How to Be GDPR Compliant with Google Analytics

Google Analytics is by far the most popular tool for collecting analytical data. It tells you how many people are visiting your website, what they do, how long they stay, and so forth.

However, collecting personal data also means that you have a duty to comply with various data protection laws. This raises the question: ‘Am I compliant simply by using Google Analytics, or do I need to take additional steps to be compliant?’

Privacy laws vary from country to country; hence there is no simple answer to this question. Google takes measures to ensure its own compliance with the General Data Protection Regulation of the EU (GDPR) and other international data protection laws. But this only means that Google is compliant. It does not mean that you are compliant as well. You will most likely have to take some actions to adjust your practices and become compliant with the laws that apply to you.

What Data Does Google Analytics Collect?

You can use Google Analytics by installing a piece of code on your website. This code assigns an identifier to every visitor who comes to your website (stored in a cookie) and tracks their behavior. According to the Google Ads Data Protection Terms: Service Information, it collects the following data:

  • Online identifiers, including cookie identifiers
  • Internet protocol addresses and device identifiers
  • Client identifiers

In their privacy policy, Google also explains what data they collect and how they do it. They collect the following:

Information that you create or provide to them. This includes the information you provide to them by using their services, such as name, email address, phone number, and content that you create or upload while using Google services.

Information about your use of their services. This includes three types of information:

1. Information about the apps, browsers, and devices you use. For that purpose, they collect unique identifiers, information about your device and browser, IP address, crash reports, and others.

2. Information about your activity. This includes data on the terms you search, purchase activity, videos watched, interaction with ads, browsing history, people with whom you share content, and most important – activity on websites and apps that use their services, such as Google Analytics.

3. Your location information, such as IP address, GPS, sensor data from your device (like accelerometer to understand your speed), and information about things near your device (such as Wi-Fi spots).


What Do Privacy Laws Say About Collecting This Information?

From a legal perspective, the use of Google Analytics was already an issue before the GDPR came into force. The EU ePrivacy Directive requires prior consent before storing or reading cookies that are not strictly necessary for the service the visitor asked for, which covers marketing cookies. It means that all this time you needed prior consent to retarget your website visitors from the EU with Google ads.

However, it was the introduction of the GDPR that shook things up. If the GDPR applies to your website, then you have to comply with its requirements regarding the use of data collection services like Google Analytics.

A key difference between the GDPR and many other privacy laws is its broader definition of personal data. Data that the GDPR treats as personal, other laws often do not. Aside from basic data such as name, phone number, home address, and email address, personal data under the GDPR explicitly includes online identifiers such as IP addresses and cookie IDs. Does this mean that you need prior consent for tracking data using Google Analytics? It depends. The answer follows further in the article.

Do I Need to Comply With the GDPR?

You have to comply if:

  • You are based in any of the EU countries
  • You track visitors from any of the EU countries (the GDPR covers monitoring the behavior of people in the EU, which is exactly what an analytics tool does)

The GDPR applies to you if you meet either of these two conditions. If you are based outside the EU, it applies only to your interactions with EU visitors.

Many people assume that Google takes care of GDPR compliance and that this frees them from thinking about it. While it is true that Google does take measures toward compliance, the GDPR applies to the data you use, no matter how you obtained it. If you collect and use any type of personal data, you have to do it in accordance with the law, even if the tools you use are compliant.

Who Is the Data Controller?

Google Analytics collects data on your behalf, which makes Google a data processor under the GDPR. You decide why and how that data is used, which makes you the data controller. The GDPR requires both the data controller and the data processor to comply with its rules. It means that relying on Google’s compliance is not enough. You have to be GDPR compliant yourself. That leads us to the important question when it comes to using tracking services like Google Analytics: ‘Do you have to ask for prior consent before using tracking cookies?’

Do I Need Prior Consent For Using Google Analytics?

The need to get prior consent from website visitors before tracking their data with Google Analytics depends on whether you will use that data for advertising or not.

If you use the data for advertising purposes, including remarketing or demographics and interests reporting, then you have to obtain prior consent before setting cookies on your users’ devices to get the data you need. This duty applies to you only for your EU visitors, or, if you are based in the EU, for all of your visitors.

However, if you use the data only for tracking the number of visits, where your visitors come from, the average time your visitors stay on your site, and so on, you can, on the reading set out below, use Google Analytics without obtaining prior consent, but only if you make a few tweaks in the settings (more advice on that below).

According to the Policy Requirements For Google Analytics Advertising Features, when you use the Google Analytics advertising features you have to comply with the EU user consent policy, which obliges you to obtain end users’ valid consent to:

  • The use of cookies or other local storage where legally required
  • Collect, share, and use personal data for personalization of ads

The policies do not mention anything about collecting and using data for non-advertising purposes, which implies that you may not need consent for those. Keep in mind, though, that Google’s policy only states what Google requires of you; the ePrivacy Directive’s cookie rules mentioned above apply regardless of what the policy says.

Moreover, under the GDPR you have to ask for consent only if none of the other five lawful grounds for processing personal data applies. One of them is the legitimate interest of a private-sector organization, which applies when the processing is necessary for that interest and the interest is not overridden by the rights and freedoms of the individuals concerned. It is not yet clear whether European authorities accept this as a ground for using Google Analytics without prior consent, but the wording of the GDPR leaves room for the argument. Note that legitimate interest is a GDPR ground for processing; it does not replace the ePrivacy consent requirement for non-essential cookies.

How to Make Your Google Analytics Account GDPR Compliant?

It is important to note that implementation of the GDPR is still new for everyone, including EU authorities, therefore you can’t be 100% sure. If we had enough case law, it would eliminate the guessing, but we don’t. However, you can take concrete steps to move your website and your Google Analytics accounts toward GDPR compliance.

To move your GA account towards GDPR compliance, consider the following actions:

1. Turn on the Anonymize IP feature. IP addresses are personal data under the GDPR. With this feature on, Google Analytics truncates the address (the last octet of an IPv4 address, the last 80 bits of an IPv6 address) in memory before it is stored or used, so the stored data no longer contains the full address. Note that the full address still reaches Google’s servers in the request itself, so this reduces rather than eliminates the personal data involved. Google Analytics will still report the number of visitors on your site. You enable it by setting the anonymizeIp field in your Google Analytics tracking script.

2. Avoid Leaking Data to Google. Google Analytics’ terms of service prohibit sending personally identifiable information (PII) to Google, because Google needs to stay compliant itself. Using the service therefore obliges you to keep your users’ personal data out of the hits your site sends. You can do this by:

  • Scrubbing URLs (page paths, query strings, and referrers) before sending them to Google Analytics
  • Removing user-entered information (usually from search boxes and form fields) before sending it to GA
  • Not passing fine-grained (finer than roughly a square mile) geolocation information to them
  • Using your AdSense account according to Google’s Best Practices to Avoid Sending PII
  • Hashing (not merely encrypting) any personal data you must send to Google, and only if the hashing meets Google’s standard: the minimum requirement is SHA-256, with a strong recommendation to use a salt of at least 8 characters. Keep in mind that a salted hash of an identifier is pseudonymous data, which the GDPR still treats as personal data.

3. Set the Allow Ad Features field (allowAdFeatures in the analytics.js script) to false and keep it like that until you get consent. This lets you track the number of visitors, how long they stay on the website, what they read, and other non-advertising data without consent.


4. Disable the Remarketing and Advertising Reporting Features if you don’t need them. Go to Tracking Info → Data Collection and turn off the toggles. If you do need the Remarketing and Advertising Reporting Features and keep the toggles turned on, you have to ask for prior consent.

5. Do not link your Google AdWords account to the Google Analytics account unless you need it. Linking feeds Analytics data into your advertising, which puts you back into the consent case described above.

6. Set the data retention period in accordance with your privacy policy. As part of its effort to comply with the GDPR, Google introduced new data retention settings. Now you can choose for how long you want to keep user- and event-level data before it is deleted automatically (aggregated reports are not affected by this setting). If your privacy policy tells your visitors that you’ll keep their data for 50 months, then set the retention period to 50 months. Do not hold data that you don’t need anymore.


7. Limit the Data Sharing Settings to those you really need. Unless you are an Analytics 360 user, you likely do not need any of these features.

To make your website GDPR compliant, update your privacy policy and ask for consent every time you collect personal data with Google Analytics for advertising purposes.

The simplest way to get an up-to-date privacy policy is by using an online privacy policy generator. It will allow you to be transparent with your users about the data you collect and use. You’ll also need a GDPR-compliant cookie banner to ask for consent. For both, you can use the ones provided by Secure Privacy.

The Takeaways

The GDPR makes the use of Google Analytics and other analytical tools somewhat more complicated. Few website owners used to worry about privacy-law compliance while using this tool, but that has changed.

Using Google Analytics is still a grey area in the EU, mostly because no one is sure whether you need to ask for prior consent or not. If you rely solely on the opinion of Google and its legal team, then you need it when you collect data intended for advertising purposes. The rest is a matter of interpretation of the GDPR.

Disclaimer: This website contains general information about legal matters. This article is for informational purposes only. The information is not advice, and should not be treated as such. Talk to your lawyer before applying any of the advice listed in the article.