1. What is the GDPR and how does it affect my website?
The General Data Protection Regulation is an EU law that sets out strict requirements on how data of EU citizens may be handled.
It is enforced from 25 May 2018 and affects companies, organisations, and websites, large and small, that handle personal data of users from the EU. This applies to businesses working in the EU and/or with a user base in the EU.
For website owners, the regulation means that you have to go through all of your personal data processing activities and make sure that they comply.
With the enforcement of the GDPR, you have to revise what data you are gathering, whether you really need this data and why, and how you are keeping it secure.
What is considered “personal data” in the GDPR?
The issue for website owners when it comes to using tools such as analytics is the broad definition of personal data in the GDPR:
Not only IP addresses, contact information and sensitive data (such as medical and financial records) are personal, but also any data which can identify someone “directly or indirectly” using “all means reasonably likely to be used”.
This includes pseudonymous data, online identifiers, and cookies, which, as the GDPR states, can be combined with other data to create “profiles of the natural persons and identify them”.
What personal data does Google Analytics collect?
According to their Google Ads Data Protection Terms: Service Information, Google Analytics collects the following types of personal data:
- online identifiers, including cookie identifiers
- internet protocol addresses and device identifiers
- client identifiers
“We collect information to provide better services to all of our users – from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like.”
According to the GDPR’s definition of personal data described above, the tracking of user behaviour and profiling is only compliant with the EU regulations when the website obtains prior consent from the visitor, i.e. Analytics is blocked until the visitor has opted in.
Google’s recent email about GDPR
Google recently sent out an email to all their analytics admins about GDPR.
The purpose of this email was to introduce product updates that will help us get ready for data privacy compliance.
2. What is Google Analytics doing in preparation for the GDPR enforcement?
On their blog, Google in Europe, Google has been sharing information about how they are preparing to meet the requirements of the GDPR since August 2017.
During spring 2018, they regularly released updates about their work to become GDPR compliant: they have updated their EU User Consent Policy, made changes to their contract terms, and made changes to their products in order to meet the requirements.
To comply, and support their customers' compliance with GDPR, Google is:
- Making some changes across the network of publisher sites on which your ads may appear—enabling publishers to show non-personalised ads and to select which third parties measure and serve ads for EEA users on their sites and apps.
- Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
- Introducing granular data retention controls that allow you to manage how long your user and event data is held on their servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select.
- Launching a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics: Client ID (i.e. standard Google Analytics first-party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase).
- Exploring consent solutions for publishers, including working with industry groups like IAB Europe.
Google Analytics update – Data retention control
One of the product updates Google is introducing is data retention control. This feature will allow you to manage how long Google stores your user data on Google’s servers.
Data retention control will go into effect in your account the same day GDPR launches, May 25th.
However, you can adjust your data retention settings now. The setting you select will then activate on May 25th, 2018.
Data Retention control settings
The current default for data retention is 26 months, but you can select to retain your user data for a shorter or longer period.
User deletion tool
Google has also introduced a user deletion tool. This tool will allow you to remove users’ Client IDs, User IDs, or App Instance IDs from your analytics data. When a user opts out of tracking, you’ll use this tool to remove their data.
3. How to prepare your Google Analytics setup for GDPR
(Websites doing business in Europe or with a user base in the EU)
1. Control how you are transmitting personal data to Google
It is not sufficient to filter out personal data via the Google Analytics filters. The transmission must be stopped at code level so that the data is never sent to Google Analytics. Check your page URLs, page titles and other dimensions to ensure that no personal data is being collected. A common example of personal data collection is capturing a page URL that contains an “email=” query string parameter. If this is the case, it is likely that you are leaking personal data to other marketing technologies in use on your site!
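One way to stop the transmission at code level, as an added example that is not part of the original article: scrub the page URL and title before any tag reads them. The parameter names in PII_PARAMS and the REDACTED marker are assumptions to adapt to your own site.

```javascript
// Added example: remove personal data from the page URL and title before
// they are handed to an analytics tag.
// Assumption: these parameter names are illustrative; extend them per site.
const PII_PARAMS = new Set(['email', 'e-mail', 'mail', 'name', 'phone', 'username']);
const EMAIL = /[^\s\/?&=#@]+@[^\s\/?&=#@]+\.[a-z]{2,}/i;

function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

// Replace every email address found in free text such as a page title.
function scrubText(text) {
  return text.replace(new RegExp(EMAIL.source, 'gi'), 'REDACTED');
}

function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const removed = new Set();
  // Query string: drop parameters named like PII or whose value is an email.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL.test(value)) {
      url.searchParams.delete(key);
      removed.add(key);
    }
  }
  // Path: replace any segment that decodes to an email address.
  url.pathname = url.pathname
    .split('/')
    .map((seg) => (EMAIL.test(safeDecode(seg)) ? 'REDACTED' : seg))
    .join('/');
  // Fragment: drop it entirely if it carries an email address.
  if (EMAIL.test(safeDecode(url.hash))) url.hash = '';
  return { url: url.toString(), removed: [...removed] };
}

// In the page, before the first hit is sent (analytics.js fields):
//   ga('set', 'location', scrubUrl(window.location.href).url);
//   ga('set', 'title', scrubText(document.title));
```

The removed list is useful during an audit: log it in a test environment to find which pages put personal data into their URLs in the first place.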
2. Turn on IP Anonymization
The IP address is personal data according to the definition in the GDPR. IP addresses are by default never exposed in reporting, but Google uses them to provide geolocation data. Therefore, it is a good idea to turn on the IP anonymisation feature in Google Analytics. This change will slightly reduce the geographic reporting accuracy of your Google Analytics account.
To turn on anonymisation, you must make a change in the code.
If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings → Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’. If you don’t use Google Tag Manager, your tag management system may have this setting exposed as an option, or you may need to edit the code directly.
Once implemented, Google will anonymise the IP address as soon as technically feasible by removing the last octet of the IP address before any storage or processing begins (your IP becomes, for example, 220.127.116.0 instead of 220.127.116.11, where the last portion/octet is replaced with a ‘0’). Once this feature is enabled, the full IP address will never be written to the disk, according to Google.
3. Go through the collection of Pseudonymous Identifiers in your Google Analytics
Your Google Analytics implementation may already be using pseudonymous identifiers. These may include the following:
- User ID: Check that the user IDs are alphanumeric database identifiers, and not data written in plain text such as emails, usernames, etc.
- Hashed/Encrypted data, such as email addresses: Check whether you can do without hashed or encrypted data. Google has a minimum hashing requirement of SHA256. However, it is recommended to avoid collecting data in this manner.
- Transaction IDs: Transaction IDs are technically pseudonymous identifiers, since, when linked with another data source, they can lead to the identification of an individual. Make sure that this ID is an alphanumeric database identifier.
4. Steps to make your website’s use of Google Analytics etc. compliant
- is specific and up-to-date at all times,
- is written in a plain and understandable language,
- provides clear instructions on how one may opt in and out of one’s data being collected.
2. Implement a GDPR compliant cookie consent
- Obtained prior to the setting of the cookies on the user’s browser (strictly necessary cookies are excepted from this rule)
- Given on the basis of clear and specific information about what the consent is given to
- Based on a true choice. The user must be able to opt out of all but the strictly necessary cookies and still use the site.
- Retrievable. The user must have access to their settings and make changes to what cookies they want to accept and reject.
- Kept as documentation that the consent has been given.
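A minimal sketch of prior consent in code, as an added example that is not part of the original article: Google Analytics is neither queued nor loaded until an opt-in for statistics is stored, and the anonymizeIp field from step 2 of the setup section is set before the first hit. CONSENT_KEY, the record shape and the property ID 'UA-XXXXXXX-1' are hypothetical placeholders.

```javascript
// Added example: Google Analytics starts only after a stored opt-in.
// Assumptions: CONSENT_KEY and the record shape are hypothetical;
// 'UA-XXXXXXX-1' is a placeholder property ID.
const CONSENT_KEY = 'cookie_consent';

// Store the visitor's choice with a timestamp so it can be shown again,
// changed later, and kept as a record that consent was given.
function recordConsent(storage, statistics, now = new Date()) {
  const record = { necessary: true, statistics: statistics === true, givenAt: now.toISOString() };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

function readConsent(storage) {
  try {
    return JSON.parse(storage.getItem(CONSENT_KEY));
  } catch (e) {
    return null; // an unreadable record counts as "no consent"
  }
}

// Returns true only if analytics was started. Without an opt-in nothing is
// queued and the library is never requested, so no analytics cookie is set.
function startAnalytics(win, storage, loadScript, propertyId) {
  const consent = readConsent(storage);
  if (!consent || consent.statistics !== true) return false;
  win.ga = win.ga || function () { (win.ga.q = win.ga.q || []).push(arguments); };
  win.ga.l = Date.now();
  win.ga('create', propertyId, 'auto');
  win.ga('set', 'anonymizeIp', true); // must be set before the first hit
  win.ga('send', 'pageview');
  loadScript('https://www.google-analytics.com/analytics.js');
  return true;
}

// Browser wiring (skipped when the file is run outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  startAnalytics(window, window.localStorage, (src) => {
    const s = document.createElement('script');
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  }, 'UA-XXXXXXX-1');
}
```

Call recordConsent from the consent banner's accept and reject buttons; a record kept only in the visitor's browser covers the "retrievable" requirement, while documentation for your own files needs a copy on your side.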
5. What does all this mean to Australian businesses?
GDPR doesn’t apply to Australia. However, Australia is likely to get its own GDPR in the following months. So, for now, you only have to define your user and data retention timeframes before the 25th of May 2018 (“Do not automatically expire” is recommended for now).
These settings are found under “Admin > Tracking Info > Data Retention”