You may have seen the news: the Commission Nationale de l'Informatique et des Libertés (CNIL) has published additional information on its official website on how to comply with the GDPR, and it involves a proxy method.
In this context, what is proxyfication and how will you be able to continue to track and measure the audience of your site without risking penalties?
Why is Google Analytics deemed not in compliance with the GDPR?
It has been 2 years since the Court of Justice of the EU invalidated the Privacy Shield (judgment of July 16, 2020), the mechanism that governed transfers of personal data between Europe and the United States, on the grounds that the risk of access to that data by the American authorities did not respect the rights of European nationals.
You know the rest and in particular the more recent events: the filing of multiple complaints in various Member States by the NOYB association has, among other things, led the CNIL to question the use of Google Analytics by various French companies.
To cite just a few examples, Sephora and Auchan have been the subject of formal notices. In fact, any French website can be checked and penalized if it does not quickly bring its GA data into compliance.
The 2 major concerns that currently stand out with GA in the eyes of the CNIL are therefore the following:
- The incomplete anonymization of the data collected by the audience measurement tool. Although Google does offer an IP address anonymization feature, it does not cover all transfers and there is no guarantee that it will be carried out before the data is sent to the United States... which potentially leaves the American authorities free to access it without privacy protection.
- The fact that the data is collected or hosted on the servers of companies headquartered in the United States. Google initially defended itself by arguing that the situation was theoretical, but in fact, American intelligence can easily obtain access to the data of a company headquartered in the country.
The problem is therefore twofold: anonymization is not systematically implemented since it is optional AND it risks taking place after the transfer, so the authorities can have access to the IP address in plain text (especially if the request is initiated from the user's terminal; in this case it is not only an identification criterion, but also a location criterion).
Important note: this means that although the focus is on Google Analytics, every American statistical measurement tool is affected by the same questions today!
The CNIL proposal: a complex method of proxyfication
First observation of the French authority: “a simple modification of the settings is insufficient”.
And to detail:
“Another idea often put forward is that of using the “encryption” of the identifier generated by Google Analytics, or of replacing it with an identifier generated by the operator of the site (...) The resulting requests allow these servers to obtain the Internet user's IP address as well as a lot of information about the user's terminal. These can, realistically, allow the user to be re-identified and, as a result, access to his navigation on all sites using Google Analytics.
Only solutions that make it possible to break this contact between the terminal and the server can answer this problem. Beyond the case of Google Analytics, this type of solution may also make it possible to reconcile the use of other measurement tools with the GDPR rules on data transfer.”
That's it, it's settled and couldn't be more clear.
So what to do?
The CNIL recommends a solution to avoid direct contact between the user's terminal and the tool's servers. In other words, it recommends using a proxy server.
This proxyfication should serve as an essential step in pseudonymizing the data before it is transferred to Google servers (or those of another audience measurement tool based in the US).
To do this and make the entire installation compliant, proxyfication must ensure that under no circumstances can a person be identified again once the information has been transmitted.
The precise criteria for a compliant proxyfication of your installation
The CNIL presents several measures that it considers necessary for the process to comply with the GDPR:
- The absence of transfer of the IP address to the servers of the measurement tool;
- The replacement of the user ID by the proxy server;
- The removal of the referring site information (or “Referer”) external to the site;
- The removal of any parameters contained in the URLs collected (for example UTMs, but also URL parameters allowing the internal routing of the site);
- The reprocessing of information that can participate in the generation of a fingerprint, such as the “User-Agent”;
- The absence of any collection of cross-site or deterministic identifiers (CRM, unique ID);
- The removal of any other data that may lead to re-identification.
Proxy hosting conditions are also recommended.
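The criteria listed above, sketched as the sanitizing step of a first-party proxy. This is an added example, not code from the CNIL or from this page; the field names, `SITE_HOST`, the sample hit and the keyed-hash approach to replacing the identifier are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "www.example.org"           # assumption: the measured site
PROXY_SECRET = secrets.token_bytes(32)  # assumption: key held only by the proxy

SAMPLE_HIT = {  # constructed sample, not real traffic
    "client_ip": "203.0.113.7",
    "client_id": "GA1.2.1234567890.1650000000",
    "crm_id": "customer-4711",
    "page": "https://www.example.org/products/shoes?utm_source=newsletter&sid=abc",
    "referer": "https://search.example.com/?q=shoes",
    "user_agent": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36",
}

def strip_params(url):
    """Keep scheme, host and path; drop the query string and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def coarse_user_agent(ua):
    """Reduce the User-Agent to a browser family and device class."""
    ua = ua.lower()
    families = (("edg", "Edge"), ("firefox", "Firefox"),
                ("chrome", "Chrome"), ("safari", "Safari"))
    family = next((name for token, name in families if token in ua), "Other")
    return f"{family}/{'mobile' if 'mobi' in ua else 'desktop'}"

def proxy_user_id(original_id):
    """Replace the tool's identifier with a keyed hash only the proxy can derive."""
    return hmac.new(PROXY_SECRET, original_id.encode(), hashlib.sha256).hexdigest()[:32]

def sanitize_hit(hit):
    """Build, from scratch, the only fields forwarded to the measurement tool."""
    referer = hit.get("referer", "")
    same_site = urlsplit(referer).hostname == SITE_HOST
    return {
        "user_id": proxy_user_id(hit["client_id"]),
        "page": strip_params(hit["page"]),
        "referer": strip_params(referer) if same_site else "",
        "user_agent": coarse_user_agent(hit.get("user_agent", "")),
        # client_ip, crm_id and every other field are deliberately not copied
    }

if __name__ == "__main__":
    print(sanitize_hit(SAMPLE_HIT))
```

Because the proxy issues the outbound request itself, the measurement tool sees the proxy's address rather than the visitor's, provided the proxy does not add forwarding headers such as `X-Forwarded-For`.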
What are the alternatives if all this seems too complex to you?
For several weeks now, we have been recommending setting up a Matomo add-on (based in Europe), in order to be able to collect compliant data now and migrate completely if the need arises... without losing history and with a system similar to your current Google Analytics installation (3 then 4)!
Contact us to talk about it; our tracking & analytics experts are at your disposal for any questions or support you need on this subject.