The impact of GDPR on Google Analytics – UK – Peak Demand

The General Data Protection Regulation (GDPR) is coming into force in May this year and forcing organisations to review the ways they collect and manage personally identifiable data of EU citizens.

Google Analytics is the industry standard for web analytics and is installed on an estimated 50 million websites.

How does GDPR impact Google Analytics?

Setting the scene – the role of the e-Privacy regulation

GDPR grabs the headlines and rightly so. It is a big deal for organisations impacting the way personally identifiable data is collected and managed. But for digital marketers in the UK it is actually the e-Privacy regulation that will govern much of our activity. This is intended for implementation alongside GDPR on 25th May 2018 – but it seems very unlikely that this target will be achieved as the text is still being negotiated.

GDPR will become law and be the over-arching framework dealing with the processing of personal data – but in the UK until the new e-Privacy regulation comes into force the specifics of electronic communications will still come under the Privacy and Electronic Communications Regulations (PECR) from 2003.

So the rules for electronic communications are changing but we don’t know exactly what they will be and we don’t know exactly when they will come into force.

Therefore, at this stage we can only look ahead based on the current draft text of the e-Privacy regulation and consider the implications for Google Analytics on that basis.

Do we need to gain explicit opt-in from users if we use Google Analytics?

No, not for a standard implementation of Google Analytics. Google collects a lot of data from every visit / visitor to your website but it does not store any personally identifiable information. A visitor’s IP address (which is now recognised as personal data by GDPR) is used to determine their physical location but the IP address itself is not data that can be accessed through Google Analytics. All data in Google Analytics is aggregated and anonymised.

Cookies fall under the framework of GDPR, but more specifically will be part of the new e-Privacy regulation. There has been a concern that explicit cookie consent will be required for Google Analytics. But in January 2017, the European Commission clarified the high-level privacy rules as follows:

The so called “cookie provision”, which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.”

However, we reiterate that the e-Privacy regulations are still in draft so it is possible that this could change in the future.

Update: 18th April 2018 – Google has introduced new consent policy in the EU

Google has contacted all Analytics users with this statement relating to it:

“Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy – to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps int the EEA.”

The need to comply with the new consent policy is linked to whether you use Google Analytics advertising features. This article assumes a standard implementation of Analytics that does not use advertising features. However, it is acknowledged that many Google Analytics installations do use advertising features. If you are not sure whether advertising features are enabled, go to your Google Analytics property, select Tracking Info and then Data Collection.

What if we’ve modified the Google Analytics implementation to retain a user’s IP address?

There are methods to adapt the standard Google Analytics implementation to retain each users IP address.

In this case, you have two problems.

  • You are breaking Google Analytics terms of service by storing personally identifiable data – see section 7 of the terms
  • You are going to have complications with GDPR compliance

As you are breaking Google’s terms of service the recommendation is to remove this custom code from your Google Analytics implementation immediately.

What if our website URL parameters include personally identifiable data?

It is possible that a form on your website uses a GET method which on submission pushes the inputs from the form as URL parameters in a new page. For example, if you have a contact form that asks for a name, email and phone number, you could end up with a URL such as:

https://www.yourcompany.com/thanks?name=person&email=person@domain.com&phone=012345678

Because this is a new page it will be recorded in Google Analytics as a pageview containing the URL and the parameters.

This breaks Google Analytics terms and causes GDPR compliance issues. You should remove the URL parameters by changing the form to use a POST method or finding an alternative solution.

What if we push data into Google Analytics via Custom Dimensions or Metrics?

Custom Dimensions and Custom Metrics offer the potential for powerful Google Analytics data segmentation options. Developers can insert context relevant data into the Google Analytics javascript code. Google Tag Manager provides a relatively simple way to collect data through Data Layer variables and insert into custom dimensions or metrics.

The key here is to stick to Google Analytics terms of not storing personally identifiable data. Organisations may see the value in using data from authenticated (logged-in) users within Google Analytics. But if this includes data such as names, emails, phone numbers or postcodes then you are breaking Google’s terms and you have problems with GDPR compliance.

What if we can determine an individual through standard Google Analytics data?

In some instances it is possible to work out the web actions of a specific individual through Google Analytics. For example, if you have an e-commerce store and use Google e-commerce tracking then you can create a custom segment for a visit that included a checkout with a specific order number.

However, the only way of linking a named individual with the web activity is to identify the user through the order number from your order management system. Without access to your order management system you cannot associate Google Analytics activity with an individual person.

There is a concern that this could force Google to stop the collection of e-commerce data in Google Analytics. Google doesn’t consider it is personally identifiable information and we very much hope that the regulators also see it this way, as e-commerce data in Google Analytics is an important element for running e-commerce digital marketing campaigns.

You should take steps to restrict Google Analytics access to users who have a need to access this information.

Are you concerned about your Google Analytics compliance with GDPR?

Do get in touch with us to discuss our Google Analytics implementation audit service.

Important Caveat

Interpretation of GDPR and e-Privacy regulations vary and will continue to prompt discussion both before and after implementation on 25th May 2018. Peak Demand is a digital marketing consultancy not a legal adviser.

9 responses to “The impact of GDPR on Google Analytics”

  1. I just need to know if I have to stop my monthly updated graph about the countries of our site visitors. You can see it at the foot of my homepage (URL given). I update this every month will it become illegal?

  2. There’s so so much conflicting information on GA and GDPR. Many sources I have read state that we must enable the anonymizeIp feature in GA to prevent the PII being sent to Google (for them to process and determine the location).

    I’d love to hear your thoughts on this?

    • Hi Christopher, I agree it is not clear what is expected. In a standard implementation the IP is held by Google but not visible to the Analytics user who collects it. In a strict interpretation you could say you are collecting personal data but on the basis that you can never see it or process it, I’m not sure it would be top of the regulators list of concerns. That said, I don’t see any real downside in using the anonymizeip feature.

  3. Google analytics adds a unique ID as part of its initialization to track new vs returning visitors, because of this unique ID which is classified as personal data, you can not load google analytics without consent.

    • Hi Danny, thanks for your comment. It is clear in the texts from the EU regulators that they had a strong intention with GDPR and ePrivacy to remove the constant cookie alert pop-ups. Yet, we can see so much confusion as to the actual implementation and post-GDPR launch I see more cookie pop-ups (and more extensive cookie pop-ups) than ever before. I expect the upcoming ePrivacy regulation will seek to address this. Anyway, to answer your point, Google doesn’t see the unique ID as personal data https://support.google.com/analytics/answer/7686480

      • Note also the last line of the linked document:

        “Note that data excluded from Google’s interpretation of PII may still be considered personal data under the GDPR.”

        Google doesn’t see IP addresses as PII, either. Are you suggesting we all use the “Google says” defence?

        Caveat: I am not a legal adviser, either 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Contact Us

We tailor the services we offer to your specific needs and budget

Contact us