Is Google Analytics compliant with the EU’s General Data Protection Regulation (GDPR)?
That’s the question that 29.3 million GA users have been asking themselves since the GDPR came into force on May 25, 2018.
In this post, I’ll look at Google Analytics and GDPR and what Google is doing to make their analytics tool GDPR compliant. I’ll also provide tips to make your use of Google Analytics compliant.
What Is GDPR?
GDPR stands for General Data Protection Regulation. It’s an EU law designed to strengthen the rights of EU residents and citizens regarding how their data is collected, processed, stored, or used.
The EU approved this law in April 2016 to replace the previous Data Protection Directive.
The new regulation applies to any company inside and outside of Europe that does business in the EU or collects personal data from EU residents or citizens.
Failure to comply with this regulation could trigger hefty penalties and fines of up to EUR 20 million.
What Changes Has GDPR Introduced?
Now that GDPR has come into force, what changes should we expect to see?
Privacy By Design: Under GDPR, data protection and privacy must be included in every data system regardless of its size.
Consent: Organizations will no longer be able to collect, use, or sell data without the consent of the subject.
Right to Access: Data subjects will have a right to access their data whenever they want and know how it’s being used.
Right to Be Forgotten: Data subjects can now ask data controllers or processors to delete personal data from their systems.
Right to Receive Personal Data: Users have the right to receive the personal data that they’ve provided to a controller whenever they want.
Data Protection Officers: The regulation states that every organization should hire or outsource a DPO who’ll monitor activities related to data processing.
These are just a few of the significant changes under the GDPR. They’re meant to enhance data privacy and give increased control over personal data.
Google Analytics and GDPR: Is Google Analytics GDPR Compliant?
Google emailed Google Analytics users of the steps they’ve taken to make it GDPR compliant. Let’s take a look.
Google added data retention controls into Google Analytics to allow site owners to determine how long their data will be stored on the company’s servers. Now that GDPR is in effect, GA will automatically “forget” (delete) data older than the retention period you selected.
Google also plans to introduce a user deletion API that will enable a data subject to delete all their associated personal data.
Google reminded GA users to take advantage of the existing data protection tools available in Google Analytics, such as customizable cookie settings, data sharing settings, IP anonymization, privacy controls, and data deletion upon account termination.
Google has also updated its contractual terms for GA. According to the updates, the company will act as the processor of the personal data that is stored or handled by their services.
Updated EU User Consent Policy
Google is taking on a large share of the GDPR compliance burden since analytics data is stored on their servers. But they’re also reminding GA users that the user’s own company remains responsible for the data collected through Google Analytics.
In the latest email to partners, the tech giant stated that it’s working on a solution that will provide anonymized and non-personalized ads in situations where user consent cannot be obtained.
This allows advertisers and site owners to continue serving ads without prior user consent.
Tips to Comply with the GDPR When Using Google Analytics
1. Audit Your Data for PII
Collecting Personally Identifiable Information (PII) is against the GA terms of service, which is why you should audit the data you have and ensure you don’t send PII to GA.
2. Turn on the IP Anonymization Tool
Under the new regulation, an IP address is regarded as personal data.
To ensure full IP addresses are not stored by Google Analytics, turn on the IP anonymization tool in GA.
The impact of this change is that it’ll reduce the accuracy of Google Analytics geographic reporting slightly.
3. Audit Your Pseudonymous Identifiers
Your GA setup may be using pseudonymous identifiers, which may include:
- Hashed or encrypted data
- User ID
- Transaction IDs
4. Tell Users How Their Data Will Be Used
It’s also necessary to inform your users how you’ll use the data, in language that is easy to understand.
Avoid technical or legal terms and answer the following questions:
- What data is being collected?
- Who’s collecting it?
- Why is it collected?
- How is it collected?
- How will it be stored and for how long?
- How will it be used?
- Can it be deleted?
You should also include the information on how the data will affect the individual concerned.
5. Build an Opt-In or Opt-Out Capability
If your GA setup is collecting data, you’ll be required to get prior consent from users.
A site with an opt-in or opt-out capability makes your request for consent explicit and also makes it easy for you to prove that consent has been given.
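As an added example (not code from the original post, nor from Google), the JavaScript below combines tips 1, 2 and 5: it only emits the gtag.js `config` call once a consent store reports consent, forces `anonymize_ip` on, and drops parameters that look like PII before they reach GA. The property id, the consent store interface and the PII patterns are assumptions.

```javascript
// Added example: consent-gated Google Analytics bootstrap (gtag.js style).
// Assumptions: a consentStore object with get() returning 'granted' or 'denied',
// a placeholder property id, and two crude PII patterns.

const GA_PROPERTY_ID = 'UA-XXXXXXXX-1'; // placeholder, not a real property

// Tip 1: heuristics for values that must never be sent to GA
// (email addresses and long digit runs such as phone or card numbers).
const EMAIL_RE = /[^\s@/]+@[^\s@/]+\.[^\s@/]+/;
const DIGIT_RUN_RE = /\d{9,}/;

function looksLikePii(value) {
  const s = String(value);
  return EMAIL_RE.test(s) || DIGIT_RUN_RE.test(s);
}

// Drop any parameter whose value looks like PII; return the cleaned copy
// and the keys that were removed so the audit can be logged.
function scrubParams(params) {
  const clean = {};
  const dropped = [];
  for (const [k, v] of Object.entries(params)) {
    if (looksLikePii(v)) dropped.push(k); else clean[k] = v;
  }
  return { clean, dropped };
}

// Tips 2 and 5: build the config object only when consent is granted,
// and force anonymize_ip on regardless of what the caller passed.
function buildConfig(consent, extra = {}) {
  if (consent !== 'granted') return null;
  const { clean } = scrubParams(extra);
  return { ...clean, anonymize_ip: true };
}

// Minimal dataLayer shim so this runs outside a browser; on a real page
// gtag.js defines window.dataLayer and gtag itself.
function createAnalytics(consentStore) {
  const dataLayer = [];
  function gtag() { dataLayer.push(arguments); }
  return {
    dataLayer,
    init(extra) {
      const cfg = buildConfig(consentStore.get(), extra);
      if (cfg === null) return false; // no consent: no hit sent, no cookies set
      gtag('js', new Date());
      gtag('config', GA_PROPERTY_ID, cfg);
      return true;
    },
  };
}
```

Without consent the dataLayer stays empty, so no GA cookie is written and no hit is sent; with consent the config always carries `anonymize_ip: true` and any PII-looking parameter is silently dropped.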
6. Make Use of the New Data Retention Controls
The new data retention controls will help you to manage your data efficiently and make your site GDPR compliant.
Google has added new features and tools that promise to make Google Analytics GDPR compliant. However, you should never forget that you’re responsible for the data your Google Analytics collects. Make sure everything you do with the data complies with the GDPR.
If you’re in need of digital marketing solutions or would like to learn more about Google Analytics, you can get in touch with us here.