[idoh]

It is completely not true that you can "offload" responsibility as described. If you run a website, then you are a "controller" and are responsible for ensuring that processors are also abiding by the GDPR, for example by securing Data Protection Agreements and vetting the processors.

There is definitely risk associated with running third party analytics and not having opt-in associated with that. It is very much not established whether GA's solution is good enough. Having said that, while there is a risk, at this point it seems to be a small risk of getting into GDPR trouble unless you are a very large operation.

That's what I tell my clients. YMMV.

[aqui_c]

What I meant by 'offloading' the responsibility is that building a GDPR compliant system can be cumbersome. For example, imagine you run a Wordpress blog (I am a bit outdated here, this may have changed in recent releases), there is no path for me to get all the information you have about me (for instance, all the comments done with my e-mail). If you keep server logs with IP addresses, building a system that gives me that information is also cumbersome. However, if you outsource those needs (for instance, to GA), and they do have GDPR compliant systems in place, then you have offloaded the responsibility of keeping these services in-place. Being GDPR-compliant is an added value for SOME solutions, it is up to the user to check whether GA is compliant or not.

Regarding the risk, I think the debate should go over what are you doing with your client's users data, giving it away to Google? Is it truly necessary? It is not only about risking a fine, is about being aware of what privacy means and what is it important.

[idoh]

Well, I don’t know what to say other than you are totally wrong. It is not up to the user to check whether GA is compliant or not. The party accepting the personal data has responsibility to make sure that it is used responsibly by their processors.