Not really! The eye-catching headline from the following article is actually very misleading (I used Google Translate). In fact, this is a classic example of poor/misleading journalism on this subject…

Example of poor journalism about Google Analytics and privacy

As I wrote in my last article on this subject, Google Analytics and the new EU privacy law #3, if you use Google Analytics to collect personally identifiable information (PII) without the explicit consent of each visitor, then yes, you are breaking the privacy laws in each of the 27 EU member countries. That is the same with any tracking tool/methodology. It also breaks the Terms of Service of GA.

As a web site owner, if you do not collect PII, have a best-practice privacy policy that is easy to find, and do not share your data with 3rd party organisations (without asking for consent from the visitor), then there really is no problem with using Google Analytics.

Whether an IP address can be considered PII is a gray area that is open to interpretation. I personally consider it to be, but in criminal law an IP address by itself is not sufficient to identify an individual. I am not aware of any EU country where that is contrary. Of course, if in doubt, use the Google Analytics _anonymizeIP() function. This removes the last octet from the IP address prior to sending to Google’s data collection servers.

BTW, has anyone compared the before/after impact on the reports of turning _anonymizeIP on? My suspicion is that outside of large geographical, single cultural markets (e.g. outside US/Canada/Australia), using _anonymizeIP has little impact, so _anonymizeIP() should be used on your website by default…
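To make the last-octet removal concrete, here is an added example (not Google Analytics code and not from the original article) that masks IPv4 addresses the way the paragraph above describes and shows how many distinct visitors collapse into the same masked value. The function names are hypothetical and the sample addresses are constructed from the RFC 5737 documentation ranges.

```javascript
'use strict';

// Zero the last octet of a dotted-quad IPv4 address, e.g. 192.0.2.57 -> 192.0.2.0.
// Returns null for anything that is not a well-formed IPv4 address.
function maskLastOctet(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
  }
  return parts.slice(0, 3).map(Number).concat(0).join('.');
}

// Group raw addresses by masked value so the loss of resolution is visible:
// each bucket stands for up to 256 addresses that can no longer be told apart.
function bucketByMaskedIp(ips) {
  const buckets = new Map();
  for (const ip of ips) {
    const masked = maskLastOctet(ip);
    if (masked === null) continue; // skip malformed input
    if (!buckets.has(masked)) buckets.set(masked, new Set());
    buckets.get(masked).add(ip);
  }
  return buckets;
}

// Constructed sample hits (documentation ranges), including a repeat visitor
// and two malformed values that must be rejected rather than masked.
const SAMPLE_HITS = [
  '192.0.2.57', '192.0.2.201', '192.0.2.57',
  '198.51.100.14', '203.0.113.9', '203.0.113.250',
  '999.1.1.1', 'not-an-ip',
];

// Compare how many distinct addresses exist before and after masking.
function summarize(ips) {
  const valid = ips.filter((ip) => maskLastOctet(ip) !== null);
  return {
    distinctRaw: new Set(valid).size,
    distinctMasked: bucketByMaskedIp(ips).size,
  };
}

console.log(summarize(SAMPLE_HITS));
```

Running the same comparison over your own server logs gives a rough idea of how much IP-derived resolution the masked reports lose.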

So the fear for web users and data protection regulators is really not what website owners can do with Google Analytics reports to identify an individual visitor – assuming you only wish to do business with professional, ethical organisations (anyone can abuse tracking tools to break privacy laws). Rather, the concern is how Google may triangulate originally anonymous data points to identify individuals within the Google network – which as we know, effectively IS the web.

That is very much a legitimate concern, but one that is not being addressed by articles written with a superficial knowledge of the issues involved. It is also not going to be solved by declaring a single tool, out of a plethora of tools, illegal to use. That said, maybe it is Bjørn Erik Thon (see screenshot) who has not understood the issues fully…

Thanks to Eivind Savio of for bringing this to my attention.

I would be interested in any feedback from people who have had contact with the Norwegian Data Protection Authority.