Blog about software development


Will the GDPR kill Google Analytics?

30 May 2018 - by 'Maurits van der Schee'

My common sense says that visits to any website should only be recorded by the operator/owner of the website (and for operational purposes only). This may change when agreed otherwise with the visitor (opt-in). My understanding of the "cookie law" is that such opt-in is required and that Google Analytics without opt-in was thus already forbidden (in the Netherlands) several years ago.

My reasoning is that A) your site functions fine without Google Analytics, B) you are giving (employees of) another company (Google in this case) access to personal information of your visitors, and C) it is clear that an analytics service costs money to operate, and since you are not paying for it, you should question how they make money. I understand that just A and B create a thin line and that you could argue by that logic that the entire spectrum of public cloud services (from renting software to infrastructure) requires opt-in.

At one extreme of this spectrum you have rented servers, where you can prevent the operator from gaining access and the operator has to break laws to hack into the data of your rented server. Still, I feel one is obliged to take serious measures to prevent such access, such as SSL, public-key-based login and full disk encryption. This way you can be relatively sure that even the operator of the rented server cannot access your data. At the other extreme you have software-as-a-service (such as Google Analytics), where you let a third party store personal information of people that you have no agreement with.

My moral compass also says that sharing a visitor's personal information (such as IP addresses or social media identifiers) with a third party without the visitor's consent should not be allowed. This is not limited to Google Analytics, but also applies to Google's +1 and Facebook's like button, which also make requests to third-party servers. These social buttons also share IP addresses and allow for (and make use of) cookie- and user-agent-string-based tracking. IMHO, when you are using Google Analytics on your website you are buying an analytics service with money gained from stealing personal information from your visitors. I feel that that is unethical.

Whether or not the new GDPR law deals with any of this is not clear to me, but for sure the discussion has intensified and it seems some companies are starting to comply, probably because this law now applies to all sites with European visitors, including American sites. One such site is eu.USAtoday.com, on which "uBlock Origin" with privacy-protective settings is not blocking anything. Note that an "ad blocker" is a strange name for software that protects your privacy to a level that is mandatory by law. It almost sounds as if you are stealing someone's source of income, while in fact it is not you, but the sites that are stealing (and selling) your personal information.

Let's hope the GDPR makes the web a better place.