GDPR and Google Analytics
By Spencer Mayes on May 20, 2018
With GDPR (General Data Protection Regulation) right around the corner (May 25, 2018), it’s time to talk about how GDPR will impact Google Analytics. What changes need to be made to your analytics account to be compliant and not lose important data after May 25th?
GDPR stands for General Data Protection Regulation. It is a group of regulations intended to give citizens of the European Union (EU) more control over how their personal information is used by companies and organizations online.
Why should you make sure Google Analytics is configured properly? Because fines for not being GDPR compliant are very high!
Lower level: Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.
Upper level: Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
Is GDPR Compliance Necessary?
If, like most US businesses, your company has a web presence (marketing* or sales) — or even if you run a location-independent survey that’s accessible to people in the EU — you may be subject to GDPR compliance.
*General global marketing doesn’t necessarily apply. For example, let’s say you’re a Texas-based company running a paid Facebook campaign (marketing a white-paper) and a man in Germany clicks on your advertisement and downloads your asset. GDPR likely won’t apply. BUT it absolutely would apply if that white-paper was titled “How Our Software Helps German Companies” and you have a dedicated landing page (with a .de domain suffix) for EU residents, and you accept euros and your advertisement is written in German.
If you’re targeting data subjects in an EU country, if you’re monitoring behavior of EU residents as they visit your site, or if you’re regularly doing business within the EU, you should be GDPR compliant. If you’re unsure, consult your legal team.
Regardless of where your company stands with GDPR, there are some Google Analytics issues that will be created by the rollout of GDPR.
Data Retention Settings
Google recently released a data retention control feature. This feature allows you to manage how long Google stores user data on Google’s servers. The new default setting is 26 months; in the past there was no limit.
Retaining data may not seem that important on the surface, and Google has stated that this setting does not affect most “standard reporting” based on aggregate data.
While Google spells out what reporting is NOT affected, it is safe to assume that sampled data will be affected.
A lot of the Google Analytics magic happens with ad-hoc reports that use sampled data. This sampled data lets you slice and dice and use secondary dimensions to better analyze and find insights on the traffic and visitors to your site. It is assumed that this type of reporting will be limited unless you set your retention policy to “Do Not Automatically Expire.” This setting means that Google Analytics will keep all user data unless someone specifically requests deletion. (Google is going to provide a user deletion tool in the upcoming days that will let users delete their records.)
Looking at the GDPR data collection policy, you can see that personal data may be kept for reasons of scientific or historical research. Analytics, at its core, is historical research enabling companies to learn from past data of user behavior, and to make improvements in the present and future.
Analytics for Companies Impacted by GDPR
If you are a company that is affected by GDPR (General Data Protection Regulation) or you just want to play it safe, modifications of your analytics profile/account can be complicated.
Google Analytics is not GDPR compliant “out of the box” because it collects IP addresses from web visitors. Fortunately, you can anonymize IP addresses in Google Tag Manager by setting the field “anonymizeIp” to “true.” This will limit some geographic reporting; however, IP addresses don’t conclusively provide the most accurate locations of all users, in most cases.
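To see what “anonymizeIp” actually does to the data Google stores, here is an added example (my code, not the post’s and not Google’s) that re-implements the documented masking: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are set to zero before the address is stored. The sample addresses are constructed from documentation ranges, not real visitors. Running it shows why geographic reporting only loses a little precision: the network part of the address survives.

```javascript
// Added example, not the post's code: a re-implementation of the masking
// that Google Analytics applies when anonymizeIp is set. Google documents
// that it zeroes the last octet of IPv4 addresses and the last 80 bits of
// IPv6 addresses before the address is stored.

function anonymizeIPv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`not a valid IPv4 address: ${ip}`);
  octets[3] = '0';                       // drop the host part of the /24
  return octets.join('.');
}

// Expand "::" shorthand into eight 16-bit groups, normalised to lowercase hex
// without leading zeros, so the mask can work on fixed group positions.
function expandIPv6(ip) {
  const parts = ip.split('::');
  if (parts.length > 2) throw new Error(`not a valid IPv6 address: ${ip}`);
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (parts.length === 2 ? missing < 1 : missing !== 0) {
    throw new Error(`not a valid IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  return groups.map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) {
      throw new Error(`not a valid IPv6 address: ${ip}`);
    }
    return parseInt(g, 16).toString(16);
  });
}

function anonymizeIPv6(ip) {
  const groups = expandIPv6(ip);
  for (let i = 3; i < 8; i++) groups[i] = '0';   // last 5 groups = 80 bits
  return groups.join(':');
}

// Dispatch on address family; anything with a colon is treated as IPv6.
function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Constructed sample addresses from documentation ranges (RFC 5737 / RFC 3849).
const SAMPLE_ADDRESSES = ['198.51.100.42', '2001:db8:85a3::8a2e:370:7334'];
for (const ip of SAMPLE_ADDRESSES) {
  console.log(ip, '->', anonymizeIp(ip));
}
```

The /24 that survives for IPv4 is still usually enough for city-level geolocation, which is why the post’s caveat about geographic reporting is mild; the IPv6 mask is far more aggressive, leaving only the first 48 bits.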
Additionally, most Analytics profiles have custom feature options including Remarketing or Advertising Features. These features collect data and use the data for advertising purposes.
One short-term option is to turn these features off, and see where the dust settles after GDPR is rolled out on May 25, 2018.
The long-term solution is to implement a cookie consent “opt-in,” preferably a “geo-fenced” consent tool that only shows up for web visitors in GDPR countries. This consent should cover ALL cookies and personal data on the entire website, not just Google Analytics, and is a much larger part of a GDPR compliance strategy.
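As an added example of the geo-fenced opt-in described above (my code, not the post’s and not any vendor’s consent tool), here is the decision logic for a consent gate that loads Google Analytics only after an EU/EEA visitor has opted in, loads it immediately for visitors elsewhere, and always configures the tag with IP anonymization. It assumes the CDN or web server passes the visitor’s country code to the page, that the visitor’s choice is stored in a first-party cookie named `analytics_consent` (a name I chose), and `GA_PROPERTY_ID` is a placeholder. Everything the gate decides is in plain functions; the browser-only part is guarded so the logic can be tested outside a browser.

```javascript
// Added example, not the post's or Google's code: a consent gate that decides
// whether Google Analytics may be loaded, shows the opt-in only to visitors
// in GDPR countries, and always configures the tag with IP anonymization.
// Assumptions: the CDN or server exposes the visitor's country code to the
// page (passed in as an argument here); the opt-in choice is stored in a
// first-party cookie named "analytics_consent"; GA_PROPERTY_ID is a placeholder.

const GA_PROPERTY_ID = 'UA-XXXXXXX-1';       // placeholder, not a real property
const CONSENT_COOKIE = 'analytics_consent';   // assumed cookie name

// EU member states as of May 2018 plus the EEA states (ISO 3166-1 alpha-2).
const GDPR_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE', 'GB', 'IS', 'LI', 'NO',
]);

// Unknown or missing country: treat as in scope, so the gate fails closed.
function needsConsent(countryCode) {
  if (!countryCode) return true;
  return GDPR_COUNTRIES.has(countryCode.toUpperCase());
}

// Read the recorded choice from a Cookie header / document.cookie string.
function readConsent(cookieHeader) {
  for (const pair of (cookieHeader || '').split(';')) {
    const [name, ...rest] = pair.trim().split('=');
    if (name === CONSENT_COOKIE) return rest.join('=');
  }
  return null;   // no choice recorded yet
}

// Returns 'load' (configure GA now), 'ask' (show the opt-in banner, load
// nothing) or 'deny' (visitor declined; load nothing, show nothing).
function decideAnalytics(countryCode, cookieHeader) {
  if (!needsConsent(countryCode)) return 'load';
  const choice = readConsent(cookieHeader);
  if (choice === 'granted') return 'load';
  if (choice === 'denied') return 'deny';
  return 'ask';
}

// The gtag.js config sent whenever analytics is allowed; anonymize_ip is the
// gtag.js equivalent of the "anonymizeIp" field in Tag Manager.
function analyticsConfig() {
  return { anonymize_ip: true };
}

// Browser-only part: inject gtag.js and send the config. Returns false when
// there is no DOM, so the decision logic above can run anywhere.
function loadAnalytics() {
  if (typeof document === 'undefined') return false;
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' +
    encodeURIComponent(GA_PROPERTY_ID);
  document.head.appendChild(s);
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', GA_PROPERTY_ID, analyticsConfig());
  return true;
}

// Entry point: call once on page load, and again from the banner's accept
// handler after it has written analytics_consent=granted.
function run(countryCode, cookieHeader) {
  const decision = decideAnalytics(countryCode, cookieHeader);
  if (decision === 'load') loadAnalytics();
  return decision;
}
```

The important property is that the static Google Analytics snippet is removed from the page entirely and only `run()` can inject it, so a visitor who has not opted in never triggers a hit, and the “fail closed” default for an unknown country means a missing geolocation header errs toward asking rather than tracking.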