In 2023, Echobox is releasing its own website tag, designed specifically to be used in conjunction with all Echobox products. If you use Echobox you will need to insert a small snippet of code onto your website to enable Echobox to continue functioning and maximize performance.
Why are we taking this step? Until now, Echobox integrated with Google Analytics to access the real-time traffic data required to perform. Recently, however, data authorities in a number of European countries have found Google Analytics to be non-compliant with the EU’s General Data Protection Regulation (GDPR) law. This non-compliance is based principally on Google’s transfer of data to countries with less stringent privacy laws, meaning that the right to privacy enshrined in GDPR law could be bypassed.
Echobox values the privacy of not just you, our customers, but your audience too. It’s in this context that we’ve taken the decision that we cannot, in good conscience, assist in potentially non-compliant transfers of EU citizens’ data to other jurisdictions. We therefore have no choice but to stop ingesting website traffic data from Google Analytics into our solution.
What happened to Google Analytics?
Understanding why we’ve chosen to go down this route means understanding Google Analytics’ checkered history with EU regulators and privacy law.
Google Analytics has long dominated the web analytics market, with more than half of all websites in the world using the service to compile information on who visits their pages. Recent developments, however, make its preeminent position less secure. In 2023, Google will sunset its current version of Google Analytics (also known as Universal Analytics or GA3) and replace it with its successor, GA4 (those using the paid-for Google Analytics 360 will be given until 2024). This change is more consequential than any other in the product’s 17-year history.
In the last few years, Google Analytics has been beset by regulatory issues, with bodies in Austria, Italy, France and Denmark all ruling that it violates the EU’s GDPR laws. The GDPR represents one of the most stringent data protection acts in the world, and importantly, its remit is wide. Any company which processes the personal data of EU citizens is held liable under GDPR law, regardless of where they are based or where the data is processed.
Accordingly, GDPR law affects US companies that receive European visitors to their website in exactly the same way as EU companies, or indeed companies from any other part of the world, so long as they have visitors to their websites from the EU. The effect of this has been significant: with the European market so large, it doesn’t make sense for companies to run parallel data protection policies, and so the GDPR represents a global standard that fundamentally shapes privacy protocol for large corporations around the globe.
The essence of these rulings follows the decision in Schrems II, where the European Court of Justice judged the EU-US Privacy Shield, intended to protect EU users’ privacy when their information is transferred to the US, to be invalid. This is because the US Cloud Act (Clarifying Lawful Overseas Use of Data Act) gives the US government theoretical access to the data of any American business providing “email, instant messaging, video conferencing, wireless telephone, remote or backup data storage, and cloud hosting or processing services” upon the provision of a warrant and regardless of where the data is held.
The possibility of a government being granted this kind of access to EU citizens’ personal data is in contravention of the GDPR; therefore any product which facilitates this — such as Google Analytics — is considered unlawful and companies who make use of these products could be exposed to considerable fines.
Google’s analytics product is far from the only element of its businesses that has troubled EU regulators. Earlier this year, Google was fined for breaching EU data laws by using asymmetric “dark patterns” to push cookies. Third-party cookies themselves will also be phased out of its Chrome browser, following public concern about online privacy.
What if I keep using Google Analytics?
The three rulings by the Austrian, Italian and French authorities, as well as the European Court of Justice’s judgment in Schrems II, indicate that any business that continues to use Google Analytics puts itself at risk. Moreover, other EU countries look likely to take a similar position on the issue.
Since the EU passed the GDPR legislation in 2018, over 1,000 companies have been fined for breaches. In 2021, Meta-owned WhatsApp was fined €225m by Irish regulators for, among other things, a lack of transparency over how their data was processed, while in the same year, Amazon was found liable for €746m for violating data processing principles.
These fines are by no means reserved for big companies, as the law provides no exemptions on the basis of company size. In 2018, for example, the UK’s Information Commissioner’s Office fined a company called AMS Marketing Ltd over £100,000 for data breaches, despite the company having annual turnover of only a few thousand pounds. In the first six months after GDPR legislation was established, there were 59,000 reported instances of potential breaches across the EU.
In the case of Google Analytics, it is important to note that the liability for not complying with the GDPR may not only fall on Google itself. Where Google Analytics is deemed illegal, those companies who use it could face financial penalties, as under GDPR law the data controller (the owner of a website, say) is required to only use processors (in this case Google Analytics) who are GDPR compliant.
Is Google Analytics 4 GDPR compliant?
The short answer is: No. Google has taken measures to try to ensure Google Analytics is GDPR compliant, announcing in March of 2022 that it would stop tracking IP addresses. But fundamentally, this doesn’t address the issue of data transfer — and government access to this data — which is at the heart of the European rulings, and neither will GA4.
In September of 2022, Denmark’s Data Protection Authority followed Austria, Italy and France in ruling against Google. It also directly addressed the compliance of GA4, noting that “as with Universal Analytics [Google Analytics 3], the same issue [of data transfer] is also relevant for Google Analytics 4, as – depending on the location of the data subject – there can be direct connection to, among others, American servers before the address is discarded.”
This would mean that there are scenarios in which a visitor to a European website would have their data transferred to the US before the anonymization of their IP address could take place. GA4 is also, therefore, non-compliant with the GDPR regulations.
Unregulated, non-consensual EU-US data transfer remains the key issue.
The Echobox Web Tag
Echobox has previously supported an integration for Google Analytics to measure website traffic. But these new developments mean that were we to continue supporting Google Analytics, Echobox could be assisting in the non-compliant data transfer of EU citizens to other jurisdictions, and we are not prepared to do so.
Increasingly, the companies we work with are prioritizing the privacy of their audiences as public appetite grows for checks on how data can be used and by whom.
It’s our belief that we can help our customers transition towards a secure and privacy-focused future by implementing our own web tag — a small code snippet that must be installed on your website for Echobox to maximize your content’s performance.
It’s important to note that Echobox doesn’t collect any direct identifiers or personally identifiable information on who is visiting your websites, thus ensuring the privacy of your users’ data.
How does the Echobox Web Tag work?
The Echobox Web Tag is a small piece of code. You will need to install a code snippet on your website. When your website is loaded, this code will enable the Echobox Web Tag to capture data on your website. The Echobox Web Tag captures only the page URL and the page referrer each time a web page is loaded. The Echobox Web Tag also works perfectly with WordPress.
An important consideration for us when developing the Echobox Web Tag was to ensure that it had no adverse effects on a page’s load time. To accomplish this, we created the web tag to be “asynchronous”.
What does “asynchronous” mean?
Normally, when code is loaded on a page it is done in a specific sequence, and the longer the sequence, the longer the load time. This makes it “synchronous”. On the other hand, when a piece of code is loaded alongside this standard sequence, this is “asynchronous”. As the “work” of the code is being done alongside the standard sequence, rather than as part of that sequence, it has no impact on load times whatsoever. The Echobox Web Tag also works seamlessly alongside other analytics tools that will allow you to monitor activity on your website in detail.
It’s important to note that data captured by the Echobox Web Tag will remain in the EU.
What other services does the Echobox Web Tag use?
To enable the Echobox Web Tag to work and process data, we use Cloudflare and Amazon Web Services (AWS) respectively — both widely used and highly respected companies.
Cloudflare is a Content Delivery Network, recognized by The World Economic Forum as a Technology Pioneer. Cloudflare ensures that the process of delivering content to a user from a website can be done safely and securely. The Echobox Web Tag uses Cloudflare to capture information from a website.
AWS is the largest provider of cloud-based computing in the world, and is used by some of the largest tech companies including Facebook, Netflix and Adobe. We use AWS to aggregate and process a website’s traffic data.
Are these services GDPR compliant?
Both Cloudflare and AWS are GDPR compliant. We only use Cloudflare to enable the cached Echobox Web Tag to work on your website. Once the code snippet is installed on your website, we use Cloudflare to deliver the web tag and obtain the requisite usage data.
Through using Cloudflare, all users’ IP addresses are “masked” by default, with users’ connections to websites processed through Cloudflare’s network of regional data centers.
What does “masking” mean?
Normally, when someone goes to a website, a specific sequence of numbers identifying the device used (an IP address) is logged to enable that website to send the content to the correct place. Cloudflare, however, serves as an intermediary. Users are routed through Cloudflare’s own data centers, meaning that the IP addresses logged by a website will correspond to that data center rather than any specific device. IP addresses that are collected and processed by Cloudflare for security purposes are not accompanied by sufficient data to be potentially used to determine individuals’ identities.
With regard to AWS, who have data processing centers around the world, we have chosen to ensure that the data we collect is only processed within the EU, and is therefore subject to the regulations and safeguards imposed by GDPR.
In neither case does the company sell data to third parties. In neither case will data be transported to jurisdictions outside the EU.
Why should I install the Echobox Web Tag?
The Echobox Web Tag is the simplest and most secure way for us to continue to provide you with a great service and help support your GDPR compliance. The short snippet of code is quick and simple to install and will have absolutely no impact on your website’s load time. Once installed, you won’t ever have to think about it again.
Privacy and security are fundamental to what we do at Echobox. Through the Echobox Web Tag we can collect the information that we need for our products to function, in a secure fashion that prevents you from exposing your customers’ data to third parties that aren’t GDPR compliant.
If you are unsure or have further questions about the Echobox Web Tag, please feel free to reach out to our team who would be happy to help.