Being compliant with the new EU General Data Protection Regulation (GDPR) means you should review some of the marketing tools you are most likely using daily, including Google Analytics. GDPR has had a considerable impact on Google Analytics since April 2018. In order to continue to use this service while meeting GDPR requirements, you will need to make some adjustments.
The GDPR rules apply to any entity that sells products or services to EU data subjects, or holds or processes the personal data of any data subject residing in the EU. Basically, if people from the EU can visit your site, or you sell goods/services to people in the EU, GDPR applies to you.
The Impact of GDPR on Website Tracking
Google Analytics is a common tool that allows you to track and analyze user traffic and behavior on your site. Google Analytics collects a wealth of anonymized useful information and is used heavily by digital marketers and website owners. Google Analytics obtains its information by tracking data or — in GDPR language — by processing data.
There are three types of data involved: numerical identifiers (like cookies), Internet Protocol (IP) addresses, and device and customer identifiers. Most of these data are considered personal data by law within the meaning of Article 4 of the GDPR, which defines the relevant processing as:
"... any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements."
In other words, Google Analytics performs personal data processing. But the new regulation on the protection of personal data is clear: any processing of personal data is illegal (with exceptions) if it is carried out without the consent of the person concerned, in this case the visitor to your site. Put simply, you are required to block all use of Google Analytics until you have obtained the consent of your users.
What Can You Do to Be Compliant?
To make your use of Google Analytics compliant with GDPR, you should take several steps:
- Audit the data transmitted to Google: beyond the filters offered by Google Analytics you may require additional customization to your website and Google Analytics account. We recommend having an audit performed by a company expert in this type of work.
- Set up an anonymization system: the IP address is considered by law to be personal data. To limit the risks, it is advisable to implement the IP anonymization feature in Google Analytics.
- Review the credentials used by your Google Analytics implementation.
In addition to the points above, do not forget to configure your implementation with the following steps, as described by Google:
- Accept the Data Processing Agreement or DPA: this agreement states that Google Analytics makes the necessary arrangements to comply with the requirements of the GDPR, but that you still remain solely responsible for the data you collect;
- Add information about the legal entities responsible for data protection in your organization: your contact, the contact of your Data Protection Officer and EU Representative [Optional];
- Configure the data retention period and the Google Analytics tags: this step is quite technical, since it may require modifying the tag used or developing a pop-in page (tag manager) from which visitors can manage the permissions for the cookies used by your site.
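The two technical steps above (do not load Google Analytics until the visitor has consented, and turn on IP anonymization when you do) can be implemented in a small consent-gated loader. The following is an added example, not code from the article or from Google; it assumes a consent cookie named cookie_consent with a constructed value format such as analytics=1&marketing=0, and uses the gtag.js anonymize_ip and allow_ad_personalization_signals parameters; the measurement ID is a placeholder.

```javascript
// Consent-gated Google Analytics (gtag.js) loader. Added example; assumes a
// site-specific consent cookie (constructed format) and a placeholder property ID.
const MEASUREMENT_ID = 'UA-XXXXXXXX-1'; // placeholder: replace with your own property ID

// Parse the consent cookie out of a raw Cookie header / document.cookie string.
// Absence of the cookie means no consent of any kind has been given yet.
function parseConsentCookie(cookieString) {
  const consent = { analytics: false, marketing: false };
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieString || '');
  if (!match) return consent;
  for (const pair of decodeURIComponent(match[1]).split('&')) {
    const [key, value] = pair.split('=');
    if (Object.prototype.hasOwnProperty.call(consent, key)) consent[key] = value === '1';
  }
  return consent;
}

// Decide what gtag configuration to apply. Returns null when analytics consent
// is missing, which must mean "do not load the tag at all": nothing is sent to Google.
function analyticsConfig(consent) {
  if (!consent.analytics) return null;
  return {
    anonymize_ip: true,                                   // truncate the visitor IP before storage
    allow_ad_personalization_signals: consent.marketing,  // only with separate marketing consent
  };
}

// Inject the tag only after analyticsConfig() approves it. Returns true if loaded.
function loadAnalytics(doc, consent) {
  const cfg = analyticsConfig(consent);
  if (cfg === null) return false; // block Google Analytics entirely before consent
  const win = doc.defaultView;
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(MEASUREMENT_ID);
  doc.head.appendChild(script);
  gtag('js', new Date());
  gtag('config', MEASUREMENT_ID, cfg);
  return true;
}
```

In a page, call loadAnalytics(document, parseConsentCookie(document.cookie)) on load and again when the consent banner records a new choice; the cookie value itself is a site-specific format, so adapt the parser to whatever your consent tool stores.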
The EU is taking the new GDPR rules seriously in terms of enforcement. Multiple fines have already been issued to European companies. While most companies will never reach the size of Google — and the EU has long targeted the largest companies in order to set an example — these cases highlight the importance of maintaining GDPR compliance.