Recent reports from several European Data Protection Authorities (DPAs), the bodies empowered to regulate consumer privacy under the General Data Protection Regulation (GDPR), have ruled that Google Analytics violates the law. DPAs in Austria, France, and Italy have found that the tool, which allows website owners to track and analyze traffic to their sites, impermissibly passes European user data back to the United States without adequate safeguards. Other DPAs, including the Dutch Autoriteit Persoonsgegevens, are conducting similar investigations.

Google Analytics collects user data from cookies, including pages visited, browser information, operating system, screen resolution, selected language, date and time of page views, and the user device’s IP address. These decisions could have widespread implications for both Google and website owners because Google Analytics holds a majority market share for web analytics technologies. Other less prominent services could be in a similar bind as well. Data flows between the EU and USA have been in limbo since a European court struck down the U.S. Privacy Shield framework in Schrems II. While regulators agreed in principle on a new framework in March, a formal framework likely will not be announced until the end of the year. Until then, website operators serving European consumers should be on notice that their analytics services may land them in hot water with regulators. And with fines reaching as high as 4 percent of the business’s annual revenue, most organizations can’t afford to roll the dice.