I am strongly considering discontinuing the use of the Google Analytics service. If you’re interested, the reasons are below the cut.
My rationale for using the analytics service, which I set up many years ago, is spelled out in the first paragraph of the “Online Tracking” section of the Privacy Policy. Unfortunately, the use of web analytics tools in general and Google Analytics in particular has become (and continues to be) legally fraught. That’s why some years ago I changed the analytics setup on Ate Up With Motor to function on an opt-in basis only, but that’s not an entirely satisfactory solution either, both because it created the unfortunate dual-notification-banner situation and because it means the analytics results are not necessarily an accurate or reliable reflection of how many visitors the site actually gets.
I have my doubts about it from an ethical standpoint as well. In my own online activity, I actually use a variety of overlapping methods of blocking analytics tracking, and while it’s basically impossible to completely avoid Google services (among other things, I have an Android phone, which obviously depends on Google platforms and infrastructure), I have many qualms about relying on them if I can avoid it.
The tipping point is that Google recently announced that they’re phasing out the version of the Google Analytics service I’ve been using and will be forcing users who want to continue to collect data after July 1, 2023 to migrate to the latest Google Analytics 4 setup. There are some advantages to the latter, but my appetite for going through a complex series of technical issues and data export/import for a service whose drawbacks were already starting to outweigh its benefits is, let us say, not great.
The main reason I haven’t ditched it already is that folding up the tent on the existing Google Analytics setup is also not straightforward. Turning it off is simple enough — I can easily disable it any time the urge strikes me — but if I do that, I’ll need to also completely rewrite the applicable sections of the Privacy Policy and Cookie Notice accordingly, in particular because the analytics cookies already on visitors’ devices won’t just go away. (They should no longer be functional if the tracking script is disabled, but some of them may persist for quite a while.) I would also need to decide on the disposition of the existing analytics data. If I stop using the Google Analytics service, my inclination is to simply delete all the existing data, but that too is a process, literally. (If you request deletion of the data, it may not be actually be removed completely from the servers until the next scheduled “deletion process,” which only occurs about every two months — my understanding is that this applies to the deletion of data from various Google services, not just the Google Analytics service.)
If I stop using the Google Analytics service, I likely won’t switch to another analytics service. There are several, but they present most of the same problems, and many of them are costly as well. (The biggest Google Analytics advantage is that it’s generally free unless you get far more traffic than I ever have or am likely to.) I just don’t see much advantage to it anymore.
For what it’s worth, AUWM is one of the few sites which I allow analytics access; I don’t begrudge allowing a small business owner (which is what I suppose you are) to use my data, especially not after giving me such good content to enjoy.
I suppose this is yet another thing that falls foul of California privacy law? Do they make you, the site owner/operator, responsible for managing your site’s Google analytics data? Do they consider these things to be what GDPR would call PII?
I confess I’ve been scratching my amateur head trying to figure out a solution to *that* particular dilemma, and so far my best idea has been blocking all California IP addresses, with a big notice saying “Sorry, but you’re blocked, and I would definitely not recommend a VPN to get around it.” Not, I realise, much help.
Yes, California, the EU, the UK, and various other jurisdictions consider much of the data gathered by web analytics services to be personal information. And yes, they consider website owners to be responsible for that data and how it’s handled.
The principal issue so far as California privacy law is concerned is that while it’s now possible to access or delete the portion of the analytics data that would constitute an individual visitor’s personal information, FINDING that information is not easy. The only reliable way I know to locate a specific visitor’s individual user report is if I know the Client ID, which is the alphanumeric identifier that’s actually stored in the analytics cookie on a visitor’s device (which I don’t usually have direct access to!). Moreover, visitor who accesses the site using several devices may have several sets of analytics cookies, each with a different Client ID and each (probably) treated by Google as a separate user in the analytics results. This is obviously cumbersome.
Non-U.S. law is an even stickier matter. Google offers a data processing addendum (which I’ve accepted) that’s intended to cover GDPR compliance for the Google Analytics service, and the reason I have analytics set to opt-in is to try to address the more stringent British and European requirements regarding prior user consent. However, some jurisdictions are trying to make it so that using pop-ups or banners to obtain consent is not legally acceptable (what exactly they expect people to do instead, I have no idea). Also, some European courts have recently taken the position that the use of Google Analytics to process the personal data of European data subjects is categorically unlawful, data processing addendum and Standard Contractual Clauses notwithstanding, on the grounds that Google doesn’t provide adequate safeguards for that data.
A key European complaint in this regard — which is completely outside my control — is that U.S. law gives intelligence and law enforcement agencies pretty broad latitude to monitor and surveil foreign nationals, potentially in ways that would require a search warrant or court order if they involved U.S. citizens. So, if the personal data of a European data subject is being processed on servers in the U.S., various official entities can potentially access and use that data in ways that are legal under U.S. law (and that the owner of the servers may have no legal way to refuse), but that run afoul of the GDPR. This is separate from any other concerns about data security or contractual limitations on the use or sharing of data. For these reasons, and of course for pettier economic ones, there are factions within the EU that would really prefer to force businesses that want to gather advertising or measurement data about EU residents to use analytics providers based in the European Economic Area.
Fun fact: Because the EU, the UK, California, et al, consider IP addresses and geolocation data to be personal information, using that data to block visitors from those areas still likely counts as processing their personal information! Also, since I am based in California, blocking all California IP addresses would lock me out of my own website, although at this point, that might be better for my sanity.
Why do these issues concern you so much, while so many other website owners just plod ahead?
Because I’m afraid. (Although even if I weren’t, at this point, I’m pretty happy to reduce my reliance on Google products and services.)