Services like Google Analytics may only be used, if the website owner obtains valid consent from their visitors, Berlin Data Protection Authority clarifies.
The German DPA warns of high fines for violations and points to several pending lawsuits.
No consent – no Google Analytics
In a press release on November 14, 2019, the Head of the Berlin DPA Maja Smoltczyk stated:
The integration of Google Analytics requires a consent which meets the requirements of the General Data Protection Regulation.Maja Smoltczyk – Head of the Berlin DPA
Therefore, if website operators and owners want to use third-party analytics services like Google Analytics – which collect and process visitors’ personal data for commercial purposes – valid consent is needed.
Valid consent is required for using Google Analytics
Website owners should check their cookie consent solution immediately for third-party services and other tracking technologies which harvest visitors’ personal data.
Anyone who uses services, like Google Analytics and Facebook Pixel, must either obtain a valid consent from their visitors or remove the service altogether, Maja Smoltczyk continues.
Consent is only valid if the user of the specific data processing clearly and actively consents.Maja Smoltczyk – Head of the Berlin DPA
This was clarified by the European Court of Justice on October 1st, 2019 in the case against Planet49.
Cookie pop-up banners with pre-ticked checkboxes for cookies and no options to decline cookies is not considered consent (see also recital 32 of the GDPR), the Court rules.
Cookie pop-up banners need to meet requirements in the GDPR
To obtain a valid consent on a website, you need a proper cookie consent solution.
However, most cookie pop-up banner on websites do not meet the standards of the GPDR, Maja Smoltczyk states:
A so-called cookie banner, which assumes that pure surfing on the website or the like should mean consent, is inadequate. The same applies to preactivated boxes in declarations of consent.Maja Smoltczyk – Head of the Berlin DPA
German Data Protection Authorities on the move
In the spring of 2019, the German Data Protection Supervisory Authorities (DSK) published the “Guidance for providers of telemedia” and worked out in detail under which conditions tracking of website visitors is permitted.
Despite the guidelines, the Berlin Data Protection Commissioner continues to receive numerous complaints about websites that disregard the guidance.
Audience analysis with no consent
On the other hand, the Berlin DPA says that it can be regarded lawful (legal) to carry out an audience analysis which collects the number of visitors per page, device and language settings (even if done by a third-party processor), if the processor does not use the data for his own purposes (commercially).
Services like Piwik Pro offer solutions in which you ‘own you own data’.
How to use Google Analytics with valid consent?
Google Analytics is a fantastic free tool to measure website traffic. But Google Analytics collects and processes your visitors’ personal data for commercial purposes.
Therefore, valid consent for using Google Analytics is required by the GDPR.
To collect valid consent, you need a cookie consent solution (banner) which:
- Informs your visitors of cookies (who owns them; their purpose; lifespan)
- Provides your visitors with the option to decline cookies (and tracking)
- Holds back cookies before consent is obtained
- Does not assume consent with pre-ticked boxes
- Collects and stores consents for 5 years (in case of inspection by DPA).
With a valid consent in hand, you can use Google Analytics as much as you like and thereby benefit from the vast amount of data it offers for retargeting and visitor profiling.
Get in touch with Cookie Information if you desire a solution which allow you to legally use Google Analytics.
Cookie Information’s cookie consent solution is used by more than 1000 companies; collects more than 8 billion consents a year, and is up to date with the ePrivacy Directive and GDPR.