The use of Google Analytics without the extension “anonymizeIP” constitutes a violation of data protection law and of the general right of personality. This was decided by the disctrict court („Landgericht“) Dresden in a remarkable judgement of January 11, 2019, which concerns the current data protection discussion on the use of web tracking technology (District court Dresden, judgement of January 1, 2019, reference number 1a O 1582/18).
As a result, every affected website visitor can assert omission as well as the usual ancillary claims (information, damages and reimbursement of warning costs) against the website operator if his data is stored illegaly. It doesn‘t depend on a competitive relationship.
Situation
The plaintiff, a natural person, brought a legal action against the operator of a commercial internet portal for omission, information and indemnity from pre-trial legal costs.
By accessing the defendant’s website, he found out that the defendant used the tracking tool Google Analytics for his website without using the function “anonymizeIp” to mask the IP address of the visitors in Google Analytics.
The plaintiff made this determination on the basis of an IP tool developed by himself, which serves the sole purpose of identifying missing references to the anonymization of IP addresses when using Google Analytics. The integration of Google Analytics without the extension “anonymizeIP” has the consequence that his personal data, in particular the IP address of the device used, is transmitted to Google’s server in the USA and thus to a third party without his consent when accessing the website. The plaintiff appealed against this and demanded omission of transmission of the IP addresses to Google.
The defendant argued that the use of the IP tool specially developed by the plaintiff to identify masses of missing references to the anonymization of IP addresses in Google Analytics was an abuse of rights. In addition, the plaintiff could have taken measures himself, for example by setting the appropriate browser settings, to prevent the transmission of his IP address to Google.
District court Dresden: Violation of the general right of personality
The district court Dresden has based the asserted claims of the plaintiff on a violation of the general right of personality and has granted the action. The plaintiff is entitled to an injunction according to analog Section 823 para. 1 German Civil Code (BGB) in connection with Section 1004 German Civil Code (BGB).
According to the court, the transmission of non-anonymised IP addresses to Google constitutes an unauthorised disclosure of personal data and thus a violation of the general right of personality and is also prohibited for data protection reasons. The plaintiff was infringed by the use of Google Analytics without the “anonymizeIP” addition, in particular in his right to informational self-determination and his right to respect for his personal identity.
In this context, the court assumes that IP addresses are personal data if they are stored by a provider of online media services when accessing websites.
Also according to the applicable data protection law, the disclosure of non-anonymous IP addresses to Google within the scope of Google Analytics can only be justified by an explicit user consent. This isn’t the case here, insofar the transmission to Google is contrary to data protection law. In addition, a mere reference to the general terms and conditions of the service provider, which contain a consent text, is not sufficient. Because then there is a lack of a conscious and clear action of the user, with which the consent is explained (District court Dortmund, judgement of February 23, 2007, reference number 8 O 194/06). The consent requirement can only be circumvented by anonymising the IP addresses, which removes the personal reference in such a way that there is no need for data protection.
Focused search for violations of the law is not an abuse of rights
Furthermore, the court emphasized that the claim was not excluded by the fact that the plaintiff deliberately searched for such violations of the law. The plaintiff had written to the defendant himself by e-mail out of court and had not demanded any reimbursement of costs. Instead, the plaintiff had only requested the submission of a cease-and-desist declaration with a penalty clause.
If the defendant had made the cease and desist declaration with penalty clause demanded out of court, it would not have incurred any costs as a result of the violation. The court couldn’t identify the pursuit of irrelevant objectives as the dominant motive for the initiation of the lawsuit, in particular the intention to make a profit.
No obligation to take your own measures to conceal your IP address
The district court also rejected an obligation of the complaining website visitor to conceal his own IP address if necessary in order to prevent it from being passed on to Google. It isn’t the plaintiff’s responsibility to protect his own data. Such an obligation would contradict the principles of data protection law, because the service providers could thereby evade their data protection obligations. The website operator must set up his website in such a way that the data protection rights are guaranteed.
Avoid warnings: Use Google Analytics legally compliant
On the controversial issue of whether the use of Google Analytics, with the addition “anonymizeIP”, is to be considered as data protection conform after the GDPR entered into force, the judgement of the district court of Dresden made no statement. Since also AnonomizeIP has further lacks, web page operators should exactly evaluate whether and in which form they use the tracking service of Google. Website operators who want to continue to use the tracking tool must consider some implementation requirements with regard to the GDPR in order to avoid fines and warning letters. The following points must be fulfilled:
1. Contract with Google about data processing
A processor contract must be concluded with Google according to Article 28 GDPR.
2. Terms of use, privacy policy and objection possibilities
In the moment visitors are accessing your website they must know that your website uses Google Analytics. They must be informed of the nature, extent and purposes of the collection and use of personal data.
Site visitors must be informed that they have the right to object – also via the possibility to opt-out of such use. It’s helpful here to link to the Google add-on, which makes it possible to “switch off” Analytics:
https://tools.google.com/dlpage/gaoptout?hl=de
3. IP anonymization
The site operator must select the settings in the tracking tool in such a way that the IP address is shortened by Google and thus anonymization takes place. On the pages on which Google Analytics is integrated, the Google tracking code must be supplemented by the function “_anonymizeIp()” – so-called IP mask method. You can find out how this can be incorporated into the page code on the Google page under:
https://developers.google.com/analytics/devguides/collection/gajs/methods/gaJSApi_gat?hl=de#_gat._anonymizeIp
Conclusion
It’s currently highly controversial at German courts whether GDPR infringements could be warned at all. However, the court primarily uses German tort law as the basis for its decision. It has awarded such a claim to every visitor of a website or every consumer in the event of unauthorised IP storage or IP forwarding within the skope of Google Analytics and based the asserted claims on a violation of personal rights – and not on data protection standards.
The private procecution of data protection infringements via personal rights injunctive relief claims as a new law enforcement option contains new warning risks for operators of portals and websites, as it enormously increases the number of consumers entitled to sue. Whether other courts will also follow this line remains to be seen.