> Also transmitting PII data unencrypted to GA us (but GA does forbid that in their TOS as well).
There is a BIG issue here which is usually splitting hairs, but in this case is super-relevant.
Google's TOS forbids storing PII. GDPR forbids transferring Personal Data (PD). These are nowhere near the same thing. Pseudonymous identifiers are not PII, but are often PD.
Google Analytics requires a pseudonymous identifier to work (the "client ID," by default a randomly generated value stored in a cookie). This may on its own constitute a GDPR violation, despite not counting as PII for Google's ToS or any other American law.
It's possible for a developer to disable GA cookies and/or provide a different client ID to GA, which would make cross-site user tracking and identification of individuals more difficult.
Google would still always get the IP and user-agent though, so maybe that's not enough. Proxying calls to GA and stripping anything which could contribute to a fingerprint should logically make it "legal" everywhere, I would have thought?
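The proxy-and-strip idea from the comment above, as an added example that is not part of the original thread. It assumes the Universal Analytics Measurement Protocol parameter names (`cid`, `uid`, `uip`, `ua`, `aip`); the function names and allow-lists are hypothetical, and it shows only the scrubbing step, not a legal assessment.

```javascript
// Added example (not from the thread): scrub a Measurement Protocol hit before
// a first-party proxy forwards it upstream. Allow-lists are assumptions.

// Only these hit parameters are forwarded; everything else is dropped.
const ALLOWED_PARAMS = new Set(['v', 'tid', 't', 'dp', 'dt', 'ec', 'ea', 'el', 'ev']);

// Only these inbound headers are copied onto the upstream request.
const ALLOWED_HEADERS = new Set(['content-type']);

// newId is injectable so tests can be deterministic; the default needs a
// runtime that exposes Web Crypto on globalThis.
function scrubHit(rawQuery, newId = () => globalThis.crypto.randomUUID()) {
  const inbound = new URLSearchParams(rawQuery);
  const out = new URLSearchParams();
  for (const [key, value] of inbound) {
    // Allow-listing drops cid, uid, uip, ua, sr, vp, ul, dl, dr and any
    // parameter this proxy does not know about.
    if (ALLOWED_PARAMS.has(key)) out.append(key, value);
  }
  // The protocol requires a client ID, so send a fresh one per hit instead of
  // the cookie value. Trade-off: GA can no longer stitch hits into sessions.
  out.set('cid', newId());
  // With uip absent GA sees the proxy's address; aip=1 asks it to truncate that too.
  out.set('aip', '1');
  return out.toString();
}

function scrubHeaders(inboundHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(inboundHeaders)) {
    const lower = name.toLowerCase();
    // Cookie, User-Agent, Referer, Accept-Language and X-Forwarded-For
    // never pass, because they are not on the allow-list.
    if (ALLOWED_HEADERS.has(lower)) out[lower] = value;
  }
  // Fixed value so the proxy's own HTTP client string is not sent either.
  out['user-agent'] = 'analytics-proxy';
  return out;
}

// Constructed sample hit; 203.0.113.7 is a documentation address.
const SAMPLE_HIT =
  'v=1&tid=UA-XXXXX-Y&cid=555.1234&uid=alice&t=pageview&dp=%2Fhome' +
  '&uip=203.0.113.7&ua=Mozilla%2F5.0&sr=1920x1080&ul=de-de';
```

Paths sent in `dp` can still carry personal data (for example a username in the URL), so a real deployment would normalise them before forwarding.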