Analytics Blog
5 Actionable Steps to GDPR Compliance with Google Analytics
Disclaimer: I am not a lawyer and this blog post is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggested clarifications, please comment and provide sources, as appropriate.
Countdown to GDPR
What is GDPR and Why Should I Care?
The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy regulation that puts the customer/individual in control and it goes into full effect on May 25, 2018. The purpose is to consolidate privacy regulations across the EU.
If you are not yet familiar with the details of GDPR and why you should be taking action for readiness ahead of the May deadline, read my blog post on how to Avoid Penalties and Build Trust by Becoming GDPR Compliant.
Quick Highlights of GDPR
- Monetary administrative penalties of €20 million or 4% of worldwide revenue if your organization is not in compliance.
- Subjected to GDPR even if you don’t have a physical presence in the EU; if you provide goods or services to EU citizens, you are impacted.
- The definition of personal data is expanded and clarified to include IP addresses, cookie identifiers, and GPS locations.
- Explicit consent and transparency is required; this means that inactivity and pre-checked boxes are not considered consent.
- EU citizens have the right to be forgotten and personal data must be erased upon request.
- GDPR is an opportunity to build trust and help your brand stand out.
While the GDPR may at first appear daunting, I’ll provide you five actionable steps to help you on your journey towards GDPR compliance with Google Analytics.
Disclaimer: Be aware that this blog post is only considering Google Analytics and not the other marketing technologies that your site likely uses.
Google Analytics: Your Data Processor
Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organization is the Data Controller since you control which data is sent to Google Analytics.
With Google as your Data Processor, they have obligations to conform to the EU GDPR. According to Google’s own Privacy Compliance website, they are “working hard to prepare for the EU’s General Data Protection Regulation.” You can see more details on this site and it is almost certain that Google Analytics will be fully compliant by May 25, 2018. As part of being a Data Processor, Google must provide a data processing agreement that you’ll need to accept.
As a comparison, Adobe Analytics is working on the same GDPR readiness, as is Mixpanel.
Actionable Steps to Become GDPR Compliant with Google Analytics
#1) Audit Your Data for Personally Identifiable Information (PII)
Hopefully this doesn’t come as a surprise, but collecting Personally Identifiable Information (PII) is against the Google Analytics Terms of Service.
This is true both of Google Analytics Standard and the paid Google Analytics 360 solution. Whether you are confident or not, now is the time to audit your data collection to ensure that you are not transmitting PII.
- Check your Page URLs, Page Titles, and other data dimensions to ensure that no PII is being collected. A common example of PII data collection is when you capture a Page URL that contains an “email= querystring” parameter. If this is the case, you are likely leaking PII to other marketing technologies in use on your site!
- Ensure that any data entered into forms by Users, that is also collected by GA, does not contain PII.
- Be aware that simply filtering out PII (via Google Analytics filters) is not sufficient; you must address this at the code-level to prevent the data from ever being sent to Google Analytics.
#2) Turn on IP Anonymization
Under the GDPR, an IP address is considered PII. Even though the IP address (by default) is never exposed in reporting, Google does use it to provide geo-location data.
To be safe, we recommend turning on the IP Anonymization feature in Google Analytics. This requires a code change to enable. If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.
If you don’t use Google Tag Manager (GTM), your tag management system may have this setting exposed as an option, or you may need to edit the code directly.
The result of this change is that Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address (your IP becomes 123.123.123.0 — where the last portion/octet is replaced with a ‘0’). This will happen before storage and processing begins. “The full IP address is never written to the disk” when this features is enabled.
The impact of this GDPR change on your data is that geographic reporting accuracy is slightly reduced.
The impact of this GDPR change on your data is that geographic reporting accuracy is slightly reduced. Click & Tweet!
#3) Audit your Collection of Pseudonymous Identifiers (hashed Emails, User IDs)
Your Google Analytics implementation may already be using pseudonymous identifiers. This may include the following:
- User ID — This should be an alphanumeric database identifier. This should never be plain-text PII such as email, username, etc.
- Hashed/Encrypted Data such as Email Address — “Google has a minimum hashing requirement of SHA256 and strongly recommends the use of a salt, minimum 8 characters.” — Source. We do not recommend collecting data in this manner.
- Transaction IDs — Technically, this is a pseudonymous identifier since when linked with another data source, it can lead to the identification of an individual. This ID should always be an alphanumeric database identifier.
Under both GDPR and the Google Analytics Terms of Service, this appears to be an acceptable practice. But, this is where you are advised to ensure that your Privacy Policy is updated to reflect this data collection and purpose, as well as to gain explicit consent (via opt-in) from your users. In both cases, the language used needs to be clear (no technical or legal terms) and answer the questions of, “what data is collected?” and “how it will be used?”
If you are familiar with the GDPR at this point, you may be asking yourself how you can reasonably honor a User’s request to be forgotten.
This is tricky as Google Analytics does not (currently) provide a method for selective data deletion. From our point of view, you’ll likely need to delete the User ID from your CRM to satisfy this requirement, which will prevent the record in Google Analytics from being associated to a known individual. We do not have insight into Google’s plans, but perhaps they’ll offer a method of User ID/Client ID data deletion by the time GDPR goes into effect. (UPDATE: Thanks to Yehoshua Coren for letting us know that Google announced at Superweek that they will support User ID/Client ID data deletion.)
#4) Update your Privacy Policy
The most important update to your Privacy Policy under GDPR is that these notices need to be written in a way that is clear, understandable, and concise.
As it always should have been, the intent of the Privacy Policy is to describe what you do in a clear manner and then, most importantly, your organization needs to follow through and do what it says. Your audience of the Privacy Policy is the end user (not lawyers).
Per this eConsultancy article, you should consider the following questions when writing your privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
#5) Build an Opt In/Out Capability
The big question on everyone’s mind is if they really need to get explicit consent for tracking. After all, this could be a substantial amount of work and could absolutely impact the participation of users in your Google Analytics data. The answer to this question is multi-pronged in that most likely you will, that it depends, and that you should seek legal counsel.
Let’s dive into a few considerations to think through.
The most common approach to this that we’ve seen is to have an overlay modal on the page that asks the user for permission and then once granted, the page either reloads or the Google Analytics scripts (and other marketing technologies) proceed to execute.
You may consider leveraging technologies such as Tealium’s Privacy Widget to achieve this technical objective. There are many other vendors to consider such as Evidon and TrustArc.
See our Healthcare.gov Case Study from back in 2015 where we helped implement the US Government’s first website to offer consumers the ability to opt out of tracking and to honor the Do Not Track browser setting. This was achieved by using Tealium iQ’s Privacy Manager technology.
If you are using Google Analytics data to collect UserID/Hashed PII or to assist in behavioral profiling or if you are using other advertising technologies, you’ll need to build an opt-in consent mechanism as well as functionality for your users to opt-out at any point.
Since Google Analytics also records an online/cookie identifier called the GA Client ID, and because this is part of the core functionality of the product, you will likely need to offer the opt-in consent for all EU visitors to the site. This is a point that you’ll want to seek legal counsel on, but if you read the regulation, it specifically mentions that online identifiers (such as the GA Client ID) are considered personal data and thus it would be subject to this regulation. We’ve read other sources that indicate that there would be no need to offer consent if you aren’t collecting User ID or any other pseudonymized data in Google Analytics.
There are requirements as part of GDPR to prove that consent has been given (audit trail). We recommend as part of the explicit action of affirmative consent, that you track/log this in Google Analytics as an event. You may also want to record this in your own database against the Google Analytics Client ID (and User ID if applicable).
Share Your Challenges
These five actionable steps towards Google Analytics GDPR compliance are a great way to help your organization either begin the conversation, or continue your efforts with new ideas that you may have missed. GDPR is a complex regulation and it is imperative that your organization develop the right roadmap towards becoming compliant.
While the focus of this post is Google Analytics, these steps also apply towards other digital analytics and marketing vendors. Each organization is different and there are certainly more that you’ll need to do for compliance, so we’d love to hear about your challenges.
Please share your tips, concerns, and questions in our comments section below to continue the conversation around how to progress towards GDPR compliance.