Is My Use Of Google Analytics GDPR Compliant?
Checklist 1: Steps to make your Google Analytics GDPR compliant
1. Control how you are transmitting personal data to Google
It is not sufficient to filter out personal data via the Google Analytics filters.
The transmission must be stopped at code level to prevent the data from ever being sent to Google Analytics.
Check your page URLs, page titles and other dimensions. Ensure that no personal data is being collected.
A common example of personal data collection is when you capture a page URL that contains an “email=” query-string parameter.
If this is the case, it is likely that you are leaking personal data to other marketing technologies in use on your site!
2. Turn on IP Anonymization
The IP address is personal data according to the definition in the GDPR. IP addresses are by default never exposed in reporting, but Google uses them to provide geolocation data.
Therefore, it is a good idea to turn on the IP anonymization feature in Google Analytics.
This change will slightly reduce the geographic reporting accuracy of your Google Analytics account.
To turn on anonymization, you must make a change in the code.
If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.
If you don’t use Google Tag Manager, your tag management system may have this setting exposed as an option, or you may need to edit the code directly.
Once implemented, Google will anonymise the IP address as soon as technically feasible by removing the last octet of the IP address before any storage or processing begins (your IP becomes 220.127.116.11 — where the last portion/octet is replaced with a ‘0’). Once this feature is enabled, the full IP address is never written to disk, according to Google.
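Steps 1 and 2 above, sketched as an added example (not code from the original article or from Google). It strips personal data from the URL before analytics.js sees it and sets the anonymizeIp field. The names scrubPagePath, scrubSegment, SENSITIVE_PARAMS and EMAIL_RE, and the parameter list, are assumptions made for illustration.

```javascript
// Added example. SENSITIVE_PARAMS, EMAIL_RE, scrubSegment and scrubPagePath are hypothetical names.
const SENSITIVE_PARAMS = new Set(['email', 'e-mail', 'mail', 'name', 'phone']); // constructed list
const EMAIL_RE = /[^\s@\/]+@[^\s@\/]+\.[^\s@\/]+/;

// Replace a path segment that contains an e-mail address.
function scrubSegment(segment) {
  let text;
  try {
    text = decodeURIComponent(segment); // also catches %40-encoded addresses
  } catch (err) {
    return 'REDACTED'; // malformed escape sequence: fail closed
  }
  return EMAIL_RE.test(text) ? 'REDACTED' : segment;
}

// Return path + query with personal data removed. The fragment is dropped.
function scrubPagePath(href) {
  const url = new URL(href);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) continue; // drop by parameter name
    if (EMAIL_RE.test(value)) continue;                     // drop by value
    kept.append(key, value);
  }
  const path = url.pathname.split('/').map(scrubSegment).join('/');
  const query = kept.toString();
  return query ? `${path}?${query}` : path;
}

// analytics.js wiring, placed after the tracker has been created.
// Runs only in a page where `ga` has been loaded.
if (typeof window !== 'undefined' && typeof ga === 'function') {
  const page = scrubPagePath(window.location.href);
  ga('set', 'anonymizeIp', true);                       // step 2
  ga('set', 'location', window.location.origin + page); // replaces the full URL
  ga('set', 'page', page);
  ga('send', 'pageview');
}
```

Page titles and other dimensions that can carry personal data need the same treatment before they are set on the tracker.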
What is the GDPR and how does it affect my website?
The General Data Protection Regulation is an EU law that sets out strict requirements on how data of EU citizens may be handled.
It is enforced on 25 May 2018 and affects companies, organisations and websites large and small, that handle personal data of users from the EU.
For website owners, the regulation means that you have to go through all of your personal data processing activities and make sure that they comply.
Typically, data processing activities on websites are one of two types:
- on the one hand, contact forms, email subscriptions and the like, where the personal data is explicitly requested and submitted directly by the user,
- and cookies and online tracking on the other.
With the enforcement of the GDPR, you have to go through both, and revise what data you are gathering, whether you really need this data and why, and how you are keeping it secure.
The problem with cookies in the GDPR
Due to their multiple uses, cookies are often the tricky part of ensuring compliance with the regulation.
Cookies serve a range of different purposes, from functionality and performance, through statistics, to targeted marketing.
Some are necessary for the website to work, and some are not. Some enhance the user experience, some serve for monitoring and user profiling, and some do both.
Some are set by the website itself, while the majority are of third party provenance, typically set by embedded third party plug-ins.
On top of that, cookies on websites tend to change, meaning that getting an overview once and for all will not suffice.
In general terms, though, cookies do track users’ actions and are therefore subject to the GDPR.
Plugins, embedded content, and tools in use on your website all set cookies.
As a website owner, you are responsible for all of the data processing activities going on on your website, regardless of whether they are of first-party or third-party provenance.
What is considered “personal data” in the GDPR?
The issue for website owners when it comes to using tools such as analytics, is the broad definition of personal data in the GDPR:
Not only IP addresses, contact information and sensitive data such as medical and financial records are personal, but also any data which can identify someone “directly or indirectly” using “all means reasonably likely to be used”.
This includes pseudonymous data, online identifiers and cookies which, as the GDPR states, can be combined with other data to create “profiles of the natural persons and identify them”.
What personal data does Google Analytics collect?
Google Analytics works by means of tracking code that is added to the pages of your website. Every user is registered with a unique ID, so that Google Analytics can provide you with insight into how many unique visitors there are to the site, for example, and how many users return.
With Google Analytics, one can survey how often any single user has visited the website, what pages they visited, for how long they stayed and how they interacted with the site.
Combined with their enormous statistical data on internet users, Google Analytics can provide very precise information on what segments your website attracts according to demographics such as age, gender, professional and private interests, geographical location etc.
An accurate overview of what data Google Analytics actually tracks is difficult to get hold of, as it is constantly developing and improving, and Google does not provide transparency about their methods.
According to their Google Ads Data Protection Terms: Service Information, Google Analytics collects the following types of personal data:
- Online identifiers including cookie identifiers
- internet protocol addresses and device identifiers
- client identifiers
“We collect information to provide better services to all of our users – from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like.
We collect information in two ways:
1. Information you give us.
For example, many of our services require you to sign up for a Google Account. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. If you want to take full advantage of the sharing features we offer, we might also ask you to create a publicly visible Google Profile, which may include your name and photo.
2. Information we get from your use of our services.
We collect information about the services that you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or you view and interact with our ads and content.”
According to the GDPR’s definition of personal data described above, the tracking of user behaviour and profiling is only compliant with the EU-regulations when the website obtains prior consent from the visitor, i.e. blocking Analytics until the visitor has opted in.
3. Go through the collection of Pseudonymous Identifiers in your Google Analytics
Your Google Analytics implementation may already be using pseudonymous identifiers. These may include the following:
User ID: Check that the user IDs are alphanumeric database identifiers, and not data written in plain text such as emails, usernames etc.
Hashed/Encrypted data such as email address: Check whether you can do without hashed or encrypted data. Google has a minimum hashing requirement of SHA256. However, it is recommended to avoid collecting data in this manner.
Transaction IDs: Transaction IDs are technically pseudonymous identifiers, since they can lead to the identification of an individual when linked with another data source. Make sure that this ID is an alphanumeric database identifier.
Checklist 2: Steps to make your website’s use of Google Analytics etc. compliant
- is specific and up-to-date at all times,
- is written in a plain and understandable language,
- provides clear instructions on how one may opt in and out of one's data being collected.
2. Implement a GDPR compliant cookie consent
- Obtained prior to the setting of the cookies on the user’s browser (strictly necessary cookies are excepted from this rule)
- Given on the basis of clear and specific information about what the consent is given to
- Based on a true choice. The user must be able to opt out of all but the strictly necessary cookies and still use the site.
- Retrievable. The user must have access to their settings and make changes to what cookies they want to accept and reject.
- Kept as documentation that the consent has been given.
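The consent properties listed above, together with the earlier requirement to block Analytics until the visitor has opted in, can be enforced in code along these lines. This is an added example, not part of the original article or of any consent product. The category names, the record shape, the function names and the rule that consent is tied to a policy version are all assumptions.

```javascript
// Added example. Category names, record shape and function names are hypothetical.
const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

// Build one consent record: the choice, what it was based on, and when it was given.
// 'necessary' is always on; every other category needs an explicit true.
function recordConsent(choices, policyVersion, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === 'necessary' || choices[c] === true;
  return { granted, policyVersion, givenAt: now.toISOString() };
}

// Prior consent: without a stored opt-in, only strictly necessary cookies are allowed.
// Assumption: consent given against an older policy text no longer counts.
function isAllowed(record, category, currentPolicyVersion) {
  if (category === 'necessary') return true;
  if (!record || record.policyVersion !== currentPolicyVersion) return false;
  return record.granted[category] === true;
}

// Retrievable and documented: a change of settings appends a new record,
// so earlier choices remain available as documentation.
function updateConsent(log, choices, policyVersion, now = new Date()) {
  return [...log, recordConsent(choices, policyVersion, now)];
}

// Gate: the analytics loader is called only after an opt-in for 'statistics'.
function loadAnalyticsIfAllowed(log, currentPolicyVersion, loader) {
  const latest = log[log.length - 1];
  if (!isAllowed(latest, 'statistics', currentPolicyVersion)) return false;
  loader();
  return true;
}
```

The loader passed in is whatever injects the analytics script, so no tracking cookie is set before the gate returns true.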
Elemental Media can help set you up so that your website has a cookie consent solution that does all of that.
GDPR Report: GDPR and Google Analytics
Digital Third Coast: How does Google Analytics actually work?
Shivarweb: What does Google Analytics do?
Google developers guide: Google Analytics cookie usage on websites
Stack Overflow: What data is collected by Google Analytics (by default)
Medium: Google Analytics and GDPR Compliance
Google Ads Data Protection Terms: Service Information
GOOGLE IN EUROPE Getting ready for Europe’s new data protection rules
Google's EU User Consent Policy
Full classification of Google's Ads products
The full article can be read here:
Cookiebot – Is my use of Google Analytics GDPR and ePR compliant?