UK Google Analytics users beware

Filed under: All Articles > Industry News
By: NMK Created on: November 7th, 2006

Since its launch in 2005 Google Analytics has become a well-loved free statistics tool among UK bloggers, publishers and marketers alike. Yet, Chris Lightfoot explains, users of the service could be in breach of the UK Data Protection Act.

As many web publishers have discovered, and delighted in, Google Analytics is quite simple to implement. Google supply a bit of HTML which users of the Analytics service include in their web pages; the HTML fragment includes a JavaScript program from Google's servers. When a user views the page, their browser requests the JavaScript code and runs it. The JavaScript runs in the context of the site's page in the user's web browser and has access to personal information visible on the page. Information, particularly regarding how the user uses the page - links they click on, duration spent on the page etc. - is then supplied to Google through another HTTP request.

In this process various pieces of personal information are transferred to Google. At the very minimum the user's IP address is sent to the Analytics service. An IP address is often all the information required to identify the user, although not in all cases. The IP address is therefore considered personal information in the sense of the Data Protection Act, and as a consequence of how the Analytics service works is supplied to Google.

In principle Google can alter the JavaScript they supply to transfer almost any information on the pages viewed to their servers; for instance you could imagine that if Analytics were used on, say, a dating site, information about the user's profile could be supplied to Google. Worryingly, regardless of what the terms and conditions say, information is accessible to Google by varying the code they run on the client's browsers.

The JavaScript code used is the copyright of Google, and the terms and conditions of Analytics prohibit users of a site that use the service from auditing it to discover what information is sent to Google - although, even if they were to do so the JavaScript could later be changed. By including the Analytics code on their pages, the publisher of a website gives Google extensive access to personal information about their users.

An additional note here is necessary. Whereas the IP address is considered 'personal data' - it is sufficient, perhaps in conjunction with other information, to identify a single living individual - other information accessible to Google through the Analytics service may be considered 'sensitive personal data', meaning that it gives information about an identifiable individual's racial or ethnic origin, political opinions, religious beliefs, trades union membership, health, sexuality, etc.

Under the Data Protection Act the conditions for handling sensitive personal data are naturally more stringent than those relating to non-sensitive personal data. In the example of a dating site there would obviously be a high degree of sensitive personal data, but even something as trivial as a weblog, where a person posts statements of a political nature under a pseudonym, could fall into this category.

This may be enough to worry the average web user, who is unlikely to be aware of whether a site is using Analytics without looking at the source code; however breaches of the UK Data Protection Act go much further.

Google is a US company, and the servers on which Analytics runs are located in the United States. Generally speaking the UK Data Protection Act prohibits the transfer of personal data to countries which do not offer sufficient guarantees of data protection (the eighth Data Protection Principle), unless the consent of the data subject (the person to whom the personal data refer) has been given.

Most websites that use Analytics (indeed, every website that I have ever seen that does) do so non-consensually - users are not notified that their use of the site is subject to their personal data being transmitted to the United States and beyond the reach of the Data Protection Act. By transferring their users' data without consent to the US they are in breach of the eighth Principle and could therefore be subject to enforcement proceedings under s.40 of the Data Protection Act - and ultimately be subject to criminal sanctions if they fail to comply with a notice issued under that section.

There are a few circumstances in which it's permissible to transfer data outside the area covered by data protection legislation (roughly, the EU); for example, you may transfer personal data when the vital interests of the data subject are threatened. Another permissible circumstance is when an agreement has been concluded between the EU and certain foreign companies about the handling of personal data of EU citizens within those countries but outside the EU. One such agreement is the 'Safe Harbor' (negotiated by the Department of Commerce in the US) between the EU and the US, to which Google is a signatory. 'Safe Harbor' is considered controversial by some as it does not make clear whether it provides in practice the protections it is supposed to - specifically, adherence to the Data Protection Act Principles.

Even disregarding this, to comply with the 'Safe Harbor' provisions a US company must (among other requirements) notify users about the uses to which their data is being put, and offer them a choice about such use. As already discussed these scenarios do not apply to the normal use of Analytics, as users' data is transferred without consent and without notice. Indeed, most users will not even be aware that Analytics is in use, unless they read the source of the affected web pages, have their browser notify them about the characteristic 'utmz' cookies, or take other specific steps to become aware of this. The 'Safe Harbor' provisions are therefore not relevant to use of Analytics.
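An added example (not part of the original article, and not Google's code): a short Python audit that does what the paragraph above says a reader would otherwise do by hand, listing the scripts a page loads from other hosts (the mechanism described earlier in the article) and picking 'utmz' cookies out of a Cookie request header. The sample page, the legacy `urchin.js` snippet in it, the cookie values and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptAudit(HTMLParser):
    """Collect every <script src=...> whose host differs from the page's host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.third_party = []  # (host, absolute script URL)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if not src:
            return  # not a script, or an inline script served by the site itself
        # Resolve relative and protocol-relative (//host/path) URLs first.
        absolute = urljoin(self.page_url, src.strip())
        host = urlsplit(absolute).hostname
        if host and host != self.page_host:
            self.third_party.append((host, absolute))

def third_party_scripts(page_url, html):
    """Return (host, url) for each script the page pulls from another host."""
    audit = ScriptAudit(page_url)
    audit.feed(html)
    audit.close()
    return audit.third_party

def analytics_cookies(cookie_header):
    """Names of cookies in a Cookie request header that contain 'utmz'."""
    names = [part.split("=", 1)[0].strip() for part in cookie_header.split(";")]
    return [n for n in names if "utmz" in n]

# Constructed sample page and Cookie header (not captured from a real site).
SAMPLE_URL = "https://blog.example/post/1"
SAMPLE_HTML = """
<html><head><script src="/static/site.js"></script></head>
<body><p>Post text</p>
<script src="//www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-000000-0"; urchinTracker();</script>
</body></html>
"""
SAMPLE_COOKIE = "session=abc123; __utma=1.2.3; __utmz=1.2.3.utmcsr=(direct)"

if __name__ == "__main__":
    for host, url in third_party_scripts(SAMPLE_URL, SAMPLE_HTML):
        print(f"third-party script from {host}: {url}")
    print("analytics cookies:", analytics_cookies(SAMPLE_COOKIE))
```

Every host the audit reports is a party whose code runs in the context of the page and can be changed by that party after the page is published.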

The solution is very simple: don't use Google Analytics. There's no reason to transfer your users' personal data to another company, especially one outside the EU, and if you do, you ought to be informing them that you do so and obtaining their consent. And that doesn't mean burying it in sub-section 14 of an obscure terms-and-conditions document hidden in a tiny link at the bottom of your page - it means being upfront about what you're doing, before you do it! In any case there are plenty of log analysis tools that don't rely on breaching users' trust.

About the author
Chris Lightfoot is a software developer; in his day job he works for mySociety developing civic websites.

Comments

drewsta said:

clarification on the DPA

"The IP address is therefore considered personal information in the sense of the Data Protection Act...", is this true? Where does it state this? We use analytics on our sites, but disable the reporting as soon as it hits the personal data pages, e.g. login, user profiles etc. etc. It only logs on the public webpages.
