“On proxyfication, following the Cnil to the letter would transform Google Analytics into a simple counter of visits”

For Benoit Oberlé, CEO of Sirdata, publishers are not obliged to delete the original data with a proxy to make Google Analytics compliant. But this remains to be demonstrated.

Benoit Oberlé is the CEO of Sirdata. © Sirdata

JDN. You have analyzed the only alternative proposed by the CNIL to, under certain conditions, make Google Analytics GDPR compliant: setting up a proxy server (or “proxy”). What conclusions do you draw from this?

Benoit Oberle. Proxy can in effect make the use of Google Analytics compliant. The purpose of this intermediary server is to prevent US intelligence services from identifying users, either by intercepting their data or by asking Google to communicate it to them. Located in Europe, this proxy server is placed between the user’s browser and Google’s servers, wherever the latter are in the world. Whether it’s IP data or any type of identifier, the intermediate server transforms the data sent to Google so that it becomes impossible to trace back to the user. The advantage is that the individualization necessary for the analytics tool is preserved. We will be able to reconstruct the behavior and browsing history of the Internet user without being able to identify him.

But what is the interest for the publisher of this method, if he no longer knows the origin of his traffic, since the CNIL requires the deletion of all information of this type (referer, UTM, user-agent etc.) for that the proxy is valid?

The deletion of this information on the origin of the traffic seems considered by the Cnil as being necessary to avoid any risk that this could identify the user indirectly. If we were to follow the CNIL’s recommendation to the letter, Google Analytics would indeed become a simple counter of visits. In this case, publishers could think that this tool will no longer be useful to them. At Sirdata, however, we believe that the publisher is not obliged to go that far. From a legal point of view, the current issue is to determine whether or not the American regulatory framework (at the origin of this whole problem) allows the American intelligence services to identify the user thanks to these data sets. (referer, UTM, etc.) relating to the origin of the Internet user. Our analyzes are still in progress but for the moment we think not, because their request (or interception) can only be made on a person already identified, of whom they have a reasonable certainty that it is not in the United States. United. If our interpretation is correct, the publisher could keep the proxy solution while keeping the original data. In this case, the tool would still be interesting for measuring audiences, even if the direct link with other Google services is broken.

If the link with other Google services is broken, doesn’t this compliance make Google Analytics irrelevant for many publishers?

“We believe that American intelligence cannot identify the user thanks to the data relating to the origin of the Internet user”

Many publishers and advertisers who use Google Analytics do so for two reasons: it is an excellent tool for obtaining audience statistics on their site, but above all it allows them to establish a link with all the others. products from the Google galaxy, such as search, for example, to track conversions and use remarketing lists. And in fact, the compliance of Google Analytics with the GDPR on the issue of data transfer to the United States has the consequence of breaking these links. Only having the audience measurement component, however complete, the question arises for the publisher to change tools and replace Google Analytics, for example, with a solution benefiting from the exemption of consent. . This aspect is central and should weigh in this choice.

How does the consent exemption influence the decision to replace Google Analytics?

The cookie used by Google Analytics is not exempt from consent. Our publisher clients tell us that even when we use Google’s modeling, via the Google Consent Mode, non-consented traffic remains absent from the statistics. This is a problem they have been seeing for several months. However, if we add to this the consequences of compliance, the question becomes indeed significant, especially when we know that there are about twenty solutions exempt from consent. Provided that the tool is strictly partitioned for use in audience analysis, the latter can assign a cookie for this purpose, even in the absence of consent.

That’s a lot of obstacles… Why not directly recommend not using Google Analytics anymore?

Each publisher has its own constraints. Some want to cling to the tool, which they consider excellent. This is for example the case of smaller and more agile publishers, who prefer to wait a bit, even if it means having to disconnect in the event of a formal notice. Other publishers prefer, on the contrary, to get out of their dependence on Google. A number of large media groups are said to be moving towards a tool change instead, anticipating the effect of further legislation coming to Europe which could in theory further restrict access to US tools, even when data is stored in Europe. . The Sword of Damocles is indeed there and the subject is far from being resolved. Let’s not forget that a political agreement has been reached between Europe and the United States to provide a new framework for this issue of data transfer. You have to give time to time. And this time can be devoted to securing these transfers while waiting for an agreement between the two regions.

What is Sirdata’s role in this?

We are a consent management platform. Our role is to support publishers in their compliance and in their orientation on the consequences of their decisions to become compliant. We need to help our publisher clients make an informed choice. We will accompany them in all situations, whether they maintain Google Analytics or not.

Leave a Comment