Google Analytics Tracking and GDPR – Do You Need Consent?
Google Analytics – The Most Popular Web Analytics Toolset
Most organizations are now tapping into Google Analytics analytics’s power to track and improve their business goals. However, the explosion of web analytics is associated with a host of legalization. In this article, we will look at the General Data Protection Regulation (GDPR), and how your analytics strategy plays into that. If you’ve not come across the GDPR, it may help to read an overview of the regulation. We focus specifically on using Google Analytics, which is among the most popular tools for web analytics.
What is GDPR compliance?
The GDPR came into force on the 25th of May 2018. It extended the Data Protection Act, providing further data privacy rights to citizens in the EU. It is now vital in many jurisdictions to obtain consent to use the tracking features provided by Google Analytics. This means that best practice is to ask web-visitors to opt-in as per the regulations. Unfortunately, this does mean that you’ll likely miss out on capturing data from your visitors, as not all will decide to opt-in.Now let’s look at gaining consent for using tracking features in Google Analytics. The official Google Analytics support webpage specifically notes: “When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.”This resource assists users to comply with GDPR and CCPA when implementing Google’s Analytics services.
Are you interested in taking your analytics capabilities to the next level? Get in touch with e-CENS and use data to transform your business.
Interpreting Google’s Requirement for a Compliant Implementation of Google Analytics
In interpreting Google’s statement, it is clear that if your organization has enabled the Advertising Features in Google Analytics, you will most likely need consent from EU citizens. However, you may be wondering how Google defines ‘Advertising Features’, and we will take a closer look at this. Advertising Features can include any of the following:
If you are using Analytics Demographics as well as Interest Reporting
When remarketing is used within Google Analytics
If you use Google Display Network Impression Reporting
Any integrated services that might require Google Analytics to retrieve data for advertising – which includes any data that might be fetched through advertising cookies and identifiers.
Google Signals to enable Cross Device features will also require consent.
However, it must be noted that if you don’t use any Advertising Features alongside Google Analytics, then there is no need for consent, and you can browse the advice on this below.
Other Reasons Why Consent May be Required
As well as taking into account Google’s recommendations around consent and Advertising Features, you might also wish to gain consent in these scenarios:
When you collect geographic data
If you collect any pseudonymous identifiers
Collection of User IDs
Pseudonymous Identifiers and User IDs
If personally-identifiable information (PII) is collected, then this will go against Google Analytics’s Terms of Service. It is important to note that the data is classed as PII if it can identify a visitor. However, it must be noted that pseudonymous identifiers such as User IDs do not count as PII. You can also browse the Google Analytics support website, which provides information on how to encrypt PII by utilizing the SHA256 hashing requirement. Under GDPR, personally identifiable information includes both direct identifiers and indirect identifiers such as IP addresses, so you should implement IP anonymization.
Google and Data Sharing
Google might sometimes ask you to share your analytics data so that it can improve its services and may also provide access to your account to specialists who might look for data opportunities. We don’t recommend that you share your data as you are unlikely to benefit from it. It also raises concerns around your own compliance with GDPR, so this is not a recommended option. However, the benchmarking settings are anonymous and are actually beneficial to your organization. They are likely to be compliant with GDPR. In your analytics dashboard, we recommend navigating to ‘Account Settings’ in the admin area and carefully exploring all of the options and being aware of them.
Our Tips for Using Google Analytics Going Forward
This post has provided an introduction and overview of areas that might need user consent when using tracking features in Google Analytics. It is common practice to collect data in Google Analytics for your whole audience. To comply with GDPR, it is advisable to implement ‘Advertising Features’ for those users that opt-in – which will enable remarketing, demographics, Google Signals, as well as a host of other interesting features. The legislative environment is in constant evolution, so we recommend keeping up-to-date with developments around the world.
Disclaimer – Declaration of interest
We are not impartial observers of the impact of legislation on our customer’s regulatory environment. Here at e-CENS, we are analytics specialists, offering expertise in selecting and tailoring our client’s analytics solutions. If you are ready to take a deep dive into Google Analytics, contact us. We support the end-to-end cycle of implementing Google Analytics, through to your consumer targeting – while ensuring that you are compliant in your regulatory environments, whether global or local.
Certified in analytics technologies and methodologies and media stack, Sunil has over 14 years of experience in analytics, customer insights, business intelligence, and conversion rate optimization in web and mobile for a range of industries, such as retail, healthcare, media, finance, transportation, and hospitality.