the CNIL explains how to be in compliance

In February 2022, the CNIL announced formal notices against French websites that used Google Analytics, considering that the use of this tool was a violation of the GDPR, due to data transfers to the United States.

Today, the CNIL takes stock of the situation to help web players understand why certain settings of the tool are not sufficient to be in compliance and proposes an operational solution: the use of a proxy.

Changing the configuration of the conditions for processing the IP address is not enough to be in compliance

Following this position taken by the CNIL last February, some web professionals have changed their settings for the conditions for processing the IP address, but this is not sufficient according to the French administrative authority because the data continues to be transferred to the United States.

Another setting that is not sufficient: encrypting the identifier generated by Google Analytics, or replacing it with an identifier generated by the site operator. The reason given by the CNIL: “this provides little or no additional safeguards against possible re-identification of data subjects, mainly due to the continued processing of the IP address by Google.”

What is the main problem for the CNIL?

The main issue highlighted by the CNIL: “direct contact, via an HTTPS connection, between the person’s terminal and servers managed by Google. The resulting requests allow these servers to obtain the Internet user’s IP address as well as a great deal of information about their terminal. These can, realistically, allow a re-identification of the latter and, consequently, access to its navigation on all the sites using Google Analytics.”

A proposed complex solution: the use of a proxy

The CNIL recommends using a proxy server to break direct contact between the Internet user’s terminal and Google’s servers. The idea is to guarantee that none of the information transmitted allows the person to be re-identified.

In its blog post, the CNIL lists all the measures that must be put in place for the proxying to be valid and the hosting conditions adequate. But setting up a correctly configured proxy is not quick, and the CNIL is aware of this: “The implementation of the measures described below (note: proxying) can be costly and complex and does not always meet the operational needs of professionals.”

Comparison of data transfers with and without proxy. © CNIL

Time to change web analytics tool?

Is it time to change web analytics solution? The question is valid. In its blog post, the CNIL already invites web players to turn to other solutions that do not transfer personal data outside the European Union… The beginning of the end for Google Analytics in France?

The CNIL has published a FAQ on its formal notices concerning the use of Google Analytics. It includes, in particular, a list of alternative audience measurement tools.
