Google Analytics-Google Fonts GDPR violation rulings for businesses outside the EU
In February 2022, an Austrian legal decision declared Google Analytics to be in violation of the GDPR. A week later, a German court ruled that Google Fonts is also in violation of Europe’s data protection laws. These rulings affect businesses inside the EU and out.
What is the GDPR?
First, a recap. The GDPR is Europe’s General Data Protection Regulation, governing the privacy of EU residents. You’ve likely heard of the GDPR by now, as decisions in Europe are having a broader impact on global business and the way data privacy is handled everywhere. If you want the lowdown on what it’s all about, check out our 2018 article, Making Sense of the GDPR.
What’s the fine for violating the GDPR?
For businesses found in breach of the GDPR, fines can be up to 20 million euros or up to 4% of worldwide turnover, whichever is higher. These fines are now starting to be enforced in Europe and can be enforced outside of the EU as well.
How are Google privacy violations creating problems for businesses?
This gets complex fast, but here’s the deal in a nutshell: the GDPR basically says that it’s illegal to take personalised EU data outside of the EU. An IP address constitutes personalised data and both Google Analytics and Google Fonts transfer IP addresses from the EU to the US. So any business using these free and very popular tools on their website can be found to be violating the data privacy of EU residents. The dodgy thing about Google Analytics is that even when you choose to anonymise IP addresses on your website and in your GA settings, Google still transfers the IP address before it is made anonymous in the system.
Is using Google Analytics or Google Fonts bad for Australian businesses?
The main issue to think about here for Australian businesses is not data held here in Australia, but data that may be held in the US. US agencies have the legal right to request any data held by a US company. So while most Studio Clvr clients are here in Australia, many of the online tools we use—much like everyone on the planet—are based in the States. Google Analytics and Google Fonts transfer private customer data from wherever your site visitors are back to the United States. I’m looking closely at the tools I’m using at Studio Clvr to ensure that the privacy of my site visitors and the site visitors of my clients is protected.
My business is not in Europe—why does this affect me?
If your business has a European presence or a website that caters to EU citizens, you are in violation of the GDPR. This doesn’t include websites that could be accessed by an EU citizen, but does apply to any business with an EU address, phone number, domain name extension, or with a European language option included on the site. So if you are targeting EU clients and are tracking European citizens visiting your website via Google Analytics or Google Fonts, you are in violation of the GDPR and can be fined for violating the privacy of European citizens. A company of any size can be fined.
I don’t have clients in Europe — should I care?
The EU is where this is starting, but privacy challenges are popping up the world over. I think it’s good business to stay ahead of the game in anticipation of an eventual update to the Australian Privacy Act (1988) and the privacy laws that affect your clients, wherever they may be. But it’s more than just the legals for me and a lot of folks in the design and tech communities I’m a part of. It’s an ethical choice. I’ve decided that I don’t need to know where people have come from before they land on my website, nor where they go from my website. I don’t want to be that icky remarketer who follows people around the internet. These forms of data-based advertising are likely to be unsound from both a business and ethical perspective before local privacy laws catch up and actively declare them to be illegal in countries outside of the EU.
What can I use as an alternative to Google Analytics?
Last year, I switched the website analytics for Studio Clvr from Google Analytics to Fathom Analytics ($10 off with my affiliate link) and I have not looked back. I no longer collect any third-party (tracking) cookies on my website, so I don’t need to have a cookie banner. I cannot identify the personal information of my site visitors unless they explicitly provide it to me via a form on the site. I only see the simplified data I need to see and this is definitely enough for me to understand what’s happening with my site traffic so I can optimise my website accordingly. The really cool thing about Fathom is that it makes my site faster than it was with the heavier Google Analytics on there, so it’s also a win for my SEO.
Can I still use free Google Fonts without violating data privacy laws?
You can still use free Google Fonts on your website; however, all businesses should avoid using the easily-integrated cloud version of the fonts. In light of the illegality of Google Fonts in Europe, it should now be standard practice to ensure that all fonts (Google or otherwise) are hosted locally on your website, and not pulled down from the Google cloud. Book some time with me if you need any help transitioning your fonts.
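A quick way to confirm that a page no longer pulls fonts or analytics from Google's servers is to scan its HTML and inline CSS for those hosts. The script below is an added example, not part of the original article; the three hostnames and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostnames (not named in the article) for Google's font and analytics endpoints.
FLAGGED_HOSTS = {
    "fonts.googleapis.com": "Google Fonts stylesheet",
    "fonts.gstatic.com": "Google Fonts font file",
    "www.google-analytics.com": "Google Analytics",
}
# URLs referenced from CSS: url(...), @import "..." and @import url(...)
CSS_URL = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)["']?([^"')\s;]+)""", re.I)

class ThirdPartyAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (label, url) for each flagged remote load
        self._in_style = False

    def _check(self, url):
        label = FLAGGED_HOSTS.get(urlparse(url.strip()).hostname)
        if label:                # relative (self-hosted) URLs have no hostname
            self.findings.append((label, url))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value and name in ("href", "src"):
                self._check(value)

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:       # inline <style> blocks can pull remote fonts too
            for url in CSS_URL.findall(data):
                self._check(url)

def audit_html(html):
    parser = ThirdPartyAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: remote Google loads next to a self-hosted font file.
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.google-analytics.com/analytics.js"></script>
<style>@font-face { font-family: "Inter"; src: url("/fonts/inter.woff2"); }
@import url("https://fonts.googleapis.com/css?family=Lora");</style><img src="/img/logo.png">"""
```

Running `audit_html` over each page's saved HTML should return an empty list once fonts are served from your own domain and the Google Analytics tag is removed.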
Key privacy points for every business to keep in mind
- Privacy laws are not only relevant in the country where your business is incorporated. Privacy laws are relevant everywhere, and you can be liable if you violate the privacy of your website visitors in their country.
- For many businesses, it is now illegal to use Google Analytics and Google Fonts. You can expect other tools to follow (I’m looking at you, Facebook Pixel).
- Even if it’s not yet illegal for your business to be using tools that violate the privacy of your website visitors, it’s an ethical imperative to think about the type of business—and the type of human—you want to be.
- You don’t have to be tied to these tools. There are awesome alternatives out there!! I can’t recommend Fathom Analytics highly enough, and sorting your fonts out is as simple as embedding them on your website.
Since publishing this article, I’ve done a deep dive on why privacy is important for your business website. That article goes beyond these specific Google violations to look at the key aspects of privacy compliance that you should be aware of for a legally and ethically sound business.
I am not a lawyer and the information in this newsletter and on the Studio Clvr website does not constitute legal advice. Consult a lawyer for specific privacy-related legal advice.
Affiliate links are used in this article — if you have enjoyed this free content, your use of my affiliate link will support more of the same. Thanks!