A Guide To Google Analytics and GDPR
If you use Google Analytics on your site, in accordance with GDPR, Google is your Data Processor and you are the Data Controller (since you are in control of what data is sent to Google Analytics for processing).
According to Article 24 of GDPR, it is the Data Controller's responsibility to:
“implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this regulation”.
Ultimately, you are responsible for ensuring that you collect data that is allowed in a manner that is in accordance with GDPR before it is processed by Google Analytics.
Personally Identifiable Information
According to GDPR, personal data is:
“...any information relating to an identified or identifiable natural person (‘data subject’).”
“...an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In the context of Google Analytics, data that may be considered personal or PII (personally identifiable information) includes phone numbers, IP addresses, user names, email IDs. This is not an exhaustive list - if you have a question on whether another data point could be considered personal data, you should refer to your legal team.
Steps to ensure you are not collecting PII
1. Audit your Google Analytics Data for PII
Audit the data in your Google Analytics property (using the Raw View) to ensure that no PII is being collected via page titles, URLs or other dimensions. A common example is URLs with query strings that contain PII e.g. “firstname.lastname@example.org”. If you find that PII is finding its way into your reports, you must find out where this data is coming from and stop it at source (simply filtering out PII with a Google Analytics filter is not enough here - it should never make it to Google’s servers in the first place).
2. Turn on IP anonymisation
Under GDPR, an IP address is considered PII / personal data. Whilst Google Analytics does not report on IP addresses within your reports, it does track and store IP addresses of your site’s users in order to report on geo-location data.
Given your role as Data Controller, we recommend that, in order to be extra vigilant, you should use IP anonymisation to mask website visitors’ IP addresses before they are sent to Google Analytics. When you enable IP anonymisation, the last 3 digits of your web visitor’s IP address are automatically dropped before the data is sent to Google for processing.
NOTE: The impact of this is slightly less accurate geo location data within Google Analytics.
To enable IP anonymisation, you need to make a small tweak to your core Google Analytics code. There are a few ways to do this depending on your Google Analytics implementation. If you use Google Tag Manager then you simply add the anonymizeIp field in your Google Analytics tag or Google Analytics Settings variable and set the value to “true”.
3. Review User ID Tracking Implementation
If you have enabled User ID tracking, you should review it to ensure that the data point you are using as a User ID is not personally identifiable. It should be an alphanumeric identifier and never be plain text e.g. email, phone number or username.
4. Review Transaction IDs
If you have e-commerce tracking set up, your transaction IDs should be alphanumeric database identifiers and should not be able to be used to identify specific users, even in combination with other data points.
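The checks from steps 1 to 3, applied at source so the values never leave the browser, as an added example that is not code from this guide or from Google. It assumes analytics.js field names (`location`, `anonymizeIp`, `userId`); the regular expressions, the `SENSITIVE_PARAMS` list and the function names are hypothetical and need tuning to your own site.

```javascript
// Added example: clean the values sent to Google Analytics before they are sent.
// Patterns and parameter names are assumptions, not part of any Google API.
const EMAIL = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i;
const PHONE = /\+?\d[\d\s().-]{7,}\d/; // deliberately broad: over-redacting is the safe failure
const SENSITIVE_PARAMS = new Set(['email', 'phone', 'username', 'name']); // hypothetical names

const looksLikePii = (value) => EMAIL.test(value) || PHONE.test(value);

function safeDecode(segment) {
  try { return decodeURIComponent(segment); } catch (e) { return segment; }
}

// Returns the URL with PII-bearing query values and path segments replaced,
// plus the places that were redacted (useful for tracing where the PII comes from).
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const redacted = [];
  for (const [key, value] of [...url.searchParams]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase()) || looksLikePii(value)) {
      url.searchParams.set(key, 'REDACTED');
      redacted.push('query:' + key);
    }
  }
  url.pathname = url.pathname.split('/').map((segment) => {
    if (!looksLikePii(safeDecode(segment))) return segment;
    redacted.push('path');
    return 'REDACTED';
  }).join('/');
  return { url: url.toString(), redacted };
}

// Shape check only: rejects emails and phone-like values. It cannot tell a
// username from a database key, so the ID's origin still has to be reviewed.
function isOpaqueId(id) {
  return /^[A-Za-z0-9_-]{8,64}$/.test(id) && !looksLikePii(id);
}

// Fields for analytics.js `ga('set', fields)`, built only from cleaned values.
function buildTrackerFields(rawUrl, userId) {
  const fields = { location: scrubUrl(rawUrl).url, anonymizeIp: true };
  if (userId && isOpaqueId(userId)) fields.userId = userId;
  return fields;
}
```

The `redacted` list is worth logging on your own side during the audit: it shows which parameter or path is leaking, which is what you need in order to fix the page that generates those URLs.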
Explicit Consent For Data Collection
According to Recital 40 of GDPR:
“In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis…”
Article 6 lists 5 justifications other than obtained consent:
- Performance of a contract;
- Compliance with a legal obligation;
- Necessary to protect the vital interests of a person;
- Necessary for the performance of a task carried out in the public interest; or
- In the legitimate interests of company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject).
Article 4 (11) of GDPR defines consent as follows:
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
So now that we have a definition for “consent”, the question when it comes to Google Analytics tracking is - do you need explicit consent from users to collect their data? The answer, unfortunately, is not clear cut.
Google Analytics at its most basic uses a 1st party cookie identifier called the Google Analytics Client ID - this is an unavoidable part of how Google Analytics works. GDPR specifically notes “online identifier” within the scope of its definition of “personal data”.
There have been many arguments made against the need for opt-in consent when it comes to the Google Analytics Client ID specifically - much of it based on the excerpt below from the European Commission’s ePrivacy Regulation proposal back in 2017:
Ultimately, however, the ePrivacy Regulation is still being negotiated in the European Commission and we are unlikely to see the final legislation any time soon. Therefore, whether explicit opt-in is required for the setting of this Google Analytics Client ID cookie is a decision for your legal team based on their interpretation of the GDPR regulations.
Aspects of Google Analytics tracking that definitely need opt-in consent:
Besides the uncertainty around the Google Analytics client ID cookie however, there are optional features of Google Analytics tracking that definitely require opt-in consent if implemented.
3rd party DoubleClick Cookies
If Google Analytics Advertising Features have been enabled in Google Analytics (this setting needs to be enabled for things like Demographics and Interests reports, remarketing and DCM integration) then a 3rd party cookie has been enabled which shares information with organisations other than your own.
Google’s own official advice to those who use these features is to request explicit consent.
So in such a case, you have 3 options:
- Ask for explicit consent before enabling ANY Google Analytics tracking (safest option - assumes that all Google Analytics tracking including the Client ID cookie require opt-in consent).
- Turn off Google Analytics Advertising Features (and lose the associated features like Demographics and Interests reports) and leave the standard Google Analytics Client ID outside of the scope of the opt-in functionality (assumes that the Google Analytics Client ID cookie does not require opt-in but 3rd party cookies do require opt-in).
- Configure your Google Analytics tags via Google Tag Manager so that the Advertising Features are only enabled dependent on specific opt-in, whilst the standard Google Analytics Client ID remains outside of the scope of the opt-in functionality.
User ID Tracking
If you configured User ID tracking, you need to acquire explicit consent from users to track their activities across devices. In terms of configuration, if you use Google Tag Manager, you can follow a similar process described above (in Option 3 of our Advertising Features choices above) to only enable User ID tracking after consent has been granted, whilst the standard Google Analytics Client ID remains outside of the scope of the opt-in functionality.
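The three Advertising Features options and the User ID opt-in described above, expressed as one decision function. This is an added example, not code from this guide or from any consent tool: the `site_consent` cookie, its format, the category names and the policy names are all hypothetical, and the returned fields assume analytics.js (`anonymizeIp`, `allowAdFeatures`, `userId`).

```javascript
// Added example: decide what Google Analytics may do from the stored consent choices.
const CONSENT_COOKIE = 'site_consent'; // hypothetical; value looks like "statistics:1|marketing:0"
const POLICIES = ['consent-for-all', 'no-ad-features', 'ads-on-opt-in']; // hypothetical names

// Missing, malformed or unknown entries all resolve to false: opt-in means default-deny.
function parseConsent(cookieHeader) {
  const consent = { statistics: false, marketing: false, crossDevice: false };
  const prefix = CONSENT_COOKIE + '=';
  const cookie = String(cookieHeader || '').split(';').map((c) => c.trim())
    .find((c) => c.startsWith(prefix));
  if (!cookie) return consent;
  for (const entry of cookie.slice(prefix.length).split('|')) {
    const [category, flag] = entry.split(':');
    if (Object.prototype.hasOwnProperty.call(consent, category)) {
      consent[category] = flag === '1';
    }
  }
  return consent;
}

// The three options from the list above, as policies:
//   'consent-for-all' - no Google Analytics at all until statistics consent is given
//   'no-ad-features'  - Client ID tracking always on, Advertising Features always off
//   'ads-on-opt-in'   - Client ID tracking always on, Advertising Features only on opt-in
// Returns null when Google Analytics must not load, otherwise analytics.js fields.
function gaFieldsFor(policy, consent, userId) {
  if (!POLICIES.includes(policy)) throw new Error('unknown policy: ' + policy);
  if (policy === 'consent-for-all' && !consent.statistics) return null;
  const adsAllowed = policy !== 'no-ad-features' && consent.marketing === true;
  const fields = { anonymizeIp: true, allowAdFeatures: adsAllowed };
  // User ID (cross-device) tracking needs its own opt-in under every policy.
  if (userId && consent.crossDevice === true) fields.userId = userId;
  return fields;
}
```

Re-run `gaFieldsFor` whenever the visitor changes their preferences, so that a withdrawn opt-in takes effect on the next hit and not on the next visit.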
Opt-in Solutions / Cookie Consent Banner Solutions
I’ve spoken a lot about cookie consent banners and opt-in functionality, in particular the necessity (depending on your legal view of Google Analytics and GDPR) of blocking / allowing scripts or specific parts of scripts depending on whether a user has “opted in” for that particular type of tracking.
So it is clear that in order to comply with GDPR we are likely to need some form of opt-in functionality (e.g. a cookie consent banner) which asks users to decide on whether they want to opt-in or remain opted-out from certain types of cookies being set during their visit, then once those choices have been submitted, allows only the relevant scripts (and specific parts of scripts) to be executed. The solution must also allow users to change their preferences at any time during their visit.
In the context of Google Analytics (I am only talking about Google Analytics cookies here, not any other cookies that may be set by scripts via GTM or via a site’s code) both CookieBot and OneTrust Cookie Pro meet these criteria and are worth your consideration.
- Which Google Analytics features have been implemented (Google Analytics Client ID cookie, 3rd party cookie for Google Analytics Advertising features, User ID tracking, etc.)
- How you and 3rd parties use 1st party cookies (e.g. Google Analytics Client ID) and 3rd party cookies (e.g. DoubleClick cookie for Google Analytics Advertising Features)
- How users can opt out from having their data tracked by any or all of these cookies and features