
The ‘Commission Nationale de L’Informatique et des Libertés’ (CNIL) have said that the use of Google’s web analytics does not comply with the General Data Protection Regulation (GDPR), despite Google claiming that it does.

Who are the CNIL?

The ‘Commission Nationale de L’Informatique et des Libertés’ is the independent data protection agency for France. They regulate data privacy laws and focus on the collection, storage and use of personal data. In other words, they are the French equivalent of the UK’s Information Commissioner’s Office.

What is Google Analytics?

Google Analytics is a cookie-based web analytics platform. It’s a very popular analytics tool, and website developers usually install the Google Analytics cookie on their customers’ websites, which, like any other cookie, tracks user activity. If you don’t know whether your website uses Google Analytics (it probably does), you should check with your website developer.

The cookies used by Google feed into the Google Analytics platform to provide insights, trends and statistics on website traffic so you can make decisions about what works and what doesn’t work to attract/retain/direct website visitors.

The CNIL Decision that Google Analytics Does Not Comply with GDPR

The CNIL have said that the use of Google Analytics by French website operators does not comply with the GDPR as it results in personal data transferring to the US without sufficient safeguards in place for data subjects.

Following the ‘Schrems II’ judgement on 16th July 2020, the EU-US Privacy Shield is now invalid; any data transfers from the European Economic Area (EEA) to the US should be legitimised with a sufficient safeguard, such as the European Commission’s Standard Contractual Clauses (SCCs).

The CNIL have said that the mere use of SCCs by Google LLC is insufficient for the use of Google Analytics and that further legal, technical and organisational measures are required.

The CNIL have suggested some solutions for using US-based tools such as Google Analytics. These are:

  1. Break up the connection between the end-user and the analytics tool by using a ‘proxy server’ – a third party server acting as an intermediary between the end-user and the analytics tool, such as a VPN; or,
  2. Use another analytics tool that has servers based within the EEA, as that will be bound by the regulations and guidelines of the GDPR.

What does this mean for the UK?

The decision of the CNIL indirectly affects UK data controllers and data processors as it highlights the importance of considering the legal implications of the tools you use. The ICO already have a heightened interest in cookie usage and this decision ensures it will remain in the limelight for the foreseeable future.

Ensuring you are using cookies correctly could help you avoid breaking data protection legislation and, in turn, being issued a fine by the Information Commissioner.

When using cookies on your website, you should do the following:

  1. Tell people that cookies are being used on the website;
  2. Explain what cookies are being used and why; and
  3. Get the website user’s consent to store cookies on their device (this does not apply to ‘necessary’ cookies which are required to operate the site).


Stephens Scown have a cookie compliance kit which provides template wording, documentation and advice to keep you compliant. For further information on data protection website compliance, please contact our data protection team on 01392 210700 or by email at