GDPR: Do I Really Need Consent for Google Analytics Tracking?
Considering you are here, I assume you’ve heard about GDPR (General Data Protection Regulation). If the term ‘GDPR’ is new to you, read my other blog posts first:
- Avoid Penalties and Build Trust by Becoming GDPR Compliant
- 5 Actionable Steps to GDPR Compliance with Google Analytics
The GDPR went into effect on May 25th, 2018 and protects EU citizen privacy. Now that we are past the deadline, you may be asking yourself whether you really need to gain consent for Google Analytics tracking. After all, if you put Google Analytics behind an opt-in consent, you’ll quickly be missing a lot of data on your visitors.
As mentioned above, in February 2018, I wrote a blog post detailing “5 Actionable Steps to GDPR Compliance with Google Analytics.” The advice I gave in that post still applies. Now that GDPR has been in effect for several months, let’s revisit one of the least clear tips: gaining consent for Google Analytics tracking.
Google’s Direction on Consent
The official Google Analytics support site has added guidance on user consent for Google Analytics, stating:
“When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.”
To my knowledge, this is the only mention of a GDPR consent requirement by the Google Analytics team.
This direction is quite clear. If you have enabled Advertising features in Google Analytics, then you need consent from the EU citizen first. Google defines ‘Advertising features’ as:
- Remarketing with Google Analytics.
- Google Display Network Impression Reporting.
- Google Analytics Demographics and Interest Reporting.
- Integrated services that require Google Analytics to collect data for advertising purposes, including the collection of data via advertising cookies and identifiers.
Google Signals, recently launched to enable Cross Device features in Google Analytics, is also treated as an ‘Advertising feature’, so you will need consent here too.
It would also seem that if you are NOT using advertising features with Google Analytics, then you do not need consent (more advice on that further below).
Why Else Might You Need Consent
In addition to Google’s statement about Advertising Feature usage, you should strongly consider gaining consent in the following situations:
- Collection of a User ID.
- Collection of any other pseudonymous identifiers.
- Collection of detailed geographic data (postal code, latitude/longitude coordinates).
User ID & Other Pseudonymous Identifiers
It is against the Terms of Service in Google Analytics (standard and the paid 360 version) to collect any PII. The litmus test is generally that if the data set in Google Analytics alone can personally identify a visitor, then it is PII. What is not PII under Google’s terms would be pseudonymous identifiers such as a numeric User ID. The Google Analytics support site provides advice on how you should encrypt an identifier that is based on PII, with a minimum hashing requirement of SHA256.
Don’t confuse this with the definition of PII under the GDPR. Under GDPR, PII is expanded to include direct or indirect identifiers, such as an IP Address (hence the recommendation to turn on IP Anonymization).
Are You Sharing Data With Google?
There are data sharing settings in Google Analytics that promote sharing your data with Google to help improve its services and to allow account specialists to inspect your data for opportunities. I’ve not heard of any clients benefiting from this data sharing and under GDPR, I don’t recommend sharing your data. The benchmarking setting is completely anonymous (and thus likely safe through the lens of GDPR) and is the only one remotely beneficial to your organization.
Data Sharing Settings in Google Analytics
In ‘Account Settings’ of the Google Analytics admin area, there are several Data Sharing Settings that you should be aware of:
How to Have Your Google Analytics Cake and Eat it Too
We’ve gone over a few areas where you may need consent to track data in Google Analytics. Unless you are in the camp of the most stringent interpretation of GDPR (specifically where any online identifier cookie, such as the GA Client ID, requires consent), then there is a method to consider. You can collect data in Google Analytics for your entire audience and then once opted in, expand your data collection as appropriate to include User ID and/or Remarketing data.
This method allows you to have data from all visitors to the site and then if the user opts in, you can include them in the ‘Advertising Features’ to enable remarketing, demographics, Google Signals, and other future features.
This is a win-win in my book as you are honoring the user’s privacy by not collecting anything that is PII or that can be used for behavioral ad targeting.
Designing a GDPR Compliant* Google Analytics Implementation
Recently, the Google Analytics team introduced a code feature to ‘Allow Ad Features’. This code setting is used to disable the beacons that fire to collect data for the advertising features. This setting will override the admin interface selection when the ad features are enabled.
Below is a method to follow for a GDPR compliant* Google Analytics implementation:
*Disclaimer: Consult your legal team before taking my advice
- On your Google Analytics tag implementation, set the ‘allowAdFeatures’ to false if the user has not consented (default value should be false until you have consent). In GTM, this is really simple to do via the More Settings -> Fields to Set option on the Google Analytics tag. See Simo’s great post on how to ‘Allow And Block Advertising Features In Google Analytics’.
- If the user has opted in, at that point, you should set the ‘allowAdFeatures’ to a true value so that Ad Feature beacons are sent.
- Turn on the Anonymize IP feature via your Google Analytics code. Brian Clifton recently researched the impacts of AnonymizeIP and found no accuracy issues at the country level, but there was more of an impact at the city level. Assuming you have clear consent for this type of data collection, then you could set the AnonymizeIP value to true at that point.
- In the Google Analytics Admin under Property -> Tracking Info -> Data Collection, turn on the advertising features you will be leveraging: Remarketing, Advertising Reporting Features, and/or Google Signals.
Sounds simple, right?
The biggest effort is going to be building/implementing a consent management modal to allow the user to select their preferences. Once you have their preference stored in a cookie, then you can decide whether to set the ‘allowAdFeatures’ on the Google Analytics tag to true or not.
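Here is the cookie-to-tag decision from the steps above as an added example; it is not code from this post or from Google. It assumes analytics.js (the `ga` command queue) and a hypothetical `site_consent` cookie holding URL-encoded JSON written by your consent modal. Anything missing or malformed is treated as no consent, and `anonymizeIp` stays on throughout.

```javascript
// Added example: names marked "hypothetical" are assumptions, not from the post.
const CONSENT_COOKIE = 'site_consent'; // hypothetical cookie written by the consent modal

// Parse the stored preference; anything missing or malformed means "no consent".
function readConsent(cookieString) {
  const denied = { ads: false, userId: false };
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const prefs = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      if (prefs === null || typeof prefs !== 'object') return denied;
      // Only a literal boolean true counts; "true", 1 or "yes" are rejected.
      return { ads: prefs.ads === true, userId: prefs.userId === true };
    } catch (e) {
      return denied; // bad URL-encoding or bad JSON: fail closed
    }
  }
  return denied;
}

// Map consent to analytics.js fields. anonymizeIp is always on in this example.
function gaFields(consent, pseudonymousId) {
  const fields = { allowAdFeatures: consent.ads === true, anonymizeIp: true };
  // Send a User ID only after opt-in, and only a pseudonymous (non-PII) value.
  if (consent.userId === true && pseudonymousId) fields.userId = pseudonymousId;
  return fields;
}

// Set the fields before the first hit so no ad beacon fires ahead of consent.
function configureGa(ga, cookieString, pseudonymousId) {
  const fields = gaFields(readConsent(cookieString), pseudonymousId);
  ga('set', fields);
  ga('send', 'pageview');
  return fields;
}

// In a browser, after ga('create', ...):
//   configureGa(window.ga, document.cookie, pseudonymousId);
```

Because the default is `allowAdFeatures: false`, a visitor who never interacts with the modal is still measured, but no advertising beacons are sent for them.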
Assuming your lawyers agree with the interpretation that Google themselves have been promoting, then this method will increase your confidence in your compliance with this regulation.
Your compliance with GDPR can help your brand avoid penalties and build trust.
Shouldn’t we all be advocates for our customers? We sure think so and we hope that brands are taking privacy more seriously for the benefit of their customers.
Ask Questions or Share Your Input
Do you have other tips or questions on how to implement GDPR with Google Analytics? We’d love to hear from you in our comments below and we promise to respond in a reasonable time period.
Disclaimer: I am not a lawyer and the information provided within this blog post is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggested clarifications, please comment and provide sources, as appropriate.