A few days ago, I asked myself, “what do I need to do for my Google Analytics data for GDPR?”
I felt so lost about what to actually implement to make my clients’ analytics GDPR compliant. And Google’s emails about GDPR didn’t give many answers on the topic either (to my dismay). However, the act of googling gave me something to actually implement.
First off, these are the steps I have taken for my own website and our clients, in terms of GDPR compliance for Google Analytics (GA). So a disclaimer is due: I don’t know all the answers. These are the steps I’ve taken with our clients. C’est tout.
Why aren’t Google doing this GDPR-thing for us?
Well, they are in a way. By using Google Analytics, we make Google our data processor. We, however, are the data controller, since we own and use the Google Analytics account. Both the data processor and the data controller need to be GDPR compliant, so it is our responsibility as the data controller (being the account owner) to make sure we are compliant. Google, as the data processor, can only make sure that their own handling of the data is GDPR compliant. That is all. So buckle up, and take the GDPR ride to compliance.
Okay. So what steps did you take?
Glad you asked.
The steps
GDPR in a teeny tiny nutshell — make sure you don’t store personally identifiable information (PII). This is an important one. As a data analyst using GA, you might be familiar with the fact that sending PII to Google’s servers has been against the Terms of Use for quite some time. However, data can come in in various ways, e.g. through URLs. So you need to audit the data you collect on your website.
In Behaviour Report -> Site Content -> All Pages, check that you don’t have any query strings containing PII, such as ?email or e-mail addresses in the form of @, by searching for these in the search box. Also search for other PII such as names (first name, surname etc.). These are classic query string parameters in, for example, forms on the website.
Also check your Custom Dimensions, if the site has any, so that they don’t send PII.
Why not just add a filter inside GA and filter PII out?
Extra points! But sadly, since a filter is applied only after the data has already been sent to and stored on Google’s servers, this is not a solution: you don’t want to (and shouldn’t!) transmit any PII to Google’s servers in the first place. That is why you need to properly audit your data.
What to do if I have PII?
Identify the leak and talk to the developers to find a fix for it.
A rumor around town is that one apparently can set up filters in GTM so that the data is cleaned before it is sent to GA’s servers. Haven’t done this myself though. Might be worth checking in!
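The All Pages audit above and the GTM pre-send filtering mentioned here can be driven by the same function. This is an added example, not code from the original post or from Google: the list of parameter names, the e-mail pattern and the sample rows are my own assumptions, not an exhaustive definition of PII.

```javascript
// Added example (not from the original post). redactPii() strips PII-bearing
// query parameters (and e-mail addresses in the path) from a page URL before
// the hit is sent to GA; auditPages() reuses it over rows shaped like an
// All Pages export to find pages that already leaked PII.

// Query-string keys that typically carry PII from form submissions (assumed)
const PII_PARAMS = new Set([
  "email", "e-mail", "mail", "name", "firstname", "first_name",
  "lastname", "last_name", "surname", "phone", "tel",
]);
const EMAIL_RE = /[^\s@&=\/]+@[^\s@&=\/]+\.[a-z]{2,}/i;

// Returns { page, removed }: page is the GA-style path + query with PII
// replaced by REDACTED, removed lists which parameters (or the path) hit.
function redactPii(pageUrl) {
  // The base origin only makes relative paths parseable; it is never emitted.
  const url = new URL(pageUrl, "https://example.invalid");
  const removed = [];
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, "REDACTED");
      removed.push(key);
    }
  }
  let path = url.pathname;
  if (EMAIL_RE.test(path)) {
    path = path.replace(EMAIL_RE, "REDACTED");
    removed.push("(path)");
  }
  return { page: path + url.search + url.hash, removed };
}

// Audit: keep only rows that contain PII, with the redacted form alongside.
function auditPages(rows) {
  return rows
    .map((r) => ({ original: r.page, pageviews: r.pageviews, ...redactPii(r.page) }))
    .filter((r) => r.removed.length > 0);
}

// Constructed sample rows standing in for an All Pages export.
const SAMPLE_ROWS = [
  { page: "/contact/thanks?email=jane.doe%40example.com&first_name=Jane", pageviews: 12 },
  { page: "/products?category=shoes&page=2", pageviews: 340 },
  { page: "/search?q=bob%40example.org", pageviews: 5 },
  { page: "/unsubscribe/john@example.com", pageviews: 3 },
];

console.log(auditPages(SAMPLE_ROWS));
```

In GTM, wrap `redactPii(document.location.href).page` in a Custom JavaScript variable (GTM only accepts ES5 syntax there, so swap out const, arrow functions and Set first) and use that variable as the `page` field under Fields to Set in the GA tag.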
If you wish to be on the safe side (who doesn’t?), perhaps you should consider installing a cookie consent form on your website, because to be compliant with GDPR you need explicit consent to track users. This means a pop-up where the user can read about GA and a button (which of course isn’t ticked in advance) that asks for the user’s consent. Only once consent has been given should you track the user. This could, of course, mean rules etc. inside GTM or in your implementation of GA.
Basically, we can’t just install the GA code on our website anymore. We need consent to track people. Read more about this in ‘5 actionable steps to take for GDPR compliance’ or watch Julian’s video; links are below.
As it is so hard to say anything about GDPR before an actual legal judgment has been made, there are discussions about the importance of only tracking users when they have explicitly given their consent. Because how would that happen practically? A pop-up overlay that demands your choice of being tracked or not? This would of course limit the amount of analysis we can do in the future. So, this step is sort of in a gray area until an actual legal judgement has been made. Eager to find out though!
Admin -> Property — Tracking info -> Data retention
Here you set how long user data is stored before it gets deleted. This is something that I have consulted a lawyer about for our clients, so that we can motivate why we keep data for that specific period of time. Google’s default is 26 months, but this is something you need to consider for your business, and it should align with (and, even better, be written into) the privacy policy.
Under GDPR, IP addresses are PII. Therefore we need to implement IP anonymization. This can be done either in the code or, if you have GA implemented through Google Tag Manager, in GTM. Either way, GA will set the last octet of the IP address to zero, resulting in a slightly less precise geographical location of your visitors than before. But hey, you still have the functionality and are more GDPR compliant. Success. If you have GA implemented through GTM, go to your PageView All Pages Tag -> More Settings -> Fields to Set, enter anonymizeIp as the Field Name and set the Value to true. Voilà.
As remarketing features consist of a collection of data, usually third-party data, the safest way is to turn these off completely in GA. You do this in Admin -> Property -> Tracking info -> Data Collection, where you switch Remarketing and Advertising Reporting Features to Off. If you have an old implementation of GA you might need to remove this from the GA code snippet, or set allowdisplayfeatures to false (see Julian’s video for further details).
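Putting the consent requirement, the anonymizeIp setting and the advertising-features switch together in one place: an added example, not code from the original post or from Google. The consent cookie name and value, and the tracking id placeholder, are assumptions; the analytics.js commands and field names are the real ones.

```javascript
// Added example (not from the original post): start Google Analytics only
// after the visitor has explicitly opted in, and when starting it, anonymize
// the IP and switch advertising features off.

const CONSENT_COOKIE = "ga_consent"; // assumed name written by the consent banner

// Parse document.cookie-style text; true only for an explicit opt-in value.
function hasConsent(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((c) => c.trim().split("="))
    .some(([k, v]) => k === CONSENT_COOKIE && v === "granted");
}

// Build the analytics.js command list for a consenting visitor, or an empty
// list otherwise. Returning the commands keeps the policy testable offline.
function gaCommandsFor(cookieHeader, trackingId) {
  if (!hasConsent(cookieHeader)) return [];
  return [
    ["create", trackingId, "auto"],
    ["set", "anonymizeIp", true],       // last IP octet zeroed before storage
    ["set", "allowAdFeatures", false],  // remarketing / advertising reporting off
    ["send", "pageview"],
  ];
}

// Forward the commands to analytics.js if it is loaded; returns how many ran.
function runGa(cookieHeader, trackingId) {
  const cmds = gaCommandsFor(cookieHeader, trackingId);
  if (typeof window !== "undefined" && typeof window.ga === "function") {
    cmds.forEach((c) => window.ga(...c));
  }
  return cmds.length;
}

// Browser usage; "UA-PLACEHOLDER" stands in for the property's tracking id.
if (typeof document !== "undefined") {
  runGa(document.cookie, "UA-PLACEHOLDER");
}
```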
I haven’t heard anything else, so these features will be off for our clients until I have information that says otherwise.
FYI: Google will soon have, or already has(?!), a user deletion tool, which enables deletion of an individual user’s data. Which is great!
I have contacted my clients’ lawyers and the legal person(s) at each company to discuss GDPR compliance and implement it according to the specific client.
Some have stated that GDPR is 80% Privacy Policy. I don’t wish to state that, because frankly, I am no lawyer. Either way, you need to update your privacy policy to be transparent with how you collect data, what data it is and for what reasons you collect it (and much more). To be GDPR compliant, this also needs to be written in a concise and clear way, so that everyone understands it. No fancy lawyer-talk here. Sorry.
Admin -> Account -> Account Settings -> Data Processing Amendment: accept it, and add contact information under “Manage DPA Details”.
Epilogue
So, that is it. These are the steps I’ve taken with my clients to ensure GDPR compliance for what I am in charge of, namely web analytics tools such as GA. Hope reading this has given you new insights or crystallized existing ones; this sure would have helped me a lot a day ago.
Would love to discuss this further, so if you have any links and thoughts, do write and send them over! I’m super curious.
If you liked this article and are curious (like me, what will I write next??) for more, feel free to give me a clap and a follow. And thank yourself for being hungry for knowledge.
5 Actionable Steps for GDPR Compliance with Google Analytics:
http://www.blastam.com/blog/5-actionable-steps-gdpr-compliance-google-analytics
The amazing Julian Juenemann from Measureschool on GDPR and GA:
https://www.youtube.com/watch?v=8UedbL4tFHc
Vicky Dallas on Tools and Widgets to Manage Cookie Consent: https://medium.com/gdprstories/tools-widgets-to-manage-cookie-consent-346a00dc1dff