If in recent days you too have received an email with the subject “Illegitimate use of Google Analytics: request for removal pursuant to art. 17 GDPR ", sent by a certain Federico Leva, don't panic.
In this article we will explain what it is, if and how to respond and how to behave in similar cases. Following the provision of the Privacy Guarantor of last 23 June, it may happen, in fact, to receive other emails with similar requests.
The case
The email in question recalls the decision of the Privacy Guarantor to prohibit the use of Google Analytics in Italy and no, it is not a fraudulent email. Although made in a manner that is not necessarily correct, the request for Federico Leva it is absolutely legitimate.
The text of the email reads:
Dear Data Controller, Dear Data Protection Officer,
I am writing to you as a user of the site _______ to request the removal of my personal data, pursuant to art. 17 ("Right of cancellation") of EU regulation 2016/679. Please respond within 31 days of receiving this letter to confirm compliance, as detailed below.
Your site incorporates Google Analytics, which transfers the personal data of all your visitors to Google in the USA. With the provision of 9 June 2022 (9782890), this was declared illegitimate by the Authority for the protection of personal data, as announced in the press release “Google: Privacy Guarantor stop the use of Analytics. Data transferred to the USA without adequate guarantees ".
The Guarantor "invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on their websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data ", and sets a deadline of 90 days, after which it will proceed to further checks.
The email continues asking for the removal of their data and any backups, but that's enough to understand the request: Federico Leva requests the removal of their data from Google Analytics.
Is it necessary to answer? Yes, you are obliged to respond to the request within 30 days of receipt (and not 31 as indicated in the email). If not Federico Leva will be able to report your site to the Privacy Guarantor. How to answer? Let's see it.
How to reply to Federico Leva's email
As already mentioned, the request for Federico Leva it is legitimate and must therefore be fulfilled. First of all, we recommend that you respond by email and not using the form that you find linked in the request. In this way you will have a copy of the saved answer, in addition to the fact that the link mentioned above is no longer functional, since it is closed.
In order to comply with your request, you must have all the necessary information. In the reply email, ask for the following to be provided:
- your IP address;
- date and time of the last access to your site;
- his CLIENT_ID.
Once you have received this information, you can remove the applicant from Google Analytics. Here's how to do it.
How to remove Federico Leva from GA
The procedure is very simple. As for Universal Analytics, the steps to take are:
- log into Universal Analytics;
- from the menu select Audience (Public);
- from the submenu select User Explorer (User browsing);
- choose the date of your last access;
- search with its CLIENT_ID;
- click the button delete user (delete user).
While for GA4:
- access GA4;
- from the Explore selection menu;
- scroll through the options until you find User Explorer and click;
- set the date of his last access;
- select the user who made the request;
- click the trash can symbol to delete the user.
Why did Federico Leva send this email?
Questioned on the subject Federico Leva, activist, developer and IT consultant, replied:
It's no mystery that I'm not a fan of Google Analytics. I was positively surprised by the provision of the Guarantor, which said to allow 90 days for people to wake up and then we'll see what to do.
Many people do not know that Google Analytics is in contrast with the GDPR and for this I had this idea: I simply thought of informing people of this provision.
This is why I sent the famous email: people can know that they will be able to exercise their rights. The removal request seemed peaceful enough to me.
The purpose therefore seems to be informative but other users, made aware of the matter, could follow his example and send emails with similar requests to the managers of the sites they visited.
Now you know what to answer.