> EU law just restricts storing & processing _personal_ data (GDPR)
To be clear to anyone reading: using Google Analytics without a non-Google-hosted anonymisation step breaks GDPR. This _has_ been litigated in court in several countries. There's no "ifs" or "buts" about it.
There's an implicit _for websites_ on there. Has it been litigated for non-website use like this where the program can control which fields are being submitted?
GDPR doesn't distinguish between websites and applications. It's about collection, storage, and transmission of personal information. No matter who, what, or where. One of the core pieces of information cracked down upon by the French DPA CNIL is that the IP of a user is considered protected under GDPR.
The German DPA has ruled that the usage of Google Fonts on a website broke GDPR because it forced the user's browser to reveal their IP to Google.
To be clear to anyone reading: using Google Analytics without a non-Google-hosted anonymisation step breaks GDPR. This _has_ been litigated in court in several countries. There's no "ifs" or "buts" about it.