The General Data Protection Regulation (GDPR) is coming into force in May this year and forcing organisations to review the ways they collect and manage personally identifiable data of EU citizens.
Google Analytics is the industry standard for web analytics and is installed on an estimated 50 million websites.
How does GDPR impact Google Analytics?
Setting the scene – the role of the e-Privacy regulation
GDPR grabs the headlines and rightly so. It is a big deal for organisations impacting the way personally identifiable data is collected and managed. But for digital marketers in the UK it is actually the e-Privacy regulation that will govern much of our activity. This is intended for implementation alongside GDPR on 25th May 2018 – but it seems very unlikely that this target will be achieved as the text is still being negotiated.
GDPR will become law and be the over-arching framework dealing with the processing of personal data – but in the UK until the new e-Privacy regulation comes into force the specifics of electronic communications will still come under the Privacy and Electronic Communications Regulations (PECR) from 2003.
So the rules for electronic communications are changing but we don’t know exactly what they will be and we don’t know exactly when they will come into force.
Therefore, at this stage we can only look ahead based on the current draft text of the e-Privacy regulation and consider the implications for Google Analytics on that basis.
Do we need to gain explicit opt-in from users if we use Google Analytics?
No, not for a standard implementation of Google Analytics. Google collects a lot of data from every visit / visitor to your website but it does not store any personally identifiable information. A visitor’s IP address (which is now recognised as personal data by GDPR) is used to determine their physical location but the IP address itself is not data that can be accessed through Google Analytics. All data in Google Analytics is aggregated and anonymised.
Cookies fall under the framework of GDPR, but more specifically will be part of the new e-Privacy regulation. There has been a concern that explicit cookie consent will be required for Google Analytics. But in January 2017, the European Commission clarified the high-level privacy rules as follows:
The so called “cookie provision”, which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.”
However, we reiterate that the e-Privacy regulations are still in draft so it is possible that this could change in the future.
Update: 18th April 2018 – Google has introduced new consent policy in the EU
Google has contacted all Analytics users with this statement relating to it:
“Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy – to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps int the EEA.”
The need to comply with the new consent policy is linked to whether you use Google Analytics advertising features. This article assumes a standard implementation of Analytics that does not use advertising features. However, it is acknowledged that many Google Analytics installations do use advertising features. If you are not sure whether advertising features are enabled, go to your Google Analytics property, select Tracking Info and then Data Collection.
What if we’ve modified the Google Analytics implementation to retain a user’s IP address?
There are methods to adapt the standard Google Analytics implementation to retain each users IP address.
In this case, you have two problems.
- You are breaking Google Analytics terms of service by storing personally identifiable data – see section 7 of the terms
- You are going to have complications with GDPR compliance
As you are breaking Google’s terms of service the recommendation is to remove this custom code from your Google Analytics implementation immediately.
What if our website URL parameters include personally identifiable data?
It is possible that a form on your website uses a GET method which on submission pushes the inputs from the form as URL parameters in a new page. For example, if you have a contact form that asks for a name, email and phone number, you could end up with a URL such as:
Because this is a new page it will be recorded in Google Analytics as a pageview containing the URL and the parameters.
This breaks Google Analytics terms and causes GDPR compliance issues. You should remove the URL parameters by changing the form to use a POST method or finding an alternative solution.
What if we push data into Google Analytics via Custom Dimensions or Metrics?
The key here is to stick to Google Analytics terms of not storing personally identifiable data. Organisations may see the value in using data from authenticated (logged-in) users within Google Analytics. But if this includes data such as names, emails, phone numbers or postcodes then you are breaking Google’s terms and you have problems with GDPR compliance.
What if we can determine an individual through standard Google Analytics data?
In some instances it is possible to work out the web actions of a specific individual through Google Analytics. For example, if you have an e-commerce store and use Google e-commerce tracking then you can create a custom segment for a visit that included a checkout with a specific order number.
However, the only way of linking a named individual with the web activity is to identify the user through the order number from your order management system. Without access to your order management system you cannot associate Google Analytics activity with an individual person.
There is a concern that this could force Google to stop the collection of e-commerce data in Google Analytics. Google doesn’t consider it is personally identifiable information and we very much hope that the regulators also see it this way, as e-commerce data in Google Analytics is an important element for running e-commerce digital marketing campaigns.
You should take steps to restrict Google Analytics access to users who have a need to access this information.
Are you concerned about your Google Analytics compliance with GDPR?
Do get in touch with us to discuss our Google Analytics implementation audit service.
Interpretation of GDPR and e-Privacy regulations vary and will continue to prompt discussion both before and after implementation on 25th May 2018. Peak Demand is a digital marketing consultancy not a legal adviser.