Five Steps to GDPR Compliance with Google Analytics

Five Steps to GDPR Compliance with Google Analytics


GDPR is the General Data Protection Regulation legislation that has been adopted by the EU and will take effect on May 25th, 2018. GDPR is going to have the single biggest impact on small businesses in the UK and will be the biggest change to data legislation since the Data Protection Act 1998.

 

Under GDPR law, data protection is broken up into 6 principles. These principles involve lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. Under the new legislation, if you use Google Analytics to track and report on your web data, Google is your Data Processor. Your organisation will act as the Data Controller since you control what data is sent to and received by Google Analytics.

 

Acting as your Data Processor, Google have legal obligations to conform to the EU GDPR. According to Google’s Privacy Compliance website, they are “working hard to prepare for the EU’s General Data Protection Regulation.” It is almost certain that Google Analytics will be fully GDPR compliant by May 25, 2018, when the legislation takes full effect. As a responsible Data Processor, Google must be able to provide a data processing agreement that business analytics owners will need to accept.

 

Surprisingly, although GDPR is so impactful and with penalties that can be devastating, less than half of businesses have a strategy in place to ensure safe operation within the legislation.

You can find out more about how GDPR affects your business here. 


How can I ensure I am GDPR compliant with Google Analytics?

Step 1: Audit your data for Personal Identifiable Information


Collecting Personally Identifiable Information (PII) is prohibited against the Google Analytics terms of service and is only accepted by the GDPR with user consent.

·        Check your URLs, Page Titles, and all your data dimensions to ensure that no PII is being collected. A common example of PII data collection is when you capture a Page URL that contains an “email= querystring” query. If this is the case, you are likely leaking PII to other marketing tools. 

·         Ensure that data entered into user forms that is also collected by GA, does not contain PII.

·         Simply filtering out PII (via Google Analytics filters) is not sufficient as part of this legislation; you must be able to address this issue at the code-level to prevent any data from being sent to Google Analytics.

Step 2 : Turn on IP Anonymization

Personally Identifiable Information also includes IP Addresses. In Google Analytics, the IP address is automatically collected even if it is not exposed in reporting but used to provide geo-location data. The impact of the GDPR change in your Google Analytic data is that geographic reporting accuracy is slightly reduced.

To prevent Google Analytics collecting IP Addresses, we recommend turning on the IP Anonymization feature in your Google Analytics. Once changed, this requires a change in code to enable. If you are using Google Tag Manager, you can adjust your tag or Google Analytics Settings by clicking More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’. 

If you don’t use Google Tag Manager, you may already have this setting exposed as an option in your tag management system, or you may need to edit the code directly.


Step 3 : Audit your database of Pseudonymous Identifiers (hashed Emails, User IDs)

Pseudonymization is the separation of data from direct identifiers so that linkage to a person’s identity is not possible without additional information that is held separately. Pseudonymization may significantly reduce the risks associated with data processing. For this reason, GDPR creates incentives for data controllers to pseudonymize any data that they collect. Although pseudonymous data is not exempt, the GDPR relaxes requirements on controllers that use the technique.

·         User ID — This should be an alphanumeric database identifier and should never be plain-text personal information such as email, username, etc.

·         Hashed or encrypted Data such as email addresses — “Google has a minimum hashing requirement of SHA256 and strongly recommends the use of a salt, minimum 8 characters.” 

·         Transaction IDs — This is a pseudonymous identifier source. When the information is linked with another data source, it can lead to the identification of an individual. This ID should always be an alphanumeric database identifier.

 

Under both The GDPR Regulations and the Google Analytics Terms of Service, this appears to be acceptable. However, you are also advised to ensure that your Privacy Policy is updated to reflect this change. You will also need to gain explicit permissions for opt-in information from your users. This language must be clear (Without any technical or legal terms) and state exactly how data will be used.

 

 A user’s request to be forgotten can be tricky. Google Analytics currently does not provide methods for selective data deletion. In this event, we recommend that you delete the User ID from your CRM. This will then prevent any Google Analytics record being associated to an individual. However, Google are currently aiming to offer a method of User/Client ID data deletion by the 25th May.

 

Step 4: Update your Privacy Policy

The most important change you should implement in your Privacy Policy is making sure that your information is written clearly and concise, in a manner that is understandable. The intent of your Privacy Policy is to describe what you do in a clear manner and how you ensure a user’s privacy. The audience of your Privacy Policy is always your user. Your policy should always include:

  • The information you are collecting

  • Who is collecting the information

  • How the information is being collected

  • Why the information is being collected

  • How the information will be used

  • Who the information will be shared with

  • What will be the effect of this on the individual? 
    ·
  • Is the intended use of the information likely to cause individuals to object?

Step 5 : Build an Opt In and Out Capability

One question we’re getting asked is if websites really will need explicit consent for tracking. Unfortunately, you most likely will need this or seek legal counsel. 

If you are collecting Personal Identifiable Information or other pseudonymous identifiers, you will need to gain consent from the user. This consent must be explicit and the user must have chosen to opt-in. It is not an option anymore for users to agree to your cookie policy by continuing to use your website, but rather the user has to be asked for permission. A common approach to this consent is  an overlay modal on the page that asks the user for permission. Once granted, the page either reloads, or allows Google Analytics to script and proceed to execute.

 

If your business uses Google Analytics data to collect User ID/Hashed PII or to assist in behavioural profiling, you will need to build an opt-in consent mechanism and functionality for your users to be able to opt-out at any time.  Because Google Analytics records a cookie identifier called the Client ID, you will need to offer the opt-in consent for any users in the EU. If you read the GDPR regulation, it specifically mentions that online identifiers (Client ID) are considered personal data, meaning this information is subject to GDPR. If you aren’t collecting User ID or any pseudonymized data, you will not need consent.

 

As as part of GDPR, it is a requirement to prove that consent has been given via an audit trail. As part of the explicit action of affirmative consent, we recommend that you track/log this data in Google Analytics as an event. You may also want to record this in your own database against the Google Analytics User and Client ID.

What is Ascensor doing about GDPR?

As both a data processor and data controller, we are taking our GDPR obligations very seriously. We are currently working towards obtaining ISO27001, this is the framework of procedures and policies that includes physical, technical and legal controls for governing information security, including GDPR. 

From our website design and development services, including where we build databases to store customer data, right to our email marketing automation solutions where we use Infusionsoft to provide professional double-opted in communications on behalf of clients, we have the systems in place to ensure we keep our clients compliant with GDPR.


If you are not yet ready for GDPR and you are unsure if your website offers you the protection that you need for compliance then we can support you, get in touch today!

Was this post helpful? Help others by sharing it