
Google analytics

#1) Audit Your Data for Personally Identifiable Information (PII)

Hopefully this doesn’t come as a surprise, but
collecting Personally Identifiable Information (PII) is against
the Google Analytics Terms of Service.
This is true both of Google Analytics Standard and the paid
Google Analytics 360 solution. Whether you are confident or
not, now is the time to audit your data collection to ensure
that you are not transmitting PII.
• Check your Page URLs, Page Titles, and other data
dimensions to ensure that no PII is being collected. A
common example of PII data collection is when you
capture a Page URL that contains an “email=” query
string parameter. If this is the case, you are
likely leaking PII to other marketing technologies in use
on your site!
• Ensure that any data entered into forms by Users, that is
also collected by GA, does not contain PII.
• Be aware that simply filtering out PII (via Google Analytics
filters) is not sufficient; you must address this at the
code-level to prevent the data from ever being sent to
Google Analytics.
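
One way to address this at the code level, as an added example rather than code from the original post: a function that drops PII-named query parameters and redacts e-mail-shaped values before the URL is handed to the tracker. The parameter list and the `REDACTED` token are assumptions to adapt from your own audit.

```javascript
// Added example: scrub PII from a page URL before Google Analytics sees it.
// PII_PARAMS and REDACTED are assumptions; extend the list from your own audit.
const PII_PARAMS = new Set(['email', 'e-mail', 'mail', 'phone', 'firstname', 'lastname']);
const EMAIL_RE = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/gi;
const REDACTED = 'REDACTED';

function scrubPiiFromUrl(rawUrl) {
  // The base is only used to resolve relative URLs; it never appears in the result.
  const url = new URL(rawUrl, 'https://placeholder.invalid');
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (PII_PARAMS.has(key.toLowerCase())) continue;      // drop known PII parameters entirely
    kept.append(key, value.replace(EMAIL_RE, REDACTED));  // redact e-mails hiding under other names
  }
  const path = url.pathname.replace(EMAIL_RE, REDACTED);  // e-mails embedded in the path itself
  const query = kept.toString();
  return query ? `${path}?${query}` : path;               // the fragment is dropped on purpose
}

// Browser usage (analytics.js), before the first hit is sent. Both fields are set
// because the full document URL is otherwise sent as the hit's location:
//   const clean = scrubPiiFromUrl(location.href);
//   ga('set', 'location', location.origin + clean);
//   ga('set', 'page', clean);
```

Page titles and form values sent as event fields need the same treatment before they reach the tracker.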

#2) Turn on IP Anonymization


Under the GDPR, an IP address is considered PII. Even
though the IP address (by default) is never exposed in
reporting, Google does use it to provide geo-location data.
To be safe, we recommend turning on the IP Anonymization
feature in Google Analytics. This requires a code change to
enable. If you use Google Tag Manager, adjust your tag or
Google Analytics Settings variable by clicking into More
Settings -> Fields to Set and then add a new field named
‘anonymizeIp’ with a value of ‘true’.

If you don’t use Google Tag Manager (GTM), your tag
management system may have this setting exposed as an
option, or you may need to edit the code directly.
The result of this change is that Google will anonymize the
IP address as soon as technically feasible by removing the
last octet of the IP address (your IP becomes 123.123.123.0
— where the last portion/octet is replaced with a ‘0’). This
will happen before storage and processing begins. “The full
IP address is never written to the disk” when this feature
is enabled.
The impact of this GDPR change on your data is that
geographic reporting accuracy is slightly reduced.
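
To verify both the PII audit from step #1 and the anonymization setting after deployment, the outgoing hits themselves can be checked. This added example (not code from the original post) inspects Measurement Protocol hit URLs as copied from the browser's network panel; the finding labels are assumptions.

```javascript
// Added example: audit captured Google Analytics hits (Measurement Protocol URLs).
// When editing analytics.js code directly, the setting from this step is
//   ga('set', 'anonymizeIp', true);
// and every hit sent afterwards should carry the `aip` parameter.
const EMAIL_SHAPED = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/i;
const FIELD_NAMES = { dl: 'page URL', dp: 'page path', dt: 'page title', uid: 'User ID' };

function auditHit(hitUrl) {
  const params = new URL(hitUrl).searchParams;  // values arrive percent-decoded
  const findings = [];
  if (!params.has('aip')) {
    findings.push('IP anonymization not requested (aip parameter missing)');
  }
  for (const [key, value] of params) {
    if (EMAIL_SHAPED.test(value)) {
      findings.push(`e-mail address in ${FIELD_NAMES[key] || 'parameter'} (${key})`);
    }
  }
  return findings;
}

// Returns only the hits that have findings, numbered in capture order.
function auditHits(hitUrls) {
  return hitUrls
    .map((url, i) => ({ hit: i + 1, findings: auditHit(url) }))
    .filter((result) => result.findings.length > 0);
}
```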

#3) Audit your Collection of Pseudonymous Identifiers (hashed Emails, User IDs)

Your Google Analytics implementation may already be using
pseudonymous identifiers. This may include the following:
• User ID — This should be an alphanumeric database
identifier. This should never be plain-text PII such as
email, username, etc.
• Hashed/Encrypted Data such as Email Address — “Google
has a minimum hashing requirement of SHA256 and
strongly recommends the use of a salt, minimum 8
characters.” — Source. We do not recommend
collecting data in this manner.
• Transaction IDs — Technically, this is a pseudonymous
identifier since when linked with another data source, it
can lead to the identification of an individual. This ID
should always be an alphanumeric database identifier.
Under both GDPR and the Google Analytics Terms of
Service, this appears to be an acceptable practice. But, this
is where you are advised to ensure that your Privacy Policy
is updated to reflect this data collection and purpose, as
well as to gain explicit consent (via opt-in) from your users.
In both cases, the language used needs to be clear (no
technical or legal terms) and answer the questions “what
data is collected?” and “how will it be used?”
If you are familiar with the GDPR at this point, you may be
asking yourself how you can reasonably honor a User’s
request to be forgotten.
This is tricky as Google Analytics does not (currently)
provide a method for selective data deletion. From our point
of view, you’ll likely need to delete the User ID from your
CRM to satisfy this requirement, which will prevent the
record in Google Analytics from being associated with a known
individual. We do not have insight into Google’s plans, but
perhaps they’ll offer a method of User ID/Client ID data
deletion by the time GDPR goes into effect. (UPDATE:
Thanks to Yehoshua Coren for letting us know that Google
announced at Superweek that they will support User
ID/Client ID data deletion.)

#4) Update your Privacy Policy


The most important update to your Privacy Policy under
GDPR is that these notices need to be written in a way that
is clear, understandable, and concise.
As it always should have been, the intent of the Privacy
Policy is to describe what you do in a clear manner and
then, most importantly, your organization needs to follow
through and do what it says. Your audience of the Privacy
Policy is the end user (not lawyers).
Per this eConsultancy article, you should consider the
following questions when writing your privacy notice:
• What information is being collected?
• Who is collecting it?
• How is it collected?
• Why is it being collected?
• How will it be used?
• Who will it be shared with?
• What will be the effect of this on the individuals
concerned?
• Is the intended use likely to cause individuals to object or
complain?

#5) Build an Opt In/Out Capability


The big question on everyone’s mind is if they really need to
get explicit consent for tracking. After all, this could be a
substantial amount of work and could absolutely impact the
participation of users in your Google Analytics data. The
answer to this question is multi-pronged: most likely
you will, it depends, and you should seek legal
counsel.
Let’s dive into a few considerations to think through.
If you are collecting User ID or other pseudonymous
identifiers, you’ll need to gain consent from the user. As
mentioned at the beginning of this blog post, this consent
needs to be explicit (opt in). Gone are the days of the cookie
notice stating that if you proceed to use the site, you
consent — that is no longer considered consent. Instead,
you’ll need to ask users for their permission clearly and
most importantly, before Google Analytics executes.
The most common approach to this that we’ve seen is to
have an overlay modal on the page that asks the user for
permission and then once granted, the page either reloads
or the Google Analytics scripts (and other marketing
technologies) proceed to execute.
You may consider leveraging technologies such as Tealium’s
Privacy Widget to achieve this technical objective. There are
many other vendors to consider such as Evidon and
TrustArc.
See our Healthcare.gov Case Study from back in 2015
where we helped implement the US Government’s first
website to offer consumers the ability to opt out of tracking
and to honor the Do Not Track browser setting. This was
achieved by using Tealium iQ’s Privacy Manager technology.
If you are using Google Analytics data to collect
UserID/Hashed PII or to assist in behavioral profiling or if
you are using other advertising technologies, you’ll need to
build an opt-in consent mechanism as well as functionality
for your users to opt-out at any point.
Since Google Analytics also records an online/cookie
identifier called the GA Client ID, and because this is part of
the core functionality of the product, you will likely need to
offer the opt-in consent for all EU visitors to the site. This is
a point that you’ll want to seek legal counsel on, but if you
read the regulation, it specifically mentions that online
identifiers (such as the GA Client ID) are considered
personal data and thus it would be subject to this regulation.
We’ve read other sources that indicate that there would be
no need to offer consent if you aren’t collecting User ID or
any other pseudonymized data in Google Analytics.
There are requirements as part of GDPR to prove that
consent has been given (audit trail). We recommend as part
of the explicit action of affirmative consent, that you
track/log this in Google Analytics as an event. You may also
want to record this in your own database against the Google
Analytics Client ID (and User ID if applicable).
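
The opt-in flow described in this step, as an added example (not code from the original post or from any consent vendor): analytics loads only after an explicit grant, can be switched off again at any time, and every decision is recorded. `PROPERTY_ID` is a placeholder, and the storage key and the injected `deps` object are assumptions made so the logic also runs outside a browser.

```javascript
// Added example: gate Google Analytics behind explicit consent and keep an audit trail.
const PROPERTY_ID = 'UA-XXXXX-Y';          // placeholder property ID
const CONSENT_KEY = 'analytics_consent';   // assumed storage key

function createConsentGate(deps) {
  const { win, storage, loadAnalytics, auditLog, now = () => new Date().toISOString() } = deps;
  let loaded = false;

  function apply(state) {
    // Google's documented opt-out flag: while true, no hits are sent for this property.
    win['ga-disable-' + PROPERTY_ID] = state !== 'granted';
    if (state === 'granted' && !loaded) {
      loadAnalytics();   // inject the analytics snippet only now, never before consent
      loaded = true;
    }
  }

  function record(state) {
    storage.setItem(CONSENT_KEY, state);
    auditLog.push({ state, at: now() });   // proof of consent; mirror it server-side as well
    apply(state);
  }

  // On page load, no stored decision means no tracking (opt-in, not opt-out).
  apply(storage.getItem(CONSENT_KEY) || 'unset');

  return {
    grant: () => record('granted'),
    revoke: () => record('denied'),
    isTracking: () => loaded && win['ga-disable-' + PROPERTY_ID] === false,
  };
}
```

In the browser, pass `window`, `localStorage`, and a function that injects the analytics.js snippet. After a grant, an event such as `ga('send', 'event', 'consent', 'granted')` (category and action names are hypothetical) records the decision in Google Analytics, as the text recommends.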

Share Your Challenges


These five actionable steps towards Google Analytics GDPR
compliance are a great way to help your organization either
begin the conversation, or continue your efforts with new
ideas that you may have missed. GDPR is a complex
regulation and it is imperative that your organization
develop the right roadmap towards becoming compliant.
While the focus of this post is Google Analytics, these steps
also apply towards other digital analytics and marketing
vendors. Each organization is different and there are
certainly more that you’ll need to do for compliance, so we’d
love to hear about your challenges.

Google Analytics update – Data retention control
One of the product updates Google is
introducing is data retention control. This
feature will allow you to manage how long
Google stores your user data on Google’s
servers.

Data retention control will go into effect in
your account the same day GDPR
launches, May 25th.
However, you can adjust your data
retention settings now. The setting you
select will then activate on May 25th,
2018.

Source: Google
Data Retention control settings
The current default for data retention is
26 months. But you can select to retain
your user data for a shorter or longer
period.

Important update: The default
data retention setting will cause
you to lose data that’s critical to
many advanced reporting
features. Unless you adjust your
setting, Google will purge user
data from your account that was
collected more than 26 months
ago. This setting will take effect
on May 25th, 2018.
Your historical user data is
essential to your ad-hoc reports.
Ad-hoc reporting includes
features like advanced segments
and table filters. To keep your
user data intact you can adjust
your data retention setting to
“Do not automatically expire.”

To learn more about how data
retention will affect your Google
Analytics account, you can read
our detailed post about this
setting: Change Your Google
Analytics Data Retention
Setting, Or Lose Your Advanced
Segments.

And, to learn about how GDPR
impacts data retention and
tracking consent, you can refer
to this post: GDPR Compliance
with Google Analytics – Do You
Need Cookie Consent?
User deletion tool
Google has also introduced a user
deletion tool. This tool will allow you to
remove users’ Client IDs, User IDs, or App
Instance IDs from your analytics data.
When a user opts out of tracking, you’ll
use this tool to remove their data.
We’ve talked about merging Client IDs,
and User IDs for cross-device tracking in
one of our past tutorials. We’ve also
discussed synchronizing Client IDs for
cross-domain tracking. The user deletion
tool will help you undo this type of tracking.
Google has done some back-end
work for you
My biggest concern with GDPR
compliance has been the difficulty
involved with implementation. The
regulations will be burdensome for small
online businesses and blogs, especially
those who don’t have access to the raw
data collected by analytics tools (i.e.,
everyone who uses Google Analytics).
Google also used their recent email to
remind us of the existing data protection
tools and settings that are already
available in our GA accounts.
Tools like:
• Customizable cookie settings
• Data sharing settings
• Privacy controls
• Data deletion on account termination
• IP anonymization

Not everyone needs to use these tools,
but they are available to help you with
GDPR compliance.
You have opted-in automatically
to these changes in Google
Analytics
The next part of Google’s email lets you
know that you have opted into their data
processing changes. Essentially, Google is
making you aware of these compliance
related changes. If you want to use their
tools, your account is subject to those
changes.
You are responsible for data
privacy compliance
Google is taking on the majority of the
compliance burden since our analytics
data is stored on their servers.
But they are also letting you know that
you are responsible for the data you track
in Google Analytics.

Google gives you the tools to track data
online. But it’s on you to use these tools
appropriately.
That means you need to understand how
GDPR affects your measurement
techniques. Your tracking and data
retention policies and compliance will be
up to your organization. And ignorance of
GDPR won’t be an excuse for non-
compliance.
Stuff you ignored before that you
might care about now
The last part of Google’s email reminds us
that they have a bunch of other products
you probably haven’t been using. Stuff you
ignored in the past, but might actually
care about now.
For instance –
privacy.google.com/business. I’ve been
using Google Analytics since it was in
Beta, but I didn’t know that this existed.
I’ll have to do some research on this one
and provide an update on my findings.
Let’s summarize what we know
about Google Analytics and
GDPR compliance
1. Google is giving you tools to
become GDPR compliant with your
Google Analytics data
Google is going beyond the bare minimum.
Through new and existing tools, Google is
attempting to make GDPR compliance
even easier for users.
2. New Google Analytics tools coming
on May 25, 2018
Google’s new tools will be active just in
time for the May 25th deadline. Not
everything is live yet, but Google’s telling
us these tools will be in place in time for
GDPR.
3. It’s your responsibility to become
GDPR compliant
Even though Google processes your
analytics data, you’re still responsible for
how you use that data.
4. Google has lots of resources for
you to learn more
Google has put out a lot of information on
how to observe GDPR. It’s important to
self-educate, just like you’re doing right
now by reading this post.
Ignorance won’t be an excuse for
noncompliance.
5. For the most part, it appears
collecting analytics data is business
as usual
Although GDPR feels like a big deal, it’s
not going to change how we operate all
that much. If someone opts out of
tracking, we need to follow the new
requirements. But, for the 99% of users
that don’t opt out, we don’t have to
change how we use Google Analytics.
6. If someone opts-out from being
tracked, you need to understand how
to process this request
If you are doing business from the EU, and
someone opts-out of tracking, you need to
know how to remove their data.
Removing users isn’t something that’s
been talked about much to date. Before
GDPR, analytics was mostly focused on
how to obtain user information, not how to
delete it.
I am considering putting out a follow-up
video on how to remove users from Google
Analytics once this tool is released. If
you’d like to see a tutorial on deleting
users, then leave a comment below. If we
get enough comments, I’ll make sure we
include this technique in a follow-
up video.
Finally… I have two big questions for you.
How many of you will opt out of
tracking?
Are you interested in opting out of
tracking as part of GDPR? Personally, I
plan to continue to allow myself to be
tracked. I think that cookies and analytics
can improve the user experience in many
ways. But, I also understand why users
might want more anonymity.
So, leave a comment about why you will
or won’t opt out of tracking. I am curious
to see how the community feels about this
issue.
