Italian websites that use Google Analytics to map visitor behaviour violate European privacy legislation. They transfer user data across the US, a country that currently does not offer an adequate level of data protection. Companies have 90 days to adapt the transfer of personal data to the European standard.
The Garante per la Protezione dei Dati Personali (GPDP) announced this in a press release .
GPDP: ‘US does not offer an adequate level of protection of personal data’
The Italian regulator says that website operators who use Google Analytics collect information about the behaviour of and interaction with visitors via cookies. They know, among other things, which pages they visit, how much time they spend there and which searches they perform. Google’s statistics program also allows them to collect information about the device they surf with, the web browser and the operating system they use, the screen resolution, language settings, and date and time.
All this data is forwarded to servers in the US. The processing of this data is unlawful, according to the GPDP. The General Data Protection Regulation (GDPR) considers IP addresses to be personal data that can be traced back to individuals. To make matters worse, IP addresses are not anonymized by default. Even if it did, Google can enrich this data with additional information that the tech company has.
The fact that the American government and intelligence services have access to the personal data transmitted via Google Analytics was also a thorn in the side of the Italian regulator. The country thus