The German regional data protection authority recently issued a statement that the use of Google Analytics and similar products by companies to track consumer visitors to websites violated German privacy laws. The German Data Protection Act (“DPA”) requires that websites using analytics software must notify users that they are being monitored, and if the collected data is being transferred outside of Germany or the European Union, the company must get consumer consent for such a transfer. According to the German DPA, companies using Google Analytics failed to notify consumers of the use of analytics and failed to obtain consent prior to transferring the data to Google in the United States. Furthermore, the German DPA found that the data processor agreements between companies and Google did not meet the country’s statutory requirements in that the agreements failed to specify mechanisms necessary to effectively control how Google could process consumer personal data. The German authority did not pursue any enforcement actions or fines against Google as a result of its investigation.
TIP: Companies collecting data in foreign countries should keep in mind the (often more stringent) requirements of the local jurisdictions where they operate.