shape business goals in light of changing privacy expectations.
Need help sorting through the latest developments in privacy laws? We can help. Explore our Marketing Pulse Dashboard for the latest trends in marketing, and visit the blog to learn more about data privacy and other timely topics.
Featured image by Anthony Beck on Pexels.