Google Analytics and GDPR
Last Updated: October 16, 2019
Google Analytics is a hugely popular website analytics tool. Estimates suggest it is used by between 30 and 50 million sites.
This is a lot of people who risk falling foul of GDPR and the upcoming ePrivacy regulations if they don’t take precautions to ensure their use of the service is compliant.
In this article, we’ll take an in-depth look at what websites that use Google Analytics have to do to stay on the right side of the regulations.
Google Analytics, GDPR, and ePrivacy
Google Analytics collects data about how people use websites in a variety of ways. These include cookies, IP addresses, and device identifiers.
The EU’s ePrivacy directive states that websites need to gain consent from the user for all cookies other than the ones that are strictly necessary for the site to work. Meanwhile, GDPR lays out the requirements for what constitutes valid consent.
Websites don’t need analytics software to function. Therefore, they need user permission to drop Google Analytics cookies.
Additionally, the ePrivacy Regulation is expected to be finalized at some point in 2019. These regulations will update the scope of the ePrivacy Directive and complement GDPR’s rules on personal data by focusing on the privacy implications of electronic communications.
The ePrivacy Regulation may allow cookies for website analytics, even if the website owner doesn’t gain consent first. However, this is unlikely to be the case for third-party tools such as Google Analytics.
None of this means website owners should not use Google Analytics. Google has done a lot of work to ensure its service works within the new regulations. This means staying compliant shouldn’t be a problem as long as websites put in place compliant processes.
What has Google done to ensure GDPR compliance?
Since GDPR came into effect, Google has done a lot of work to make sure Google Analytics is compliant. The company has made changes both to the way Google Analytics works and in the conditions users have to follow to use Google Analytics.
The changes Google has made to Analytics to ensure GDPR compliance include:
- Analytics now has a feature that allows websites to delete the information of individual users if they make a deletion request. This is required under the GDPR’s “Right to erasure.”
- Google introduced a feature that lets websites control how long Analytics stores data. By default, this is set to 26 months, although users can shorten this or turn the feature off.
- Google will restrict the processing of data for children under the GDPR age of consent.
As well as these changes, Google has updated its EU user consent policy to reflect the new GDPR requirements. The policy relates to all Google products, including Google Analytics. Google states that any website using Google products must:
- Get consent to collect, share, and use personal data for the personalization of ads.
- Retain records of this consent.
- Provide users with clear instructions about how to revoke consent.
- Tell users which parties may collect, receive, or use the data collected due to the Google product in use.
Google states that websites failing to conform to these standards may be banned or suspended from using the Google product.
How can I ensure my use of Google Analytics is GDPR compliant?
Website owners that use Google Analytics and have visitors from the EU must gain consent to drop the cookies required by this service.
Should they not do this, site owners would not only be at risk of a fine under GDPR, but would also be at risk of losing access to Google Analytics. Steps website owners need to take include:
- Provide a way for users of your website to revoke their permission to store cookies. Revoking permission should be as easy to do as it was to give permission in the first place.
- Have a form that allows users to request the deletion of personal information.
In addition, website owners should take steps to control the information they are sending to Google. For example:
- Website owners have to ensure they are not accidentally sending any personally identifiable information to Google, including addresses, email addresses, etc. If this is happening, they will have to take steps to stop it.
- GDPR considers IP addresses as online identifiers. Because of this, you should turn on IP anonymization. Website owners can do this using the Google Analytics Tag Manager.
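The sketch below is an added example, not code from Google or CookiePro. It combines the steps above: nothing is loaded without consent, IP anonymization is switched on through the gtag.js `anonymize_ip` setting (rather than the Tag Manager route mentioned above), and email-like strings are removed from the page URL before it is sent. The consent object shape (`{ analytics: true }`), the `PII_PARAMS` list, the choice to drop the URL fragment, and the `GA_MEASUREMENT_ID` placeholder are assumptions.

```javascript
// Added example; GA_ID is a placeholder, PII_PARAMS is an assumed list.
const GA_ID = 'GA_MEASUREMENT_ID';
const PII_PARAMS = new Set(['email', 'name', 'phone', 'address']);
// Email-like strings, with a literal or URL-encoded "@".
const EMAIL_RE = /[A-Za-z0-9._+-]+(?:@|%40)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/gi;

// Drop PII-bearing query parameters and the fragment, then redact any
// email-like string left in the path or query.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (PII_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  url.hash = '';
  return url.toString().replace(EMAIL_RE, '[redacted]');
}

// gtag.js commands for one page view; empty unless the visitor opted in.
function analyticsCommands(consent, pageUrl) {
  if (!consent || consent.analytics !== true) return [];
  return [
    ['js', new Date()],
    ['config', GA_ID, { anonymize_ip: true, page_location: scrubUrl(pageUrl) }],
  ];
}

// Browser wiring: without consent no script is loaded, so no cookie is set.
function startAnalytics(consent, win) {
  const commands = analyticsCommands(consent, win.location.href);
  if (commands.length === 0) return false;
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); }; // standard gtag shim
  const script = win.document.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_ID;
  win.document.head.appendChild(script);
  commands.forEach((cmd) => win.gtag(...cmd));
  return true;
}
```

In a page, call `startAnalytics(consent, window)` from the consent banner's accept handler, and again on later visits once the stored consent record has been read.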
CookiePro can help your use of Google Analytics be GDPR and ePrivacy compliant
- A cookie checker that scans your website for cookies and lets you know exactly which cookies your site uses.
- The ability to easily set up a banner and capture consent for cookies. The banner can be customized based on a template.
- The ability to customize the cookie consent depending on whether the user is based in the E.U. or outside.