IMY’s decisions against CDON, Coop, Tele-2, and Dagens Industri put the finger on many points that have been clear for a long time but for which most have put their heads in the sand.
Summary: Using Google Analytics is not allowed and can be penalized
What happened?
In addition to fines of SEK 12 million to Tele2 and SEK 300,000 to CDON, four companies were ordered to stop using Google Analytics following complaints. The companies sent personal data to third countries based on contractual clauses, but without having sufficient additional safeguards.
Summary: Using US services like Google Analytics requires special effort, investigation, and documentation – and is still a gamble
Does it concern me?
Do you use Google Analytics? Do you base your decision to transfer data on standard contractual clauses? Do you have sufficient technical safeguards for this? Using US cloud services always requires you to do your homework properly, it’s not easy – but that’s the law.
IMY says, “These decisions have a bearing not only on these four companies but can provide guidance for other organizations using Google Analytics as well.”
Summary: Using Google Analytics is not legal
What needs to be done now
If you want to take a chance and continue using Google Analytics, it’s time to make sure that you have higher safeguards than those that have now been ruled inadequate. Now we know for sure that this is problematic and can be the basis for very high sanction fees.
The easy option is to switch. If you need an alternative to Google Analytics, we recommend our Matomo service. There you get both the operation of the system organized, but also many nice features that do not come with Matomo but are sold as plugins.
Summary: Switch to Matomo. Using Google Analytics is too difficult and illegal
You are wrong. You can anonymize data
It is not completely ruled out that it is possible to use Google Analytics legally. What we can see is that none of the companies sanctioned in this decision managed to do so. GA4 (which no one seems to like) may differ from GA3 on which decisions are based. You can create your own solutions that may hold up. Things can change. But who should you trust and dare you take a chance?
Summary: Read the decisions and make sure you have done much more or stop taking chances and hope for luck
What we have done at Rackfish
At Rackfish, we switched to Matomo a few years ago. We first chose Matomo’s cloud service but ended it when we discovered that it was also on American infrastructure (Amazon), which we judged was not allowed. We have subsequently set up our own infrastructure, on our own servers in Stockholm, Sweden, for Matomo and provide this as a service to our customers.
More information
Read the decision of the Swedish Authority for Privacy Protection
See and order our Matomo packages
Rackfish product page for Matomo