What to do with Federico Leva’s email on Analytics and GDPR


Over the past few days, tens of thousands of users have received an email with the subject line, “Illegal use of Google Analytics: request for removal under Article 17 GDPR,” sent by Federico Leva.

This event is a direct consequence of the Italian privacy guarantor’s ruling, which defined the use of Google Analytics as illegitimate due to the transfer of data abroad (USA). But who is Federico Leva and why is his request more than legitimate? But more importantly, how should we act now?

Who is Federico Leva?

Interviewed on his YouTube channel by Matteo Flora, university lecturer and popularizer, Federico Leva, says he is originally from Milan and has been living in Helsinki for 5 years, where he would work in the software field. He describes himself as “an activist for free knowledge and digital free software.”

“It is no mystery that I am not a fan of Google Analytics, as it is proprietary software hosted by a company, Google, which has a number of legal problems due to its presence in the US. – says to Matthew Flora – I was positively surprised by the Privacy Guarantor’s measure, which said, let’s give people 90 days to wake up, then we’ll see what to do. This is quite a challenging statement. As unsurprising as it is that Google Analytics is in conflict with GDPR, most people only read information on Google and have no idea about this issue at all.”

He added: “I thought, therefore, to inform citizens about this measure. Indeed, users can exercise their right to request access to their data and its removal from a website. My request seemed peaceful, as it is easily justifiable and solvable. Removing Analytics and replacing it with other tools is quite easy. I send this message not because I am a moral imperative, but because I think it is a citizen’s right.”

Is Federico Leva right?

Federico Leva’s email is legitimate and is an invitation to companies to stop using the tool and remove user data within 90 days, as directed by the Privacy Authority.

In essence, websites that use Google Analytics 3 without the safeguards provided by the EU Regulation are in violation of the GDPR regulations, as they transfer user data to the U.S., a country without adequate level of protection.

Leva provided a mass emailing inviting recipients to respond via the LimeSurvey platform or through a simple email response. This methodology, however, remains very much at the limits of the legislation itself, as Leva uploaded data onto the platform – collected in what way? – without users’ explicit consent. As a result, LimeSurvey itself, after the fuss caused by his posting, proceeded to close his account.

The only error in his request, however, was that he did not provide his Client ID, a necessary piece of information in order to delete data regarding a user on Google Analytics.

What, then, to do in order not to have problems?

This affair has brought to light many questions in website operators and companies, raising concern and perplexity about the measures to be implemented.

In summary, if you have received Federico Leva’s email, you are left with only two options:

  • Delete his data from your Google Analytics: you can reply to the email asking for his User ID and then proceed
  • Remove Google Analytics 3 from your site and replace it with another tool.

What about for those with Google Analytics 4? The issue at the moment is very complex. In fact, on the one hand, by hiding users’ IP, we should not run into problems. However, at the European level, we already know that there are active proceedings that Google will have to respond to, and we will, therefore, have to see how the Garante will move. At this time, we recommend that you proceed in using Google Analytics 4 but consult with your attorneys and DPO and possibly find viable alternatives.

Request information