The GDPR (General Data Protection Regulation) that went into effect on May 25, 2018, has many implications for people in and outside of the EU. Many companies operate across borders and must alter their policies to reflect the new regulations. Google Analytics is one of the many programs affected by these new laws. If you use Google Analytics for your business, read on to see how the new regulations affect you and the steps you can take to become GDPR compliant while using Google Analytics.
GDPR went into effect on May 25, 2018, in order to protect user data in the EU. This means that personal data cannot be harvested and used to target specific users. Companies and websites found guilty of this will be subject to a fine of €20 million or 4% of worldwide revenue.
GDPR has effects even outside the EU if you provide goods or services to any EU citizens.
Analytics tools are particularly affected by GDPR because the definition of “personal data” has expanded to include IP addresses, cookie identifiers, and GPS location. Although this data could technically be nonspecific, it could be used in conjunction with other methods to identify users.
Websites have to be transparent about what data they receive from a user, and consent has to be obtained actively. All EU users now have a right to request that their personal data be erased and therefore forgotten by a website.
Basically, laws regarding data and tracking are changing, and it is important to make sure your website is GDPR compliant.
While Google Analytics does not technically collect personal data, the new definition under GDPR means that a lot of its tracking can be considered to be in violation. If you want to continue having access to the same data you were offered before through Google Analytics, you will have to provide a notice to your visitors and gain explicit permission.
Data processing is changing, so new data processing agreements, or DPAs, need to emerge.
While GDPR is affecting what data can be gathered from users, it also affects data retention. Now, users have the opportunity to request that their data be deleted, and companies must comply. This means that Google Analytics will soon be coming out with a new tool to facilitate the process of deleting user data.
The changing nature of analytics means that programs that can target people based on their prior searches are also affected. While Google can control data processing of its search, YouTube, and Gmail features, individual websites are responsible for obtaining consent for third-party applications such as AdWords, AdMob, etc.
Google is proposing that they will begin using non-personalized ads for people who refuse to have their data tracked.
Overall, Google Analytics can technically still be used as long as data is being used purely for tracking website performance. Data cannot be used, however, for commercial purposes such as user profiling, targeting ads, etc.
Most people are intimidated by the hefty fines proposed for violations. If you are concerned about whether or not your website is compliant with GDPR, you can seek out a lawyer for help. Here are some steps you can take on your own to make your website align with GDPR:
1) Filter Your Current Data
While Google Analytics agreements always prohibited collection of personally identifiable information (PII), this transition into new data processing agreements could be a great time to go through your existing data. Some things to look out for during this process:
Google Analytics offers filters to filter out PII, but that is not enough to be compliant. Filters only act on data that has already been sent. You must program your website so that it does not collect the information in the first place or send it to Google Analytics.
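One way to keep PII out of the page path before it ever leaves the browser, shown as an added example rather than code from Google or from this article. The parameter names in `PII_PARAMS` and the `REDACTED` marker are assumptions; adjust them to the fields your own site puts in URLs.

```javascript
// Query parameter names treated as PII (assumed list, extend for your site).
const PII_PARAMS = new Set(['email', 'e-mail', 'name', 'phone', 'address', 'username']);
// Email-shaped text, with "@" either literal or percent-encoded as %40.
const EMAIL_RE = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/gi;

// Returns the path + query that is safe to report as the page, with the
// fragment dropped, PII-named parameters removed and email-shaped values redacted.
function scrubPageLocation(rawUrl) {
  const url = new URL(rawUrl);

  // 1. Remove parameters whose name says they carry personal data.
  for (const key of [...url.searchParams.keys()]) {
    if (PII_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }

  // 2. Redact email addresses hiding in any remaining parameter value.
  for (const [key, value] of [...url.searchParams.entries()]) {
    const cleaned = value.replace(EMAIL_RE, 'REDACTED');
    if (cleaned !== value) url.searchParams.set(key, cleaned);
  }

  // 3. Redact email addresses embedded in the path itself.
  url.pathname = url.pathname.replace(EMAIL_RE, 'REDACTED');

  return url.pathname + url.search;
}

// In the page, the scrubbed value replaces the default location, e.g. with
// analytics.js: ga('set', 'page', scrubPageLocation(window.location.href));

// Constructed sample URL:
console.log(scrubPageLocation(
  'https://shop.example/account/jane.doe@example.com/orders?email=jane.doe%40example.com&ref=newsletter#top'
));
```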
2) IP Anonymization
IP addresses are now considered PII since they can be used for geo-location data. Google Analytics offers an IP anonymization option, and it requires that you make changes to your website code.
The feature functions by removing the last octet of an IP address before it is stored and processed. This will reduce the accuracy of any geographic data reporting, but it is necessary to become GDPR compliant.
3) Pseudonym Identifiers and Updating Privacy Policies
Through Google Analytics, you already had the option of using pseudonym identifiers. These are:
4) Allow People to Opt In or Out
If you are planning on collecting information beyond what is permissible through GDPR, you have to gain explicit consent. Unlike the notices that pop up notifying people about cookies, newer consent practices involve more active measures.
One of the most common ways this has been implemented is through a notification that asks for permission and then reloads the page if permission is granted. There are also other widgets you can download that would install these pop-ups for you.
If you are using your Google Analytics to generate user profiles or targeted advertisements, you must give users the option to opt out.
Every time you do get consent from a user, make sure to use Google Analytics to track it as an event so you can prove your GDPR compliance.
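A sketch of the opt-in flow from this step, as an added example that is not part of the original article or of any Google library. All names here are hypothetical: `storage` is a localStorage-like object, and `loadAnalytics` stands for whatever loads your analytics tag and returns an object with an `event(category, action)` method.

```javascript
const CONSENT_KEY = 'analytics_consent'; // assumed storage key

function createConsentGate({ storage, loadAnalytics, now = () => new Date() }) {
  let tracker = null;
  const save = (granted) =>
    storage.setItem(CONSENT_KEY, JSON.stringify({ granted, at: now().toISOString() }));
  // The tag is loaded lazily, so nothing reaches the vendor before opt-in.
  const start = () => (tracker = tracker || loadAnalytics({ anonymizeIp: true }));

  // Returning visitor: resume tracking only if an opt-in was stored earlier.
  let stored = null;
  try { stored = JSON.parse(storage.getItem(CONSENT_KEY)); } catch (e) { stored = null; }
  if (stored && stored.granted === true) start();

  return {
    grant() {
      save(true);
      start().event('consent', 'granted'); // the consent event this step recommends
    },
    revoke() {
      save(false);
      tracker = null; // stop sending; nothing is queued for later
    },
    // Returns false (and sends nothing) when the visitor has not opted in.
    track(category, action) {
      if (!tracker) return false;
      tracker.event(category, action);
      return true;
    },
  };
}

// Constructed run with in-memory fakes standing in for localStorage and the tag.
function constructedRun() {
  const sent = [];
  const data = new Map();
  const storage = {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, v),
  };
  const loadAnalytics = () => ({ event: (c, a) => sent.push(`${c}:${a}`) });
  const gate = createConsentGate({ storage, loadAnalytics });
  gate.track('page', 'view'); // dropped: no consent yet
  gate.grant();
  gate.track('page', 'view');
  gate.revoke();
  gate.track('page', 'view'); // dropped again after opt-out
  return sent;
}
```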
GDPR may seem intimidating, but you can take your own steps to ensure you are being GDPR compliant.