Practical actions to get your Google Analytics ready for GDPR
Nick Comber, Senior Technical Analytics Executive at Mezzo Labs, provides some handy guidelines on how to make sure your Google Analytics setup is compliant for when the GDPR comes into effect on 25 May 2018.
Nick is a web analytics expert, not a lawyer. This blog post is intended to provide some practical suggestions which may help with some elements of the GDPR but does not provide any legal advice.
The GDPR (General Data Protection Regulation), is a major upcoming regulation, designed to give EU citizens control over their personal data, and to unify data regulation across the EU. It was adopted in April 2016 and becomes enforceable on 25 May 2018. We wrote a more detailed post on the meaning of GDPR last year, which you can view here.
Sometimes it seems that all people ever talk about at the moment is GDPR, and I am sure that as a web analyst you are probably getting some frantic questions from those responsible for GDPR in your organisation about what data your website is capturing and how to ensure that it is GDPR compliant. This post will hopefully be helpful to you in answering just that, providing some tips for those of you using Google Analytics on how you might go about achieving compliance.
So what has GDPR got to do with Google Analytics?
The General Data Protection Regulation (GDPR) was created in order to strengthen data protection for all EU citizens. Essentially, it will broadly govern what data businesses can collect and how they store and use it. Most pertinently, the regulation will place restrictions on the collection and usage of personally identifiable information (PII) without explicit user consent, which has in any case been against Google Analytics’ terms of service since before the GDPR was created. So, is the GDPR relevant to the data GA collects from your site?
The short answer is maybe! The GDPR’s definition of PII includes, for example, pseudonymous data. This is data that has been processed to render it no longer directly identifying, but not completely anonymous either – examples would include alphanumeric user IDs used as database identifiers, hashed email addresses and even transaction IDs.
Basically, any data that can directly or indirectly identify a human being is, as far as the GDPR is concerned, personally identifiable. That includes pseudonymous data, online identifiers, cookies and even data sets that can be combined together with data you hold outside of GA to potentially identify an individual. So, there is much more to consider when looking to get your GA in compliance with the GDPR than just making sure no raw PII is being passed.
What actions are Google taking regarding GDPR?
If you use Google Analytics, then Google is your data processor and your organisation is the data controller, since you control which data is sent to Google Analytics. As such, whilst your organisation has responsibilities in terms of GDPR, so does Google – and they are making various changes around their Analytics offering to ensure that compliance is achieved from their side.
Aside from policy updates, Google are also making some technical updates within GA itself as part of this. The most interesting of these centres around a key part of the GDPR’s guidelines – the “right to be forgotten” – which is a user’s right to, upon request, have an organisation delete any and all data they have stored about them. Google announced earlier this year that this will be supported in Google Analytics, and in time for the enforcement date they will offer a solution to enable deletion of data on a User ID / Client ID level (ie. an individual basis), which is great news and will certainly make things easier for organisations using Google Analytics to also comply to the regulations.
You can find more how Google are working towards being compliant for GDPR on their website here.
Whilst Google are taking care of their responsibilities pertaining to GDPR, it’s important that your organisation is also ready for when the regulations come into force later this month. Remember that the data passing into Google Analytics is owned by you, so you’ll need to make sure that this is compliant to the new rules. In the next section, we’ll provide some guidance to help you do just that.
What actions do you need to take regarding GDPR?
I think that there are two important areas to consider when looking to get your Google Analytics GDPR compliant – personal data and consent. We’ll cover them separately in this section providing guidance for each aspect, but bear in mind that the actions for each are linked in that they both work towards achieving GDPR compliance.
- Undertake a data audit – Be clear yourself about the data you hold within GA, what you intend to collect and how you are going to use it. In particular, investigate any reports and data feeds which potentially contain PII (eg. user IDs, URL parameters, user-entered data, geolocation etc). It’s important to know what data you are utilising that falls under the GDPR, as this will form the basis for any changes / updates you make both on-site and to GA in order to comply.
- Mitigate usage of PII – After completing a data audit, you should have a clearer idea of the PII you require and use, and that which you don’t, so this is a great opportunity to “clean” your GA account in terms of removing dimensions / events that you don’t really need. You can also use some of GA’s features to help mitigating PII usage, for example by turning on their IP anonymisation feature within your account.
- Set your data retention period – One of the new features in Google Analytics relating to GDPR is the ability to set a data retention period, which is the amount of time before user-level and event-level data within your GA will automatically be deleted. You can set this to be as short as 14 months, all the way up to 50 months, or even never. Once you have defined a data retention policy for your organisation, make sure this is reflected within Google Analytics to ensure that there is no user data being kept longer than it should be.
- Include opt in and opt out functionality – As part of the GDPR, you’ll need to ensure that all users for whom you are collecting and using data have actively consented to you doing so. Similarly, you’ll need to give all consenting users the option to opt out of data collection at any time. This has been quite an interesting issue to follow where GDPR is concerned, and there are several conflicting views as to how exactly this might be achieved. The solution I have seen most commonly suggested is to develop an on-site widget that allows users to check a box to consent to data collection on a category by category basis (eg. ‘Analytics’, ‘Marketing/Social’ etc).
- Consent tracking – As a follow up to the last point, the GDPR requires you to be able to prove that consent has been given for data collection on an individual basis, so you’ll need an audit log to show clearly when users opt in to data collection. As such, within Google Analytics it may be a good idea to track this using an event. By firing an event upon opt in which passes a pseudonymised User ID, or even GA Client ID, you can very quickly and easily have available a clear audit trail showing who has opted in and when.
The GDPR is a very broad set of regulations, covering all aspects of data privacy and protection within the EU. As such, applying it to a specific discipline, even to a specific product in Google Analytics, can be difficult and can leave many things open to interpretation.