Google Analytics and GDPR
Last Updated: May 8, 2020
Because of the strict requirements of the General Data Protection Regulation (GDPR) and the ePrivacy Directive, many websites risk non-compliance through their use of Google Analytics.
Learn more about how these regulations may affect you as a website owner, and how you can continue using Google Analytics to track visitors from the EU in a compliant way.
Google Analytics, GDPR, and ePrivacy
Google Analytics is Google’s website analytics tool. It provides insights about the demographics of visitors to your website, how they get there, and how they interact with it. In GDPR terms, Google Analytics is a data processing tool: it collects data about identifiable visitors and stores it on Google’s infrastructure.
The EU’s ePrivacy Directive requires websites to obtain consent before storing cookies on a user’s device, except for cookies that are strictly necessary for the site to work. GDPR, in turn, lays out the requirements for what constitutes valid consent.
Websites don’t need analytics software to function, so analytics cookies are not strictly necessary. Therefore, websites need user permission before dropping Google Analytics cookies.
Additionally, the ePrivacy Regulation, which has been in draft for several years and is still not finalized, is intended to replace the ePrivacy Directive and complement GDPR’s rules on personal data by focusing on the privacy implications of electronic communications.
The draft ePrivacy Regulation may permit cookies used for website analytics without prior consent. However, this exemption is unlikely to extend to third-party tools such as Google Analytics.
None of this means website owners should stop using Google Analytics. Google has done a lot of work to make its service work within the new regulations, so staying compliant shouldn’t be a problem as long as websites put compliant processes in place.
What has Google done to ensure GDPR compliance?
Since GDPR came into effect, Google has changed both the way Google Analytics works and the conditions users have to follow to use it.
The changes Google has made to Analytics to ensure GDPR compliance include:
- Analytics now has a feature that lets websites delete the data of an individual user when that user makes a deletion request, as required under the GDPR’s “right to erasure.”
- Google introduced a data retention control that lets websites choose how long Analytics keeps user- and event-level data. By default this is 26 months; users can choose a shorter or longer period, or disable automatic expiry. Note that this setting does not affect aggregated reports.
- Google restricts the processing of data for children under the GDPR age of consent.
As well as these changes, Google has updated its EU user consent policy to reflect the GDPR requirements. The policy applies to all Google products, including Google Analytics. Google states that any website using Google products must:
- Obtain consent to collect, share, and use personal data for the personalization of ads.
- Retain records of that consent.
- Provide users with clear instructions on how to revoke consent.
- Tell users which parties may collect, receive, or use the data collected through the Google product in use.
Google states that websites failing to meet these standards may be suspended or banned from using the Google product.
How can I ensure my use of Google Analytics is GDPR compliant?
Website owners that use Google Analytics and have visitors from the EU must gain consent before the Google Analytics tag is loaded, since loading the tag is what drops its cookies.
Otherwise, site owners risk not only a fine under GDPR but also losing access to Google Analytics. Steps website owners need to take include:
- Provide a way for users of your website to revoke their permission to store cookies. Revoking permission should be as easy as giving it in the first place.
- Provide a form that lets users request the deletion of their personal information.
In addition, website owners should take steps to control the information they are sending to Google. For example:
- Website owners must make sure they are not accidentally sending personally identifiable information to Google, such as names, postal addresses, or email addresses. This commonly happens through page URLs, query strings, or custom dimensions. If it is happening, they must take steps to stop it.
- GDPR treats IP addresses as online identifiers, so you should turn on IP anonymization. In gtag.js this is the anonymize_ip setting (anonymizeIp in analytics.js); the same option is available on the Google Analytics tag in Google Tag Manager. With it enabled, Google truncates the address (the last octet of an IPv4 address, the last 80 bits of an IPv6 address) before storing it.
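The steps above can be wired together in the page itself. The following is an added example written for this article; it is not code from the page, from CookiePro, or from Google. It assumes the consent banner records its result in a first-party cookie named cookie_consent (with value granted or denied), uses a placeholder property ID, and uses an assumed list of query-parameter names that carry personal data. The Google Analytics script is only injected once consent is present, the hit is configured with anonymize_ip, and the page URL is scrubbed of email addresses, named PII parameters, and the fragment before it is handed to Google.

```javascript
// Added example (not from the page or from Google): gate the Google Analytics
// tag on recorded consent, anonymize the IP, and scrub personal data from the
// page URL before it is sent.
// Assumptions: the consent banner stores its result in a first-party cookie
// named "cookie_consent" ("granted" or "denied"); GA_MEASUREMENT_ID is a
// placeholder; PII_PARAMS is an assumed list to be extended per site.

const GA_MEASUREMENT_ID = 'UA-XXXXXXXX-1';   // placeholder, not a real property
const CONSENT_COOKIE = 'cookie_consent';      // assumed cookie name set by the banner

// Query-string parameter names that carry personal data (assumed list).
const PII_PARAMS = new Set(['email', 'name', 'phone', 'address', 'token']);
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const EMAIL_RE_G = new RegExp(EMAIL_RE.source, 'g');

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) cookies[name] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// Analytics cookies are not strictly necessary, so the default is "no consent":
// a missing or "denied" cookie must keep the GA script off the page entirely.
function hasAnalyticsConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'granted';
}

// Redact personal data that commonly leaks into URLs: email addresses in path
// segments, named PII query parameters, any parameter whose value is an email,
// and the fragment (which may carry reset or session tokens).
function scrubPageLocation(urlString) {
  const url = new URL(urlString);

  let path = url.pathname;
  try { path = decodeURIComponent(path); } catch (e) { /* keep raw path on bad %-escapes */ }
  url.pathname = path.replace(EMAIL_RE_G, 'REDACTED');

  // Copy entries first: set() mutates the collection while we iterate.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, 'REDACTED');
    }
  }

  url.hash = '';
  return url.toString();
}

// gtag.js config for the page view. anonymize_ip is the real gtag.js setting;
// ga('set', 'anonymizeIp', true) is the analytics.js equivalent.
function buildGtagConfig(urlString) {
  return {
    anonymize_ip: true,
    page_location: scrubPageLocation(urlString),
  };
}

// Decide what to do for this page view. Returns null when consent is absent,
// so nothing is loaded and no _ga cookie is ever written.
function planAnalytics(cookieString, urlString) {
  if (!hasAnalyticsConsent(cookieString)) return null;
  return { id: GA_MEASUREMENT_ID, config: buildGtagConfig(urlString) };
}

// Browser bootstrap: only runs where window/document exist.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const plan = planAnalytics(document.cookie, window.location.href);
  if (plan) {
    window.dataLayer = window.dataLayer || [];
    const gtag = function () { window.dataLayer.push(arguments); };
    gtag('js', new Date());
    gtag('config', plan.id, plan.config);
    const script = document.createElement('script');
    script.async = true;
    script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(plan.id);
    document.head.appendChild(script);
  }
}
```

Because the script tag is created only inside the consent branch, a visitor who has not consented never contacts googletagmanager.com at all, which is the check a cookie scanner will look for. The revoke path is the mirror image: the banner rewrites cookie_consent to denied and the next page load takes the null branch. Scrubbing the URL before the config call matters because gtag.js otherwise reads document.location itself, including any email address or token your application put in the query string.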
CookiePro can help make your use of Google Analytics GDPR and ePrivacy compliant
- A cookie checker that scans your website for cookies and tells you exactly which cookies your site uses.
- The ability to easily set up a banner and capture consent for cookies. The banner can be customized based on a template.
- The ability to customize the cookie consent experience depending on whether the user is based in the EU or outside it.