According to the CNIL, Google Analytics does not comply with the regulations on the protection of personal data.

As a reminder, Google Analytics is a tool that measures the number of visits by Internet users to websites that integrate this tool. To do this, Google Analytics assigns a unique identifier to each visitor (considered as personal data) which is then transferred to the United States.

Following several complaints, the CNIL, in cooperation with its European counterparts, verified the conditions under which the data collected by the Google Analytics tool was transferred to the United States. The CNIL considered, like other administrative authorities for the protection of personal data, that these transfers were not compliant with the GDPR, in particular because Google did not put in place sufficient measures to prevent the American intelligence services from accessing this data.

The CNIL has thus issued a formal notice to the manager of a website to bring the processing into compliance with the RGPD and, if necessary, to stop using the Google Analytics functionality under the current conditions. The website operator in question has one month to comply. Further proceedings against other website operators are also in progress.

Therefore, we strongly recommend that you stop using the Google Analytics tool and replace it with a tool that does not result in a transfer to the United States. The CNIL also recommends that these tools be used only to produce anonymous statistical data, which would allow the website manager to avoid having to obtain prior consent from visitors.

To read the CNIL press release here

To know the audience measurement tools identified by the CNIL as being part of the list of consent exemptions here