GDPR, Google Analytics and Matomo
GDPR is the world’s strongest set of data protection rules, improving how people access information about themselves and limiting what organizations can do with personal data. GDPR’s full text is a cumbersome beast with 99 individual articles.
Personal data is at the heart of GDPR. In general, this is information that allows a living person to be directly or indirectly identified from available data. Personal data can be something obvious, such as a person’s name, location data, or a clear online username, or it can be something less obvious, such as IP addresses and cookie identifiers.
What are GDPR’s key principles?
- Data minimization
Organizations should not collect more personal information from their users than is necessary.
- Integrity and confidentiality (security)
Personal information must be safeguarded against “unauthorized or unlawful processing” as well as accidental loss, destruction, or damage. In layman’s terms, this means that appropriate information security safeguards must be implemented to ensure that information is not accessed by hackers or accidentally leaked as part of a data breach.
- Accountability
Accountability is the only new principle introduced by GDPR; it was added to ensure that businesses can demonstrate that they are working to comply with the other principles that comprise the regulation. At its most basic, accountability can mean documenting how personal data is handled and the steps taken to ensure that only those who need access to certain information have it. Accountability can also include regularly evaluating data handling processes and training staff on data protection measures.
Is Google Analytics 4 (GA4) GDPR Compliant?
GA4 is not fully GDPR compliant as of the end of 2022. Despite including all of the above-mentioned privacy-related features, GA4 has yet to reach an agreement with European regulators. Google has yet to regulate EU-US data protection following the invalidation of the Privacy Shield framework in 2020. Currently, the company does not adequately protect the data of EU citizens and residents from US surveillance laws. GA4 does not have a mechanism for ensuring intra-EU data storage or even identifying a designated regional storage location. Google also does not provide users with information about data storage locations or data transfers outside of the EU. This is a direct violation of GDPR, and the data processing agreement with Google requiring a limited transfer of data does not fully address the issue.
What is the best alternative to Google Analytics 4 and compliant with GDPR?
Recent GDPR rulings have specifically targeted Google Analytics for inadequate data protection.
According to the Berlin Data Protection Office, if you collect and send data to third-party services (such as Google Analytics) in Berlin that use data “for own purpose uses,” you must now obtain specific consent from visitors in order to collect that information.
Matomo is not one of them. The data you collect with Matomo On-Premise, Cloud, and Matomo for WordPress is yours to keep and work with. Matomo will never use your data for “own purposes” or for any other reason, as it is entirely yours.
The use of Google Analytics is illegal due to data transfers to the United States, according to the Authority and the French Data Protection Authority (CNIL).
Matomo Cloud stores data in Europe and does not transfer data to the United States. Matomo On-Premise, on the other hand, stores data in your preferred country.