Here is the only solution to be compliant!

In two articles published on its official website, the Commission Nationale de l’Informatique et des Libertés (CNIL) ruled that the use of Google Analytics can be compliant with the GDPR only by using a (complex) proxy method. What is it? How does it work?

Why is Google Analytics considered by the CNIL not to comply with the GDPR?

The CNIL cites several reasons; here are the two main ones:

  1. Hosting of collected data outside the EU: the main Google Analytics GDPR compliance issue is the hosting of data on American servers, to which the intelligence services and authorities of the United States may have access upon simple request to any company based in the national territory.
  2. Incomplete pseudonymisation and anonymisation measures: the second problem derives from the incomplete anonymization of the data collected through Google Analytics. Even though the software offers an IP address anonymization function, not all transfers are affected. The CNIL also had no evidence that anonymization, when configured, had occurred prior to the transfer of the data to the United States.

Proxyfication: the only possible “solution” to make Google Analytics GDPR compliant according to the CNIL?

Yes. The CNIL confirmed this in a question and answer session: at the moment it is not possible to configure Google Analytics so that the data is not hosted on servers located outside the United States.

Furthermore, even in the absence of data transfer, the mere fact that it is a non-European web analytics solution implies that third-country authorities could request access to the data, even if the data were hosted on servers located in the European Union.

Proxyfication is therefore the only solution offered by the CNIL to be able to use Google Analytics in compliance with the GDPR.

Proxyfication: what is it and how does it work?

Explanation of how proxyfication works, according to the CNIL

Proxyfication consists of using a proxy server to avoid any direct contact between the user’s device and the servers of the Google Analytics web analysis tool.

Concretely, proxyfication, if well configured, acts as a data pseudonymisation phase before export to Google’s servers.

For the configuration to be fully compliant, the information transmitted to the Google Analytics servers must in no case allow the re-identification of a person, regardless of the information cross-checking performed.

The proxy must follow specific measures to comply with the GDPR according to the CNIL

Here are the different measures presented by the CNIL as necessary for the proxyfication to be considered compliant with the GDPR:

  • the absence of IP address transfer to the servers of the measurement tool. If a location is transmitted to the servers of the measurement tool, this must be handled by the proxy server, and the level of accuracy must ensure that this information does not allow re-identification of the person (for example by using a geographic grid that guarantees a minimum number of Internet users per cell);
  • replacement of the user identifier by the proxy server. To ensure effective pseudonymization, the algorithm performing the substitution should ensure a sufficient level of collision (i.e. a sufficient probability that two different identifiers will give an identical result after hashing) and include a time-varying component (add to the hashed data a value that evolves over time, so that the result of the hash is not always the same for the same identifier);
  • the deletion of referring-site information (or “referer”) external to the site;
  • the deletion of any parameter contained in the URLs collected (for example the UTMs, but also the URL parameters that allow the internal routing of the site);
  • the reprocessing of information that may participate in the generation of a fingerprint, such as the “user agent”, to remove the rarer configurations that can lead to re-identification;
  • the absence of any collection of cross-site identifiers or deterministic identifiers (CRM, unique ID);
  • the deletion of any other data that may lead to re-identification.
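
The sketch below shows how a proxy could apply several of these measures (identifier replacement, referrer and URL parameter removal, user-agent reprocessing, no IP or CRM identifier forwarded) to one incoming hit. It is an added example, not code from the CNIL or from Google; the field names, the secret, the site host and the bucket count are assumptions, and location handling is left out.

```python
import hashlib
import hmac
from datetime import date
from urllib.parse import urlsplit, urlunsplit

# All names and values below are hypothetical, chosen for illustration.
SITE_HOST = "www.example.org"          # the first-party site behind the proxy
SECRET = b"proxy-only-secret"          # never leaves the proxy
BUCKETS = 4096                         # small output space forces collisions
UA_FAMILIES = (("Edg/", "Edge"), ("Firefox/", "Firefox"),
               ("Chrome/", "Chrome"), ("Safari/", "Safari"))  # order matters

def keyed_digest(client_id: str, day: date) -> bytes:
    """HMAC over the identifier plus a component that changes every day."""
    msg = f"{day.isoformat()}|{client_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()

def pseudonymise_id(client_id: str, day: date) -> str:
    """Truncate the digest to BUCKETS values so distinct users can collide."""
    bucket = int.from_bytes(keyed_digest(client_id, day)[:4], "big") % BUCKETS
    return f"p{bucket:04d}"

def strip_query(url: str) -> str:
    """Drop query string and fragment (UTM tags, internal routing parameters)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def coarse_user_agent(ua: str) -> str:
    """Keep only a browser family; rare configurations collapse into 'Other'."""
    for token, family in UA_FAMILIES:
        if token in ua:
            return family
    return "Other"

def sanitise_hit(hit: dict, day: date) -> dict:
    """Build the outbound record from an allow-list. Anything not copied here
    (client IP, CRM or cross-site identifiers, other fields) is never sent."""
    out = {
        "cid": pseudonymise_id(hit["client_id"], day),
        "page": strip_query(hit["page_url"]),
        "ua": coarse_user_agent(hit.get("user_agent", "")),
    }
    referrer = hit.get("referrer", "")
    if referrer and urlsplit(referrer).hostname == SITE_HOST:
        out["referrer"] = strip_query(referrer)  # external referrers are dropped
    return out
```

Whether a given bucket count and rotation period give the “sufficient level of collision” the CNIL asks for depends on the site's traffic; the values here are placeholders.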

What other alternatives?

If this proxyfication cannot be implemented in your infrastructure, the only viable alternative to comply with the GDPR is to change your web analytics solution to a tool with GDPR-compliant configuration options.

Currently there are several alternatives to Google Analytics which can also, in some cases, be exempted from the collection of consent when collecting simple and anonymous traffic data.

Here is a selection of the two relevant solutions:

To go further, we strongly advise you to read the two articles published by the CNIL on the subject:
