German Regulators focus on Google Analytics

Published on Friday, November 15, 2019 - 15:59 by Martin Fletcher

Recently the Google Analytics tool has been attracting attention in Germany for not complying with the GDPR (DSGVO in German). In Germany there is a federal-level Supervisory Authority; however, much of the day-to-day work is managed by the 16 states, which have their own Supervisory Authorities.

The Supervisory Authority for Bavaria has suggested there may be up to 200,000 cases across the country of websites using Google Analytics in a way that is not compliant with the DSGVO.

Google Analytics provides the owner of a website with information on how it is being used. It is able to track where in the world visitors are viewing the site from, how long they are spending on pages, what links are used to move between pages and a range of other metrics that can help the owner make decisions on how to optimise the site.

Previously most website operators have justified this form of data processing based on Legitimate Interests. However, this has always been controversial. In May 2018 the Datenschutzkonferenz, a body representing the state and federal Supervisory Authorities, stated that compliant use of analytics tools would require the prior consent of the user. This is an unpopular decision with website owners as requesting consent for using Analytics drastically reduces the amount of data received on website use. As such many owners continue to use Google Analytics and other similar tools without asking for the consent of the users.

I’m a bit of a behavioural psychology nerd and see this as being a good example of a situation where there is a diffusion of responsibility between the website owners. A classic example from social science is an apocryphal story about the murder of Kitty Genovese in New York. According to the New York Times, Genovese was stabbed to death and while dozens of people witnessed the assault none of them did their civic duty of calling the police because they thought others would do it anyway and they didn’t want to incur a personal cost for doing the right thing.

Cases such as this are common at both the macroeconomic and the personal level: nuclear proliferation, overfishing, taking cheap short-haul flights. All are examples of individual actors making rational decisions that are in their own interest but cause collective harm.

In a situation where 200,000 other website owners are using Google Analytics in a non-compliant way, there is little incentive for any one owner to change what they’re doing, as nobody wants to incur a competitive disadvantage by being the first mover in order to avoid a very small risk of being one of the organisations to incur a penalty from the regulator. I have personally witnessed this attitude at a large number of organisations in the past, and it is a difficult one to argue against as a consultant.

There are cases where this diffusion of responsibility has been at least partially overcome; good examples that leap to mind are the Montreal Protocol to phase out the use of CFCs, or efforts to ban whaling. In these cases it has required top-down enforcement to push actors into doing the right thing. Supervisory Authorities will only be able to overcome the diffusion of responsibility if they are similarly able to enforce the rules of the GDPR.

In the past, Supervisory Authorities have often refrained from imposing fines for non-compliance when using analytics software; however, this could be set to change. Large-scale complaints in Hamburg (20,000 cases) and North Rhine-Westphalia (70,000 cases) are shining a spotlight on non-compliance. This is particularly because Recital 129 of the DSGVO states that Supervisory Authorities are compelled to act in cases where data subjects have made complaints. The regulators are also working on a standardised model for calculating fines, meaning that the rate of investigations and successful imposition of penalties is likely to increase. By increasing the risk to website owners of non-compliance, the hope is that more operators will see it as being in their interest to comply.
