Big Tech’s Tracking Tools: Google Analytics and the Meta Pixel
Tools like Google Analytics and the Meta Pixel can help businesses track how people use their websites and target individuals with behavioural ads.
But these products also provide US tech giants with personal data about millions of people every day. As such, regulators in the EU and beyond have been cracking down on how companies use Google and Meta’s “free” tracking technology.
This article explains why some of the legal issues around Google Analytics and the Meta Pixel have been resolved (for now)—but also explores some other privacy pitfalls still relevant to big tech’s analytics and marketing tools.
1. The Data Transfer Problem Is Over (For Now)
In September 2022, the Danish DPA published a press release about Google Analytics.
“The GDPR is made to protect the privacy of European citizens. This means, among other things, that you should be able to visit a website without your data ending up in the wrong hands,” said a legal adviser at the DPA.
“We have carefully reviewed the possible settings of Google Analytics and have come to the conclusion that you cannot use the tool in its current form without implementing supplementary measures.”
Since January 2022, regulators in Austria, Denmark, Finland, France, Italy, Norway, and Sweden have reprimanded, sanctioned, and sometimes fined scores of website operators for installing Google and Meta’s tracking tools.
However, most of these cases have focused on US data transfers—an issue that has recently (but perhaps temporarily) been resolved.
Google and Meta vs Max Schrems
Most recent online tracking cases in the EU have concerned international data transfers.
We won’t dwell on the topic—read Is Google Analytics Illegal Under the GDPR? for a detailed look at the issue.
Briefly—when transferring personal data outside of the European Economic Area (EEA), the GDPR requires you to ensure the data receives an “essentially equivalent” level of protection as it would receive in the EU.
The July 2020 Schrems II decision at the Court of Justice of the European Union (CJEU) established that transfers of personal data to the US generally did not meet this strict standard.
The court found that the US did not have a sufficiently strong human rights framework, and that people surveilled by US law enforcement authorities lacked an effective process for challenging infringements on their privacy.
The complainant in this landmark case, privacy activist Max Schrems, submitted 101 follow-up complaints about websites using Google Analytics and the Meta Pixel in violation of the GDPR’s data transfer rules.
These 101 complaints are the reason that so many Google Analytics and Meta Pixel cases have focused on data transfers.
Schrems’ complaints were almost all successful. In case after case, DPAs found that the personal data collected by these products was transferred to the US without adequate protection.
The EU-US Data Privacy Framework
The US data transfer issue has been resolved, for now, with the approval of the EU-US Data Privacy Framework (EU-US DPF).
European organisations can legally transfer personal data to companies self-certified under the EU-US DPF, including when using Google Analytics and the Meta Pixel.
However, the EU-US DPF might not last forever.
Max Schrems brought down the EU-US DPF’s two predecessors, known as “Privacy Shield” and “Safe Harbor”—and he’s hoping to do the same to the new framework, too.
Another privacy campaigner, French politician Philippe Latombe (who also works for the French DPA), has already brought a case against the EU-US DPF via the EU’s “action for annulment” procedure.
If the new framework fails, transferring personal data to Google and Meta could once again become illegal. Businesses using these tools must accept this uncertainty until the CJEU has ruled on the issue.
For now, however, data transfers are not an issue when using Google Analytics and Meta Pixel. But, as we’ll see, there are other potential pitfalls associated with these products.
2. The Problem Has Always Been Bigger Than Data Transfers
So, the data transfer issue is over, or at least on hold. But regulators sanctioned Google Analytics or Meta Pixel users before the Schrems II case—and have continued to do so since the EU-US DPF took effect.
Here are three examples of Google and Meta tracking cases that do not involve data transfers.
Danish DPA: October 2023
On 6 October, the Danish DPA announced that it had reported a gardening equipment company to the police for allegedly unlawfully collecting personal data and sharing it with Google and Meta.
In the first non-transfer-related Google Analytics or Meta Pixel case since the EU-US DPF took effect, the DPA recommended that the company, Texas Andreas Petersen, receive a fine of DKK 20,000 (around €2,682).
(By the way, reporting GDPR violations to the police is standard practice in Denmark whenever a fine is recommended.)
The Danish DPA’s fine against Texas Andreas Petersen consists of two elements: collecting personal data and sharing personal data—in both cases, without a legal basis.
In its 2020 guidance, Processing personal data about website visitors (in Danish), the DPA notes that tracking tools can collect IP addresses, device IDs, device fingerprints, and information about a user’s browsing history.
“A single piece of information in itself” might not constitute personal data. But when you collect “a wide range of information”, you’re likely processing personal data.
Processing personal data under the GDPR always requires a “legal basis”—something Texas Andreas Petersen allegedly did not have.
Note that Google Analytics can be configured to collect varying amounts of personal data. The company states that Google Analytics 4 (GA4) “does not log or store IP addresses”.
But “processing” means more than just “logging and storing”. Even collecting and deleting personal data is still a type of “processing”, and collecting personal data via cookies normally requires consent.
Spanish DPA: November 2020
In November 2020, the Spanish DPA investigated allegations that the Spanish Victims’ Association (known as “JAVA”) had illegally published recordings on its website. During its investigation, the DPA visited JAVA’s website and noticed it was running Google Analytics.
The Spanish DPA found that JAVA’s website set the _ga, _gat, and _gid cookies—all of which are associated with Google Analytics.
JAVA had a cookie banner—as is always required when using Google Analytics—but had not added a “Refuse all” button. As such, the DPA decided that the company was sharing personal data with Google without an appropriate legal basis.
The combined privacy violations earned JAVA an €8,000 fine.
French DPA: November 2020
The use of Google Analytics was one issue in a wide-ranging French DPA decision against the supermarket Carrefour.
The French DPA noted that Carrefour had failed to obtain consent before setting Google Analytics cookies on its website visitors’ devices.
Notably, the DPA said there was “no debate” that Google Analytics cookies can be “cross-referenced with (other) data” to identify users across different contexts. The intrusive nature of this data processing was a factor when deciding the company’s sanction.
The French DPA issued a €2.25 million fine against Carrefour (the nonconsensual use of Google Analytics was just one of several legal violations).
3. The Problem Extends Beyond Europe
Even outside of the EU’s strict privacy domain, regulators are targeting the use of big tech’s tracking tools.
In the US, there is no broadly applicable data protection or privacy law at the federal level. Nonetheless, US companies are facing enforcement action for using Google Analytics and the Meta Pixel.
FTC Enforcement
Throughout 2023, the Federal Trade Commission (FTC) has been on a privacy enforcement rampage. Cookies and pixels are a top priority for this increasingly active federal regulator.
Despite its limited and somewhat outdated legal powers, the FTC has brought cases against several companies accused of sharing sensitive data with Google and Meta.
In a March blog post titled Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking, the FTC highlights two of its 2023 enforcement actions—against remote therapy provider BetterHelp and discount drug retailer GoodRx.
While both companies operate in the health sector, neither is covered by America’s major health privacy law, the federal Health Insurance Portability and Accountability Act (HIPAA).
But the FTC pursued these and other companies’ tracking activities under other laws, namely the FTC Act (a consumer protection law) and the Health Breach Notification Rule.
The FTC says that health companies using pixels and cookies without consent could be enabling a “security breach”—a sign of just how seriously the regulator is taking online tracking.
HIPAA Letter
Companies that are covered by the health privacy law HIPAA are restricted regarding how they share “protected health information” (PHI).
Historically, authorities have considered PHI to be people’s medical records, plus “obvious” identifiers, such as patients’ names and contact details. But this narrow view of health information is changing.
In July, HIPAA’s regulator, the Office for Civil Rights (OCR), sent a letter to 130 healthcare providers highlighting the “risks and concerns” around “technologies such as the Meta/Facebook pixel and Google Analytics”.
The letter, jointly written with the FTC, reminds healthcare providers that “HIPAA-regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties”.
The OCR has emphasised the risks of Google and Meta’s tracking tools since late 2022.
A stricter regulatory environment has led some companies, such as remote therapy provider Cerebral, to proactively notify their customers of HIPAA breaches due to their use of Google Analytics and the Meta Pixel.
And an August 2022 class action lawsuit against Meta alleges that around 633 hospitals are using the social media giant’s tracking tools in violation of HIPAA.
4. Using Intrusive Tracking Tools Can Harm Reputation and Trust
We’ve seen that many authorities are focused on regulating the use of intrusive tracking tools. But most websites running Google Analytics and the Meta Pixel will not see enforcement action.
Yet even where these tools are deployed legally, the public and the media are becoming aware of the inherent privacy risks.
NHS Meta Tracking Scandal
In May, the Guardian published an investigation about a “data breach” within the UK’s National Health Service (NHS). The newspaper revealed that the Meta Pixel was installed on the websites of 20 NHS trusts.
The Guardian highlighted the sensitive nature of the web pages where the tracker was present, which covered topics such as HIV, self-harm, and “disturbing sexual behaviours”.
The NHS shared data about people’s interactions with these websites with Facebook, alongside visitors’ IP addresses and, in some cases, their Facebook IDs.
The pixel had been present on some of these pages for several years, meaning data about millions of people was likely compromised.
Police Tracking Scandal
Two months after publishing its NHS investigation, the Guardian reported on how UK police forces had installed the Meta Pixel on highly sensitive web pages.
The story revealed that Facebook received details of people who had filled in a form to “securely and confidentially report rape or sexual assault”.
One police force said it had initially installed the pixel tracking code on its recruitment pages. The police intended to use the tool to retarget people on Facebook who had abandoned job applications on the force’s website.
If that intended use of the Meta Pixel wasn’t creepy enough, the tracking tech somehow spread onto pages where tracking is unarguably inappropriate (and likely illegal).
The Guardian article quotes privacy researcher Mark Richards, who compared using pixels in this context to “asking someone to report a crime while a stranger is in the room”.
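As an added example (not from the article or from any of the regulators’ decisions), a small Python audit in the spirit of the findings above: it flags pages where a Google Analytics or Meta Pixel loader script is present, or where the _ga/_gat/_gid cookies the Spanish DPA identified were already set on first load (i.e. before any consent interaction), and raises the severity when the URL sits in a section the operator has marked sensitive, as with the police report form. The crawl records, URLs and sensitive-path list are constructed for the example.

```python
import re

# Cookie names from the JAVA decision, plus the per-property _ga_<ID> / _gat_<ID>
# variants that Google's tag also sets.
GA_COOKIE_RE = re.compile(r"^(_ga|_gat|_gid|_ga_[A-Za-z0-9]+|_gat_[A-Za-z0-9_]+)$")

# Loader URLs / init calls that identify each vendor's tag in page HTML.
TRACKER_SCRIPTS = {
    "google_analytics": re.compile(
        r"googletagmanager\.com/gtag/js|google-analytics\.com/analytics\.js"),
    "meta_pixel": re.compile(
        r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js|\bfbq\(\s*['\"]init['\"]"),
}

# URL fragments this example treats as sensitive (constructed list; a real audit
# would derive it from the site's own information architecture).
SENSITIVE_PATHS = ("/report-sexual-assault", "/hiv", "/self-harm")


def audit_first_load(pages):
    """One finding per page where a tracker tag is present, or GA cookies were
    already set on first load, i.e. before the visitor could give consent."""
    findings = []
    for page in pages:
        trackers = sorted(n for n, rx in TRACKER_SCRIPTS.items() if rx.search(page["html"]))
        ga_cookies = sorted(c for c in page["cookies"] if GA_COOKIE_RE.match(c))
        if not trackers and not ga_cookies:
            continue
        sensitive = any(frag in page["url"] for frag in SENSITIVE_PATHS)
        findings.append({
            "url": page["url"],
            "trackers": trackers,
            "ga_cookies": ga_cookies,
            # A tracker on a confidential form is the high-severity case.
            "severity": "high" if sensitive else "medium",
        })
    return findings


# Constructed sample crawl: HTML and cookies observed on first load, no consent given.
PIXEL = '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>'
SAMPLE_PAGES = [
    {"url": "https://example.org/careers/apply", "html": PIXEL, "cookies": ["sessionid"]},
    {"url": "https://example.org/contact/report-sexual-assault", "html": PIXEL, "cookies": ["sessionid"]},
    {"url": "https://example.org/privacy-policy", "html": "<p>No trackers here.</p>", "cookies": ["sessionid"]},
    {"url": "https://example.org/news",
     "html": '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>',
     "cookies": ["_ga", "_gid", "_ga_XXXX"]},
]

if __name__ == "__main__":
    for f in audit_first_load(SAMPLE_PAGES):
        print(f["severity"].upper(), f["url"], f["trackers"], f["ga_cookies"])
```

The same check run on real crawl output would show whether a tag added for one purpose (recruitment retargeting) has spread through a shared template onto pages where it should never fire.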
Big Tech’s Tracking Tools: The Beginning of the End?
As individuals, regulators, and lawmakers focus on online privacy, big tech firms have tried to portray their products as harmless and non-intrusive.
And with the EU-US data transfer issue at least temporarily resolved, tools like Google Analytics and the Meta Pixel are no longer inherently illegal under the GDPR.
But there’s still legal uncertainty around sharing so much personal data with the tech giants. Many companies implement these tools unlawfully—or use them in ways that could reveal highly sensitive data about vulnerable people.
- European regulators continue to enforce the law against companies that implement tracking tools illegally.
- US regulators are increasingly eager to penalise businesses that use these tools in sensitive contexts.
- The public appears unhappy that so much of their personal data is shared with Google and Meta without their consent.
As such, responsible businesses may wish to avoid becoming over-reliant on big tech’s tracking products.