Google Analytics, GDPR Compliance and why you should use Beam
Can I use Google Analytics in the EU?
In January 2022, the Austrian Data Protection Agency ruled the use of GA violated GDPR. They were following the ECJ's ruling in the Schrems II case. Since then, France, Italy and the Netherlands have followed suit in making the use of GA illegal. More countries are expected to follow suit.
Why has GA been ruled to be illegal?
GA collects personal information about users (eg. IP address) to provide its service. It then transfers this personal information to its servers. The key problem is that those servers are US owned. This used to be ok. After the ECJ case of Schrems II, it was not.
What was it like before Schrems II?
Under GDPR Chapter 5, transfers of personal data outside the EU was ok if it was protected by a safeguard. Before Schrems II, the key safeguard was the US-EU Privacy Shield. This Privacy Shield (a legal framework which the European Commission approved in 2016) made it easy for US companies to receive personal data from the EU under EU privacy laws.
What happened in Schrems II?
The ECJ invalidated the US-EU privacy shield. This meant companies could no longer rely on this privacy shield to comply with GDPR chapter 5. So transfers of personal data from the EU to the US no longer complied with GDPR.
In January 2022, Austria's data protection agency decided that because Schrems II had invalidated the Privacy Shield, GA could no longer rely on it to send personal data from the EU to the US. And so they ruled GA was illegal in Austria. France, the Netherlands and Italy followed.
Is Beam Analytics GDPR compliant?
Yes. We do the same thing as other GDPR compliant companies like Fathom and Plausible. Being legally compliant is just table stakes.
All traffic is processed on EU owned servers No personally identifiable information (PII) is sent to US owned servers No cookies or any cookie-like technology are used.
Even though Beam Analytics' service is to track the website usage, this can still be done without collecting any PII and without using cookies. Below is an explanation of what we do to stay GDPR compliant.
What user data does Beam collect?
| Data Point | Quantity |
|---|---|
| Page URL | www.stackoverflow.com |
| Page referrer | www.twitter.com |
| Browser | Chrome |
| Operating system | macOS 12.5 |
| Device type | Desktop |
| Continent, country, city | Europe, France, Paris |
| Title | Beam - Google Analytics alternative that is GDPR compliant |
How do we count unique users?
Normally, you'd need cookies for this. But the solution, as used by Fathom and Plausible, is to hash the PII data.
hash(salt + pepper + useragent + ip) = fingerprint
This fingerprint anonymizes the user's IP and useragent data. This data processing takes place on Hetzner, a EU company with servers located in Germany.
Where is the data stored?
After the PII data is anoymized, it is cached in Render, along with session data. But that anonymized user data is not permanently stored anywhere. With our method, we effectively rotate the salt after 30m of user inactivity. After 30 minutes of user inactivity, that anonymized PII data is cleared from the cache. Only the session data is stored in our our managed database - Tinybird. See our blog post about our unique salt rotation approach and how it enhances user privacy.
Why use Beam over other GDPR compliant analytics companies?
Being GDPR compliant should just be table stakes. We're not looking to compete on legal compliance. Our goal is to better in two ways:
- Have more analytics features that can help your company. No other GDPR compliant web analytics providers have funnel analysis.
- Be affordable - substantially better value. And our pricing is very predictable and transparent. It's just a linear function so you don't have to worry about your costs exploding as things scale. For every extra 100k pageviews, it's just $2.
Hopefully this all makes sense to you. If this interests, sign up at www.beamanalytics.io. If you have any questions, email us at hi@beamanalytics.io.