Data protection conference: New requirements for Google Analytics

The Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) has recently passed a resolution on the use of Google Analytics. This contains a number of clarifications, which are not surprising given the latest developments in case law. In particular, it is important that the DSK assumes that no more data processing agreements may be concluded with Google.

The following should now apply:

  • Google Analytics may no longer be integrated via order processing (AVV) in accordance with Art. 28 GDPR. Rather, Google itself is the controller under data protection law.

  • There is joint responsibility between Google and the website operator in accordance with Art. 26 GDPR, meaning that a separate agreement with Google is required.

  • As a rule, the transfer of data to Google Analytics and thus the use of Google Analytics cannot be based on the fulfillment of a contract pursuant to Art. 6 para. 1 lit. b GDPR and also not on a balancing of interests pursuant to Art. 6 para. 1 lit. f GDPR. As a rule, consent pursuant to Art. 6 para. 1 lit. a GDPR is always required.

  • Consent must meet various requirements. In particular, prior, actively declared consent must be given, the consent banner or cookie banner must not cover the "Imprint" and "Data protection" field, the consent text must be transparent, sufficient information in accordance with Art. 13 GDPR must be provided, the website visitor must also be able to refuse consent and the website visitor must be able to withdraw consent just as easily. The use of the browser add-in provided by Google is not sufficient for revocation.

  • The use of the "anonymize_ip" function, i.e. the function to shorten the IP address, is recommended as part of the data protection-friendly default setting in accordance with Art. 25 GDPR.

Date: 16. Jun 2020