Google Analytics is currently legal. The balls up of a EU online privacy law means that one day it might require user consent, but right now they're basically "officially" acting as a remote database where your users information and habits can be stored. That's no more illegal than many other cloud services.

I'm not too concerned about this since I trust GoG somewhat. In an inexplicable human manner, internet people sometimes find this hard to understand.

What I am concerned about, however, is how the staff reacts to this -- for some it might be a valid concern and I don't blame them for it. And that in consequence might or might not affect my trust in the company.

Google itself has lost it's personality altogether, so I don't trust it or even care if I do.

Yes, but there are some regulations about transmitting that information outside the EU that can come into play. Remote databases inside the EU are treated differently from those outside.

Note; it could just be a simple mistake introduced with the new site but it could still look bad.

I'm pretty sure my copy of Ghostery has been shouting about Google Analytics on GOG for some time now. Just as well for them, my purchase history must be confusing the hell out of them, as I've bought the same game about 10 times over.

Anyway, Google aren't based outside of the EU. They're registered as a corporation in Ireland, and have servers all over the world.

I don't think it matters, I'm in Mexico, they can just pay off anyone they need and nothing will happen to them. That's the Mexican Way!

(I DO get your concerns over this. But I personally don't care about this, really.)

I'd agree with Wpegg - this has been going on for at least the last year.

In part, I should accept some blame on this - I've noticed (and blocked) such connection attempts but until now didn't attempt to investigate what was being sent.

As for GA's legality, the EU legislation ([url=http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT]Directive 2002/58/EC[/url]) has been most often discussed with regard to cookies. According to the [url=http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML]English text[/url], these would require permission under section 25.

Transaction data is covered also (section 16 "...in cases where the individual subscriber or user receiving such information can be identified...") so GOG is not permitted to send it to GA without user consent (section 23).

GOG is also required to ensure that their system is secure (section 20) - since using Google Analytics poses a security risk to any website, this is a second issue with GA (and would seem to prohibit the use of GA, in its current form, completely).

I'm not lawyer, but I'm pretty sure that law isn't in force yet. EU folks make laws, but then countries have to interpret them, and make their own laws that fulfil the requirements of the EU ones. The UK has granted a grace period (which we're still in) for complying with this directive. Most other countries are just ignoring it completely.

I have to agree, I don't understand the need for GOG to forward any information about the transaction to google or any other data collection company. I don't see it helping the customers of GOG in anyway except invading their privacy without their consent. And frankly, If GOG needs google analytics to gather statistics, then there is a big problem with their business model

Yep, the relevant legislation in the UK is The Privacy and Electronic Communications (EC Directive) Regulations 2003 (came into force 11th December 2003) and The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (came into force 26th May 2011).

Compliance with this EU Directive by member states has been poor and in the UK the ICO has given a [url=http://www.ico.gov.uk/~/media/documents/pressreleases/2011/enforcement_cookies_rules_news_release_20110525.pdf]one year delay (PDF)[/url] on enforcement - making it the 26th May 2012.

GOG and CD-Projekt's legal obligations however will depend on Polish law - so perhaps Keeveek could research the situation there?

None of this provides adequate justification for the current situation in my view though.

You can block GA by using extensions and similar stuff for some browsers like Firefox and Chrome, and Tracking Protection Lists for IE. Although, this would stop the client-side calls to GA, and you have no way of knowing whether GOG also makes server-side calls to GA.

CD Projekt may be based in Poland, but GOG is incorporated in Cyprus. So I have really no idea whatsoever about that one.

Well, as I said before, read the privacy policy again. It specifically states that they "do reserve the right to use or disclose your personal information".

That's what bothers me. You claim that they aren't passing anything that you consider to be personal information, but evidently they can.

On another note, it's possible I'm going crazy, but certain aspects of the Privacy Policy seem to have been updated overnight (possible I'm wrong), while the policy still says it's untouched since 2008. Interesting if that's the case.

You took that quote out of context: "We do reserve the right to use or disclose your personal information in certain circumstances, such as to satisfy a legal request or protect our property." As in if we think you are guilty of fraud or get a legal writ against then we disclose your personal info - that's pretty standard in legal documentation.

They aren't passing personally identifying information - could they pass less to Google analytics and it still be useful? I don't know. Would it be better if whatever they were using Google for was in-house? Sure, but it's not - at the moment - a big deal. Now if they were to change their policy to state that they can share your personal info with 3rd parties "to provide a better service to you" or some other clause like that, then I would be concerned about privacy where 3rd parties are concerned - but they don't state that and in fact explicitly the state the opposite. "We use your personal information to fulfill your requests and serve you better. We do not share your personal details with outside third parties without your consent." So yes, they can use your info in-house (and really as far as I can tell the only personal things I put in and they actually store about me are my e-mail, birthday, and country and all of which I can change at will), but they don't share that info with others and what they're sharing w/ Google Analytics does not appear to be personally identifying.

That's not actually true - it does not leave them free to do it at their discretion, because of the other clause in the privacy policy:

"We use your personal information to fulfill your requests and serve you better. We do not share your personal details with outside third parties without your consent."

Legally they cannot use a clause like: "We do reserve the right to use or disclose your personal information in certain circumstances, such as to satisfy a legal request or protect our property."

And then claim "we can do it to make money off of you through ads" or something like that - legally that would be fraud because the above statement would be intentionally misleading.