D: Measures against the use of Google Analytics announced
Category: News
By: M. Schröder - 2B Advice GmbH - the privacy benchmark
Hamburg’s data protection officer, Mr. Caspar, announced in an interview with the newspaper FAZ that he wants to take action against operators of Internet sites that use Google Analytics.
The analysis service has been the object of heated discussion for quite some time. The "Dusseldorf Circle" has presented demands for ensuring the collection of web statistics in accordance with data protection laws. Mr. Caspar believes that these demands have not been met.
The legal basis is section 15 of the Telemedia Act (TMG).
Originally, the service Google Analytics recorded the complete IP address. The Dusseldorf Circle qualifies the IP address as personal data. Recording and using this IP address is only permitted with consent of the user. However, obtaining such consent has not been implemented yet. In the meantime, the service provides the possibility of deleting the last octet of the IP address via the option "_anonymizeIP()", which eliminates the link of a person to the IP address.
Mr. Caspar points out that not all users are able to object to the use of a pseudonymous user profile; the plug-ins provided by Google do not work in all browsers. Effective implementation of the right of objection was one of the main demands of the Dusseldorf Circle.
Site operators are responsible for the use of Google Analytics. They are responsible within the context of processing personal data on behalf of others. For such commissioned data processing, section 11 of the Federal Data Protection Act (BDSG) stipulates special requirements for the agreement. According to Mr. Caspar's explanation, the agreements that Google submitted are insufficient.
Mr. Caspar announced his intention of imposing penalties for use of Google Analytics. This can take the form of fines and/or a test case.
Fines of up to € 50,000 can be imposed based on the regulations of the TMG and BDSG.
Site operators should consider accordingly whether they want to continue using the service. In any case, they should use the option _anonymizeIP(), clearly point out the possibility of objection and think carefully about browser sniffing.
