Privacy & Information Security Law Blog

On September 15, 2011, the data protection authority of the German federal state of Hamburg (the “DPA”) published a press release confirming that Google has significantly improved compliance with respect to the implementation of Google Analytics in Germany.  This finding is the result of two years of fruitful dialog between Google and the DPA, which was acting on behalf of the conference of German data protection authorities responsible for the private sector (the “Düsseldorfer Kreis”).

According to the DPA, Google has now improved the use of Google Analytics by:

• Giving users of major browsers (i.e., Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Opera) the opportunity to object to the collection of their data by using the Google Analytics Opt-out Browser Add-on function;
• offering website operators the option to request anonymization of IP addresses that are collected (by deleting the last digits); and
• entering into a data processing agreement with website operators regarding the processing of personal data in compliance with the German Federal Data Protection Act (“FDPA”).

The DPA endorsed Google’s intention to implement technical changes throughout Europe, and emphasized that “it is not Google, but the website operators using this product [as data controllers] that are responsible for ensuring privacy-friendly use.”

Against this background, the DPA also issued guidelines for helping website operators ensure compliance.  According to the DPA, website operators should:

• Enter into a data processing agreement with Google regarding the processing of personal data, using a standard agreement approved by the DPAs that imposes specific obligations on data controllers (i.e., website operators) in accordance with the FDPA;
• inform users about the use of Google Analytics in their privacy policy, and also provide users with an opportunity to object by using the following link: http://tools.google.com/dlpage/gaoptout?hl=de;
• entrust Google with the anonymization of IP addresses by appropriately adjusting the Google Analytics Program Code privacy settings, and using the “_anonymizelp()” function on their websites; and
• delete all old data that was collected using non-compliant Google Analytics, close old Google Analytics Profiles and establish new profiles.

The DPA cautioned that additional improvements might be necessary in the future, particularly following the implementation of the EU’s new cookies law and the introduction of Internet Protocol version 6 in Germany.