Last updated: June 20, 2022

Google Analytics Decisions and Resulting Guidelines

What are the Google Analytics decisions?

On January 12, 2022, the Austrian Data Protection Authority (“DPA”) published that an Austrian website operator violated Article 44 of the General Data Protection Regulation (“GDPR”) for transferring personal data of EU residents to the US (Google LLC) through continuous use of Google Analytics, without guaranteeing an adequate level of protection as required by the GDPR (please see our publication here). 

On February 10, 2022 the CNIL (the French Data Protection Authority) confirmed that position and ordered a French website operator to comply with the GDPR, and if necessary, to stop using Google Analytics under the current conditions. 

These decisions followed 101 complaints filed by Noyb (European advocacy group) in the 27 EU Members States, on the basis of the Schrems II judgment that invalidated the adequacy decision to transfer personal data to the US (Privacy Shield) due to the lack of protection against US surveillance programs and access to EU individuals personal data by US law enforcement authorities.

Contentsquare’s take on CNIL’s guidelines

Recently, the CNIL released guidelines (here) regarding the transfer of personal data of EU residents from the EU to the US by audience measurement tools in light of the Google Analytics decisions referenced above.

We believe that the guidelines provided by the CNIL are not directly relevant to Contentsquare’s processing activities, and this is because such guidelines are directly responding to the Google Analytics decisions, and the actual transfer of personal data of EU residents from the EU to the US, where according to Contentsquare’s solution architecture and design, personal data of EU residents remains stored within our data hosting centers located in the EU (specifically in Ireland, Sweden, and the Netherlands) and not transfered to be stored in the US. 

Also, after recently conducting robust Data Transfer Impact Assessments (DTIAs) in that regard, following the Google Analytics decisions, we consider our current supplementary measures (including the ones we are now implementing as a result of such DTIAs) as sufficient to allow our and our customers compliance with such recent CNIL’s guidelines.

What do these decisions and guidelines mean for Contentsquare and our customers?

Following these decisions and guidelines, we would like to reassure our customers that they will be able to continue using our services for better human experience analytics. Our rigorous contractual, technical, and organizational measures are, and will continue to allow compliance with all legal and regulatory requirements.

This includes our ISO 27701 and ISO 27001 certifications — a standard of best practices for managing information security and privacy in compliance with legal frameworks such as GDPR. 

Although we believe our current measures are more than sufficient to protect our EU customers’ data, we think it is important to regularly assess the impact of these decisions on Contentsquare’s data processing activities. To this end, our Privacy and Security teams, with the support of external experts in the privacy field, assess our compliance with applicable data protection laws and regulations on an ongoing basis in order to evaluate whether additional supplementary safeguards are required to ensure such compliance.

For more information on Contentsquare's data protection practices, please visit our Privacy Center.