← All posts

Is Google Analytics illegal? Several European Data Protection Authorities say so

• Written by Marko Saric
Is Google Analytics illegal?

Is Google Analytics illegal? Yes, say the Austrian, French, Italian, Danish, Finnish, Norwegian, Swedish and other European Data Protection Authorities. Here’s why.

  1. Google Analytics is illegal say European DPAs
    1. Austria: “The use of Google Analytics violates GDPR”
    2. France: “The EU-US data transfer to Google Analytics is illegal”
    3. Italy: “Unlawfulness of data transfers to the USA”
    4. Denmark: “Sites must stop using Google Analytics”
    5. Finland: “GA and Google Tag Manager are in violation of privacy regulations”
    6. Norway: “Google Analytics 4 does not correct the problems we have identified”
    7. Sweden: “Companies must stop using Google Analytics”
  2. Discuss Google Analytics and these specific rulings with your lawyer
  3. Plausible Analytics is a genuine European Google Analytics alternative
  4. Privacy-first web analytics
  5. Powered by European-owned cloud infrastructure
  6. We choose the subscription business model rather than surveillance capitalism

Google Analytics is illegal say European DPAs

Max Schrems and the Noyb team have filed 101 complaints throughout Europe concerning sites using Google Analytics and Facebook Connect.

Austrian DPA was the first to decide that Google Analytics is illegal in January 2022. Similar decisions have since dropped in other EU member states including France, Italy, Denmark, Finland, Norway and Sweden.

Google Analytics is illegal because the CLOUD Act allows US authorities to demand personal data from Google, Facebook, Amazon and other US providers, even when they’re operating (or hosting that data) in another jurisdiction such as the EU.

Most websites use Google Analytics, Facebook Connect and/or other US-owned cloud services. There were similar recent cases concerning the use of Stripe and the use of Cookiebot / Akamai.

Here’s the full overview of the different rulings by the European Data Protection Authorities.

Austria: “The use of Google Analytics violates GDPR”

In January 2022, the Austrian Data Protection Authority decided that the use of Google Analytics violates the GDPR as it is “subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens to them”.

This was the first DPA decision regarding EEA-US data transfers and it’s an exciting development for European privacy-first providers such as Plausible Analytics. According to the Noyb team, this decision is relevant for almost all European websites.

You can read a more detailed legal analysis here.

France: “The EU-US data transfer to Google Analytics is illegal”

Update February 10th 2022: The French Data Protection Authority CNIL has now ruled the same as the Austrian DPA. The EU-US data transfer to Google Analytics is illegal. CNIL has ordered the French websites to comply with the GDPR. More details here.

Italy: “Unlawfulness of data transfers to the USA”

Update June 23rd 2022: Italian Data Protection Authority Garante has now agreed with Austrian and French DPAs: “The Italian SA wishes to draw the attention of all the Italian website operators, both public and private, to the unlawfulness of the data transfers to the USA as resulting from the use of GA”. Garante has ordered Italian websites to comply with the GDPR. Details here.

Denmark: “Sites must stop using Google Analytics”

Update September 21st 2022: Danish Data Protection Authority Datatilsynet has now ruled Google Analytics as illegal as well recommending: “If it is not possible to implement effective supplementary measures, you must stop using the tool and, if necessary, find another tool that can provide web analytics and allows for compliance with data protection law, for example by not transferring personal data about visitors to “unsafe” third countries”. Details here.

Finland: “GA and Google Tag Manager are in violation of privacy regulations”

Update January 17th 2023: Finnish Deputy Data Protection Ombudsman has also ruled that using Google Analytics and Google Tag Manager is in violation of privacy regulations. Details here.

Norway: “Google Analytics 4 does not correct the problems we have identified”

Update March 6th 2023: Norwegian Data Protection Authority Datatilsynet has now also ruled that Google Analytics is in violation of privacy regulations. They’re now recommending Norwegian websites “to explore alternatives to Google Analytics”. And they also added that “as far as we can see, Google Analytics 4 will not necessarily correct the problems we have just identified”. Details here.

Sweden: “Companies must stop using Google Analytics”

Update July 3rd 2023: Swedish Authority for Privacy Protection (IMY) has issued the first major fine (€1 million) for using Google Analytics declaring “companies must stop using Google Analytics”. Details here.

Discuss Google Analytics and these specific rulings with your lawyer

Before these rulings, we’ve listed many reasons why you should remove Google Analytics from your site. These rulings are just the cherry on top. We don’t want to spread fear, uncertainty and doubt as a marketing technique. If you’re targeting Europeans, you should consider how these rulings affect you and the US-owned services that you’re using.

We encourage you to discuss Google Analytics and these specific rulings with your lawyer to help you decide whether Google Analytics (Universal Analytics and Google Analytics 4) still allows you to fulfill the legal requirements that apply to you.

Plausible Analytics is incorporated, built and hosted in the EU with all visitor data exclusively processed on servers and cloud infrastructure owned and operated by European providers. If Google Analytics no longer allows you to fulfill the legal requirements that apply to you, do check us out.

Here’s an independent legal assessment on GDPR-compliant web analytics and a legal comparison between Google Analytics and Plausible written by an experienced data protection expert and lawyer.

Plausible Analytics is a genuine European Google Analytics alternative

If you are looking for a genuine EU alternative to Google Analytics, do give Plausible a chance. We’re an independent and bootstrapped project incorporated in Estonia. Our team is based in Estonia, Germany and Belgium. All visitor data we collect is hosted in Germany on servers owned by a German company (Hetzner). We use a Slovenian-owned provider for our global CDN (Bunny).

These rulings make Plausible an even more interesting Google Analytics alternative to an even more significant number of sites. Thousands of sites, startups and some of the world’s leading brands have already switched from Google Analytics and other services. Plausible is built for scale and can serve sites with hundreds of millions of monthly visitors.

We’re a profitable and sustainable open source project with more than 12,000 paying subscribers. More than 200,000 different websites use Plausible and we’re counting four billion pageviews per month. We’ve put together a list of people tweeting about using Plausible if that helps you.

We also feature a Google Analytics import so you can import you historical stats from Google’s Universal Analytics to Plausible.

Privacy-first web analytics

We’re a privacy-first web analytics service and we minimize any data collection in general. We don’t use cookies, browser cache nor local storage. We don’t generate any persistent identifiers and there’s no cross-site nor cross-device tracking with Plausible.

Our priority has always been to never collect nor store any personal data in the first place, so these types of rulings affect us less than Google Analytics and other services that are part of surveillance capitalism. Still, since the EU-US Privacy Shield was invalidated, we started putting more resources into using EU owned and operated service providers.

We’ve always stored all the site data we collect in the EU. In the past, we used DigitalOcean for the servers and Netlify for the CDN and DDoS protection. Despite us hosting the data in the EU, these were both US-owned operators. We’ve since changed to exclusively use servers and cloud infrastructure owned and operated by European providers instead.

Powered by European-owned cloud infrastructure

In 2021, we moved to Hetzner, so all of the data we collect is hosted in Germany on a German-owned server. In early 2022, we made the switch to Bunny (a Slovenian-owned provider) for the global CDN, DNS and DDoS protection:

  • All of the data that Plausible tracks and collects is kept fully secured, encrypted and hosted on renewable energy powered server in Falkenstein, Germany. Hetzner, a European company, owns the server. This ensures that all of the website data is being covered by the European Union’s strict laws on data privacy. Your website data never leaves the EU.

  • For the CDN and DNS, we use Bunny, another European-owned provider from Slovenia. Using a global CDN means having a fast loading script no matter where your visitors are based. We’re proud to have one of the most lightweight JavaScript snippets in the analytics industry. Clocking in at less than 1KB (45 times smaller than Google Analytics), our script will not add any bloat to your website or cause any performance issues.

You don’t have to worry about Schrems II and that it invalidates the EU-US Privacy Shield when using Plausible. Your website and visitor data is exclusively processed with servers and cloud infrastructure owned and operated by European companies.

As always with Plausible, we’re transparent and open source. Don’t like the European Union and the European-owned cloud providers we use for our infrastructure? You can self-host our analytics with any cloud provider and in any country you wish. Even in the USA.

You can read more about what makes Plausible a privacy-first web analytics tool and a more technical overview in our data policy.

We choose the subscription business model rather than surveillance capitalism

Plausible Analytics is not free unlike Google Analytics. Plausible is not collecting and analyzing vast amounts of personal information from web users and using these behavioral insights to sell advertisements. With Plausible, you 100% own and control all of your website data. This data is not being shared with or sold to any third-parties.

We choose the subscription business model rather than the business model of surveillance capitalism. To keep the project development going, stay in business, continue putting effort into building a better product and cover our costs, we need to charge a fee.

Feel free to explore Plausible using our trial. We have a free 30-day trial with no credit card required. It should give you enough time to test the features you’re interested in. This will give you a better idea of how it all works and whether Plausible is the right solution for your needs.

We don’t do any paid ads, retargeting and other privacy-intrusive marketing. We rely on people like you who enjoy what we do to help us spread the word and de-Google more sites. Thank you for being so supportive!

From 🇪🇺 with ❤️

Your Plausible team

Written by Marko Saric

Hi! We are Uku and Marko. We're building a lightweight, non-intrusive alternative to Google Analytics. You can read about our journey and what we've learnt along the way on this blog.