GDPR and Google Analytics

GDPR and Google Analytics – What Should I Do?

What Is GDPR?

The General Data Protection Regulation (GDPR) is a data protection policy that puts customers/individuals in control of the data organisations has about them.  This European Union (EU) data privacy regulation comes into full effect on 25th May 2018, with the aim of uniting data privacy regulations across the EU.

Although GDPR is an EU regulation, it will impact any international companies outside of the EU who are doing business with EU natives and organisations. The UK’s impending exit from the European Union will not affect its compliance with GDPR. Find out more about how to prepare your business for GDPR.

What will GDPR Impact?

The new General Data Protection Regulations will impose uncompromising requirements on how businesses collect, store and use consumer data. Organisations will need evidence of explicit consent for the data they have collected, and users (the consumer) will have the right to full deletion of their data – this must be funded by the data collecting entity (the business).

It is important to remember that May 25th 2018 is when GDPR will come into full force. This is not a deadline for businesses to become completely compliant. According to AlienVault and Cyber Security Insiders, only 7% of organisations will be in complete adherence to GDPR by 25th May 2018 and 60% of businesses will not be fully compliant by this date.

GDPR Main Points

  • GDPR’s definition of ‘Personal Data’ now includes IP addresses, cookie identifiers, and GPS locations.
  • Organisations will now need explicit consent for storing any form of personal data. This includes but is not limited to; email address, DOB and name.
  • Inactivity and pre-checked boxes are no longer considered as consent.  
  • You can collect personal data if there is a lawful reason behind obtaining it.
  • People living in the EU will  have the right to have their personal data completely erased upon their request.

What does GDPR mean for Google Analytics?

Under Recital 26 of EU GDPR Privacy Regulation, ‘Personal Data’ takes on a much broader meaning. Personal Data now includes any data that you can identify a person with.  This includes data that has undergone pseudonymisation, cookies and IP addresses.

It is a breach in Google Analytics User Agreement to share any form of “personally identifiable” data.  When you use Google Analytics, you are allowing Google to access your website’s data, and Google Analytics is giving you data in the semblance of reports. You also collect user names of individuals, IP addresses and email addresses for users who log onto your website.  Alongside this, creating custom reports and combining data sets may also enable a user to be identified.

You might even be outsourcing your Google Analytics and relying on a Digital Marketing Agency to manage your account, therefore sharing ‘identifiable data’ that you’ve collected. But what does that all mean? Here are five things you need to know about Google Analytics and GDPR.

Make Sure your GA Consent Process is GDPR Compliant

Google Analytics, Google AdWords and many other third party processes that help your business rely on the collection of personal data. (You can only collect this personal data if you have a lawful basis behind it.) Right now businesses are reliant on the individuals’ consent – this is where GDPR comes in. You need to ensure your consent process is compliant – there’s a strong chance it isn’t because the criteria for the collection of personal data has become much more restricted. Whilst Google will be doing everything they can on their part to make sure they are GDPR compliant, it doesn’t mean you are free of any responsibility. You are solely responsible for your Google Analytics account – if you do not have a GDPR compliant policy when you’re using Google Analytics, your Google Analytics access will be terminated.

You need to set up clear limits for using your Google Analytics account.  This must include:

  • How you will be monitoring the use of personal data
  • How you will be stopping the use of personal data
  • Exactly who is involved in the data processing activity

If you have a lawful reason for obtaining and processing the personal data that’s needed for Google Analytics, and you wish to continue using an individual’s consent, you need to make sure that the way you obtain and interpret their consent is compliant with GDPR.

I want to Keep Using Google Analytics – What Should I Do?

One of the main aspects of GDPR is transparency and clarity on the data you are collecting. This means that you need to be really clear in terms of the data you hold, the data you plan to collect and what you are going to do with the data you are collecting.

You also need to cleanse your database of any data you are storing just in case you might need it. If you cannot justify keeping the data, then it is time for you to permanently delete it.

What GDPR Compliant GDPR Features will Google Analytics be Implementing?

Data Retention Control

Google Analytics will be implementing a Data Retention Control feature, allowing you to manage how long your user data is stored in Google’s servers. The current default data retention period for Google’s servers is 26 months, but you now have the opportunity to change this to a much shorter or longer time frame. The time frame should be made clear in your GDPR Consent Process. This will be launched on the same day GDPR will come into effect (May 25th incase you forgot).  

Loss of Important Data

As of May 25th Google will delete user data from Google Analytics Accounts that was collected more than 26 months ago. This means that data will be lost that is crucial for many of GA’s advanced reporting features. You must adjust your settings in order to prevent this.

For many businesses, their historical data is critical for their ad-hoc reporting. Should you wish to use these advanced filters, you must adjust your data retention settings to “Do not automatically expire” and make it very clear in your GDPR Consent Process that you have done this.

User Deletion Tool

Google Analytics new User Deletion Tool allows you to delete the following: Client IDs, User IDs, or App Instance IDs from your analytics data. If a user opts out of your GDPR Consent Process this is the tool you will use to wipe their data. This tool will also help you undo cross-domain and cross-device tracking.

You are responsible for your data privacy compliance

The good news is that Google Analytics users have automatically opted into these data process changes. A lot of the compliance burden for the analytics data has been taken on by Google, but you are still responsible for gathering and tracking  user’s data. Moving forward, you need to ensure that your tracking and data retention policies are complaint – in this instance, ignorance is not an excuse for non-compliance. However, should Google Analytics collect data we have not consented to or verified then businesses should not be held accountable.

Disclaimer: We’re not lawyers – we’ve based based this blog on our own research and our interpretation of the GDPR and Google Analytic’s User Agreement policies.