How France’s CNIL Data Privacy Ruling Effects US Digital Marketers
France’s data protection authority just ruled in the latest action on data privacy in Europe. Learn what this latest decision means for digital marketers in the US and worldwide.
On the heels of the Austrian Data Protection Authority (DPA) ruling that Google Analytics use violates the European Union’s General Data Protection Regulation (GDPR), France’s Commission Nationale Informatique & Libertés (CNIL), has reached a similar decision.
France’s latest ruling on data privacy in Europe
France’s CNIL rulings stem from complaints filed by the advocacy group noyb throughout EU member states following the “Schrems II” decision that invalidated the EU-US Privacy Shield in July 2020. The CNIL decision states that data collection and transfers to the United States using Google Analytics does violate Article 44 of the GDPR.
Google Analytics provides statistics on website traffic. After receiving complaints from the NOYB association, the CNIL, in cooperation with its European counterparts, analysed the conditions under which the data collected through this service is transferred to the United States. The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions.
CNIL, February 10, 2022
As part of the order, the CNIL ordered the offending website to adhere to the GDPR by ceasing to utilize the Google Analytics functionality or by using an alternative website traffic monitoring tool that doesn’t involve a transfer outside the EU and offering a one-month deadline to comply. The CNIL said its investigation also extends to other tools used by sites that result in the transfer of data of European internet users to the US.
What does this mean for website managers and marketers?
First and foremost, these latest decisions are just court rulings, not new laws. Google Analytics isn’t illegal per se. However, since there’s no standing data protection protocol between the US and the EU, based on these rulings anything that transfers personal data between the two entities is in violation of the GDPR.
These decisions, while made in the EU, impact many US companies big and small. Meta’s annual report was recently reported to have warned or ‘threatened’ that it may have to remove social media programs such as Facebook and Instagram from the EU if no resolution is found. This seems unlikely to be the outcome, and Meta quickly clarified in its blog post Meta is Absolutely Not Threatening to Leave Europe.
With all of this uncertainty, digital marketers and businesses can feel as if they’re left in limbo and not sure of what to do.
Can your website use Google Analytics and still be GDPR compliant?
In short and as of today, if data is being transferred to the US, a site is unable to be 100% compliant.
Specifically, the CNIL ruling highlighted the lack of equivalent privacy protections and the risk that “American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated.”
Due to this, marketers and businesses are left with a spectrum of choosing how cautious to be.
One option a company could decide is that it’s simply too big a litigation risk and all tracking should be removed, resulting in serious marketing issues. A second option would be for a company to decide it’s not enough of a concern at this point to devote the time and resources needed for compliance. For many businesses, the answer at this point lies somewhere in the middle. Additionally, companies could install analytics packages that are GDPR compliant. Moreover, Google could also ultimately end up changing its current practices and stop sending data from the EU to the US.
As the international community and key players continue to debate and legislate, the best way to protect your site is to confer and confirm with your legal team. Any internet presence always opens the operator up to litigation to some degree. The best course of action is to mitigate that chance as much as possible while still being able to conduct business in a reasonable fashion.
Following in the EU’s footsteps, some US states have also been moving toward stronger data privacy with legislation like the California Consumer Privacy Act. Staying malleable to the evolving privacy landscape is becoming more important than ever before.
Improve GDPR compliance with cookie consent on your site
If your business decides to use US-based data collection software or cookies, all websites should still strive to be GDPR compliant with special attention to cookie consent.
Valid GDPR consent is summarized below:
- Explicit prior consent must be obtained before cookies are activated (apart from whitelisted, necessary cookies)
- Consents must be granular, i.e., users must be able to consent some cookies and not others
- Consent must be freely given, i.e., non-consent can’t preclude use of the site
- Consents must be withdrawn as easily as they are given
- Consents must be securely stored as legal documentation that the consent was obtained
- Consents must be renewed at least once per year. However, some national data protection guidelines recommend more frequent renewal. For example, Germany requires renewal every six months.
- IP anonymization must be enabled
Amsive Digital offers a full suite of analytics and web design services that can help to maintain privacy compliance both domestically and abroad. Our agency recommends the best way forward is to be as privacy-compliant as possible in all cases. Amsive Digital is committed to staying up to date on all privacy rulings. We’ll continue to monitor the situation closely and adjust our tactics to ensure all of our clients are as compliant as possible.
To learn more about our first-party solutions and the latest in cookie-free advertising, read Paid Media Targeting Beyond Cookies.
