EU: Google Analytics, Facebook Connect use could warrant legal action
If your business does not operate in the EU, this will not affect you immediately. That being said, it is essential that marketers and business leaders like you understand what's happening. As time goes on, United States regulations are likely to follow suit.
For those unfamiliar, GDPR stands for General Data Protection Regulation. It went into effect in 2018 as an overhaul of European Union consumer data protections. In this IMPACT Live talk, IMPACT Director of Community Events Stephanie Baiocchi explains how privacy, consent, and GDPR will impact the future of marketing.
As large and small companies have had to adjust their websites and online data collection (some more than others), privacy issues have continually been brought to light in order to protect EU citizens.
Recently, a European privacy campaign group, noyb, made waves with news about large companies' websites potentially breaking privacy laws. The complaints filed were against websites using Google Analytics and Facebook Connect.
With this type of regulatory news update, it can be VERY hard to understand all the ins and outs. So, first, let’s cover the details - and later in this post we’ll cover what this all actually means in simpler terms. (And, if you’re feeling extra “in the weeds,” check out this post from TechCrunch.)
What is included in this complaint?
A good number of the 101 companies using Google Analytics or Facebook Connect that were named in noyb’s complaint are e-commerce companies, publishers and broadcasters, telecommunications and internet service providers (ISPs), banks, and universities, among them Airbnb Ireland, Allied Irish Banks, Danske Bank, Fastweb, MTV Internet, and many more.
noyb filed complaints against these companies because Google Analytics and Facebook Connect were found to still be sending data to the United States, even though Google and Facebook are both still relying on standards that courts found, over a month ago, to violate privacy rights:
“Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the ‘Privacy Shield’ a month after it was invalidated, while Facebook continues to use the ‘SCCs’ [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.”
“We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now,” said Schrems, honorary chair of noyb, in a statement.
noyb also suggested that not only could these companies be in hot water, but that Facebook and Google could be legally liable if they are not proactively warning EU customers about their data responsibilities.
At this point in time, this is as far as these complaints have gone. No legal action has been taken yet, as noyb is simply bringing light to issues they are seeing.
At a high level, what does this all mean?
Here’s the short answer
Companies that operate in the EU need to be very aware of the tools they are using on their websites, like Google Analytics or Facebook Connect, that could be sending data elsewhere and making the site non-compliant.
In addition, big tech giants like Google and Facebook will need to make changes quickly to their data processing between countries, or potentially face fines.
How this affects EU-based or partially-based companies
Companies operating or partially operating in the EU will need to stop using these tools, at least until they are able to ensure that data is not transferred to the US, which would break GDPR compliance.
Fortunately, noyb provided free guidelines for companies that fall under this category to help them become compliant quickly.
Schrems, honorary chair of noyb.eu, also said:
“While we understand that some things may need some time to rearrange, it is unacceptable that some players seem to simply ignore Europe’s top court,” ...“This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court’s ruling…”
How this affects American companies
The good news is that as long as you do not operate in the EU, this will not affect you. But, that shouldn’t stop marketers from understanding what these regulations are like in other countries.
As time goes on, United States regulations may become similar. For example, the privacy laws in California already mirror GDPR, so it’s a matter of time before more regulations are passed here.
In addition, the more news like this that comes out, the more aware consumers are of their personal data. So, although there may not be regulations, user-driven concern may cause marketers to consider how they approach their website copy and campaigns.
Ensuring data privacy — even when it’s not legally driven — will continue to build trust with potential customers. Privacy statements on your website, content that’s written around how you use data, and so on, could be elements that make you stand out from competitors.
All in all, it’s safe to say that privacy groups will continue to hold companies — small and large — accountable for privacy for the protection of people. And it’s our job as marketers to be able to understand and pivot quickly where needed to stay compliant, and (ultimately) keep our customers’ data secure.