On 10 February 2022, the CNIL issued a formal notice to a website using Google Analytics to comply with the RGPD.

Indeed, the CNIL considers that as Google Analytics stores its data in the United States, it considers “that these transfers are illegal and requires a French website manager to comply with the RGPD and, if necessary, to no longer use this tool under the current conditions.

As a reminder, Google Analytics is a free web traffic analysis solution, which has been widely developed for years, but like all free solutions that are developed and maintained for years by a private company, it was not forbidden to wonder if it was in its interest to continue using it.

As the saying goes, “when it’s free, you’re the product!

And indeed, it is obvious that Google was using your site’s traffic to improve its analysis and statistics in order to better target its advertisements and its search engine which is still what makes 80% of its turnover.

That said, the CNIL (French Data Protection Authority) put a definitive stop to the use of Google Analytics in France on Wednesday 10 February 2022 and last week issued a formal notice to this website manager.

But in fact the CNIL had already signed the death warrant for Google Analytics in 2020…

Indeed, in October 2020, the CNIL ( https://www.cnil.fr/en/node/120386 ) had asked website managers to “Allow the user to consent by a clear positive act: the silence of individuals, which can be through the simple continuation of their navigation, must now be interpreted as a refusal.

As a result, Google Analytics was only to be used for users who accepted cookies. As a result, Google Analytics now only analyses traffic from users who accept cookies. The right question to ask is “How many of my users accept cookies?

It’s a good thing that Netanswer hosts websites! So without necessarily being able to extrapolate to other populations, we can already know if, indeed, this rate of acceptance of cookies discredits Google Analytics or not.

And to compare, we use our internal tracking solution.

We host the sites of nearly 200 clients, and in 2021 we delivered nearly 17.5 million pages for all sites combined. By setting our cookies (which are safe) we have nearly 5 million visits per year (excluding bots, crawlers etc.). This is a good basis for analysis.

We looked at the figures site by site, and compared the traffic analysed by our tools with that analysed by Google Analytics.

If we do this comparison in 2020 where we did not limit GA’s cookies, the difference is between 0.8 and 1.1 with an average of 0.92 (excluding outliers) between our figures for visits or visitors and those of GA.

This figure varies from site to site, as we do not have the same rules for removing bots and analysing crawlers. By definition GA is a black box. But at 8% the figures are the same.

But if you look at the figures for 2021, it’s nothing like that!

There is a differential between our figures and GA’s between 0.2 and 0.45. This means that when we see 10 visits, Google Analytics sees between 2 and 4.5 depending on the site!

This suggests that the acceptance rate of cookies varies between 20 and 45%, with an average of 35% for all sites combined after removing outliers.

So even if we say to ourselves that we have a gap in 2020 of 8%, this means that GA was seeing in 2021 at best 38% of visitors. And of course it is likely that this 40% is biased in relation to the internet users who go to your site (people aware of the RGPD, at work vs. at home, on a smartphone or on a computer, digital native or not etc.).

The population of the sites we host (former students of prestigious schools, professional associations, federations, unions, B2B sites, etc.) is structurally different from the general population, but nevertheless we can safely draw the following conclusions:

  • Google Analytics greatly underestimates the traffic of your site, so it can no longer be used as a quantitative traffic indicator (visits, visitors, bounce rate, time spent per page…)
  • The probable bias of this sample which accepts cookies also invalidates the qualitative analyses of GA (M/F distribution, age, country, region…)

It would be surprising if the CNIL reversed its decision, or if Google changed its tool and complied with the RGPD. Indeed, the fact of storing the analyses of European sites on a European server and separating it from the analyses of its other clients, would prevent it from crossing its analyses between sites. User centricity has its limits in the time of the RGPD!

It is therefore necessary to turn to other analytics solutions, and while we’re at it, to use a solution certified by the CNIL. To date, there are 15 CNIL-certified solutions: https://www.cnil.fr/fr/cookies-solutions-pour-les-outils-de-mesure-daudience

We at Netanswer are in the process of doing our analysis, and within a month we will be recommending one or two solutions to our clients and interfacing with them.