[lmkg]

> just illegal to use in its default state which transmits PII to the US

As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IP's before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.

[closewith]

That’s a very common implementation of serverside GTM/GA in the EU. If you advertise, you’ll still be sending GCLIDs, though.

[Nextgrid]

If only ad clicks send back tracking parameters (and nothing else) it might actually fall into legitimate interest.

[closewith]

The current issue isn't the lawful basis for the processing, as compliant companies already only use Google Analytics once they have consent. The issue is that without an adequacy decision from the EU to allow data transfers to the US, and with the global reach of US authorities thanks to the CLOUD Act, there's no way to keep personal data safe from US law enforcement.

[naet]

My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble. On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.

For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.

I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.

ref: https://support.google.com/analytics/answer/2763052?hl=en

[jeroenhd]

I'm not so sure your take on IP address anonymization. The source states:

    The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.

The Google documentation says:

    The IP-anonymization feature in Universal Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics.

IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French ruling before, I don't know about those, but from 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.

As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.

[snowwrestler]

That Google documentation is for the IP anonymization feature of Universal Analytics, which is being sunset in about a year.

Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.

I don’t know whether UA or GA4 service was the subject of the Italy case, but I would not be surprised if it was UA. Most sites have not switched over to GA4 yet.

[autoexec]

> Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.

So if I go to a website and it has me load code from Google's servers it's still got to send my IP address to them. I'm not sure why we'd take them at their word that they won't keep that data around (I'd like to see that independently verified). but it'll be sent to the server logs if nothing else. What does not storing the IP address even mean? Do they hash it and store that instead? Do they do a quick lookup and just flag your dossier logging the connection and when it happened before dropping the IP info?

If people care about their privacy I think it's probably best not to send information to Google in the first place. There are alternatives to google analytics after all.

[closewith]

In a privacy-conscious implementation of GTM/GA, those scripts can be loaded from a first-party server controlled by the company, and Google will never see the user's IP address.

There is no real alternative to Google Analytics for most companies because of the Google Ads integration. If you advertise with Google, you need to send them conversion data, which means the GCLID. Without Google Ads, switching would be simple. Most enterprises already pay for other analytics tools.

[autoexec]

> In a privacy-conscious implementation of GTM/GA, those scripts can be loaded from a first-party server controlled by the company,

Thanks! I didn't know that was an option. I haven't noticed sites doing it yet at least, but I hope it catches on even for sites targeting US visitors! It'd be especially nice for government websites using GA.

[denton-scratch]

> Google Analytics 4, its successor, does not log or store IP address at all.

The fact that it receives the IP address at all renders it illegal in Italy, and probably anywhere GDPR is in force. And IP address truncation doesn't get you anywhere; it's Google that does the truncating, so the whole address is actually sent to Goo, by which time it has departed from GDPR jurisdiction.

[majewsky]

> For many clients I have set up a cookie compliance tool like Onetrust

Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?

[erikgaal]

This is actually a setting within OneTrust which has a terrible default. We (had to) use OneTrust on eurovision.tv, but configured it ourselves to have three equally styled options.

[hedora]

I'd love to see this result in a company-ending lawsuit against OneTrust.