Google Analytics and GDPR

Google Analytics is a web analytics tool from Google. It collects information such as cookies, IP addresses, and client identifiers. Millions of website owners use the service to track their website traffic. Since June 2018, Analytics is part of the Google Marketing Platform.

Since Google Analytics collects information that can be used to identify a person, you must make sure that it is complying with the General Data Protection Regulation (GDPR).

Let’s look at how GDPR affects your use of Google Analytics and how to comply with the law.

What is GDPR?

GDPR is a data protection law introduced by the EU parliament for the EU citizens. Any organization or individual, based in the EU or not, must abide by the law if they use the data of people from the EU member states. It aims to strengthen the data privacy and rights of the EU residents. Here are some of the key points from the Regulation:

  • Processing of personal data should be on lawful bases.
  • Obtain explicit consent, wherever relevant, from the users before processing, and the request should be in clear and plain language.
  • Honor the rights of users and make it easy for them to exercise it.
  • Adopt Privacy by Design approach by ensuring security before the processing begins.
  • Notify the supervisory authority and the affected users about data breaches within 72 hours.
  • Failure to comply will result in fines, with the maximum being €2 million or 4% of your annual global turnover, whichever is higher.

Read this guide to GDPR for more information.

GDPR affects websites in the same way as other resources. May be more since it is not an easy task to track your visitors who may be from any part of the world. A website originated in the US may find itself facing GDPR challenges if it gets traffic from the EEA (European Economic Area). 

Google is not a stranger to GDPR penalization. On 21 January 2019, France’s CNIL fined Google €50 million for failing to get valid consent from the users for personalized ads. The company has made several changes to its policy and settings to combat this.

Google Analytics and GDPR Compliance

Before delving into it, note that if you are using Analytics, you - the website owner - are the Data Controller. Google is your Data Processor. Google collects and processes the data on behalf of you. You decide ‘why’ and ‘how’ the data should be processed. Google has made several changes to be compliant. However, as the data controller, you must ensure that your usage of Google Analytics complies with GDPR.

Let's have a look at some of the measures taken by Google and the measures you need to take to comply with GDPR.

What Google Did

Google updated its terms and conditions, policies, and settings to be committed to GDPR. Some of the important contractual and product changes are:

Data Processing Terms

Updated Data Processing Terms acts as the data processor agreement. The updated contract is available in your account settings. Here is a detail Google provides in the agreement about the type of data Analytics collects:

Screenshot from Google Analytics Data Processor Terms

EU User Consent Policy

The updated EU User Consent Policy states that you must seek explicit consent from the users to use cookies or to collect, share, and use their personal data. You must keep a record of the consent granted by them and instruct them clearly about revoking their consent whenever they wish to. Google required you to accept the updated policy to continue using the analytics service.

Data Deletion

You can now delete the data of users upon their request. If you have shared the data with any third-party, then Google advises you to remove it from there first. Read more here.

Data Retention

You can now control how long the data is stored before the Google Analytics automatically deletes them. The default setting is 26 months. You can also choose ‘Do not automatically expire’. Read more here.

So, these are some of the changes that Google adopted to align Analytics with the Regulation. Additionally, Google’s privacy policy explains in detail what information they collect, why they collect it, and how you can update, manage, export, and delete it.

What You Should Do

Google Analytics has done its part (mostly), now it's up to you to be certain if you have! Let's see how:

Data Auditing

Audit the data that is collected by your website. Check whether any of the pages on your website are transmitting PII (Personally Identifiable Information). Google mandates that you cannot send PII to them. According to Google, "Google interprets PII as information that could be used on its own to directly identify, contact, or precisely locate an individual." This includes email addresses, mailing addresses, phone numbers, location, full names, etc.

Read the best practices to avoid sending PII to Google Analytics here.

IP Anonymization

Google excludes IP addresses from PII. However, under GDPR, they are interpreted as personal data. Hence, it is crucial to be careful while collecting user IP addresses. Google Analytics collects IP addresses to report on the geolocation of the visiting users. However, it does not report on the IP addresses of the visitors. To avoid any risk of GDPR violation, anonymize the IP, i.e., alter the address before sending the data to Analytics to process. There are two ways to implement this feature:

  • Add the following code to your Analytics tracking code:

ga('set', 'anonymizeIp', true);

  • Turn on IP anonymization in your Google Tag Manager. Follow the steps:

Edit the tag -> More Settings -> Fields to set -> Add a field -> set Field Name as ‘anonymizeIp’ and its Valuetrue

After anonymizing the IP, Google Analytics sets the last octet of the IPV4 Ip addresses and the last 80 bits of the IPV6 IP addresses to zeroes. For example, an IPV4 address 121.314.31.144 changes to 121.314.32.0.

Pseudonymize User Data

You may not use PII on Google Analytics. However, you can use alphanumeric database identifiers. You can share properly encrypted user data. Google has a minimum hashing requirement of SHA256 and recommends the use of salt, a minimum of 8 characters. However, even Google agrees that it may not be the best practice.

Update Privacy Policy

Your privacy policy should reflect the following information in a clear and plain language:

  • What information is collected
  • Who is collecting this information
  • How is this information used
  • Who will this information be shared with
  • How you protect the information
  • How to correct any inaccuracy in this information
  • Contact information

You can refer to CookieYes privacy policy.

Opt-in and Opt-out Option

Get explicit consent from the users through an active opt-in method before the Analytics collects and processes their data. For example, you can no longer ‘assume’ the users have agreed to use their data by proceeding to use the site. Such consent is invalid. Cookie banners should explicitly and clearly state the type of cookies the site will be loading on the page and their purpose. Users should have the option to accept and deny them as they wish or settings to change their preferences. Here is an example of CookieYes' cookie settings: 

CookieYes Cookie Settings

Any changes will reload the page, and Google Analytics will execute accordingly.

CookieYes will help you in making your website GDPR compliant. There are fully customizable cookie banners suitable for different types of consent, and you can block scripts to implement prior consent. It also records the consents obtained. Sign up for a free account and find out how!

Apart from all this, other existing features from Google will also help you in managing user data:

Also, it would be wise to have the right systems to ensure transparency and accountability. Like mentioned earlier, you must explain to your users the types of data you collect and the purpose. You must have the necessary measures to prove your compliance with GDPR to the respective authorities and your users if need be.

To Conclude

Google may have adopted a lot of changes since the GDPR, but it still faces many challenges. Actions like storing data over remote server locations, sharing data with other Google products (this is a default option in data sharing settings), etc. may not be ideal considering how serious GDPR is about data privacy. As the data controller, you need to clear up any ambiguity from your side and try to stay on the right side of the law.

 

Disclaimer: This article should NOT be treated as legal advice. The purpose of this article is to provide general information only. For any legal advice, please contact a lawyer specialized in GDPR.