What is the virtuous behavior for bringing your website into compliance after the storm unleashed by the Privacy Guarantor over Google Analytics?
In Italy, the Privacy Guarantor issued a provision on 23 June aimed at prohibiting the use of Google Analytics cookies, because they involve a transfer of personal data that carries the risk of access by the US authorities.
How can your users create problems for you?
Exercising the sacrosanct right to protect their privacy, a user may send you an email requesting the deletion of all their browsing data from your Google Analytics control panel. A definite answer with all the information must be given within 30 days of the request; failing that, you may be liable for compensation for damages. See the case of the email sent by Federico Leva and the guidance on how to respond in a compliant way: https://www.digife.it/come-rispondere-alla-mail-di-federico-leva-e-altre-richieste-simili/.
The Privacy Guarantor has given a maximum time of 90 days to comply with the new guidelines.
Legal / political scenario: Europe vs America
The Analytics platform measures website traffic and tracks user behavior. The illegality derives from the transfer of data to the United States, which was governed by the legal regime provided by the Privacy Shield. In July of last year the Schrems II judgment of the Court of Justice of the European Union declared this legal regime invalid. The reason, in essence, is that it does not guarantee a level of protection equivalent to the one that exists within the European Union thanks to the GDPR. The United States and Europe are negotiating a new agreement to replace the Privacy Shield. Through a series of measures, such as the Data Acts and the two regulatory packages (Digital Markets Act and Digital Services Act) that are ready to come into force in the coming months, the rules for platforms and digital markets are destined to change.
Is Analytics the only software under attack?
In reality, Analytics is only the tip of the iceberg, since many software products use navigation tracking and transmit data to servers under the control of non-European companies. Among the best-known cases, for example, is Facebook, which, once its pixel for Ads is installed, performs tracking similar to that of Analytics.
With this provision, the Guarantor wanted to send a strong signal and to involve citizens in the issues of privacy and of the data that companies "capture" and process in order to influence their daily lives.
Several solutions can be adopted, which can be summarized in these 3:
- choose an alternative service to Google Analytics that gives you greater control over the data and keeps it within the EU perimeter (verifying that the data cannot be accessed from third countries outside the EU, as happens now for Google Inc.);
- keep Google Analytics but use the latest GA4 release, which has various anonymisation options, and possibly add further measures, such as a proxy server, to safeguard navigation data;
- remove the code that connects your site to Google Analytics yourself and deactivate the panel.
The choice of the most suitable solution depends on an analysis of how Google Analytics is used in your organization, both to understand whether there is a real need for it and, consequently, a real performance benefit from using this tool, and to understand what data is actually transferred to large American corporations.
This problem needs to be tackled to raise awareness that important data, both personal and behavioral, is always being provided on the internet, and it is right that big corporations do not take advantage of our naivety in the use of digital tools.
Today begins a new chapter of the Internet in which companies must take action to protect their users, just as in their physical businesses they would not allow the name, surname and sensitive data of their customers to be made public.