Google Analytics and the GDPR

We’ll get into the detail in a moment, but before we do, here’s a quick summary of what I’d recommend if you’re preparing for the GDPR when it comes to Google Analytics:

  1. Implement a cookie notice for people located in Europe
  2. Ensure that you’re not tracking any personally identifiable information
  3. Provide a clear and concise privacy policy
  4. Enable IP address anonymization for Google Analytics
  5. Select your data retention setting for Google Analytics

GDPR and Google Analytics

If you collect personal data on your website from people located in Europe then you need to be ready when the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. The GDPR provides specific rights for individuals when their data is going to be shared. It means that people need to be informed about how data will be processed and how it will be used, and importantly it gives them the right to ask for a copy of the information and even ask to have their personal data deleted.

We’re going to focus on the GDPR in relation to Google Analytics, but it’s important to highlight that the regulation in Europe goes beyond collecting personal data for marketing. It can apply to any situation where personal data is being processed, like when you go to the doctor or sign up with an electricity provider.

Examples of personal data include:

  • First and last name
  • Home street address
  • Email address
  • IP address
  • Cookie ID

When it comes to Google Analytics you shouldn’t be sending any personal details that are readable in the reports. For example, if you can see someone’s name or their email address in Google Analytics then that would mean a breach of the Google Analytics terms of service.
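A common way personal details end up readable in reports is through page URLs, for example an email address in a query string. The following is an added example (not code from Google or from this post) that scrubs a URL before the page path is reported; the parameter names in `SENSITIVE_KEYS`, the `REDACTED` marker and the sample URLs are assumptions.

```javascript
// Added example: remove personal data from a page URL before reporting it.
// SENSITIVE_KEYS is an assumed list; extend it with your own form fields.
const SENSITIVE_KEYS = new Set([
  'email', 'e-mail', 'name', 'first_name', 'last_name', 'phone',
]);
// Anything shaped like local@domain.tld, bounded by URL delimiters.
const EMAIL_RE = /[^\s\/?&=#]+@[^\s\/?&=#]+\.[^\s\/?&=#]+/g;

function scrubPagePath(rawUrl, base = 'https://example.test') {
  const url = new URL(rawUrl, base);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      // Drop the whole value for parameters known to carry personal data.
      kept.append(key, 'REDACTED');
    } else {
      // Otherwise only replace email-shaped substrings.
      kept.append(key, value.replace(EMAIL_RE, 'REDACTED'));
    }
  }
  // Emails can also sit in the path, sometimes with an encoded "@".
  const path = url.pathname.replace(/%40/gi, '@').replace(EMAIL_RE, 'REDACTED');
  const query = kept.toString();
  return query ? path + '?' + query : path;
}

// With analytics.js the scrubbed value would be set before the pageview:
//   ga('set', 'page', scrubPagePath(window.location.href));
```

Running the same function over the page paths already in your reports is a quick way to check whether personal data has been collected in the past.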

This leaves IP address and cookie ID which are mentioned in the GDPR and can be personal data. This is where I’ve seen different interpretations of the regulation, so you’ll need to consider the data you’re collecting and how you see this fitting with the GDPR. 

Since Google Analytics doesn’t allow me to view individual IP addresses, and I don’t have a way to know that it’s specifically you reading this blog post based on your IP address, I don’t see this as personal data. And if you’re not comfortable with this, then you also have the option of using IP anonymization which I’ll discuss in a moment.

This leaves cookie ID as potentially personal data. When you access a website that uses Google Analytics, the tracking code will create (or update) a cookie in your browser. This cookie includes an identifier that’s called the ‘client ID’. This is a random and unique identifier for your browser. Now there are ways to link this identifier with personal data. For example, if you submit a website form, that form can capture the client ID from the Google Analytics cookie and send the identifier, along with your information to another platform. This then means that information stored in Google Analytics, like the pages you view can be combined with your personal data. This is a case where you absolutely need to be transparent with people and in the case of GDPR, you’ll want opt-in consent to combine the data.
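To make the linkage concrete, here is an added example (not part of the original post) of a form handler that only attaches the client ID when the person has opted in to combining the data. The `_ga` cookie value has the form `GA1.2.<random>.<timestamp>`, with the client ID being the last two fields; the function names, the `consent.combineAnalytics` flag and the sample values are assumptions.

```javascript
// Added example: attach the Google Analytics client ID to a form
// submission only when the visitor opted in to combining the data.

// Extract the client ID from a Cookie header / document.cookie string.
// "_ga=GA1.2.1234567890.1526000000" -> "1234567890.1526000000"
function readClientId(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== '_ga') continue;
    const fields = part.slice(eq + 1).trim().split('.');
    if (fields.length >= 4 && fields[0].startsWith('GA')) {
      return fields.slice(-2).join('.');
    }
  }
  return null; // no Google Analytics cookie present
}

// consent.combineAnalytics is a hypothetical flag set by an unchecked-by-
// default checkbox on the form. Without it the identifier is never sent,
// so the other platform cannot join form data to analytics data.
function buildLeadPayload(formFields, cookieHeader, consent) {
  const optedIn = consent.combineAnalytics === true;
  const payload = { ...formFields, consentToCombine: optedIn };
  if (optedIn) {
    const clientId = readClientId(cookieHeader);
    if (clientId) payload.gaClientId = clientId;
  }
  return payload;
}
```

Recording the consent flag alongside the payload keeps evidence of the opt-in next to the data it covers.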

On the other hand if you’re not combining personal information, like name or email address with data from Google Analytics based on the client ID (or another identifier), then I personally see it falling into a grey area. Is the client ID on its own personal data? Maybe. Maybe not. But if you’re looking to do any marketing based on someone’s cookie, then I’d suggest it probably is. So if you’re going to be running remarketing ads, then you’ll want to use a cookie banner on your website that allows people to opt-in to your marketing cookies.

It’s also important to mention that when it comes to cookies you need to consider the GDPR along with the ePrivacy regulation which is part of the Privacy and Electronic Communications Regulations (PECR). There are some proposed changes to the regulation which will potentially mean a slight relaxation when it comes to general website tracking, but for now it still requires an opt-in or implied consent.

1. Audit the platforms that you’re using to collect, process and store personal data

It’s the perfect time to review all of the platforms that you’re using and create a map of where you’re sending data. This will go beyond Google Analytics, but can be useful in identifying areas where you can minimize the data you’re collecting and storing. For example, I’ve been using Google Sheets and Zapier to transfer data into other platforms, but since auditing all of my platforms I’m looking to reduce and in some cases remove my use of Google Sheets and Zapier. This will make it easier if I ever receive a request for someone’s data to be deleted.

Once you’ve mapped out all of the platforms you’re using you should also list down the personal data that each one is processing. This might lead to other data minimization opportunities. You might even find you’re collecting something you’re not even using.

2. Add a cookie banner to your website

I’m not a fan of cookie banners and to be honest I’m not even sure if people actually pay attention to what they say, but it seems like most sites in the EU have one. If you’re going to be running remarketing ads, then you’ll want to inform people that you’re using cookies to target your advertising. I’m currently using OneTrust to add a cookie notification to my website for people located in the EU. It’s free and seems fairly easy to use (although I am a little confused by their consent settings).

3. Review the Google Analytics privacy features 

There are three privacy features you should be aware of when it comes to Google Analytics. They are the data retention setting, IP anonymization and the user deletion API.

The data retention setting allows you to control when user-based data is removed from Google Analytics. The default for the standard version of Google Analytics is now 26 months, but you can change this to 14 months, 38 months, 50 months, or set it so the data won’t expire. The regulation is vague about how long you can store data, but the general recommendation is the shorter the better. I’d probably stick with the default or change it to 38 months if you want a longer window for your user-level analysis.

IP anonymization is an extra step you can take to ensure that the IP addresses that are sent to Google Analytics are anonymous. It basically removes part of the IP address so there isn’t as much granular detail available. Since you can’t report on IP address in Google Analytics it’s worth considering and the only downside is your location report won’t be quite as accurate.

Google will also be providing a mechanism for you to be able to delete user-level data from Google Analytics. This will be available via the user deletion API (it’s coming soon) and will allow you to respond to requests where people want all of their personal data deleted from the various platforms you’re using.

4. Include opt-in consent on all of your forms

If you’re collecting personal data using forms on your website, then you’ll need to include details about how their data will be used. You’ll need to provide the following details, so that they’re clear and easy to understand:

  • Name of your organization
  • Why you’re collecting the data
  • How you’ll use the data
  • That people can withdraw their consent

You’ll also need to ensure that people are actively opting in to share their personal data for the purposes you’ve stated. This will typically be in the form of an unchecked box that people can then select. Think of this as an opportunity (or challenge) to really highlight the value that you’ll be providing to people.

5. Review your privacy policy

Finally, you’ll want to review your privacy policy. You’ll want to make it clear how you’re collecting and using data. It should be easy to understand and provide details for how people can get their data updated or even removed from the platforms you’re using. My privacy policy probably isn’t perfect, but I’ve tried to make it as simple and logical as possible. 

This isn’t intended to be legal or professional advice and your circumstances might require a different approach to privacy. I always recommend seeking your own legal advice when it comes to the GDPR, privacy and the way you’re using Google Analytics.