The document provides guidance on complying with GDPR regulations when using Google Analytics. It recommends:
1. Auditing data to ensure no personally identifiable information is collected, enabling IP anonymization, and auditing pseudonymous identifiers.
2. Updating privacy policies to clearly explain what data is collected and how it will be used in accordance with GDPR requirements.
3. Building an opt-in/opt-out capability for collecting any pseudonymous identifiers or for behavioral profiling to obtain user consent as required by GDPR.
The document provides guidance on complying with GDPR regulations when using Google Analytics. It recommends:
1. Auditing data to ensure no personally identifiable information is collected, enabling IP anonymization, and auditing pseudonymous identifiers.
2. Updating privacy policies to clearly explain what data is collected and how it will be used in accordance with GDPR requirements.
3. Building an opt-in/opt-out capability for collecting any pseudonymous identifiers or for behavioral profiling to obtain user consent as required by GDPR.
The document provides guidance on complying with GDPR regulations when using Google Analytics. It recommends:
1. Auditing data to ensure no personally identifiable information is collected, enabling IP anonymization, and auditing pseudonymous identifiers.
2. Updating privacy policies to clearly explain what data is collected and how it will be used in accordance with GDPR requirements.
3. Building an opt-in/opt-out capability for collecting any pseudonymous identifiers or for behavioral profiling to obtain user consent as required by GDPR.
Information (PII) Hopefully this doesn’t come as a surprise, but collecting Personally Identifiable Information (PII) is against the Google Analytics Terms of Service. This is true both of Google Analytics Standard and the paid Google Analytics 360 solution. Whether you are confident or not, now is the time to audit your data collection to ensure that you are not transmitting PII. • Check your Page URLs, Page Titles, and other data dimensions to ensure that no PII is being collected. A common example of PII data collection is when you capture a Page URL that contains an “email= querystring” parameter. If this is the case, you are likely leaking PII to other marketing technologies in use on your site! • Ensure that any data entered into forms by Users, that is also collected by GA, does not contain PII. • Be aware that simply filtering out PII (via Google Analytics filters) is not sufficient; you must address this at the code-level to prevent the data from ever being sent to Google Analytics.
#2) Turn on IP Anonymization
Under the GDPR, an IP address is considered PII. Even though the IP address (by default) is never exposed in reporting, Google does use it to provide geo-location data. To be safe, we recommend turning on the IP Anonymization feature in Google Analytics. This requires a code change to enable. If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.
If you don’t use Google Tag Manager (GTM), your tag
management system may have this setting exposed as an option, or you may need to edit the code directly. The result of this change is that Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address (your IP becomes 123.123.123.0 — where the last portion/octet is replaced with a ‘0’). This will happen before storage and processing begins. “The full IP address is never written to the disk” when this features is enabled. The impact of this GDPR change on your data is that geographic reporting accuracy is slightly reduced.
The impact of this GDPR
change on your data is that geographic reporting accuracy is slightly reduced. Click & Tweet!
#3) Audit your Collection of Pseudonymous
Identifiers (hashed Emails, User IDs) Your Google Analytics implementation may already be using pseudonymous identifiers. This may include the following: • User ID — This should be an alphanumeric database identifier. This should never be plain-text PII such as email, username, etc. • Hashed/Encrypted Data such as Email Address — “Google has a minimum hashing requirement of SHA256 and strongly recommends the use of a salt, minimum 8 characters.” — Source. We do not recommend collecting data in this manner. • Transaction IDs — Technically, this is a pseudonymous identifier since when linked with another data source, it can lead to the identification of an individual. This ID should always be an alphanumeric database identifier. Under both GDPR and the Google Analytics Terms of Service, this appears to be an acceptable practice. But, this is where you are advised to ensure that your Privacy Policy is updated to reflect this data collection and purpose, as well as to gain explicit consent (via opt-in) from your users. In both cases, the language used needs to be clear (no technical or legal terms) and answer the questions of, “what data is collected?” and “how it will be used?” If you are familiar with the GDPR at this point, you may be asking yourself how you can reasonably honor a User’s request to be forgotten. This is tricky as Google Analytics does not (currently) provide a method for selective data deletion. From our point of view, you’ll likely need to delete the User ID from your CRM to satisfy this requirement, which will prevent the record in Google Analytics from being associated to a known individual. We do not have insight into Google’s plans, but perhaps they’ll offer a method of User ID/Client ID data deletion by the time GDPR goes into effect. (UPDATE: Thanks to Yehoshua Coren for letting us know that Google announced at Superweek that they will support User ID/Client ID data deletion.)
#4) Update your Privacy Policy
The most important update to your Privacy Policy under GDPR is that these notices need to be written in a way that is clear, understandable, and concise. As it always should have been, the intent of the Privacy Policy is to describe what you do in a clear manner and then, most importantly, your organization needs to follow through and do what it says. Your audience of the Privacy Policy is the end user (not lawyers). Per this eConsultancy article, you should consider the following questions when writing your privacy notice: • What information is being collected? • Who is collecting it? • How is it collected? • Why is it being collected? • How will it be used? • Who will it be shared with? • What will be the effect of this on the individuals concerned? • Is the intended use likely to cause individuals to object or complain?
#5) Build an Opt In/Out Capability
The big question on everyone’s mind is if they really need to get explicit consent for tracking. After all, this could be a substantial amount of work and could absolutely impact the participation of users in your Google Analytics data. The answer to this question is multi-pronged in that most likely you will, that it depends, and that you should seek legal counsel. Let’s dive into a few considerations to think through. If you are collecting User ID or other pseudonymous identifiers, you’ll need to gain consent from the user. As mentioned at the beginning of this blog post, this consent needs to be explicit (opt in). Gone are the days of the cookie notice stating that if you proceed to use the site, you consent — that is no longer considered consent. Instead, you’ll need to ask users for their permission clearly and most importantly, before Google Analytics executes. The most common approach to this that we’ve seen is to have an overlay modal on the page that asks the user for permission and then once granted, the page either reloads or the Google Analytics scripts (and other marketing technologies) proceed to execute. You may consider leveraging technologies such as Tealium’s Privacy Widget to achieve this technical objective. There are many other vendors to consider such as Evidon and TrustArc. See our Healthcare.gov Case Study from back in 2015 where we helped implement the US Government’s first website to offer consumers the ability to opt out of tracking and to honor the Do Not Track browser setting. This was achieved by using Tealium iQ’s Privacy Manager technology. If you are using Google Analytics data to collect UserID/Hashed PII or to assist in behavioral profiling or if you are using other advertising technologies, you’ll need to build an opt-in consent mechanism as well as functionality for your users to opt-out at any point. Since Google Analytics also records an online/cookie identifier called the GA Client ID, and because this is part of the core functionality of the product, you will likely need to offer the opt-in consent for all EU visitors to the site. This is a point that you’ll want to seek legal counsel on, but if you read the regulation, it specifically mentions that online identifiers (such as the GA Client ID) are considered personal data and thus it would be subject to this regulation. We’ve read other sources that indicate that there would be no need to offer consent if you aren’t collecting User ID or any other pseudonymized data in Google Analytics. There are requirements as part of GDPR to prove that consent has been given (audit trail). We recommend as part of the explicit action of affirmative consent, that you track/log this in Google Analytics as an event. You may also want to record this in your own database against the Google Analytics Client ID (and User ID if applicable).
Share Your Challenges
These five actionable steps towards Google Analytics GDPR compliance are a great way to help your organization either begin the conversation, or continue your efforts with new ideas that you may have missed. GDPR is a complex regulation and it is imperative that your organization develop the right roadmap towards becoming compliant. While the focus of this post is Google Analytics, these steps also apply towards other digital analytics and marketing vendors. Each organization is different and there are certainly more that you’ll need to do for compliance, so we’d love to hear about your challenges.
Google Analytics update – Data
retention control One of the product updates Google is introducing is data retention control. This feature will allow you to manage how long Google stores your user data on Google’s servers.
Data retention control will go into effect in
your account the same day GDPR launches, May 25th. However, you can adjust your data retention settings now. The setting you select will then activate on May 25th, 2018.
Source: Google Data Retention control settings The current default for data retention is 26 months. But you can select to retain your user data for a shorter or longer period.
***Important update: The default
data retention setting will cause you to lose data that’s critical to many advanced reporting features. Unless you adjust your setting, Google will purge user data from your account that was collected more than 26 months ago. This setting will take effect on May 25th, 2018. Your historical user data is essential to your ad-hoc reports. Ad-hoc reporting includes features like advanced segments and table filters. To keep your user data intact you can adjust your data retention setting to “Do not automatically expire.”
To learn more about how data
retention will affect your Google Analytics account, you can read our detailed post about this setting: Change Your Google Analytics Data Retention Setting, Or Lose Your Advanced Segments.
And, to learn about how GDPR
impacts data retention and tracking consent, you can refer to this post: GDPR Compliance with Google Analytics – Do You Need Cookie Consent? User deletion tool Google has also introduced a user deletion tool. This tool will allow you to remove users’ Client IDs, User IDs, or App Instance IDs from your analytics data. When a user opts out of tracking, you’ll use this tool to remove their data. We’ve talked about merging Client IDs, and User IDs for cross-device tracking in one of our past tutorials. We’ve also discussed synchronizing Client IDs for cross-domain tracking. The user deletion will help you undo this type of tracking. Google has done some back-end work for you My biggest concern with GDPR compliance has been the difficulty involved with implementation. The regulations will be burdensome for small online businesses and blogs, especially those who don’t have access to the raw data collected by analytics tools (i.e., everyone who uses Google Analytics). To remind you of the existing data protection tools available in GA, Google also used their recent email to remind us of all the settings that are already available in our accounts. Tools like: • Customizable cookie settings • Data sharing settings • Privacy controls • Data deletion on account termination • IP anonymization
Not everyone needs to use these tools,
but they are available to help you with GDPR compliance. You have opted-in automatically to these changes in Google Analytics The next part of Google’s email lets you know that you have opted into their data processing changes. Essentially, Google is making you aware of these compliance related changes. If you want to use their tools, your account is subject to those changes. You are responsible for data privacy compliance Google is taking on the majority of the compliance burden since our analytics data is stored on their servers. But they are also letting you know that you are responsible for the data you track in Google Analytics.
Google gives you the tools to track data
online. But it’s on you to use these tools appropriately. That means you need to understand how GDPR affects your measurement techniques. Your tracking and data retention policies and compliance will be up to your organization. And ignorance of GDPR won’t be an excuse for non- compliance. Stuff you ignored before that you might care about now The last part of Google’s email reminds us that they have a bunch of other products you probably haven’t been using. Stuff you ignored in the past, but might actually care about now. For instance – privacy.google.com/business. I’ve been using Google Analytics since it was in Beta, but I didn’t know that this existed. I’ll have to do some research on this one and provide an update on my findings. Let’s summarize what we know about Google Analytics and GDPR compliance 1. Google is giving you tools to become GDPR compliant with your Google Analytics data Google is going beyond the bare minimum. Through new and existing tools, Google is attempting to make GDPR compliance even easier for users. 2. New Google Analytics tools coming on May 25, 2018 Google’s new tools will be active just in time for the May 25th deadline. Not everything is live yet, but Google’s telling us these tools will be in place in time for GDPR. 3. It’s your responsibility to become GDPR compliant Even though Google’s processes your analytics data, you’re still responsible for how you use that data. 4. Google has lots of resources for you to learn more Google has put out a lot of information on how to observe GDPR. It’s important to self-educate, just like you’re doing right
now by reading this post .
Ignorance won’t be an excuse for noncompliance. 5. For the most part, it appears collecting analytics data is business as usual Although GDPR feels like a big deal, it’s not going to change how we operate all that much. If someone opts out of tracking, we need to follow the new requirements. But, for the 99% of users that don’t opt out, we don’t have to change how we use Google Analytics. 6. If someone opts-out from being tracked, you need to understand how to process this request If you are doing business from the EU, and someone opts-out of tracking, you need to know how to remove their data. Removing users isn’t something that’s been talked about much to date. Before GDPR, analytics was mostly focused on how to obtain user information, not how to delete it. I am considering putting out a follow-up video on how to remove users from Google Analytics once this tool is released. If you’d like to see a tutorial on deleting users, then leave a comment below. If we get enough comments, I’ll make sure we include this technique in a follow- up video. Finally… I have two big questions for you. How many of you will opt out of tracking? Are you interested in opting out of tracking as part of GDPR? Personally, I plan to continue to allow myself to be tracked. I think that cookies and analytics can improve the user experience in many ways. But, I also understand why users might want more anonymity. So, leave a comment about why you will or won’t opt out of tracking. I am curious to see how the community feels about this issue.