Privacy & Information Security Law Blog

On January 24, 2011, the data protection authority of the German state of Rhineland-Palatinate issued a press release regarding significant breaches of data protection law by companies that maintain websites and create user profiles.

Website traffic and usage often is measured by website analysis tools such as Google Analytics.  According to the DPA, insofar as user personal data is processed in this context, the companies that run the websites are responsible for compliance with applicable data protection provisions, regardless of whether the company itself evaluates the user data or if it does so through a service provider.  In its current form, Google Analytics, which is frequently used for this purpose, is considered illegal by the DPA.

An investigation by the DPA found that more than half of the 100 largest companies assessed use some type of website analytics, and about a quarter rely on Google Analytics specifically.  The DPA also discovered that, contrary to the legal requirements of the German Telemedia Act, in half of the cases, individuals are not informed about the use of analytics or about the creation of user profiles.  In addition, the DPA states that companies frequently fail to obtain the consent necessary to transfer personal data to the United States.  The DPA’s study showed that nearly 60 percent of the 400 surveyed websites that use Google Analytics did not seek the legally-required consent.

The DPA also found that companies’ data processor agreements with Google do not meet the statutory requirements for such agreements pursuant to the Federal Data Protection Act.  In particular, the agreements lack the mechanisms necessary to effectively control how Google may process personal data.

Finally, the DPA emphasizes that companies that maintain websites should not escape data protection responsibilities by relying on service providers like Google.  Along with its supervisory efforts, the DPA will focus on providing guidance to companies.