Cookiebot

The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner may use Google Analytics to track your visitors from the EU.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

Google Analytics is by far the most popular tool for website owners to gain insight into how their site is being used.

But is it compliant with the GDPR? Can you keep on using it and comply with the regulation, and what does it take?

In this article, we give an introduction to Google Analytics, to the GDPR, and to what the legal requirements actually mean for your website and its use of cookies, online tracking and tools.

Find out what Google is doing in preparation for the GDPR, what changes you should implement to your Google Analytics account, and how you can make your website’s use of Google Analytics compliant.

Scroll to Checklist 1 if you want to skip the introductions and get down to business right away.

What is Google Analytics?


Google Analytics is Google’s powerful and widely used traffic analytics tool that allows website owners to get deep, real-time insight into how their site is being used, how much, and by whom.

How do users find your website, how do they move around on it, how long do they stay for, and where do they go from there?

As such, Google Analytics is essentially a user data processing tool.

What is the GDPR and how does it affect my website?


The General Data Protection Regulation is an EU law that sets out strict requirements on how the data of EU citizens may be handled.

It comes into force on 25 May 2018 and affects companies, organizations and websites, large and small, that handle the personal data of users from the EU.

For website owners, the regulation means that you have to go through all of your personal data processing activities and make sure that they comply.

Typically, data processing activities on websites are one of two types:

  1. on the one hand, contact forms, email subscriptions and the like, where the personal data is explicitly requested and submitted directly by the user,
  2. and cookies and online tracking on the other.

With the enforcement of the GDPR, you have to go through both, and revise what data you are gathering, whether you really need this data and why, and how you are keeping it secure.

The problem with cookies in the GDPR

Due to their multiple uses, cookies are often the tricky part of ensuring compliance with the regulation.

Cookies serve a range of different purposes from functionality and performance, over statistics, to targeted marketing.

Some are necessary for the website to work, and some are not. Some enhance the user experience, some serve for monitoring and user profiling, and some do both.

Some are set by the website itself, while the majority are of third party provenance, typically set by embedded third party plug-ins.

On top of that, cookies on websites tend to change, meaning that getting an overview once and for all will not suffice.

In general terms, though, cookies do track users’ actions and are therefore subject to the GDPR.

The regulation affects your use of cookies and online tracking, your cookie policy and privacy policy, and the manner in which you obtain consent from your users for setting the cookies.

Plugins, embedded content, and tools in use on your website all set cookies.

As a website owner, you are responsible for all of the data processing activities going on on your website, regardless of whether they are of first party or third party provenance.

What is considered “personal data” in the GDPR?

The issue for website owners when it comes to using tools such as analytics, is the broad definition of personal data in the GDPR:

Not only IP addresses, contact information and sensitive data such as medical and financial records are personal, but also any data which can identify someone “directly or indirectly” using “all means reasonably likely to be used”.

This includes pseudonymous data, online identifiers and cookies which, as the GDPR states, can be combined with other data to create “profiles of the natural persons and identify them”.

What personal data does Google Analytics collect?

Google Analytics works by means of tracking code that is added to the pages of your website. Every user is registered with a unique ID, so that Google Analytics can provide you with insight into how many unique visitors there are to the site, for example, and how many users return.

With Google Analytics, one can survey how often any single user has visited the website, what pages they visited, for how long they stayed and how they interacted with the site.

Combined with their enormous statistical data on internet users, Google Analytics can provide very precise information on what segments your website attracts according to demographics such as age, gender, professional and private interests, geographical location etc.

An accurate overview of what data Google Analytics actually tracks is difficult to get hold of, as it is constantly developing and improving, and Google does not provide transparency about their methods.

According to their Google Ads Data Protection Terms: Service Information, Google Analytics collects the following types of personal data: 

To get a general picture of what data Google is gathering, you may take a look at Google's privacy policy:

"We collect information to provide better services to all of our users – from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like.

We collect information in two ways:

1. Information you give us.
For example, many of our services require you to sign up for a Google Account. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. If you want to take full advantage of the sharing features we offer, we might also ask you to create a publicly visible Google Profile, which may include your name and photo.

2. Information we get from your use of our services.
We collect information about the services that you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or you view and interact with our ads and content." 

According to the GDPR’s definition of personal data described above, the tracking of user behaviour and profiling is only compliant with the EU regulation when the website obtains prior consent from the visitor, i.e. Analytics is blocked until the visitor has opted in.

So, what is Google Analytics doing in preparation for the GDPR enforcement?


On their blog, Google in Europe, Google has been sharing information about how they are preparing to meet the requirements of the GDPR since August 2017.

During spring 2018, they have regularly released updates about their work to become GDPR compliant: they have updated their EU User Consent Policy, made changes to their contract terms, and made changes to their products in order to meet the requirements:

Updated EU User Consent Policy

In accordance with their advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google's EU User Consent Policy is being updated to reflect the legal requirements of the GDPR.

It sets out website owners’ responsibilities for making disclosures to, and obtaining consent from, end users in the European Economic Area (henceforth EEA).

For example, under that policy, advertisers will be required to obtain consent from users for the collection of data for personalized ads (e.g. remarketing tags to build audience lists) and for the use of cookies where legally required (e.g. conversion tags).

The policy is incorporated into the contracts for most Google ads and measurement products globally.

Contract changes

Google has been rolling out updates to their contracts for many products since August 2017, reflecting their status as either a processor or a controller under the GDPR (see the full classification of Google's Ads products).

The new GDPR terms supplement your contract with Google and will come into force on 25 May 2018.

In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.

Product changes

To comply, and to support their customers’ compliance with the GDPR, Google is:

Find out more

See privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as their data processing terms and data controller terms.

What YOU should do

Regardless of all of these steps, as the owner of the website you remain the party responsible for the personal data of your visitors that is being handled on your site.

See this useful article on how to prepare your use of Google Analytics for the GDPR.

To prepare your use of Google Analytics for the GDPR, there are basically two things you should do:

  1. Make changes in your Google Analytics account settings
  2. Make sure that your website’s use of Google Analytics and other tools is compliant.

Checklist 1: Steps to make your Google Analytics GDPR compliant


1. Control how you are transmitting personal data to Google

It is not sufficient to filter out personal data via the Google Analytics filters.

The transmission must be stopped on code-level to prevent the data from ever being sent to Google Analytics.

Check your page URLs, page titles and other dimensions. Ensure that no personal data is being collected.

A common example of personal data collection is capturing a page URL that contains an `email=` query-string parameter.

If this is the case, it is likely that you are also leaking personal data to other marketing technologies in use on your site!

2. Turn on IP Anonymization

The IP address is personal data according to the definition in the GDPR. IP addresses are by default never exposed in reporting, but Google uses them to provide geolocation data.

Therefore, it is a good idea to turn on the IP anonymization feature in Google Analytics.

This change will slightly reduce the geographic reporting accuracy of your Google Analytics account.

To turn on anonymization, you must make a change in the code.

If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.

If you don’t use Google Tag Manager, your tag management system may have this setting exposed as an option, or you may need to edit the code directly.

Once implemented, Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address before any storage or processing begins (an address such as 123.123.123.123 becomes 123.123.123.0, with the last octet replaced by a ‘0’). Once this feature is enabled, the full IP address is never written to disk, according to Google.
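Steps 1 and 2 of the checklist, done in the browser before the tracker sees anything, as an added example (not Cookiebot's or Google's own code): the page URL is scrubbed of personal data at code level, the result is handed to the tracker's `page` field instead of `location.href`, and IP anonymization is set in the same place. The parameter names in `PERSONAL_PARAMS` are a constructed list to extend for your own site; the `ga()` calls are the standard analytics.js `set`/`send` commands and are guarded so the file also runs stand-alone.

```javascript
// Added example (not Cookiebot's or Google's code): steps 1 and 2 of the
// checklist in the browser. Personal data is scrubbed from the page URL
// before it reaches the tracker, and IP anonymization is switched on in
// the same settings object. The parameter names below are a constructed
// list; extend it for your own site.
const PERSONAL_PARAMS = ['email', 'e-mail', 'name', 'phone', 'user'];
const EMAIL_RE = /[^\s@\/?&=]+@[^\s@\/?&=]+\.[^\s@\/?&=]+/;

// Audit helper for reviewing collected page URLs: does the raw URL carry an
// e-mail address anywhere, even percent-encoded (jane%40example.com)?
function containsEmail(url) {
  let decoded = url;
  try { decoded = decodeURIComponent(url); } catch (e) { /* keep raw on bad escapes */ }
  return EMAIL_RE.test(decoded);
}

// Return path + query with personal-data parameters redacted. Parameter names
// match case-insensitively; any value that looks like an e-mail address is
// redacted whatever its name. The fragment is dropped, as the tracker's
// "page" field does not use it.
function scrubPersonalData(url) {
  const u = new URL(url, 'https://example.invalid'); // base so relative paths parse
  for (const [key, value] of Array.from(u.searchParams.entries())) {
    if (PERSONAL_PARAMS.includes(key.toLowerCase()) || EMAIL_RE.test(value)) {
      u.searchParams.set(key, 'REDACTED');
    }
  }
  return u.pathname + u.search;
}

// Settings handed to analytics.js: anonymizeIp zeroes the last octet before
// storage (step 2); page carries the scrubbed URL instead of location.href (step 1).
function trackerSettings(pageUrl) {
  return { anonymizeIp: true, page: scrubPersonalData(pageUrl) };
}

// In a browser with analytics.js loaded these are the real ga() calls; the
// guard lets the file also run stand-alone in Node for auditing.
if (typeof ga === 'function' && typeof location !== 'undefined') {
  const s = trackerSettings(location.pathname + location.search);
  ga('set', 'anonymizeIp', s.anonymizeIp);
  ga('set', 'page', s.page);
  ga('send', 'pageview');
}
```

Run `containsEmail` over the page paths already sitting in your Analytics reports to find where personal data has been leaking; the scrub only prevents new leaks.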

3. Go through the collection of Pseudonymous Identifiers in your Google Analytics

Your Google Analytics implementation may already be using pseudonymous identifiers. These may include the following:

User ID: Control that the user IDs are alphanumeric database identifiers, and not data written in plain text such as emails, usernames etc.

Hashed/Encrypted data such as email addresses: Check whether you can do without hashed or encrypted data. Google has a minimum hashing requirement of SHA256. However, it is recommended to avoid collecting data in this manner.

Transaction IDs: Transaction IDs are technically pseudonymous identifiers, since, when linked with another data source, they can lead to the identification of an individual. Make sure that this ID is an alphanumeric database identifier.

Checklist 2: Steps to make your website’s use of Google Analytics etc. compliant


1. Provide transparency about the data processing on your site in your privacy policy and / or cookie policy

Make sure that the actual data processing that is going on on your website is clearly stated, for example in your privacy policy. It is a requirement of the GDPR, that the information on the data collection…

Read more about the requirements and how to comply in our article Privacy policy.

Do you have a proper cookie policy in place? The cookie policy should be accessible for your users, and outline what cookies are in use, what purpose they serve, and how one may opt in and out of them.

It doesn’t matter whether your cookie policy is an independent document or integrated in your privacy policy, as long as the information is easily accessible for your users.

Read more about the requirements for the cookie policy and how to comply with them.

With Cookiebot, the monthly report of the scan of your website can be published as an integrated part of your privacy policy and cookie policy.

That way, your information to your users is always specific and up to date with the actual data processing going on, no matter how your tools and cookies change.

Also, the declaration automatically provides the mandatory options of changing and revoking consent.

2. Implement a GDPR compliant cookie consent

Getting a proper consent to the use of cookies from your visitors is a crucial part of rendering your website compliant with the GDPR. In order to be compliant, the consent has to be…

Read more in our article about cookie consents and the GDPR.

Cookiebot is one of the few cookie consent solutions that does all of that.

You can’t control Google. But by implementing Cookiebot, you can make your website’s use of cookies and online tracking GDPR compliant.

Resources


GDPR Report: GDPR and Google Analytics
Digital Third Coast: How does Google Analytics actually work?
Shivarweb: What does Google Analytics do?
Google developers guide: Google Analytics cookie usage on websites
Stack Overflow: What data is collected by Google Analytics (by default)
Google's Privacy Policy
Medium: Google Analytics and GDPR Compliance
Google Ads Data Protection Terms: Service Information
Google in Europe: Getting ready for Europe’s new data protection rules
Google's EU User Consent Policy
Full classification of Google's Ads products

Make your website’s use of cookies and online tracking GDPR/ePR compliant today
