Is Google Analytics GDPR Compliant?

Google Analytics and GDPR

14. March 2018

As we get closer to 25 May, the deadline for the new EU data regulations (GDPR), more and more questions are being raised. One of these questions is how Google Analytics measures up to these new regulations. (If you are not familiar with the content of GDPR, here are useful summaries of what GDPR is and how it will impact digital marketing.)

So Why Is Google Analytics Affected by GDPR?

Well, according to recital 30 of GDPR:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. 

As Google Analytics relies on cookie identifiers to track both sessions and users, any website which makes use of Google Analytics and can be accessed by European citizens should be GDPR compliant.

Why Is this an Issue? We Already Have Cookie Banners!

One of the primary aspects of GDPR is an increase in the rights of the data-subject (your website user). This includes but is not limited to:

  • The right to withdraw consent at any time
  • The right to inspect stored data
  • The right to correct stored data
  • The right to be forgotten (have the data deleted)
  • The right to receive the data in a portable format

As you have probably realized, many of these tasks are currently impossible in Google Analytics. For example, you are not able to delete or correct data that has been collected in your Google Analytics property. Similarly, allowing everyone to inspect the data that has been collected for each of their sessions would currently be difficult.

Does This Mean Google Analytics Is not GDPR Compliant?

No, well at least, not yet. This is, however, a multi-sided affair.

Firstly, as there is no precedent, it is not yet clear how GDPR will be implemented and whether these data rights will be enforced for the data that is collected in Google Analytics.

On the other side, Google is working on a feature to allow for the deletion of data. Google has also added a Data Processing Agreement specifically for GDPR, which suggests that they are taking this seriously and are looking to be compliant by the time it comes into effect.

Additionally, there are still questions around the impact of Google having their servers in the United States. GDPR states that personal data may not leave the EU unless the country to which data is sent is deemed to have similarly stringent data privacy laws. The United States as a whole does not have data privacy laws that are in line with GDPR. However, as Google Analytics adopted the EU-U.S. Privacy Shield Framework in August 2016, at this point in time, it is seen as abiding by privacy laws that are in line with GDPR.

Finally, and most importantly, there is the question of whether explicit consent is required for website analytics. Again, as it stands, it appears that you would not need an explicit opt-in for GA. This could still change, and it would have a massive effect on all web analytics tools if it does.

What Should I Do in the Meantime?

The main thing that we advise is keeping a close eye on all GDPR developments. In this uncertain time leading up to the deadline, and in the months following 25 May, many of these questions will be answered. To help keep on top of these developments, sign up to our newsletter here.

That being said, there are also a couple of changes that you can make to your Google Analytics setup to ensure that you are moving in the right direction.

  • Set up IP anonymization. This only requires one line to be added to your Google Analytics code.
  • Update your privacy policy to include the fact that you use Google Analytics (and all other tracking tools).
  • Give users the ability to opt out of tracking. If you are unable to add an opt-out plugin, at the very least direct users to a page informing them how to opt out at a browser level.
  • Log into your Google Analytics account and sign the Google Data Processing Amendment. This is found at the bottom of your account settings.
  • Make sure that no personal data is being accidentally captured in Google Analytics, for example email addresses in query parameters or social security numbers in a custom dimension. This is first of all against the Google Analytics terms of service, and secondly it would need to be included in your privacy policy.
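
The three tracking-code items in this list (IP anonymization, opt-out, and keeping personal data out of hits) can be combined in one analytics.js call. This is an added example, not code from the original article or from Google; the property ID is a placeholder, and the opt-out cookie name and the list of sensitive parameter names are assumptions.

```javascript
// Added example. PROPERTY_ID is a placeholder; the cookie name and key list are assumptions.
const PROPERTY_ID = 'UA-XXXXX-Y';
const OPT_OUT_COOKIE = 'ga_opt_out=1';                      // assumed: set by your own opt-out link
const SENSITIVE_KEYS = new Set(['email', 'mail', 'ssn', 'phone']);
const MARKER = 'REDACTED';
// Matches an email address, with "@" either literal or percent-encoded.
const EMAIL_RE = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/gi;

// Return the path and query of rawUrl with personal data replaced by MARKER.
function scrubPagePath(rawUrl) {
  const url = new URL(rawUrl, 'https://example.invalid');   // base is used only for relative input
  const path = url.pathname.replace(EMAIL_RE, MARKER);
  const pairs = [];
  for (const [key, value] of url.searchParams) {            // values arrive percent-decoded
    const personal = SENSITIVE_KEYS.has(key.toLowerCase()) || value.search(EMAIL_RE) !== -1;
    pairs.push(encodeURIComponent(key) + '=' + (personal ? MARKER : encodeURIComponent(value)));
  }
  return pairs.length ? path + '?' + pairs.join('&') : path;
}

// Send one pageview through analytics.js, honouring opt-out and anonymizing the IP.
function trackPageview(win) {
  const optedOut = win.document.cookie.split('; ').includes(OPT_OUT_COOKIE);
  // analytics.js sends nothing while window['ga-disable-<property ID>'] is true.
  win['ga-disable-' + PROPERTY_ID] = optedOut;
  if (optedOut) return null;
  const page = scrubPagePath(win.location.href);
  win.ga('create', PROPERTY_ID, 'auto');
  win.ga('set', 'anonymizeIp', true);                       // the one-line IP anonymization setting
  // The full document URL is sent with every hit as well, so override it too.
  win.ga('set', 'location', win.location.origin + page);
  win.ga('set', 'page', page);
  win.ga('send', 'pageview');
  return page;
}

// In a browser with analytics.js loaded, track the current page.
if (typeof window !== 'undefined' && typeof window.ga === 'function') {
  trackPageview(window);
}
```

The referrer and any custom dimensions are sent separately and need the same check if they can carry personal data.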

At this point in time, it is our opinion that Google Analytics will meet the required GDPR criteria before the deadline. Nevertheless, there are plenty of other tools that in all likelihood will not.

If you would like a full audit of which of your marketing tools are GDPR compliant and which might find you on the wrong side of these new laws, please fill out the contact request on our GDPR compliance site here.

If you have any more questions about Google Analytics and GDPR compliance, please leave a comment or send me an e-mail.

 
