Is Google Analytics illegal in your country? (opens in new tab)

It's going to be hard when your own hands are tied by legislation but your competitor just does as they see fit.

Also them having the resources to drag out any court ruling for years and years ensures there is no level playing field whatsoever.

So yeah, maybe companies should be called out for thinking they are above the law just because they can afford endless legal battles.

Thanks for pointing that. Don't know how many time have met privacy advocates, etc has made a such a strong point against google, and still embedded youtube video or google font on their site. Is there are github page where one can block all google or fb used domains or ips? Would be very useful!

Don't shoot the messenger? I think everyone should have the right to voice opinions and point out problems with products, competitors or not. As long as the claims are factual and not FUD and bullshit. (I'm reminded of fud campaigns made e.g. by big corporations against open source, backed by their own shady fudfactory studies)

If a company can -- without lying or twisting facts -- point out that their competitor's product is dangerous/illegal/unsuitable/{whatever is relevant to me}, I'm all open.

Of course, the line between a fud campaign and plain good old information is sometimes very thin.

The competitor that put up this site appears to be a company that provides analytics that are not centrally collected and analyzed to serve ads across the internet. Their entire selling point seems to be that they do not engage in mass surveillance. Equating this to what Google analytics does (if this competitor's claims are accurate) is a false equivalency.

To me, this is no more objectionable than a foam insulation manufacturer capitalizing on asbestos bans.

It's really hard to make that claim when Google is known for anticompetitive behaviour, including crippling GA competitors [1].

We should probably acknowledge that Google is in the terminal phase where only forced split and divesture will help, and in the meantime, every action from competitors is fair game.

[1]: https://forum.matomo.org/t/adwords-campaign-rejected-for-goo... https://matomo.org/faq/troubleshooting/antivirus-program-or-...

Their product is open source and (assuming the say the truth) keeps the data on the server of the website owner. I would say this is better.

I love that you casually put not being illegal on the same level as a dashboard or a convenience feature.

> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.

As for the Astria ruling, this is part of it:

> The fact that Google LLC argued that Google Analytics was allegedly provided by Google Ireland Ltd since April 2021 was not considered relevant, as the violation occurred in August 2020.

So it might be illegal to have used GA before April 2021, but it very well might now be legal given that GA is now provided by 'Google Ireland Ltd', which was a move explicitly done by Google to comply with GDPR.

That page explicitly notes that cookies aren't sent and these requests aren't used for the ad machine. Is using Google Fonts at all the issue just on the chance they're using IP address matching for ads/is them having your IP too much of a risk?

We'll probably try it anyway, to be honest, but I'm not crazy about this type of advertising.

There is so much room to beat Google Analytics on UX alone. Is this really necessary?

It has been more than 3 and a half years since GDPR was implemented, yet it took concentrated efforts of non-profits and individuals to come to this extremely obvious interpretation that EU–US Privacy Shield is nonsense.

Maybe if EU and member countries actually made any enforcement efforts, a viable competitive space would emerge.

> Make a better product and beat them, don't use the fact that a government is banning them to upsell your own tracking software.

Google Analytics is not a good product if it can't legally be used. The competitor in this case is offering a better product because it can legally be used.

This isn't very convincing.

In industries that don't successfully self-regulate we get politicians that force a regulation in order to have good product out compete bad ones. It is especially common with lemon markets where information asymmetry between buyers and sellers is a significant reason of good products being unable to fairly compete with bad ones.

The value of personal information is a notoriously lemon market where the buyer, ie users, are not aware of the actually cost to themselves or to whom they are selling their information. One of the first requirements in GDPR is fixing part of this by forcing companies to disclose to whom the information is sent to. Secondly it partially address the cost aspect by forcing companies to disclose how the information get used and thus what the real cost to the user is. A bit like how banks need to disclose what the interest of a loan actually will be before the consumer signs the contract.

What makes privacy issues an even bigger issue is that the cost is not carried by the party who decide and benefits from the choice of analytic software. This is similar to environmental issues where the cost of a decision is not carried by the company that made it, but rather by those around them. Environmental issues is a typical example where self-regulations do not seem to work, as the end consumer has no information if a certain clothing item is made from child labor or by a eco friendly operation. A regulations job there is to put down some minimum standards that everyone need to follow, including information disclosure so that end users can actually know what they are paying for and how much.

As it is, it's very difficult to tell if something you're using is gathering data that you don't intend to gather (e.g. your hosting provider logging IP addresses for your hand-coded blogging software). I don't want to have even the tiniest possibility of being on the receiving end of one of those theoretically huge GDPR fines just by self-publishing some code and putting it on the internet.

It's just that website creators were defaulting to "just use Google Analytics" because it's convenient and they didn't care about their user's human right to privacy, and were thus externalizing human rights violations onto them.

The government is simply preventing externalization of harm, which even libertarians will agree if the governments job (of course agreeing on what level of spying is harmful is where the debate will be).

> PostHog is what I always wanted a Product Analytics SaaS to be. Private cloud option so GDPR becomes way more manageable, features built based on direct community feedback, focus on simplicity and usefulness over vanity features...Great job people!

Mmm I dream of [Private cloud options] to make [needlessly complicated government legislation] easy!

Yay privacy, I guess? Just add 3 more needlessly complicated middlemen.

I get what you're saying, but i feel like that's probably a sliding scale of how much people actually care about these things vs how much they want to just easily get things done.

For example, right now my personal website serves the following files, just to get Open Sans working:

  /fonts/open-sans-latin.woff2
  /fonts/open-sans-latin-ext.woff2
  /fonts/open-sans-latin-bold.woff2
  /fonts/open-sans-latin-ext-bold.woff2

    /* latin */
  @font-face {
    font-family: 'Open Sans';
    font-style: normal;
    font-weight: normal;
    font-display: swap;
    src: local('Open Sans'), url(/fonts/open-sans-latin.woff2) format('woff2');
    unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
  }

Furthermore, the characters that you'll want to show on your site will also make you write more code, just look at what Google does for Open Sans: https://fonts.googleapis.com/css2?family=Open+Sans&display=s...

Oh, and more styles? Well, be ready to add all of those as well, since most of the fonts out there won't necessarily be variable: https://fonts.google.com/specimen/Open+Sans#standard-styles

In comparison, Google Fonts just lets you choose what you want and copy something like the following:

  HTML:
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@400;700&display=swap" rel="stylesheet"> 
  
  CSS:
  font-family: 'Open Sans', sans-serif;

In my opinion, those sizes should also be readily available in the web UI of Google Fonts, or most other sites that recommend fonts out there!

Do note that "someone responsible" can be a legal entity! Not only cooperations but also a "Verein" or a similar legal construct.

Also, note that you do not need to list your address, only a "Anschrift", which often times is the same thing as an address, but really just means "If I write this on a letter it has to be delivered to you." So a postal box for example works just fine.

If you are a startup you will have all of these things anyways, I don't know a single startup that isn't also a legal entity. Indie makers is a bit more tricky, but as mentioned before it is pretty easy to get around this requirement via a "Verein" or something similar.

As for free tools not being usable, I honestly don't think it is that big a problem. Google Analytics doesn't work for you? There are other offers out there. Or you could selfhost matomo. Or if you want then you can just go ahead and run an awk script on your Webserver log.

As for not finding information and on the sites of famous European indie makers, I am going to let you on on a secret. The "Impressum" was always intended so that consumers could have a look at who they are dealing with over the internet.

To this day it is still handled like that. If you aren't selling anything or doing anything else that "a classic" company would do it is highly unlikely anyone is going to care whether or not you have an Impressum.

Regarding the Impressum ("imprint"), the information you need to put on your website is already public, since the address of your company is recorded in the commercial register when you incorporate it. It can be annoying to have to use your home address, I agree, but there are plenty of coworking spaces or even just mailbox services that can solve this problem.

Regarding Google Analytics, I don't find it a competitive disadvantage to have to host analytics software that is less detrimental to user privacy.

Are there any other issues or annoyances you ran into that contribute to the impression you stated?

Google Analytics is free for businesses, but not because Google feel line they need to help small business get started.

Also consider that starting a business in countries like Denmark is easier that starting one in the US. Ease of doing business isn’t the only thing holding back EU startups.

That's been the law in the EU since 2001.[1]

1. In addition to other information requirements established by Community law, Member States shall ensure that the service provider shall render easily, directly and permanently accessible to the recipients of the service and competent authorities, at least the following information:

(a) the name of the service provider;

(b) the geographic address at which the service provider is established;

(c) the details of the service provider, including his electronic mail address, which allow him to be contacted rapidly and communicated with in a direct and effective manner;

(d) where the service provider is registered in a trade or similar public register, the trade register in which the service provider is entered and his registration number, or equivalent means of identification in that register;

The definition of "service provider" is (b) "any natural or legal person providing an information society service".

This is a basic requirement of European Union trade. It's intended to encourage cross-border trade, by insuring that, if there is a problem, the customer can find the seller. So, anonymous online businesses are illegal in the EU.

[1] https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...

If you're publishing ads, sending people to affiliate links, selling products, whatever, you're operating a business. All businesses should be held to a minimum standard of accountability.

You can use the ones that don't infringe on user privacy.

EU/Germany might not encourage a haphazard hodgepodge of poorly vetted services as squashed into a start-up. And it is a good thing.

Some regulation might have got a bit extreme. Granted. I think they will be revisited as the time goes by. But really, this feels like a reaction to contempt that many businesses have towards protecting their users.

You don't think you're being a wee bit dramatic here, homie?

Aka spyware.

Personally I use the self-host version of plausible, and I remove this cookie banner that is sooo invasive and by the way improve page-size and UX.

I use a virtual server precisely in Germany for less than 3€ a month and had it by my own subdomain like analytics.mydomain.eu

Not using SASS services (e.g. Firebase) just really sucks though.

We still use it (started with it before privacy shield was demolished) but we will have to migrate eventually. Don't know what we'll use exactly, maybe managed kubernetes with some platform for an easier workflow running on it? Idk yet.

Most countries in the world though has governments which ensure basic rights, and if you want to do business in those countries you follow those laws, no matter how it may reduce your profitability

The fact that 'productive folks' have been engaged in a chicken race with the regulators since GDPR came along in 2016 is entirely on them.

The second shoe dropped with Schrems II in 2020, and the race to find plausible technicalities to keep doing the same thing continued. Still no real attempt at fixing the problems.

If they had followed the spirit of the law rather than trying to get away with dubious technicalities, there would be no mad scramble to fix things now when it turned out those technicalities were in fact hopeful thinking at best.

I've only got a machine translation of the ruling (https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Goog...), but it includes:

"The specific IP address used can no longer be determined by the complainant either. However, this is irrelevant, since the UUID in the cookies is already clearly linked to a person."

I've been skeptical of the "just turn on anonymizeIp" approach for this reason; xxx.xxx.xxx.0 plus, say, the user agent, is likely plenty to identify me.

There is a BIG issue here which is usually splitting hairs, but in this case is super-relevant.

Google's TOS forbids storing PII. GDPR forbids transferring Personal Data (PD). These are nowhere near the same thing. Pseudonymous identifiers are not PII, but are often PD.

Google Analytics requires a pseudonymous identifier to work (the "client ID," by default randomly generated value stored in a cookie). This may on its own constitute a GDPR violation, despite not counting as PII for Google's ToS or any other American law.

That's some very interesting information. So, the real answer to the question of whether it's illegal in Austria or not is a "MAYBE", and it is quite easy to make it legal? If so, that should be on this site.

To back that up:

https://autoriteitpersoonsgegevens.nl/sites/default/files/at...

Above is the official guidance from the dutch privacy authority. It basically documents the best practice since 2018: anonymize IP and how to configure several other privacy-friendly settings in GA.

Exactly one week ago they added an explicit note to the very top of the document. It says that soon GA (as a whole) may no longer be allowed. No matter how you configure it. They go on to explain that they're in the process of investigating two other complaints and will come to a final conclusion early this year.

The the demands that tiktok be sold?

Not... really? The internet (defined as the infrastructure and non-commercial websites) will be fine.

Corporations that collect and monetize data will just have to jump through more hoops (and many already do this because of the GDPR and Europe's general feelings about personal data). So they'll be fine too, even if they gripe a bit about it.

The only folks who would really be hurt would be small developers, because their potential audience will be limited until they take advantage of foreign hosting and segmenting their user's data. In the end, they'll probably be fine to, even if their growth is stunted while they comply with laws (and ultimately, the wishes of their customers).

Sadly, such nonsense is quite common in modern web design.

Rule: `-google-analytics-$script,domain=~wordpress.org`

URL: https://isgoogleanalyticsillegal.com/component---src-pages-g...

Edit: Couldn't get this formatted well, but it has google-analytics highlighted in the URL

Note that the ruling confirms the GDPR, the EU legislation.

Also, enforcement may be very inconsistent, since it is mostly left to each member state to handle.

EDIT: NVM, GDPR is a Regulation, not a Directive, so it's automatically law everywhere in Europe.

If true, they don't need to show the popup.

> google is going to punish you in your rankings if you do not use their integrations too.

If you have evidence of this it would be the basis of a massive antitrust case. (I'm not disagreeing and would not be too surprised, but - real evidence is thin unless you include the AMP carousel which is not technically part of "rankings".)

Source/proof?

Just search in your search engine of choice and you will find plenty. Lots of comparison online. Some are more, some are less complete or accurate. With advent of affiliate marketing among vendors, the reviews start resembling VPN market.

Not listing anything specific. My company has a product in this space, but I will spare you self-promotion.