[aqui_c]

What I meant by 'offloading' the responsibility is that building a GDPR compliant system can be cumbersome. For example, imagine you run a Wordpress blog (I am a bit outdated here, this may have changed in recent releases), there is no path for me to get all the information you have about me (for instance, all the comments done with my e-mail). If you keep server logs with IP addresses, building a system that gives me that information is also cumbersome. However, if you outsource those needs (for instance, to GA), and they do have GDPR compliant systems in place, then you have offloaded the responsibility of keeping these services in-place. Being GDPR-compliant is an added value for SOME solutions, it is up to the user to check whether GA is compliant or not.

Regarding the risk, I think the debate should go over what are you doing with your client's users data, giving it away to Google? Is it truly necessary? It is not only about risking a fine, is about being aware of what privacy means and what is it important.

[idoh]

Well, I don’t know what to say other than you are totally wrong. It is not up to the user to check whether GA is compliant or not. The party accepting the personal data has responsibility to make sure that it is used responsibly by their processors.