Is the use of Google Analytics with server-side tracking permitted in the EU?

From the perspective of the GDPR, data transfer to the US is always problematic when personal data is transmitted. So why not simply interpose a service that forwards only anonymised data to Google & Co., and thereby circumvent the ban on using Google Analytics?

But it is not that simple. Because:

  • Can server side tracking services really achieve complete anonymisation of data?
  • What must be taken into account legally and technically?
  • What are the disadvantages and costs of this approach?

We want to shed light on this in the following.

The basic idea of server side tracking

With server-side tagging, the data is not sent directly to Google but first to the user’s own server or that of a third-party provider. There, the data is processed before it is sent on to the Google server.

IP anonymisation is not enough!

Anonymisation of data is achieved when it is impossible to identify the data subject or otherwise draw conclusions about a specific person. GDPR Art. 4 No. 1 defines personal data as follows:

“… means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

Clearly, this means that IP anonymisation alone is not enough. The Austrian data supervisory authority affirms this in the proceedings against the netdoktor.at platform. It was found that Google collects so many other data points by means of Google Analytics that it is possible to draw conclusions about the individual person from the unique combination. Google could presumably establish a link based on the timestamp and the link from the Google search alone, or at least when these are combined with additional information from the so-called user agent string, such as browser and operating system version.

In addition, online identifiers are often automatically transferred via the referrer link from social media, affiliate and other advertising platforms or may be included as URL parameters, e.g. after a login to the website. However, even such unintentional personal information is not allowed to be passed on.

Checklist for anonymisation to avoid the “export ban” of personal data to non-EU countries:

  • Anonymisation of the IP address.
  • Removal or anonymisation of mobile identifiers such as IDFA, UDID, Android ID or Google Advertising ID, Windows Advertising ID or other Windows IDs, IMEI or IMSI, MSISDN.
  • Shortening of all referrers to the pure referrer domain without URL parameters and the like (i.e. also removal of UTM parameters).
  • Change timestamps for all entries and calls of external social media links to prevent linking to US marketing platforms.
  • Checking of all internal URLs in order to avoid the transfer of user IDs when calling up pages, especially in closed areas after login or in the check-out process.
  • Checking the event tracking parameters for logins etc. in order to avoid the transfer of user IDs.
  • Limiting the technical device information to general device types and pure browser names without granular browser and OS versions (no forwarding of the complete user agent).
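The scrubbing step this checklist describes, sketched as an added example (not code from this article or from any tracking product). The field names, the /24 and /48 prefix widths, the hourly timestamp rounding and the ID-masking pattern are assumptions. The outgoing hit is built from an allowlist, so fields the code does not know about are dropped rather than forwarded.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Order matters: Edge and Opera user agents also contain "Chrome" and "Safari".
BROWSERS = (("Edg", "Edge"), ("OPR", "Opera"), ("Firefox", "Firefox"),
            ("Chrome", "Chrome"), ("Safari", "Safari"))

def anonymise_ip(ip):
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6 (assumed widths)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def referrer_domain(url):
    """Reduce a referrer to its bare host; path, query and fragment are dropped."""
    return urlsplit(url).hostname or ""

def strip_url(url):
    """Keep only the path of an internal URL and mask ID-like path segments."""
    return re.sub(r"/(\d+|[0-9a-fA-F-]{16,})(?=/|$)", "/:id", urlsplit(url).path)

def coarse_device(ua):
    """Map a full user agent to device type and browser name, without versions."""
    device = "mobile" if re.search(r"Mobi|Android|iPhone", ua) else "desktop"
    browser = next((name for token, name in BROWSERS if token in ua), "other")
    return {"device": device, "browser": browser}

def scrub_hit(hit):
    """Build the outgoing hit from an allowlist, so unknown fields (device IDs,
    user IDs, event parameters) never reach the forwarder."""
    return {
        "ip": anonymise_ip(hit["ip"]),
        "page": strip_url(hit["url"]),
        "referrer": referrer_domain(hit.get("referrer", "")),
        "ts": hit["ts"] - hit["ts"] % 3600,  # assumption: coarsen to the full hour
        "event": hit.get("event", "page_view"),
        **coarse_device(hit.get("user_agent", "")),
    }

# Constructed sample hit, not real traffic.
SAMPLE_HIT = {
    "ip": "203.0.113.77", "ts": 1700003599, "event": "page_view",
    "url": "https://shop.example/account/48213/orders?uid=48213&utm_source=nl",
    "referrer": "https://l.facebook.com/l.php?u=https%3A%2F%2Fshop.example&fbclid=abc",
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 "
                  "Mobile/15E148 Safari/604.1",
    "idfa": "00000000-0000-0000-0000-000000000000", "user_id": "48213",
}
```

Calling `scrub_hit(SAMPLE_HIT)` shows which fields survive; a scrubbed hit still leaves open whether the remaining combination identifies a person.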

Since Google does not make public which data in combination can be used to draw conclusions about the person, a definitive statement is impossible and the use is always associated with a considerable legal risk. Identifiability of the tracked user on the basis of identifiers contained in website URLs or referrer links can practically never be ruled out!

It should also be noted that the anonymisation process prior to transfer to third parties already constitutes processing of personal data within the meaning of the GDPR. A legal basis must exist for this, such as consent or overriding legitimate interest. Where the basis is an overriding legitimate interest, all requirements must be met within the framework of a balancing of interests, even if the processing takes place on the company’s own servers. This includes, among other things, that anonymisation takes place as early as possible before the actual data storage. In the case of cloud hosting, storage may only take place within the EU by a European provider without a US parent company.

Checklist for data processing according to overriding legitimate interest:

  • The processor does not pursue its own purposes.
  • The data obtained is not linked across different websites.
  • The duration of the observation or visitor recognition is limited to a maximum of one day.
  • The right of objection of Art. 21 (2) GDPR is guaranteed by an opt-out function.
  • No mouse tracking or replayable session recording takes place.
  • IP anonymisation takes place before storage as well as before processing such as geo-resolution.
  • Explicit do-not-track settings in the browser are observed.

Pay attention to the cookie consent obligation!

If cookies or JavaScript fingerprinting are used in the context of server-side tracking, the obligation to obtain consent under the ePrivacy Directive must be observed. This applies irrespective of a personal reference or the downstream anonymisation.

It is inadmissible, as some of the services offer, to declare the use of the associated cookie as absolutely necessary just because server-side tracking is also used to pursue necessary purposes such as fraud prevention or the like. Rather, granular consent or refusal must be possible for each individual purpose.

The European Data Protection Board’s guidelines on consent require “that the data subject’s consent must be given for ‘one or more specified’ purposes and that a data subject must have a choice in relation to each of those purposes.”

Users must be able to opt out of the use of server-side tracking cookies and be informed of all related purposes in advance. If even one of the purposes is refused, the tracking cookie is not allowed to be set.

Without remarketing, of course!

When evaluating server-side tracking services, the associated costs should not be ignored. These arise from the licence for the service, possibly separate cloud hosting or self-operation, and the sometimes very high implementation effort for the tagging.

In addition, it should be checked whether it is a solid and reputable provider and what support services are offered.

If anonymisation takes place as described, campaign tracking and thus also a conversion upload are not possible. Remarketing is excluded anyway, as this always involves individual online identifiers. In addition, many dimensions and measurement values (key figures) are not possible in Google Analytics, for example: unique and new users, age, gender, device model, ad, campaign, keyword, operating system version, screen resolution, lifetime values, user retention.

Conclusion: Server Side Tracking in practice not GDPR-compliant

It sounds tempting: full data control and continued, worry-free use of US tools thanks to anonymised data forwarding. But truly anonymous tracking is hardly possible. In addition, it is very time-consuming and costly to set up. In the end, there is no legal certainty, but only a concealment of the use of US tools. It is doubtful whether this is worth the cost and effort. It is more sustainable to switch to a European provider who carries out the processing in accordance with the current guidelines of the supervisory authorities and does not operate in dubious grey areas.