0
CookiePro Blog May 8, 2020

Is Google Analytics GDPR Compliant?

Due to strict regulatory guidance by the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR), there are many websites that risk non-compliance from their use of Google Analytics.

Learn about how these regulations may affect you as a website owner, and how you can continue to use Google Analytics to track visitors from the EU in a compliant way.

Google Analytics is used by over 30 million websites – many website owners are asking: Is Google Analytics GDPR compliant?

The answer is yes, but you must first take steps to ensure your use of tracking is compliant.

In this article, I’ll review the rules around GDPR, how Google Analytics is useful to website owners, and how you can continue to use Google Analytics to track visitors from the EU in a compliant way.


What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation to regulate how organizations may obtain, use, and store the personal data of EU residents.  You can learn more about the GDPR in our overview here.

Who Does GDPR Apply To?

The GDPR applies to organizations operating within the EU that process data as well as organizations outside the EU that offer goods or services to individuals in the EU.

In other words, so long as you’re processing the data of EU citizens (even if you’re not headquartered or based out of the EU), the GDPR applies to you.

What Rights Are Given to EU Citizens?

  • The GDPR gives EU citizens the final say on how their data is used
  • The GDPR imposes tighter restrictions on how companies handle personally identifiable information (PII)
  • The GDPR gives users privacy rights by default and companies can store/use data only if consent has been granted

What is PII under GDPR?

Personally identifiable information (PII) is any data that can be used to identify a specific individual.  Examples include full name, email address, IP address, login IDs, etc.


What is Google Analytics?

Google Analytics is a free website analytics service offered by Google that collects anonymized data on site visitors and and reports traffic on your website.  It’s one of the most popular digital analytics software used by over 30 million websites – and for good reason.  Nowadays almost all businesses have an online presence through a website.  In order to monitor whether your business is achieving its purpose, you need to know the details of how visitors are getting to your site, how long they’re staying, what pages they’re visiting, and whether they’re completing goals based on events.

How is Google Analytics Helpful?

Data

With Google Analytics, you can uncover valuable information about your audience and their behavior to determine which channels drive the most traffic on your website.

Here are a few examples of data Google Analytics collects from visitors and how it can be used to optimize your website:

  • Age: Age is one of the best indicators of your audience and it can be used to help you optimize your website’s content, tone, imagery, and platforms to market on.  For example, if most of your audience is ages 45-54 you would probably want to target more Facebook ads, whereas if your audience is 18-24, Instagram may perform better.
  • Gender: Gender helps you to describe your audience, and it plays an important role in how your visitors communicate and engage online.
  • Interests: Google Analytics provides you with interest categories based on visitor’s behavior from other sites so you can optimize your website’s content in accordance with their interests.
  • Devices: Ensure your website is responsive based on the kind of devices visitors are using.
  • Location: Understanding where visitors come from helps you to formulate marketing and sales strategies according to the physical location of your target audiences.
  • Language: The language demographic lets you know what language visitors are using – this could help you prioritize which languages you need to translate content to.

PPC Advertising Optimization

Google Analytics tracking is useful for monitoring and optimizing PPC (pay-per-click) advertising.  PPC is a model of internet marketing where you pay a fee each time one of your ads is clicked.  Essentially, it’s a way of buying visits to your site, rather than attempting to “earn” those visits organically.

Search engine advertising is one of the most popular forms of PPC.  It allows you to bid for ad placement in a search engine’s sponsored links when someone searches for a keyword related to your business offering.

PPC ads are one of the most effective ways to reach new customers and grow your business.  However, it costs money – and sometimes a whole lot of money… we’re talking millions here.  Therefore, it’s important to determine how much traffic is coming from paid vs. organic to best optimize your PPC strategy.

How Does Google Analytics Collect Data?

So now that you know how important Google Analytics can be for your website, it’s also important to know how it’s tracking those visitors.  Once you add the Google Analytics script to your site – it starts recording user behavior and information about site visitors through cookies and hits.

Where does the data come from?

Google Analytics sources data from the following sources:

The HTTP Request and Browser/System Information of the user which contain details about the browser and device making the request, such as:

  1. Hostname: www.cookiepro.com vs. app.cookiepro.com vs. community.cookiepro.com
    1. Browser type: Safari vs. Chrome vs. Internet Explorer
    1. Referrer: Did I get sent here from Google or Facebook
    1. Language: My preferred language is Spanish

Google Analytics also sets and reads first-party browser cookies – or small text files – with a randomly-generated ClientID to obtain user session and ad campaign information.

How is that data sent to Google?

Once all the information is collected, it is compiled together and sent to the Google Analytics servers via a single-pixel GIF image request where it is then processed and visible in your Google Analytics account.

You can read more about how Google Analytics collects data here.


Google Analytics and GDPR

While Google Analytics doesn’t collect personally identifiable information like name or email, the GDPR defines PII to include persistent IDs such as ClientID, UserID, and IP Address – all of which are tracked and stored in Google Analytics.  Since you’re sharing your visitors’ PII with a third-party (GA), you must disclose this information and provide visitors with a choice to opt-in or opt-out of the collection and processing of their data.

What Has Google Done to Ensure GDPR Compliance?

Since GDPR came into effect, Google has made significant changes to the way Google Analytics works and the conditions users must follow in order to use the platform.  Some of the changes include:

  • Adding a feature to allow websites to delete the information of individual users if they make a deletion request. This is required under the GDPR’s “Right to Erasure.”
  • Introducing a feature to allow websites to control how long Analytics stores data. By default, this is set to 26 months, although users can modify the duration.
  • Restricting the processing of data for children under the GDPR age of consent.

In addition to these changes, Google has updated its EU User Consent Policy to reflect the new GDPR requirements. Google states that any website using Google products must:

  • Obtain valid consent to use cookies or other local storage where legally required.
  • Get consent to collect, share, and use personal data for the personalization of ads.
  • Retain records of consent.
  • Provide users with clear instructions about how to revoke consent.
  • Inform users which parties may collect, receive, or use the data collected from the Google product in use.

Google states that websites failing to conform to these standards may be banned or suspended from using its products.

Do I Need Consent From EU Residents for Google Analytics?

The safe answer is “yes”.  The GDPR is against websites sharing data with any 3rd party without consent.  By not collecting consent, site owners not only risk a fine from GDPR but also risk losing access to Google products.

What Steps Do I Need to Take?

The safest and most user-first approach to build trust with your website visitors is to use a consent management tool that requests consent prior to dropping cookies.

  1. Request Consent by displaying a cookie banner when a visitor first lands on your site in order to gain consent for the use of cookies. The banner should provide a simple explanation about what the cookies are used for and provide a way to opt-in or opt-out of the use of cookies.
    1. In order to have the greatest chance of staying compliant with GDPR and ePrivacy, websites should not drop cookies—other than those deemed strictly necessary—until after they have received permission to do so.
  2. Allow Users to Modify their Consent Preferences with a preference center that revokes their permission to store cookies.
    1. Revoking permission should be as easy to do as it was to give permission in the first place.
  3. Add a Cookie Policy to your website that clearly explains which cookies are in use and what the cookies do. The policy should be kept up-to-date and should be easy to understand, even by those without a technology background.
  4. Add a Data Subject Request Form to your website for visitors to request the deletion of their personal information.

In addition, you should take steps to control the information you send to Google Analytics.

  1. Don’t send PII to Google, including addresses, email address, etc.
  2. Enable IP Anonymization in Google Analytics as GDPR considers IP address as an online identifier.

How CookiePro Helps

CookiePro’s Website Scanning & Cookie Consent solution makes it simple to ensure your Google Analytics implementation is GDPR-compliant.

Cookie Consent Templates Geolocation Rules GDPR

Website Scanning & Cookie Categorization

Scan your Website to identify and auto-categorize all cookies and tracking technologies on your site.  CookiePro automatically categorizes cookies against Cookiepedia, the world’s largest database of over 19 million pre-categorized cookies

Dynamic Cookie Policy

Generate a Dynamic Cookie Policy that is auto-populated with the cookies found from your website scan.

Geolocation Rules

Create Geolocation Rules for regions, countries, and states to determine how cookies should load on your site based on the website visitor’s location.

Set rules to auto-block all cookies in the Analytics Category for anyone visiting from the EU, but auto-load all cookies in the Analytics Category for visitors from California.

Auto-Blocking 

Enable Auto-Blocking and publish the CookiePro script to your site to block cookies prior to consent based on your geolocation rules.

Need to make changes to your consent models, categorizations, or geolocation rules?  Did you add new cookies to your website?  No problem!  Make all changes within the CookiePro app and the changes will reflect in real-time on your website.  No code changes required.