Following similar decisions in three other countries, the Danish data regulator in September ruled against the use of Google Analytics outside the EU unless the user implements additional protective measures. The cases that produced the rulings have been filed by a consumer advocacy group focused on transfers of EU data to Facebook and Google in the US, where it is feared that US authorities will have access to the data.
Why It Matters
Although the Danish ruling, like the others before it, focuses on "big tech," the Danish regulator says explicitly that Google's customers in Denmark must use supplemental measures in order to employ the service lawfully. Since many small and medium-sized US businesses use Google Analytics on their websites, and may be doing business in Denmark, this is a potentially very broad ruling.
Specifically, the Danish authorities recommend pseudonymization -- in addition to toggling on new privacy controls that Google supplies -- but warn as follows:
you must put in place a plan to bring your use of [Google Analytics] into compliance by implementing supplementary measures.
...
If it is not possible to implement effective supplementary measures, you must stop using the tool and, if necessary, find another tool that can provide web analytics and allows for compliance with data protection law[.] (Emphasis added.)
The Danish decision and suggested measures are here.