We’re just 5 months out from GDPR enforcement. There’s a lot to do, and a lot we still have questions about.
A big one:
The short answer:
Well, no one knows for sure.
Sincerely: right now, cookies, anonymized tracking—a lot of it is about to change, in a very big way. But the “how” behind it all, isn’t quite finalized.
BUT wait—before you go. Before you dash away from this article thinking: “God, what a waste of a click”—we know what GDPR restricts (coming May 2018). And we have draft legislation on what likely could become the new ePrivacy Regulations legislation.
And that gives us a solid foundation for how you can start readying yourself for the big changes coming to analytics.
Remind me. GDPR. I care because…?
And fairness and transparency and a shift towards using and storing data responsibly.
But also, yeah—noncompliance with GDPR means big fines.
Of course, this doesn’t seem like anything new. Europe has always had rules about how one can process the data of its citizens. But they varied by country. And the last piece of union-wide data regulation legislation hadn’t been updated since the 1990s.
GDPR makes things clearer, and stricter and expands the legislative scope. Now, if you’re based in the EU, store data in the EU, or collect ANY personal data, from ANY EU citizens—you have to follow the new rules.
So let’s talk analytics compliance, shall we?
First off, some good news:
GDPR has a lot to say about consent and personal data. And it can mostly be distilled to this: if you’re going to use someone’s personal data—you have to ask, and they have to give you the “okay.”
(And they have to be able to redact that “okay. And the terms have to be given with clear language. And they have to be able to view the data that they gave you the “okay” about, and….that’s a process for another article).
Personal data now means any bit of data that you could use to identify or re-identify an individual.
So what does this have to do with Google Analytics?
Well ideally, you shouldn’t be storing personal data in GA anyway.
It’s against their terms of service.
That means your account should be clear of: usernames sent in page URLs, phone numbers captured from form completions, email addresses that can be used as custom identifiers in custom dimensions.
Zip codes, too, can be linked to specific users—when coupled with pages visited, and segmented down to small groups. Those should stay out of your custom dimensions as well.
Really, anything that can be clearly used to identify the “who” behind a data subject—even if it’s a hard puzzle to piece together, is personal data.
So your account. It’s clear of those?
Now, this is where it gets (potentially) tricky.
Some less good news:
There are a few potential fields in your Google Analytics, which aren’t considered “no-go”s for Google—but are definitely “personal data” as defined by GDPR.
- Long URLs (if you can use them to identify a specific user)
- IP Addresses
We’ll go through both of these, and discuss how you can make sure your bases are covered.
This, for most sites, isn’t too much a cause for concern. The only time you’d likely see your URL serve as a personal identifier is if they contain multiple user data inputs.
Sometimes you see these on forms. A user submits a form or survey, detailing, for example, their age, location, and gender. They get directed to a URL like this:
Then, in GA, this data can be linked with the user who visited that URL—and you can potentially pull out the “who” behind the “anonymous” input.
Luckily these are rare and pretty easy to manage.
Shortening any questionable links is your best bet for avoiding the issue altogether.
This one is a little more complicated. Anonymizing your IP addresses in programs like Google Analytics has long been best practice in countries with strict data protection laws (like Germany). Now, it’s key to keeping your analytics GDPR compliant.
The problem here arises from a technicality. Customer IP addresses are not stored in your GA database, and they’re not accessible to any client specifically. But—they can be accessed by a Google employee, and they do qualify as personal identifying information. So even if you don’t have access to your visitors IP addresses—you need to make sure they’re are anonymized.
Luckily, Google has a lot of documentation on this. And a handy plugin—which you should add to your tracking code, everywhere it exists onsite.
This _anonymizeIP function takes the user’s IP and masks it, setting the last few digits to zero. This process starts as soon as the data is received by the Google Analytics Collection Network—meaning that personal data is never stored.
A heads up: this might make your geographic reporting slightly less accurate. But it’s the price worth paying if you hope to avoid those hefty noncompliance fines.
A reminder about cookies:
If you’re in Europe (or visiting a European website)—you’ve likely seen the ubiquitous cookie popups.
That’s called a soft-opt in. It’s the “we told you, and you’re still browsing, so you consent” route to consent.
And according to GDPR—soft opt-ins are no longer on the table. Implied consent doesn’t count.
Consent needs to be affirmative, and unambiguous. If personal data is involved, users have to check that box, or click that button that says “I’m okay with this.”
So the cookie pop ups of the future might look a little more like this example, from ionetrust.com.
And only when someone says “Activate or I consent” do you get to start adding cookies.
According to GDPR, analytics cookies with identifiers ARE personal data. But all cookies are not created equal. It may be possible that some require user consent, whereas others do not. The particulars will be determined by the new ePrivacy Regulations—once they’re approved. For now, we have draft 15333, which has an exception for web analytics software.
“Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example by helping to measure to the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application.”
Analytics programs like Google Analytics “assess the effectiveness of a delivered information society service.” but also are connected to many third-party systems to pass through data to other Google services and so while ePrivacy Regulations updates are still in draft right now, there’s a possibility consent will not be required for a cleaned up version of Google Analytics.
A quick note: if you’re using Google Analytics’ User ID feature—stop, and clear your data. Unique identifiers, like the User ID feature (which tracks individual users across devices and sessions)—are explicitly considered personal data, and not subject to this exception.
It also might be in your best interest to turn off Client ID—which is an optional tracking feature in Google Analytics. It, similar to IP addresses, anonymously tracks “browser instances”—to count recurring versus new site visitors.
To sum it up:
So keeping your analytics Google happy, and GDPR compliant, seem to go hand and hand.
To breathe easy though, we could all stand to anonymize our IPs, and double check our Long URLs. And keep GDPR in mind—throughout every phase of our user journey.
Google Analytics Support – Disabling Cookies
Analytics.js anonymizeIP Google help
GA.js anonymizeIP Google help
iOS anonymizeIP Google help
Android anonymizeIP Google help
- 25 Jan, 2018
- Posted by Mac Hasley
- 0 Comments