back to article France says Google Analytics breaches GDPR when it sends data to US

French data protection authority CNIL has declared that Google Analytics breaches Euro privacy law the General Data Protection Regulation (GDPR) because it transfers European netizens' data to America. In a statement this morning CNIL said it "considers these transfers to be illegal," blowing a large hole in French usage of …

  1. Loyal Commenter Silver badge

    To be honest

    I'm surprised it has taken this long. All that juicy tracking data being slurped to the US where it is aggregated and sold on to the highest bidder, with no way for the subjects to have any say about it.

    1. Anonymous Coward
      Anonymous Coward

      Re: To be honest

      Let's hope that website is a large one: eBay. Someone using eBay in their area of jurisdiction, i.e. ebay.co.uk has no choice in the matter in terms of using Google services and completing a Google Captcha, to login.

      Maybe, just maybe, the eBay customer is happy using eBay, but has no intention of sharing data with Google for analytical purposes. At the moment they have no choice in the matter, there is no way to switch this on/off, within eBay's settings. It's certainly not informed consent, it's forced consent.

      1. steelpillow Silver badge
        Devil

        Re: To be honest

        I have noticed a growing trend for very obviously Google-brand Captchas to be fed by local javascript, thus circumventing visitors who disable cross-site scripting. It will be nice to see that brought down.

    2. Patched Out

      Re: To be honest

      You're absolutely wrong! Google doesn't just sell the data to the highest bidder, they'll sell it to anyone who can pay their price!

      1. Tam Lin

        Re: To be honest

        They also use it to feed their <cough> search engine.

        Say "soup bowl" analytics garner a high price as manufacturers of same enter a price war.

        Coincidentally, a large number of searches for "spark plugs", "Paris schools" and "active shooter" all return Soup Bowls as the highlighted result.

  2. alain williams Silver badge

    Also consent not sought

    Before taking personal data the GDPR also mandates that the user be clearly informed and their consent sought. This does not happen with any of these things.

    1. PriorKnowledge
      Trollface

      Remember this word: Interstitial

      You’ll be hearing it a lot if GDPR gets enforced. Without one it’ll be hard to get consent for things like Google Fonts, Cloudflare, Facebook/Google/Apple SSO etc. where objects are intentionally remote-loaded directly from the homepage for convenience.

      I think it’s time our web browsers implemented a consent API (does anyone remember P3P?) rather than web developers gunking up sites with boilerplate code.

      1. heyrick Silver badge

        Re: Remember this word: Interstitial

        We had a consent API. The DNT header item, that was blatantly ignored as people choosing not to be tracked was "inconvenient".

      2. 2+2=5 Silver badge
        Joke

        Re: Remember this word: Interstitial

        > Without one it’ll be hard to get consent for things like Google Fonts,

        As a font designer I'm particularly proud of my "1 px by 1px sans serif" with the full 65000 Unicode characters so web-site collaborators developers can use one character per web page for tracking....

        Also allows 256 character long ligatures for breadcrumb trails. :-)

      3. Loyal Commenter Silver badge

        Re: Remember this word: Interstitial

        Why would you need consent to load things like fonts from another site, unless a unique identifier is included in the request, which could be used to track you.

        In which case, I do not consent.

        1. SImon Hobson Silver badge

          Re: Remember this word: Interstitial

          Google (for example) gets a request to load one of it's fonts. It gets your IP address, information about the browser, AND a referrer URL. So then it knows quite a lot it can correlate with it's other data - at the very least it knows that someone at your IP address is browsing a particular site, and by fingerprinting your browser it can determine which of you (assuming multiple people sharing the address) it is.

          So yes, they get a lot of information from this seemingly innocuous traffic. Why else do you think they offer it "free" ?

      4. Justthefacts Silver badge

        Re: Remember this word: Interstitial

        Linux.org website is not GDPR-compliant. Just a thought.

      5. Justthefacts Silver badge

        Re: Remember this word: Interstitial

        Any router forwarding non-encrypted transatlantic IP packets is also violating GDPR. Email, for example.

        If you read the CNIL judgement, it’s nothing to do with what private info Google have access to. It’s purely “ these are not sufficient to exclude the accessibility of this data for US intelligence services.”

        The US intelligence services routinely sniff all transatlantic cable traffic. Unless it’s going over an encrypted protocol, it’s an open book to them.

        Since the IP routing protocols can forward via any legal path, *any* email leaving France *might* go via the US. Hence all email outside the country has just been ruled illegal. If you read the court decision, clicking Accept makes no difference at all to this.

        The law doesn’t give a damn what was *intended*. Once the words are down in black and white, the rules are exactly what the words are, taken without regard for any technical assumptions *you* may have.

        1. SImon Hobson Silver badge

          Re: Remember this word: Interstitial

          Forwarding packets is required in order to fulfil a contract (whether direct or indirect, express or implied). If you want your packet delivering, then you need routers to forward it. Thus that's covered by one of the other legitimate reasons, not by "informed consent".

          1. Justthefacts Silver badge

            Re: Remember this word: Interstitial

            No, I handed you my packet in the U.K. with instructions to deliver to Singapore. I absolutely do *not* give you permission to forward it through either France or the US, subject to deep packet inspection.

            It’s up to you technical types to work out how to follow the law.

            1. SImon Hobson Silver badge

              Re: Remember this word: Interstitial

              No, you handed over a packet to be delivered without any special handling instructions. Therefore it is quite legitimate to deliver it by the most efficient* route.

              If you want packets delivered by a specific route, then you can do that - you just need to specify it when arranging your connections. Be sitting down and prepared for a reassuringly expensive quote.

              Or, you encrypt your packets en route which you can do quite simply if you control both ends - if it's a (e.g.) public web site then the opportunity to analyse traffic in flight is (or should be) the least of your worries, especially with SSL enabled sites.

              * Where "efficiency" is going to be a combination of cost and available bandwidth, perhaps with a bit of commercial (e.g. contracts) thrown in.

              1. Justthefacts Silver badge

                Re: Remember this word: Interstitia

                You’re on my lawn here. I was a network Design Responsible, and in this case that means I didn’t just buy equipment, I wrote the proprietary protocols and specified the relevant parts of network architecture. I’m keeping on the right side of confidentiality, by only stating publically available knowledge in network standards and regulatory requirements.

                It is a regulatory requirement for *all* networks to provide a Lawful Intercept interface allowing governments to identify and monitor the traffic packets of an individual citizen of theirs, under court order. It is an *additional* requirement of the US government to be able to monitor the traffic packets of their citizens, anywhere in the world. This adds the (complex) requirement to be able to route their identified citizens packets for interception out to the USA and back, in real-time, even if the network is in, say, the Netherlands. The reason for doing that, is that they *also* have the right to hide whether a particular individual is being targeted. So they Hoover up *all* the packets (capitalisation intentional). Technically the routing is informally called “tromboning”, cue laughter, except the sort of people who talk about it don’t have much of a sense of humour.

                The tromboned packets are typically under carrier-grade encryption. Contrary to what you probably guess, there is *no* matching legal requirement to provide any carrier transport encryption keys, which may be not only temporary but distributed without a central monitoring / storage location to tap into. It won’t be obvious to you why we might have packets transiting our network without them being in clear anywhere, but to explain that would mean revealing the network architecture, which would easily tell you which network it is, which I’m not prepared to do. The fact remains that the US agencies were entirely uninterested in gaining access to our traffic encryption keys.

                Does that help you in your thoughts as to whether very standard SSL website encryption is at all relevant in this discussion?

                FWIW, after a bit of initial “resistance” to Legal Intercept from European states, they are now avid users. It’s *huge*. Ultimaco in Germany for example, make hundreds of millions a year out of this.

                https://utimaco.com/products/categories/lawful-interception-overview/lawful-interception-management-system-lims

                And after all I’ve said about the USA, although theirs is a technically complex requirement, even if they were monitoring every single US citizen on the network, they’d be a minority user of Legal Intercept compared to several EU nations.

  3. vekkq

    Hello El Reg, Google Analytics is loaded long before any cookies are accepted, if at all. As you noted, GA doesn't qualify as necessary.

    1. devin3782
      Joke

      Yes but you forget necessary is relative, I'm sure El Reg consider it necessary to collect their stats at the expense of its readerships privacy.

      I keep Google's analytics banned as it seems website owners can't be trusted.

      1. Mark White
        Black Helicopters

        You joke but I know at least one popular national site which believes google analytics is a necessary for the site to function. The reasoning... it is on their cookies information page as necessary so it must be.

        1. Hans Neeson-Bumpsadese Silver badge

          You joke but I know at least one popular national site which believes google analytics is a necessary for the site to function.

          I fear there are legion who could argue that...something along the lines of (a) I provide this website free at the point of use, (b) I can afford 'a' because I fund the site through advertising, (c) to deliver 'b' in such a way that it's viable I need Analytics...therefore GA is necessary

          1. Justthefacts Silver badge

            Confusing GA with advertising?

            Commenters seem remarkably ill-informed about Google Analytics and its *non* connection to advertising.

            GA primarily tracks which pages a user already on my website go to, and in what order. Almost completely Nothing to do with advertising, it’s about which pages on my website are my customers interested in, and how do they use it.

            I use GA on my website for several purposes:

            1) Which of my products are customers interested in *at all*, but never buy because there is something in the detail they don’t like including the price. Do they click on tech details and then leave. And which products are a total waste of both my time and the customers, as nobody even clicks on them.

            2) Which of my products are in some sense *duplicates*? To me, they seem very different, but in practice customers look at both products A and B, but always buy B of the two. Then I should spend no more of my time (which ultimately the *customers* must pay for) developing product A.

            And inverse: is a product a gateway drug? They arrived thinking they had a budget of X searching for product A. But in practice when they saw B, they are happy to pay 50% more for the extra features. So I never see Product A in my sales figures, but it’s crucial that I do offer it

            3) Is there something totally broken on my website that I don’t know about. Perhaps my Contact Me page is entirely broken, and I’m losing 90% of all customers who want to contact me, because they are just giving up. How would I know?

            4) How much time do people spend? Do I have products that are so attractive it takes them less than a minute to buy? Do I have people cruising for two hours? Why? What info are they looking for and not finding that’s stopping them making a decision? Perhaps they are spending ages on the Ts and Cs….do I have problem there they aren’t happy with?

            The only *remote* connections to advertising are:

            GA tells me what fraction of users arrive from Google search, how many from social media, and how many from other sources. Guess what, I already know that info.

            GA links with Google paid search nicely, allowing them to target their search results better. But here’s the thing, you with your GDPR policy and ad-blockers. By the time you’ve been served Google search results, let alone actually clicked over to my page…..that phase is already completed so far as my website is concerned.

            If you are repeatedly searching for Dulux, going to dozens of websites but clicking away within seconds….then yes GA on those websites will be informing on you. Google will assign you a low “buying intent”, and the cost-per-click they will assign in the auction between websites for paid search results *next* time you search for Dulux will be low. I’m really not sure why you’d give a crap about that.

            1. John Brown (no body) Silver badge

              Re: Confusing GA with advertising?

              How much does GA actually provide though? Is there more than could be gleaned from the website access logs? Are there offline analytics that could provide all of the above without running GA scripts and cookies? It's many years since I was interested in that stuff. I was using Apache back then and, IIRC, Webalyser(??) which did quite a bit of analytics, but not at the depth you describe. But then I wasn't running a business and it was simply "nice to look at" and see where in the world site visitors were coming from. I'm sure Webalyser or equivalents must be vastly more powerful nowadays, although I can imagine advertisers insisting on GA data in the same way printshops used to insist on only Postscript submissions years ago, because they can't or won't consider anything other than the market leader.

              1. Justthefacts Silver badge

                Re: Confusing GA with advertising

                So firstly: very few businesses have access to their servers, let alone the server logs.

                IT staff don’t see that….because only a tiny proportion of the UK’s 5.6million businesses have any IT staff at all. 99% of businesses run on hosted web platform (Squarespace, Shopify, hosted WordPress), and use GA or HotJar.

                Those businesses that do “have their own website server”….95% of them spent 5k on a one-off contract with a web-developer, and they pay someone to “renew the website” once every couple of years. They aren’t going through logs. Every morning, the completely non-technical marketing manager takes a squizz through the dashboard, to find out whats going on, that’s it.

                Secondly: GA and HotJar *nominally* have access to less data than server logs. But in practice, they are honed by millions of hours of whingeing, sorry business customer requests, to be actually useful in visualisation and marketing strategy. And to the extent they *aren’t*, there’s a next layer of other marketing company offerings that integrate and do other stuff with it. Oribi et al.

                Thirdly, many people confuse the fact that they read lots of news and blog websites which host advertising banners, with the idea that somehow most websites display advertising. In fact, *a teeny tiny minority* of websites have advertising. E-commerce and business websites sell their own stuff not somebody else’s. But people spend lots of time reading a very small number of free high-volume sites, that host advertising, and it skews their perception. The largest worldwide flinger of ads is Google Display Network, serving ads on 2 million websites….out of about 180 million active world websites. 1.1%. The largest platform for “native” advertising Outbrain…..just 100,000 websites display their banners. Just 0.05%.

                It’s fairly obvious really, but sometimes the obvious is difficult to see. Total internet advertising spend in the U.K. is £16bn. Total e-commerce revenue was £693bn. Advertising is just 2.3% of total e-commerce. It’s a rounding error. But if you effectively ban internet advertising by making the terms too onerous, you don’t just lose the £16bn (which a lot of people would cheer), you also lose the £693bn.

                1. Missing Semicolon Silver badge

                  Re: Confusing GA with advertising

                  So, how much do you pay for your GA stats? Nothing? You think Google lets you use the service for free because they are such good guys? No, of course not! We, the users, pay for it with our PI and advertising tracking!

                  1. Justthefacts Silver badge

                    Re: Confusing GA with advertising

                    I’d be happy to pay for GA, it’s just a business software tool. And I very much doubt that there is a business on the planet that hasn’t paid for it anyway at some point, in a roundabout way.

                    You need to sign up to Analytics to authenticate when you set up a Google Ads account. When you buy any Google Ads, you are effectively paying for a bundled Analytics, even if the Analytics itself is technically free. I don’t know anyone who hasn’t tried Google Ads at some point, even if they don’t use them now, and even if they subsequently uninstalled Analytics.

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: Confusing GA with advertising

                      "I’d be happy to pay for GA, it’s just a business software tool."

                      *only* for *you*. But you already said that you don't care about users, so what do you care.

                      For users it's a user tracking tool directly welded into advertising. No more, no less. And zero benefits from that tracking.

                      1. Justthefacts Silver badge

                        Re: Confusing GA with advertising

                        As I I’ve explained that’s *total rubbish*

                        GA has a minor role being integrated into advertising, but broadly it’s nothing at all to do with *advertising*. In terms of a bricks-and-mortar shop, it’s basically just the salesperson who watches the customers who come into their shop, and sees which products they pick up and turn over in their hand. The only sense in which the individual is tracked at all, is that I know that I might have had 200 customers, but only 50 unique ones. Literally the only thing I care about in that statement is the number 50. That’s it. Otherwise it’s just “customers hovered near the chocolate aisle”, or “customers were nauseated by the smell of the loos, and left immediately”.

                        No, do you *not* have some “human right” to come into my shop, and not have your “privacy invaded” by being noticed as you go around my store. I’m not going to “sell your data”, that’s just paranoid delusion, it’s nothing at all to do with my business model. I have no interest in you before you come in, and no interest in you after you leave. By definition, if you left without making any attempt to contact me, then unfortunately nothing I had to offer was of interest to you. You’ve gone, and the best label I have for you is “someone who wasn’t interested”. But it is crucial for my business to learn from failure *on aggregate*. And yes I absolutely *do* have the right to do that: you *came into my shop*.

                        You will never be getting adverts targeted at you by me, *or by anyone else including Google*, on the basis of my GA data. You would only be targeted by Google insofar as you clicked one of their search results to get to me in the first place. If you reached my website by using DuckDuckGo, or from my business card at a trade fair, I wouldn’t know you from Adam, and nor would Google have a clue who you were. As it happens, GA *does* tell me it’s best guess about *average* demographics (restricted to age and gender). That is of no interest to my type of business. But if it were…..that’s Google telling *my website*. Not *my website telling Google*.

                        Your allegation that I am somehow colluding with Google to target advertising is *completely ludicrous* from the point of view of who benefits. Who could Google *possibly* send you to, if they used the knowledge that you were interested in “products like mine”? My competitors, that’s who. You are literally claiming that I am colluding with Google to encourage you to buy my competitors products. It’s total insanity.

                2. JassMan Silver badge

                  Re: Confusing GA with advertising

                  It’s fairly obvious really, but sometimes the obvious is difficult to see. Total internet advertising spend in the U.K. is £16bn. Total e-commerce revenue was £693bn. Advertising is just 2.3% of total e-commerce. It’s a rounding error. But if you effectively ban internet advertising by making the terms too onerous, you don’t just lose the £16bn (which a lot of people would cheer), you also lose the £693bn.

                  Are you saying that everyone who blocks adverts never buys anything? I don't think so.

                  I for one buy what I need after researching several review sites, checking a manufacturers reliability ratings then finally comparing prices. I NEVER buy anything simply because I saw it advertised. In fact I usually refuse to buy things which I see advertised unless it really does turn out to be something I need at the time (rather than something I have just bought a week earlier), or if I do need X product, that the advertised one actually has some USP which is worth its while.

                  1. Justthefacts Silver badge

                    Re: Confusing GA with advertising

                    You are focusing only on what *you* buy.

                    Flowers? Day out for the kids? Tree surgeon - how many tree surgeon companies do you even *know* without referring to the top Google hits….all of which are promoted listings?

                    I sell full-custom manufactured components to other businesses, using a technology that most of them don’t know exists, let alone my companies name. There’s just no way that they would find me without advertising. And no way that I would know what industries to target, or value proposition to sell without analytics. It’s different per country, and this is really the *only* sensible way to get the info you need to do business without a local team of salespeople in-country.

                    This isn’t even just about e-commerce. I do attend trade shows…..which cost me £30k each out of my own pocket, and I attend about half a dozen worldwide. Would I spend that to travel to a country where my company has no name recognition at all? Just to be the weird guy in the corner, rather than the one they’ve come to the exhibition to see what it’s all about? Of course not. If the EU turns out to be serious about tanking all targeted advertising and analytics, I’ll still send someone to Singapore, Beijing, and San Jose (yuck) but Dresden can stuff that bill for £30k up their jumper (plus hotels, restaurants, taxis and plane-tickets). Personally, I think this is going to go away when people really understand the impacts on their daily lives, and the millions who will lose their jobs overnight.

                    As a business, this is a far bigger threat than Brexit. Given that I am a U.K. manufacturer, you will be surprised to know that 2021 was a bumper year for me, partly *because* of two major new customers in Germany, out of five total. But it looks like I won’t be getting any new ones in Europe, and I’m not spending hundreds of thousands chasing ghosts there, while Asia and US are open for business.

                    I’m a small business by these standards, high 7-figures, giving up on maybe 20% of world market when my business grows over 30% per year is just not my primary concern while there is so much growth potential worldwide. I have a total budget to acquire new customers, and whether I spend in Europe or Asia is just a judgement call. Compare my attitude as a small business to what a megacorp says when faced with *losing* 20% of world market share. There’s your answer.

                    1. Pascal Monett Silver badge

                      And the penny drops.

                      You're not a user. You sir, are a customer.

                      1. W.S.Gosset Silver badge

                        No mate, you're way off. Welcome to the reality of the overwhelming majority of users. It's not _your_ reality, due to your personal skills, experience, aptitude, and work environment. But by the same token, your personal reality is the exception, not the norm. For precisely those same reasons. Take a step back -- look wider.

                        I've been rated "at least" 6th Dan by London's World Tae Kwon Do Federation, but I don't sneer and giggle and point the finger and demean people who feel nervous in dangerous situations. But I HAVE learned some useful defusing techniques by listening to people who have had to operate in those situations without those skills.

                      2. Justthefacts Silver badge

                        Yes…..

                        Yes……

                        I’m one of Google’s customers. I run my own business, and I have suppliers, who I pay. That’s how businesses work, and that’s how an economy works.

                        I think the freetards just have a very distorted view of the world. Google happens not to charge for this tool. But if it cost me £300 a year, and it’s any good, the first thing I do is click Accept, because that’s almost petty cash. The second thing I do, at some point halfway down my list of priorities, is scout around to find if there’s a tool that would give me better data insights. And I would use that.

                        And right at the bottom of my list, would be finding something cheaper.

                        But Honest to God, I’m never ever going to get so far through my list of high priority tasks that I have time to shop around for a tool to replace something that basically works for my business, and learn something new, and get a whole bunch of other people to change what *they* do, for the sake of a couple of hundred.

                        1. Loyal Commenter Silver badge

                          Re: Yes…..

                          It works for your business, by allowing google to collect data on your customers. It's the customers who get tracked, not you, so you don't care; it's an externality.

                          Most of your customers either don't know or don't care that they are being tracked and profiled by Google, either (on top of whatever traffic analysis you are using GA for).

                          This doesn't mean google isn't using visits to your web site, along with others to collate data on people across the web. It also doesn't make this right. It just means you don't care. Which doesn't make me want to be your customer.

                          1. Justthefacts Silver badge

                            Re: Yes…..

                            You are correct about the externality and “don’t care” aspects.

                            But indeed, you *aren’t* my customer, I’m 100% certain of that. I have about 20 corporate customers for my specialist engineering parts, who I now know well, and I’m hoping to get *another* 20 customers over the next few years. My average order size is $50k.

                            But you are *also* not the customer of www.threadsstyling.com

                            Fashion forward, and just about the hottest thing right now. Luxury and expanding explosively, annual sales over £40m. Typical items £1k-200k. They *have* a website, but mostly because a bunch of old farts told them they needed it to be investable. They do business almost entirely on Insta and WhatsApp.

                            Go to the “Privacy Policy” tab at the bottom, and click it. Let me know how that goes for you (it goes to an error page). People are spending 17grand on a Fernando Jorge on that website in seconds….except they mostly aren’t, they are DM’ing on Insta.

                            You are applying your assumptions about websites, and what they do, and lobbying some deluded men in suits to get a bunch of rules extended to the rest of an economy which you have no idea even exists, let alone how it works. My only fear is that you may influence that bunch of lobbyable distant central planners, who *also* have no idea how most of the economy actually works, and just stamp all over it with your big clumpy feet destroying what you don’t understand.

                            1. W.S.Gosset Silver badge
                              Thumb Up

                              Re: Yes…..

                              > You are applying your assumptions about websites, and what they do, and lobbying some deluded men in suits to get a bunch of rules extended to the rest of an economy which you have no idea even exists, let alone how it works.

                              A very neat and very concise summary.

                        2. Anonymous Coward
                          Anonymous Coward

                          Re: Yes…..

                          "I’m one of Google’s customers."

                          No. If you are not paying them, you aren't the customer. Google is paying *you* for your customer tracking services. Literally. That's what GA exists for.

                          "something that basically works for my business" .... me and my business. Right. F**k the customers attitude shines through.

                          Common CEO syndrome where customers exist to be exploited in every imaginable way as long as CEO doesn't have to do anything, or *gasp*, *pay* someone to do it.

                          1. Justthefacts Silver badge

                            Re: Yes…..

                            As I’ve explained:

                            #1 My company *does* pay Google for their services. Google Ads. That is a *completely different discussion*. Over the years I’ve probably spent about £50k with them. Google Search Ads (do you have a problem with that? Or would you just like Search provided as a charity? Anyway, different discussion).

                            Plus a brief flirtation with Google Display Network, which is what I think annoys everybody: ads being sideloaded as banners into blogs and news sites. Let me tell you the advertiser experience, because I think it’s going to make you laugh like a drain. There is essentially no way to tell them where to place the ads. Google place them, then over the next few days you see where they’ve gone and blacklist any locations you don’t like so they don’t go there any more. I make high-tech high-value custom engineering components using a unique technology. My minimum order value is maybe $10-20k. You know where my ads were showing? Overwhelmingly Freemium games. Thousands and thousands of them. The odd dozen went to the Mail Online, but no engineering blogs or trade publications. For a couple weeks, I played whack-a-mole. I’d blacklist a set of 20 pages of Freemium games, and within a couple of hours Google would find another thousand to trial and see if those worked. This was early in the company, I was an idiot. I literally almost cried when I realised that I’d spaffed the weeks marketing budget on advertising on *Tinder*. Swear to God. After a month of that, I was done.

                            #2 There are plenty of businesses and business models where GA *does* improve Google’s ad targeting, but I’m not one of them.

                            It’s important to realise that much of Google’s curiosity about you is satisfied by guessing your gender and age. And it already had enough information about you to categorise that, about ten years ago. The first time you ever appeared on the planet, it wanted be able to check whether you shopped for men’s or women’s stuff when you were on John Lewis or New Look or wherever, and what type, and then it knows. *It doesn’t need to check whether you’ve Transitioned more than once a year*.

                            The rest of it comes from a totally brain-dead lookup table into Google Product Codes. If you look at a Hoover618x on ShinyElectricals.com, GA will spot it and do two things: Firstly if ShinyElectricals.com are advertising on Display Network, then any news or blogs you go to, those pesky ShinyElectricals.com ads will follow you. But if ShinyElectricals *arent* paying Google for GDN ads, but their competitor LuxuryElectricals.com who also sell Hoovers are…..now you get an ad for their hoovers instead.

                            In other words, if I sell consumer goods and install GA but don’t buy the ads, Google are *totally screwing me over by using my internal shop data to sell my pre-sales potential customer to my competitor*. Gee, thanks Google. And you think you as the end customer have cause to be angry with them.

                            However. That’s not my business. I don’t sell Hoovers. I don’t sell anything that has a Google Product Code or looks like one. Any human could look at my site and know that my stuff is engineering, but their algorithms really don’t. It might as well be Zogberts Alien Toilet Paper for all their algorithms understand. And that’s why it ended up being advertised on Tinder.

                    2. W.S.Gosset Silver badge

                      Re: Confusing GA with advertising

                      Yep 100% to everything you say here. The reality of running a business. As opposed to being tucked deep inside the "someone else's problem" security blanket.

                      Tangentially, though, "Dresden" being a write-off was a surprise. My own Germany experience is extensive but skewed, but I would have thought for manufacturing that --if not Dresden-- Aachen, Dusseldorf, or Frankfurt would have been on your list.

                    3. Jon 37

                      Re: Confusing GA with advertising

                      No one is stopping you from doing analytics. They are stopping you from using non-EU services for analytics.

                      1. Justthefacts Silver badge

                        Re: Confusing GA with advertising

                        Right….and you want me to spend *my* time analysing court-cases and deep-diving on Google’s data-processing network architectures? And still take the chance that I’m wrong and get sued? Notice that the companies in court here aren’t Google. It’s just ordinary everyday businesses that have a web presence.

                        Sorry, but you can f* off with that. I will use one of the industry-standard off-the-shelf toolkits. If that’s not good enough for the EU, I won’t be doing business there. And if it becomes worldwide, I’ll probably just shut the whole lot down, and take up a hobby, I’ve paid off the mortgages. I run a business not to become rich, but because I’ve got something that I think is worthwhile doing. To make something out of nothing. I carry dozens of people who also believe in this, and every day we design and make physical stuff that was just impossible five years ago.

                        But you want me to finance the entire Covid pandemic, and put everything on the line, just so some arsehole can whinge about my website? F* off.

                        Go shop at Amazon, and buy plastic toys from China, which will be the only thing left once your lot have shut all the small businesses down.

                        1. Anonymous Coward
                          Anonymous Coward

                          Re: Confusing GA with advertising

                          "Right….and you want me to spend *my* time analysing court-cases and deep-diving on Google’s data-processing network architectures? "

                          No, you pay someone who knows. Minor one-time cost, so an absurd claim to start with. Just like most of the other BS you spew,

                          Also: Reading the news related to your job is enough in this case, but obviously that's too complicated too.

                          1. Justthefacts Silver badge

                            Re: Confusing GA with advertising

                            This was a court case. Highly paid lawyers on both sides combed through the law with a fine tooth comb, and convinced themselves that the law was on their side, otherwise they wouldn't have gone to trial. Paying a corporate lawyer for advice for this type of stuff is a waste of time and money: there are two sides to every case. If you want your company to survive, it's much better to simply not be in the car when it crashes, than to be wearing the seatbelt.

                            In this case, given that it's the weekend, my immediate action was to geo-block France and Austria late last night (OK 4am), so the site is no longer visible from there. That holds until Monday. I've booked an emergency internal discussion Monday to figure out a plan and get the views of others. I do think we've got a real EU GDPR problem with GA, don't say I don't listen to you guys.

                            My preferred thought at the moment is that we geo-block the EU on Monday, which gives some breathing space while we figure out what to do. I only have a couple of customers in Germany (and I do mean two), and I figure we can clone the site without GA, and have it visible to them alone so they don't know anything's up. We can park acquiring any new customers in the EU until this whole debacle becomes a bit clearer.

                            For the rest of the world, no, GA stays on until some UK court says they think GA isn't GDPR-compliant.

                            1. Justthefacts Silver badge

                              Re: Confusing GA with advertising

                              Ah, well I should have communicated better with my marketing manager! Turns out the world of digital marketing has been on fire since the ruling, and she’s been all over this since then. She’s come up with (and already implemented) a much neater solution working over the weekend. She’s great!

                              Geo-based page redirect, with a twist. France, Austria and Benelux go to Black Hole (she’s phrased it *so* much more elegantly and professionally on the website), because essentially those countries aren’t really our potential customers any more: their geopoliticals are they aren’t going to buy anything from ex-EU.

                              The rest of EU get page re-directed to a GA-free cloned set of pages, but crucially that gives us the chance to provide location-based pricing. Without analytics, we will be going blind into new countries and new industries without even the first clue what products we should be offering. So that’s going to take much longer and we start off at a disadvantage in negotiations. That risk all has to be paid somehow, otherwise we operate at a loss. She’s picked 10%, which, well why not, 10% is always a good number for a risk. It’s only a starting point in negotiation anyway.

                              So, those customers will probably have to pay up to an average additional $5k each, per order, to pay for the loss of information of not having their cookies tracked. Ok. It’s an answer.

                      2. Justthefacts Silver badge

                        Re: Confusing GA with advertising

                        That's very true, thank you. And at last someone who is asking the right question.

                        I am happy to use pretty much *any* service for analytics as an alternative. EU-based if that is what is required to meet GDPR. Since we haven't looked since forever, I'd be genuinely grateful to hear some good proposed alternatives. I'm absolutely not being sarc'y, if there's good stuff I want to know.

                        It does need to have a standard dashboard that any marketing professional will be familiar with, and basically "answer the standard set of marketing questions asked". And to be sufficiently industry-dominant that any third-party marketing tool with other useful stuff, will have implemented an integration for it.

                        More urgently, it needs to solve the following problem that nobody has even mentioned - although marketing people talk of little else over the past year. So I don't understand why this topic hasn't come up. Absolutely *any* tracking system that uses cookies and sits on the *front end*, is getting murdered to death and beyond by all the cookie-blocking technologies in various browsers and IOS14, basically everything. Which of course you are "happy" about.

                        Whether I'm ethical or not, GDPR-compliant or not, today in February 2022 it's simply true that I am aware of definitely less than half of all actual sessions via front-end tracking. The statistics are still "good enough" (and how many times do I have to say that *nobody is being indivdually tracked, we don't give a damn if your name is Steve*), but very soon they won't be.

                        You don't need any legislation at all to kill GA, it will be useless to businesses by the end of this year if not earlier, as will all front-end analytics systems. But, there simply aren't any equivalent *back-end* analytics tools (or "server logs" as ElReg commenters want to put it) that are as standardised across all platforms and off-the-shelf that I am aware of. EU-based or not. Evil or not.

                        That's the problem.

                        I'm very sure that a bunch of companies realise this, but unless I miss something, nothing really standard has emerged yet.

                3. Anonymous Coward
                  Anonymous Coward

                  Re: Confusing GA with advertising

                  "So firstly: very few businesses have access to their servers, let alone the server logs."

                  That's proper bull****it. Anyone who has a web server, has access to server logs too. Literally every one.

                  The thing you don't know that, tells a lot about knowledge level.

                  Even the hair salon mentioned later *has* access to logs. Which is irrelevant because they probably don't understand anything GA provides either, it's there because someone told them to install it.

                  1. Justthefacts Silver badge

                    Re: Confusing GA with advertising

                    Jeeeeesus.

                    “Anyone who has a web server”. Which is *basically none of them*. It’s 2022. Almost *nobody has a web server*. I’m not talking about being hosted on a managed cloud service. The vast majority of e-commerce websites are on hosted platforms: Shopify, Squarespace, Woocommerce or other.

                    The companies who have web servers are the large ones who have IT staff. Which is why IT staff think companies have web servers. And IT staff are quite, quite sure that “even one-man bands have web servers”…..because they themselves are running one on a Raspberry Pi at home.

                    I really don’t understand why you think that everyone has a server….and at the same time what GA provides is some high-powered fu that only IT people understand. It takes absolutely zero tech background and expertise to install and flick through the pages, just follow the video tutorial; as easy as setting up your iPhone for the first time. “Understanding what GA provides” and developing a strategy is what marketing bods do, not IT.

                    And before you get uppity, I’d expect to get an excellent, insightful, experienced marketing person to be doing this as a part of their job at less than 40k a year. If you’re not getting more than that doing IT, you’re doing it wrong.

              2. 2+2=5 Silver badge

                Re: Confusing GA with advertising?

                > How much does GA actually provide though?

                Convenience, mostly. Possibly it's considered an independent source of metrics for assessing website popularity and therefore advertising rates?

              3. Anonymous Coward
                Anonymous Coward

                Re: Confusing GA with advertising?

                " Is there more than could be gleaned from the website access logs?"

                Yes. GA doesn't provide anything you can't find from the logs.

            2. stiine Silver badge

              Re: Confusing GA with advertising?

              Thefactis that you can run your own local version of GA (and could via a downloadable vm image some time ago).

              Also, if you can code a website, you can read the damn logs that have lots of errors that you seem to be implying that only GA can discover/report.

              1. Justthefacts Silver badge

                Re: Confusing GA with advertising?

                “If you can code a website”. “run a VM image”.

                Do you have *any concept* how much a minority sport that is? Any idea at all just what a small percentage of the 5.6million U.K. businesses even contracted an IT person to build their website in the first place, let alone keep one on staff?

                Do you think the owner of these businesses knows how to run a VM image, or keeps someone on staff who does?

                https://trevorsorbie.com/salon/hampstead-hair-salon/

                Www.Appleyardflowers.com

                https://www.bayfords-treecare.co.uk/services

                https://www.heathercoleman.co.uk/

                1. Dan 55 Silver badge

                  Re: Confusing GA with advertising?

                  So, resuming your argument: Companies (or their outsourced web developers) know enough to provide a shopping cart on their website and handle sales but don't know enough or have the time to look at their own logs and can't even install a local off-the-shelf dashboard running under php alongside the website running under php, but somehow do know enough to plug it into third party analytics and as it's third party they have the time to religiously check that every day and glean information about product views and sales from it.

                  1. Cuddles Silver badge

                    Re: Confusing GA with advertising?

                    Indeed. This seems very much like the arguments about Facebook moderation being difficult and other similar issues. The problem is not that it's particularly complicated, or unreasonable to expect it to be done, it's simply that it might cost a bit of money and therefore no-one can be arsed to even try. Do I know how few businesses are able to code a website or find someone to do it for them? All of them are able to do so. If you want to run your business on a website, then it's up to you to do it properly. Saying you can't be bothered to run your site competently should be exactly as acceptable as saying you can't be bothered to file your taxes properly. In both cases, if you do it wrong you're likely to be breaking the law. It's not an optional extra, it's a fundamental part of running your business.

                    1. Justthefacts Silver badge

                      Re: Confusing GA with advertising?

                      Rubbish.

                      I certainly can “run a website properly and competently”. I own a business with 7-digit revenue. My website is a significant factor in that success. You’re not the gatekeeper of “properly”.

                      1. Dan 55 Silver badge

                        Re: Confusing GA with advertising?

                        No, and neither are you. The GDPR is.

                        1. Justthefacts Silver badge

                          Re: Confusing GA with advertising?

                          Right. And in the U.K., GA and *other analytics* are GDPR-compliant. Unless a U.K. court says otherwise. And if they do, I will take the appropriate action.

                          A lot of this is just Google-hate anyway. Nobody has anything to say against HotJar, which is at least as widely deployed. And I would be quite happy to use HotJar as an alternative, I don’t care.

                          And all the “just read the server logs” stuff is not GDPR compliant. I did a quick search, and not found a single company who wrote in their GDPR that they might be going through server logs. So if you’re reading server logs to identify customer website behaviour beyond what they actually bought, in any way other than required to serve the order, you’re doing it illegally.

                          1. Anonymous Coward
                            Anonymous Coward

                            Re: Confusing GA with advertising?

                            "And in the U.K., GA and *other analytics* are GDPR-compliant. "

                            Blatant lie. GA isn't because data transfer into USA and can't be either as the GDPR is essentially the same as in EU and it has been judged illegal, several times already.

                            But I can see that you don't care about that either, it's "me and my business". As usual.

                            "And all the “just read the server logs” stuff is not GDPR compliant."

                            Oh, *now* your're a lawyer too. And wrong, of course. GDPR specifially defines *local site maintenance* as an exception. Key word: Local.

                            *That* data isn't sent to USA to be aggregated to every other GA site, globally.

                            1. Justthefacts Silver badge

                              Re: Confusing GA with advertising?

                              But you aren’t using the logs for “local site maintenance” are you? If you are telling customers that, you are telling porky pies. You are using the logs to extract strategic insights for your business.

                              And what’s your policy for when you are deleting those logs? If you want to compare what happened “before” with now, you’re going to need to store them…..indefinitely?

                      2. Anonymous Coward
                        Anonymous Coward

                        Re: Confusing GA with advertising?

                        "My website is a significant factor in that success. "

                        And who made if for you?

                        1. Anonymous Coward
                          Anonymous Coward

                          Re: Confusing GA with advertising?

                          Duh, GA made it. He says so in oh so many words :P

                        2. Justthefacts Silver badge

                          Re: Confusing GA with advertising?

                          My off-the-shelf platform provider, plus off-the-shelf tools.

                          Nobody says it isn’t a skilled job, with thousands of hours of embedded experience.

                          But it’s reusable work

                        3. Justthefacts Silver badge

                          Re: Confusing GA with advertising?

                          The platform provider, plus the developers of the tools.

                          Nobody says it isn’t skilled work that embeds thousands of hours of experience and time.

                          But it’s reusable work. Templates.

                          Just because there are a million hairdressers in the world, doesn’t mean anyone needs to develop a million hairdressing websites. It’s the same stuff with different photos, and a little bit of text.

                        4. Justthefacts Silver badge

                          Re: Confusing GA with advertising?

                          In other news, I don’t run a Finance server on which I run my accounts. Nor do I have “a Finance department”. I have an operations manager who does this as a quarter of his job, and the accounts are held in Quickbooks Online. It’s sufficient for our needs.

                  2. Stork Silver badge

                    Re: Confusing GA with advertising?

                    In many cases things come with a template, or it’s what you web developer does, and shows the owner how to see stats.

                    As owner, you can spend your time on a different solution or something that helps your business.

                  3. Justthefacts Silver badge
                    Facepalm

                    Re: Confusing GA with advertising?

                    “Or their outsourced web developers”.

                    Hello, this is the 2022 calling. Here in the future, we don’t have “web developers” who “provide shopping carts and look at logs”. We’ve heard that some hyperscale Corps and Orgs do that, it’s probably worth that for them with multi billion sales to optimise CTRs by 0.1%

                    The rest of the 5.6million businesses in the U.K. sign up to off-the-shelf platforms that cost us *£150 a year*, which also provide disaster recovery *better than what we could do with a “server room” that is actually just the old stores cupboard*. Most e-commerce websites don’t even customise the *layout*, they just pick up the most appropriate *theme* from suggested, choose a couple of colours and have a logo designed.

                    In other news, there’s some new companies that allow you to have image-focused ad billboards (if you sell Lifestyle or Makeup products) without having to develop and maintain your own tech infrastructure? Or even run your own TV channel, with tech tutorials, tips and everything? YouTube and Instagram. Some of the newer companies use them, you might want to take a look?

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: Confusing GA with advertising?

                      " sign up to off-the-shelf platforms"

                      ... which might be at least semi-true, but every one of those provide access to access logs.

                      Which you don't know, obviously. How much Google is paying you, anyway?

                      You seem to have *a lot of time* to argue for GA.

                  4. Justthefacts Silver badge

                    Re: Confusing GA with advertising?

                    Yes. Yes, they do.

                    Where “know how to provide a shopping cart” is defined as “put their credit card into Shopify, and download the web template”. An 18yr old Make-up influencer can plumb in what you regard as the tech bit of the website in under an hour. The photos are what costs the money, because you need a professional product photographer to not look crap and amateur.

                    Plug into third-party analytics….yes….do you think that’s difficult, given there’s web tutorials walking you through? “Religiously check every day”. Yes….of course they do. That’s called “running a business”. Even I do it once a week, and I employ a marketing manager. I just want to know what’s going on.

                  5. W.S.Gosset Silver badge

                    Re: Confusing GA with advertising?

                    @Dan 55:

                    > Companies (or their outsourced web developers) know enough to provide a shopping cart on their website and handle sales but don't know enough or have the time to look at their own logs and can't even install a local off-the-shelf dashboard running under php alongside the website running under php, but somehow do know enough to plug it into third party analytics and as it's third party they have the time to religiously check that every day and glean information about product views and sales from it.

                    Correct.

                    .

                    "Plugging in third-party analytics" is, for 99.9999% of companies, ticking a box on a third-party control panel, btw.

                  6. codejunky Silver badge

                    Re: Confusing GA with advertising?

                    @Dan 55

                    I can answer that. Yes. That is right. Occasionally I will help out people in the trades who want something small doing (that would cost £100+ for maybe a small text change in 2 minutes). They know nothing of the website beyond it exists and they gave someone money to put it there and run its magic.

                    Previously I did some actual work with a company who's most savy IT people were secretaries answering the phone and taking orders by hand written notes and retrieving paper records even with the computer sat in front of them. The people who did the work operated huge machines daily and not one of them could tell you how to turn on a computer (very literally!) at best turning on the monitor. This was a little over a decade ago and I still meet people with the same IT skills as them.

                    I know one wordpress website creator (not gonna say developer) who couldnt do any of the code stuff just used the plugins and templates to create the websites for small businesses.

                    Remember the audience on here has seen a computer before and likely have an above average use of them.

                    1. W.S.Gosset Silver badge

                      Re: Confusing GA with advertising?

                      > I know one wordpress website creator (not gonna say developer) who couldnt do any of the code stuff just used the plugins and templates to create the websites for small businesses

                      Web "developers" are themselves execrable (normally). (I have a horror story or 3 from running the backend of a major international hotel chain during one contract)

                      But from turning up at a number of well-attended WordPress user group meetings, I can confirm that essentially ALL WordPress "developers" wouldn't know the difference between code and a code. They were, at BEST, assembling collations of plugins. It was dumbfounding, gobsmacking. *

                      Key point: 99% of businesses regarded these guys as their IT experts. As in, god-like guru level.

                      .

                      * as a surreal but deeply refreshing counterpunctual counterpoint, that group included an actual core WordPress developer. He had extraordinary patience.

                2. Anonymous Coward
                  Anonymous Coward

                  Re: Confusing GA with advertising?

                  Funny, that hair salon won't even load on my computer through pihole and ublock. And, lo and behold, it's nothing but scripts to some ad networks.

                  1. Justthefacts Silver badge

                    Re: Confusing GA with advertising?

                    Good. Exactly.

                    Why would a stylish hair salon in a very up-market part of London want to pay money to attract the attention of somebody who uses pihole and ublock? Just possibly you are starting to understand there is a whole world out there, of whose existence you were unaware.

                    You don’t shop there, and you never will.

                    1. Alumoi Silver badge

                      Re: Confusing GA with advertising?

                      Using pihole and ublock doesn't mean I'm poor, it just means I'm smart.

                      Being smart also implies I'm never going to a fancy/posh/the new black place just to get a haircut.

                      1. Justthefacts Silver badge
                        Happy

                        Re: Confusing GA with advertising?

                        What a revealing comment.

                3. Cederic Silver badge

                  Re: Confusing GA with advertising?

                  I'm sorry, I'm confused. I don't care whether they have the skills or not, they have to obey the law and they do not have my permission to sell my life to Google.

                  If they can't create a legal and customer friendly web presence then I'm entirely happy that this may lead them to have no web presence.

                  1. Justthefacts Silver badge

                    Re: Confusing GA with advertising?

                    I think the point you are missing, with all respect, is that you aren’t the target customer for 99% of businesses. The upmarket hair salon in London, for one. Or a beauty influencer in Cornwall, posting on Insta. They won’t be selling your life to Google, or Facebook, because you are never going to shop there. Most businesses have no interest in you, in just the same way as you have no interest in them. But they shouldn’t need *your* permission to operate.

                    Of course, businesses need to obey the law, and will do so. I do so, and will do so. If the only businesses that could operate were ones of the type that *you* deem to be a “customer-friendly presence”, we would have a very small economy indeed. I’m not even sure we’d *have* an economy: 60 million people can’t live off the earnings of Raspberry PI alone. Which, by the way, *does have* web analytics, quite a lot of it.

                    So the real point is: don’t *change* the law to restrict to only the type of businesses *you personally* want to buy from. You understand what that type of political system is, right?

                    1. Cederic Silver badge

                      Re: Confusing GA with advertising?

                      I like beauty influencers, 'Glow Up' has some massively talented MUAs on it and I really wish I knew how to match my skin tones to the best eye shadow, blusher and lippy combos.

                      None of which is relevant to their need to obey the law, and none of which makes that law anything to do with me any more than the rest of their target clientele. Just as these businesses claim not to know how to do these things their customers often do not understand the need for it.

                      Should I as someone with a lot of IT and data privacy experience abandon other consumers to exploitation and invasive use of their data? Don't worry about answering: It doesn't matter what your views are, I have a professional obligation not to step away and ignore this.

                      These companies don't need permission to operate, they need to obey the law. The law that's there to protect their customers against their malpractice and/or ignorance. Oh, that that enforces my moral right not to be sold to Google. I didn't change that law, but please be assured that I would and do argue that it's important, and absolutely to protect customers of all businesses, whether I frequent them or not.

                4. W.S.Gosset Silver badge

                  Re: Confusing GA with advertising?

                  > Do you have *any concept* how much a minority sport that is?

                  The short answer is No.

                  As you'll have noticed from your downvotes, a substantial subset of ElReg commentards live in a cosseted subset of world and of Narrative, such that they find facts offensive. You may recall in times of yore, Richard Chirgwin's lunatic fantasias --often citing references as AuthoriTAY which flatly contradicted him-- which cleaved to virtue narratives were highly lauded while Tim Worstall's pointings-out of real-world commercial realities were ranted at as being offensive.

                  I found your expatiation of the current normal real-world business use of web analytics a breath of fresh air -- thank you. Quite neat/clever "blackboxing" for some of your derived business information.

                  For all those who were outraged and downvoted, can I suggest you get an appreciation for how limited the *available* tools are for 99.9999% of the population --who still need to get things done, despite that-- and for just how much real-world effect can be achieved with a startlingly small deep-knowledge, by trotting along to your local club for crackers for their next CTF event and watching startlingly pig-ignorant Individuals sliding into and through reasonably hardened installations with absolutely no idea what they're doing but access to a standard toolbox and rules-of-thumb via "social" sites.

                  Then consider that the average SME can't afford your full-time skills let alone the infrastructure your comments seem to regard as an absolute minimum "given", but --without them-- must still earn money or evaporate. So they must use what they have available to them. The best way they can.

                  Railing at the 99.9999% for not having vastly greater resources makes commentards look precious, not superior.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Confusing GA with advertising?

                    "As you'll have noticed from your downvotes, a substantial subset of ElReg commentards live in a cosseted subset of world and of Narrative, such that they find facts offensive."

                    proper BS. More likely you do and anyone disagreeing with you is a 'commentard'. Facts are welcome but you haven't any. That's kind of a problem, isn't it?

                    "average SME can't afford your full-time skills"

                    Proper strawman argument to start with. No-one claims that. *Full time*? Insane.

                    " let alone the infrastructure your comments"

                    Infra? WTF? They have 'marketplace' somewhere. marketplace collects logs. Literally *less* infra than what GA needs.

              2. Stork Silver badge

                Re: Confusing GA with advertising?

                I think an awful lot of commentards have a very limited idea of what running a small company actually means.

                We had a small number of cottages in the Algarve and apart from website I handed listing sites, enquiries, communication with guests after they booked and when they were with us, as well as activities, billing and accounting. My wife coordinated cleaners, maintenance and gardening.

                Website changes were done at Christmas, as only in November and December when we were closed did we have time. After new year there were too many enquiries to concentrate.

                We used GA as it gave us info we really needed, such as which devices and format our users had - iPhone in portrait we learned.

                Were there alternatives to CA? Perhaps, but not on logs accessible to us. And changing an otherwise economical, reliable hosting company with good support for no particular benefit? We could also take a week off.

                TL, DR: running a small company you are often short of time. If you have an economical and functioning solution to a periferal part of your business, you don’t spend time on changing it.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Confusing GA with advertising?

                  such as which devices and format our users had - iPhone in portrait we learned

                  And that's important for your business of renting rooms how?

                  Oh, oh, I know the answer to this one: iPhone owners are used to pay more for the same service so you can hike your price. And that's not profiling, no siree!

                  Out of curiosity, do you reject Android or WinXP users? Or Linux users?

                  1. DoctorPaul

                    Re: Confusing GA with advertising?

                    To optimise their web site photos / layout based on that knowledge maybe?

                2. SImon Hobson Silver badge

                  Re: Confusing GA with advertising?

                  running a small company you are often short of time

                  I know first hand. But then that is not an excuse for not complying with the law. If it were, then a valid defence to speeding would be "but officer, I'm very busy and speeding shaves a few minutes off my day so that's legitimate".

                  GDPR is no secret, how GA works is no secret, at least to anyone with enough knowledge to be competent at assessing whether they are complying with the law. If you don't want to put the time in to educate yourself, then you consult someone who already has - and pay for a share of their investment.

                  It's no different really to someone deciding that it's cheaper/better/easier (for whatever their combination of preferences/constraints is) to pay an accountant to do their tax returns vs doing them themselves.

                  As suggested fairly early on, the main surprise is that it's taken this long to reach a legal conclusion. Everyone who had a clue could see that Safe Harbour was a sham, and when that was struck down it was obvious that Privacy FigleafShield would be struck down as soon as it ground it's way through the courts. Similar things like GA - there's no way to opt out of it as doing so breaks too many sites, including sites where I spend money buying their goods and services, but it exports PII out of the EU and that makes it illegal without informed, specific, and freely given consent. "You can't buy ${essential parts} from us if you don't agree" is not freely given consent - and it's rightly illegal under GDPR.

                  And the thing to remember is that legal compliance is not a "one off" activity - done that, tick the box, forget about it. Laws change, both because they've been explicitly changed by legislators and because it gets "clarified" by case lore. It may have been assumed up till now that using GA was legal - now it isn't. So you either deal with that or sooner or later you'll find yourself on the naughty list.

                  I recently got in touch with a supplier as when I went to their website it offered unlawful options regarding cookies etc. As it happens, they didn't moan about it "not being their job to comply with the law, boo-hoo, woe is me" - they thanked me for bringing it to their attention as they don't normally see the cookies prompts etc, and they'd just had some website updates done which had broken something in that area.

            3. heyrick Silver badge

              Re: Confusing GA with advertising?

              The gateway drug is your use of GA. As has been pointed out, your logs will give more details than GA is likely to (for a start, it'll pick up on behaviours of people who block analytics) without compromising people's privacy.

            4. Anonymous Coward
              Anonymous Coward

              Re: Confusing GA with advertising?

              "Commenters seem remarkably ill-informed about Google Analytics and its *non* connection to advertising."

              So you don't know *anything at all* what GA does, do you?

              You actually believe it 'just' collects some data and provides *you* a summary of *your* website and that's all? Really?

              Sorry, but you must be really stupid and naive.

              Whole point of GA is to track everyone on every site that uses GA. What you get isn't even top-10 of its functions, it's just a bait to get you to install it and you sell user's privacy by doing so.

              Obviously it's not a problem to you, you don't care as long as it's legal (and it isn't, you know that too).

              Being arrogant and claiming only poor people don't like tracking, makes you a good CEO: If reality doesn't fit into visions, ignore reality.

              That's easy to see by reading the comments.

      2. julian.smith
        Mushroom

        I keep Google's analytics banned

        I use uMatrix which, by default, blocks Google's

        - doubleclick.net

        - google-analytics.com

        - googletagmanager.com

        That, plus a VPN, puts a big spoke in that wheel

  4. ShadowSystems Silver badge

    Good.

    Fuck Google. Yes I have a Gmail account, but that doesn't mean I want Google tracking my every move elsewhere. While at Gmail & checking the spam folder, fine, but the moment I log out is the moment their need to do so ends.

    My browser allows the creation of the GA cookie while I'm logged in, but I manually turn off that capability the moment I close that tab. If I'm not logged in & actively checking my email folders, you have *zero* right to follow me around like a damned stalker.

    "But it's in our T&C's you agreed to!" No, I did not. a *contract* is a mutually negotiated instrument, what you've given had zero negotiation prior, no ability to negotiate during, and no ability for the customer to renegotiate after. What it is is a one sided "take it or leave it" form of pseudo-voluntary indentured servitude.

    I'll let you know what I'm doing on the Gmail site itself, but nowhere else, any time else, for any reason.

    1. imanidiot Silver badge

      Re: Good.

      Very much this.

      As to the T&Cs I'll add that the T&Cs I agreed to when I made my Gmail accounts (and that's all I've ever made, I never explicitly made Google or Youtube accounts or anything for their other products), those were all implicitly created when they made or acquired the products. I made my Gmail accounts in the first year it was available (2005 this side of the pond iirc) prior even to the Youtube acquisition and there was definitely a lot less stuff about tracking and data sharing and the likes in there back then. All the changes after that have been made on the basis of "I've altered the deal, pray I don't alter it further" and "take it or leave".

      Google can suck it. I will also add that since EU law means that this French verdict is basically valid for the entire EU. ALL EU websites using Google Analytics are now in violation of GDPR until further notice. Possibly El Reg too, since the UK put GDPR into their laws before they threw their toys out of the pram.

    2. SW10

      Re: Good.

      A contract most certainly does not have to be mutually-negotiated, nor are you entitled to negotiate during, not to renegotiate after.

      I’ll confidently bet that you have entered into a number of one sided "take it or leave it" contracts - the “leave it” part is the choice you’re generally granted and perhaps feel peeved about missing in this case

      1. PriorKnowledge

        That’s true but also

        You’re good to ignore large chunks of agreements if they’re legally unenforceable. It’s fair game to block trackers and adverts and attempts to force users to see said adverts, even if the ToS forbids it for the same reason you’re free to write your own programs to interoperate with something proprietary (in the UK) even if the proprietary software EULA says no.

      2. Anonymous Coward
        Anonymous Coward

        Re: Good.

        "A contract most certainly does not have to be mutually-negotiated, nor are you entitled to negotiate during, not to renegotiate after."

        But obviously companies are. Because *they* change them "contracts" all the time by announcement.

        Funny thing, isn't it?

      3. SImon Hobson Silver badge

        Re: Good.

        True a contract does not have to be negotiated, but it must have been reached by a fair "meeting of minds". Where there is a take it or bog off, then you are at far more of a risk of it being challenged and parts declared unenforceable - or even, as in this case, found to be illegal.

    3. Anonymous Coward
      Anonymous Coward

      Re: Good.

      ""But it's in our T&C's you agreed to!"

      100% meaningless in EU and most probably meaningless in USA. And anyone who throws that argument, knows it.

  5. TimMaher Silver badge
    Meh

    Pi-hole

    I am told that it blocks GA.

    Not verified that yet.

    1. Rahbut

      Re: Pi-hole

      GA is blocked - as are the ads in Google Search (and whilst shopping in Amazon). Obviously that's largely down to your block lists, but the basic lists Pi Hole ships with should do the trick.

      Also good for blocking Samsung tellies sending back unnecessary viewing data.

      1. LenG

        Re: Pi-hole

        Actually, pi-hole does not block the text ads at the top of a search as they are served from google.com. However, it does block http://www.googleadservices.com so if you click on the ad you will not see it. In some ways this is the worst possible outcome as it can leave you with a completely unclickable page of crud when you do a seach. Fortunately, if you run an in-browser adblocker as well and block google.com with that then the ads vanish (at least they do with Adblock Latitude).

    2. Totally not a Cylon
      Boffin

      Re: Pi-hole

      Yes, it does.

      And google apis, google fonts, etc

      Need to do some setup first; clear the pi-hole logs and then access a page, see what is loading, block it, clear the logs and reload the page. If it fails to load then allow one bit until it loads......

      It's amazing just how much unnecessary junk is loaded by each page.

      1. W.S.Gosset Silver badge

        Re: Pi-hole

        Ghostery

        Browser plugin.

        Does the same with a lot less faff, plus (assuming you didn't congigue it not to) will flash you a list per page of just how much crap it's blocked. Can be quite eyebrow-raising, at times.

        1. Rahbut

          Re: Pi-hole

          Ghostery is fine on a browser, but it's not network wide...

          e.g. there's no reason Samsung tellies should be phoning home with viewing data.

          And you'd be surprised how much stuff is going back to Facebook if you've got WhatsApp installed on a phone - pi hole blocks that as well.

  6. Anonymous Coward
    Anonymous Coward

    Where is the UK in all of this ?

    Where is the UK in all of this ?

    1. JassMan Silver badge

      Re: Where is the UK in all of this ?

      Considering we have a government running gov.uk which has GA turned on, and on many pages is listed as necessary, I'm guessing they are not going to enforce the UK version of GDPR. However it seems that each department has their own set of cookies on gov.uk so our glorious leader should do a bit of leadership and tell all his ministers to clean up their act. [As if.]

      The more worrying thing which needs testing is, if you reject cookies on one part of the site but then view another departments pages, is it then turned on for for pages where you have previously rejected cookies.

      The root gov.uk certainly has "essential":true and claims to allow you to turn off "measurement" which is says uses GA but on other parts of the you can't turn analytics off. According to my cookie manager I have visited 15 different subsites within gov.uk and they vary between 1 and 15 cookies but I have never been given the option to turn of more than 3.

      1. John Brown (no body) Silver badge

        Re: Where is the UK in all of this ?

        "gov.uk which has GA turned on, and on many pages is listed as necessary,"

        All those sites claiming GA is "necessary" are lying IMHO. I have the GA domain blocked in NoScript and as far as I can remember, it's one of the blocked domains I've never had to temporarily unblock to get a site to work.

        1. Justthefacts Silver badge

          Re: Where is the UK in all of this ?

          Yes…and at the same time, 100% no.

          In my case, will my website work *today for you* if you block GA? Absolutely.

          Will I continue to allow my website to be accessed from your country long-term, if your country deems *all analytics* to be illegal according to GDPR? Ummm. No. I will simply geo-block IP addresses from there…..exactly as 25% of Fortune 500 companies in the US currently geo-block IP addresses from the EU, due to GDPR. You may not like that they do it, downvote all you like, but those are the figures.

          Every business is different. Without analytics and advertising I’m simply going to have zero real customers in France for example. But my technology is unique and largely unknown, so having my website accessible in France simply gives potential competitors an easy chance to know what I’m doing and that *my technology is possible and economic*. They don’t have to copy, that’s not my point, but just knowing it can be done is info I would prefer my competitors don’t know.

          Obviously if I have real paying customers in France, that’s just part of doing business. But if I have *no* paying customers in France, its just lose-lose. Off goes that switch. And no, this isn’t “complicated web developer stuff”. I’m literally looking at the single-click radio button in my off-the-shelf web platform that controls this.

          Just FYI, I have the switch OFF for Benelux countries. My website is inaccessible from there. I have no real likelihood of industrial customers there, and while it’s a not a critical concern I would rather an eager Commissioner didn’t accidentally stumble upon it, decide that this was a strategic new technology for them, and start subsidising competitors. It’s not a biggie….but *it’s one click*. It’s a no-brainer.

          1. Phil O'Sophical Silver badge

            Re: Where is the UK in all of this ?

            You seem to be saying that you're perfectly willing to let Google harvest and monetize your customers' personal data in order to make your business life easier and cheaper, and if the law prevents you from doing so you'll simply abandon those customers.

            Doesn't sound like a company I'd want to do business with.

          2. SImon Hobson Silver badge

            Re: Where is the UK in all of this ?

            deems *all analytics* to be illegal

            I suggest you try reading the article again.

            At no point have analytics been made illegal - what has been made illegal is the use of Google Analytics as currently implemented. This is simply because, without explicit and freely given consent, users' PII is being exported to the US where it does not enjoy the same level of protection as it would if kept within the EU. It could be fixed in several ways - Google could fix their stuff to be legal to use in the EU, sites could use ${some_other_analytics} that is legal, or the US could change their laws so that they weren't completely incompatible with EU privacy law.

            The USA doesn't seem interested in improving their laws (quite the reverse), I don't see Google giving up on an income stream, so that basically means website owners will need to find a different way of getting that information.

          3. John Brown (no body) Silver badge

            Re: Where is the UK in all of this ?

            "if your country deems *all analytics* to be illegal according to GDPR?"

            Did you read the ruling? GDPR is about PI data being sent to jurisdictions where it won't have the required levels of protection. If Google and other analytic operators choose to do the processing inside the areas covered by GDPR and only export the aggregated, anonymised data, then they will be fully compliant.

            "Ummm. No. I will simply geo-block IP addresses from there"

            That's fine by me. If you don't trade in the EU or UK, have no presence in the EU or UK, then no one will miss you.

      2. Anonymous Coward
        Anonymous Coward

        Re: Where is the UK in all of this ?

        oh that glorious leader, I hear celebrating the status quo is on the agenda <nudge,><nudge>

        Date - Friday April 1st 2022

        Venue - 6 Pancras Square, London N1C 4AG

        Time -12 noon onwards

        BYOB!

        1. heyrick Silver badge

          Re: Where is the UK in all of this ?

          Bring Your Own Bullseye?

          1. Anonymous Coward
            Anonymous Coward

            Re: Where is the UK in all of this ?

            Bring Your Own Boris?

    2. Chris G Silver badge

      Re: Where is the UK in all of this ?

      Yes!

      Or no!

      As far as I know, the UK was obliged to continue fully with GDPR but many UK sites that I visit seem to think it no longer applies to them.

      Though, to be fair, quite a few European sites ignore it too or at least do not follow the guidelines fully.

      GDPR needs to be taken more seriously by site owners as well as ICOs across Europe, while the ICOs do not actively look for and prosecute rule breakers, there is little incentive to take it seriously.

      The process for reporting transgressions should also be made simpler.

  7. Fonant
    Thumb Up

    Plenty of alternatives to GA

    * Self-hosted client-side analysis like Matomo (will miss some people who block such things, but otherwise interesting).

    * Server-side log analysis like AWstats (can't tell you about client-side stuff, but logs every request).

    * Custom server-side activity logging (customised to tell you what you want to know).

    * Relax, talk to your customers, etc. Analytics can't tell you everything.

    1. devin3782

      Re: Plenty of alternatives to GA

      Yup talk to your customers.

      All the client side stuff like google tag manager does it creates a positive feedback loop. I should add there's the ELK stack too (Elastic search, logstash and kibana) as an improved AWStats.

    2. imanidiot Silver badge

      Re: Plenty of alternatives to GA

      "Relax, talk to your customers, etc. Analytics can't tell you everything."

      That is difficult on a website though. Because my consistent answer to those "surveys" and polls that sometimes pop up while you're browsing is "no, fuck off".

    3. LDS Silver badge

      Re: Plenty of alternatives to GA

      AWStats actually logs nothing - it does process your server logs to extract information. It has also a client-side script to gather some info that can't be provided by logs (screen size, etc.) - it's not mandatory.

      It's lighter than an ELK stack and easier to install - one needs Perl though.

      Just be aware of the data retention window - if one deletes the web server logs after a while, after they've been processed by AWStats, most of their data will be kept in the AWStats data files.

  8. Jet Set Willy

    NoScript is your friend

    Amongst many other tracking scripts, google-analytics.com shall not pass. Firefox, natch.

  9. hitmouse

    Many countries have data residency requirements for specific uses such as research or medical data.

    There is little clarity from the major cloud services providers (Google, AWS, Microsoft Azure) as to whether cedata processing e.g. for voice, is done locally, in "region" or in US. There's even less clarity over whether third-party plugins to their platform services obey any residency laws.

    1. Richard 12 Silver badge

      It's irrelevant, sadly

      After the US forced Microsoft US to hand over data stored in servers in Ireland, owned by their Irish subsidiary - instead of asking the Irish government for access - all such contracts were clearly null and void.

      Max Schrems then proved the case for the hard of thinking.

      The only legal options are to use companies that do not have any base in the US and aren't owned by any US company, because the US can, have and will require any US-based company or owner to exfiltrate your data to the US regardless of its physical locations.

      1. Alan Brown Silver badge

        Re: It's irrelevant, sadly

        or any company with any offices in the usa

      2. SImon Hobson Silver badge

        Re: It's irrelevant, sadly

        Yes, that case rather exposed MS's claims about data security etc as being "rather misleading". If MS's claims were true, then MS in the USA would have been physically unable to hand it over, and MS in Ireland would have refused to do so for legal reasons.

  10. david 12 Silver badge

    ..From corporations to US law enforcement and spy agencies...

    How exactly is this different from EU and UK law, which also permits secret transfer of customer data from corporations to EU and UK law enforcement and spy agencies?

    Evidently there is *some* difference, because the courts have been finding a difference, but is it only that EU spy agencies are classified categorically as 'not American'?

    Because 'transfer to US law enforcement and spy agencies" is always quoted as the fundamental objection, I was surprised* to see exactly the same exemption in EU/UK regulations

    *Yes, I was that naive

    1. mpi

      Re: ..From corporations to US law enforcement and spy agencies...

      The problem is not that companies can be forced to hand data to government agencies, the problem is that companies can be forced to hand data to ANOTHER governments agencies, with no oversight, no way of even knowing if it happened, and no way for the people whos private information is handed over to do anything about it.

      European Agencies are governed by European Law, controlled by European Watchdogs, and have to answer to European Courts.

      1. This post has been deleted by its author

    2. Filippo Silver badge

      Re: ..From corporations to US law enforcement and spy agencies...

      There's a very big difference between your own government spying on you, and a foreign government spying on you. I'd prefer it if nobody spied on me, sure, but the two scenarios are nowhere near the same.

  11. Local Laddie

    Its possible to anonymize the IP in GA Analytics

    I assume the issue with breaking GDPR is with the users IP address (considered PIIl data) being sent to the USA. But Google Analytics can be configured to anonymze the users IP, which 'should' comply with the EU (and UK) GDPR

    ref:

    https://support.google.com/analytics/answer/2763052?hl=en

    Perhaps the webmaster was unaware of this setting?

    1. Anonymous Coward
      Anonymous Coward

      Re: Its possible to anonymize the IP in GA Analytics

      "IP address"

      No, a lot more than IP address. Browser signature and everything GA can find about the computer it runs on: OS, OS version, OS user, time zone and such.

      Basically enough data to identify the user. with >90% accuracy.

  12. shd

    Does this also affect the Google "Captcha" which seems to be springing up on a lot of websites? (Think it was initially served from recaptcha.net). It means that it's not possible to log into some web sites if you have google.com disabled in the browser - so they lose my business. They presumably also ship data to the US.

    1. SImon Hobson Silver badge

      Good question - and one I suspect Google will be careful not to answer directly or honestly.

  13. Plest Silver badge
    Facepalm

    We all knew this 15 years ago!

    We all saw this years ago, anyone listen to the techies at the coal face? Yeah right! Jeez, when will company top bods listen the techies....sorry, stupid thing to say. They ain't listened in 40 years, they ain't listening now are they!

  14. 4389hhsdfs345
    Boffin

    Watch prices rise

    If businesses don't have access to the analytics, their targeting effectiveness decreases which results in advertising costs increasing.

    As a result the end user pays more for their goods. A point many people seem ignorant of

    1. Richard 12 Silver badge

      Re: Watch prices rise

      Targeting effectiveness is already worse than pure chance.

      Deliberately advertising a one-off purchase to someone you are quite sure has very recently made said purchase is an obvious waste as they'll definitely not buy it again. You'd do better by showing it to someone at random.

      Analytics are pretty clearly useless for targeting advertisements. Matching the advert to the content on the page is far more useful.

      I suppose analytics are somewhat useful for determining whether your site visitors always bounce away because they followed an advert by accident...

  15. Anonymous Coward
    Anonymous Coward

    "If businesses don't have access to the analytics, their targeting effectiveness decreases which results in advertising costs increasing."

    Proper BS. *Anyone* can have local analytics. Not just GA.

    Also claiming targeted advertising actually increases sales is BS to start with, there are several actual research papers published on that lately. Even more ridiculous claim is that businesses" can sell *more* junk by advertising more. Sure, no ads mean not many sales, but it's always a diminishing returns.

    How much Google paid for that, anyway?

    "As a result the end user pays more for their goods."

    As a result people won't buy your stuff because it wastes 30% of the price to useless advertising. Which part of *that* you chose to ignore? Major ignorance of a advertising man, I see.

  16. MortyCapp

    GDPR Rules

    Nothing surprising here, if you know your GDPR.

  17. The_Software_Bureau

    This latest ruling against Google in France demonstrates the growing influence of privacy, particularly since it is expected that more EU countries will follow suit. This coupled with the recent appointment of a new ICO in the UK, who is already making his feelings known regarding compliance to GDPR suggests that for brands data management has never been more important. Compliance has never really been been a ‘nice to have’, although many organisations have taken this approach. It is clear that this can no longer be the case as we are moving into a time when it really is a ‘must have’.

    Ben Warren, The Software Bureau

  18. aldolo

    eu rules back in uk via usa

    brexit will reach new levels

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022