Your Website, Google Analytics, and GDPR: 4 Steps to Compliance

Updated: 15 August 2018
In May 2018, GDPR introduced legal guidelines concerning the collection and processing of personally identifiable data by a website on its visitors. Many websites use Google Analytics (GA) to collect their visitors’ data for analytic purposes. This allows them to understand how visitors behave on their site and use this information to increase engagement. It also leads to compliance issues between Google Analytics and GDPR.

In this article, we explore 4 actionable steps you can take to help ensure your website collects analytic data in compliance with GDPR.

What is the relationship between GA and GDPR? Why Should You Care?

The relationship between GDPR and the way that Google Analytics (GA) collects data is complex. Websites can accidentally collect data in a way that is non-compliant with GDPR.

You have to make sure your website’s GA is configured with GDPR in mind or you may incur heavy penalties. The organisation responsible for enforcing the GDPR is the ICO. It has said,

“Failure to comply with the principles may leave you open to substantial fines…This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.”

Three principles within GDPR are particularly important regarding GA. They are:

  1. The Right to be informed: your visitors have a right to know what information you are collecting and how you process it.
  2. Right to restrict processing: your visitors can choose what personal information you collect and how you process it.
  3. Right to erasure: your visitors have a right to have their personal data deleted from your records.

You must take the necessary steps to provide visitors with control over these rights. The following information will help you do this.

Step 1: Google Analytics and GDPR – Right to Be Informed, Right to Restrict Processing, & Seeking Consent

The first step is to ensure you request permission from your visitors to collect and analyse their personal data. People must explicitly opt-in to personal data collection.

If your CMS allows plugins, then GDPR Cookie Consent is a simple, elegant, and reliable option that can help you gain permission. Features include allowing visitors to opt-in to data collection and allowing them to select data processing options.

Cookie Consent has an upgrade option where you can create databases for advanced analytic purposes. Here, visitors are given a unique identification (that does not identify them personally). This allows you to track individual users so you can generate better analytic reports, but in a way that is GDPR compliant.

If you do not use a CMS, or your CMS does not have a relevant plugin, then you (or your website designer) will have to create and add relevant consent forms yourself.

Gaining consent does not mean that your site is fully compliant with GDPR, but it is the first step in the process.

Step 2: Google Analytics and GDPR – Right to Erasure

Next, you must ensure that GA is retaining data appropriately. The GDPR does not expressly state how long you can retain data. Instead, it says,

You must not keep personal data for longer than you need it.

You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.

You must set your GA “Data Retention Controls” so they align with GDPR Principles.  

This means restricting the length of time that Google keeps information on visitors to your site. To do this, use the process outlined below.

Step 1a: Log in to your GA account. On the Home screen, navigate to “Admin”:

Google Analytics home with arrow pointing to admin section

 
Step 2a: Navigate to “Tracking Info”:

Dashboard in GA about site property with arrow pointing to tracking info 1

Make sure you are navigating under the property heading, rather than your account heading.

Step 3a: Select “Data Retention”:

Dashboard of Google analytics with arrow pointing to data retention

Step 4a: This will take you to the next screen.

Image of the data retention screen in Google analytics

Here, you can complete the form as needed.

There are a few things to note:

First, the shortest length of time for which you can retain data is 14 months. Unless you have a valid reason for retaining your data longer, select “14 months”.

Second, you’ll notice GA says, “These controls do not affect most standard reporting, which is based on aggregated data.” Aggregated data is not personalised data; it cannot identify individuals. Therefore, aggregated data does not fall under the remit of the GDPR.

However, you may inadvertently be collecting data that can be cross-referenced in a way that accidentally identifies individuals. This can happen if you use third-party analytics software (more on this below) or advanced analytics within GA (IP anonymisation can help here).

If you do, you may need to have your site audited by a GDPR specialist. If you don’t, then following the steps outlined in this blog should remove any personally identifiable data from your analytic packages.

Third, selecting the blue icon so it says “On” will restart the countdown on retention for each new event the visitor makes on your website. E.g., if they follow a link and you have retention set to 14 months, it will keep details of the click for 14 months, but discard information on previous events at their appointed time. If you select “Off”, it will delete all information 14 months after the first event. An “event” is any hit on your website.

Step 3: Google Analytics and GDPR – IP Anonymization

GDPR classifies IP addresses as personalised data. If you are using GA, and you want to remove personalised data, then you need to carry out IP anonymization.

If you’re somewhat savvy about the way GA collects data, you might assume that they don’t track IP addresses; after all, you can’t see IP addresses in any GA analytic reports…

…but, even though you don’t have access to your visitors’ IP addresses, Google does. They collect the IP of every visitor to your site (and strip the data in your reports). Enabling IP anonymization ensures that Google does not record your visitors’ IP addresses. Therefore, it can help to seal vulnerable gaps where you may be inadvertently collecting personal data. This is the safest option for compliance with GDPR.

IP anonymization is useful for those of you who do not want to risk issues with consent, even if you receive explicit consent. You will also need to use IP anonymization for visitors who do not consent (opt-in) to your personal data collection processes.

How to activate IP Anonymization

You need to change the code that your website uses to collect data for GA. You can find the HTML tracking code you currently use by navigating to the “Tracking Info” section in your GA account (see Steps 1a to 3a), but this time selecting “Tracking Code”:

Image of the tracking code in HTML

There are two ways to change the code in WordPress, depending on how you set up your account (If you use an alternative CMS, it should work in a similar manner. If you code your own site, you probably don’t need this article!).


First Way: If You Use the Google Analytics Plugin

Step 1b: On your dashboard, navigate to “Google Analytics”, select the “Advanced Settings” tab, and select the “Anonymise IPs while tracking” – change it to “On”.

An image of GA's wordpress plugin where the anonymise IP selection can be found


Second Way: If you add tracking codes manually to your CMS (WordPress example)

Step 1c: Navigate to “Appearance” then to “Editor”.

Image of the WordPress menu bar on the home screen with an arrow pointing to editor

Step 2c: On the right-hand side, you’ll see a heading that says “Theme Footer” or “Footer”.

Select “Theme Footer” or “Footer”

It will take you to the part of the HTML where you insert the “Tracking Code” for your site. Note: I have obscured our site ID in the above image. Where the @@@@@ are, that would normally be a number and it is your site’s personal identification for your GA account:

Wordpress Google analytics tag

Step 3c: Edit your tracking code by adding a line of code that will anonymise visitor IP addresses.

This part of the code is

{ 'anonymize_ip': true }

You add it to line 96, after your site ID and before the close bracket and semicolon that end that line (the line sits before “</script>”). N.B. In your CMS, it is unlikely to be on the same line in your HTML editor as it is above, i.e. not necessarily line 96.

Next, put a comma between your site ID and the new code, so that the close bracket and the semicolon come at the end of the line. Use plain straight quotes, not curly ones. So, the line in your HTML editor should look like this:

gtag('config', 'UA-@@@@@@@@@-1', { 'anonymize_ip': true });

Your HTML code should now look like this:

Wordpress google tag with added code

Step 4c: Don’t forget to press “Update File”.
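The opt-in from Step 1 and the anonymisation setting from Step 3 can be combined in one loader, shown here as an added example that is not part of the original article or of any plugin it mentions. The property ID is a placeholder and the `analytics_consent` cookie name is a hypothetical one that your consent banner would have to set.

```javascript
// Added example: load Google Analytics only after opt-in, with IP anonymisation.
// Assumptions: GA_ID is a placeholder; the "analytics_consent" cookie is hypothetical
// and would be written by whatever consent banner the site uses.
const GA_ID = 'UA-XXXXXXXX-1'; // placeholder, replace with your own property ID

// True only when the visitor has explicitly opted in (no cookie means no consent).
function hasAnalyticsConsent(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('='))
    .some(([name, value]) => name === 'analytics_consent' && value === 'granted');
}

// Queues the gtag commands and injects gtag.js. Returns false, and touches
// nothing, when the visitor has not opted in.
function initAnalytics(win, doc) {
  if (!hasAnalyticsConsent(doc.cookie || '')) {
    return false;
  }
  win.dataLayer = win.dataLayer || [];
  win.gtag = function gtag() {
    win.dataLayer.push(arguments);
  };
  win.gtag('js', new Date());
  // The options object is the THIRD argument, inside the call's brackets.
  win.gtag('config', GA_ID, { anonymize_ip: true });

  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA_ID);
  doc.head.appendChild(script);
  return true;
}

// In a browser, run once on page load (and again after the banner records consent).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  initAnalytics(window, document);
}
```

After deploying, check the browser's network tab: no request to googletagmanager.com should appear until the visitor has opted in.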

Step 4: Disable Third-Party Tracking Plugins That May Identify Users

Google’s data management policies mean that they do not track personalised data through the sales funnel. However, some webmasters will have added third-party lead-tracking software to enable personalised data tracking.

Unless you understand exactly how to request consent for this type of tracking, you should disable it for now and seek the services of a GDPR specialist to help you use the plugin so it is GDPR compliant.

Conclusion

The key to understanding Google Analytics and GDPR is to understand that they are seeking to ensure a separation between people and their data.

For an in-depth understanding of GDPR compliance, consult the guidelines issued by the ICO. They have a useful Data Protection Self-Assessment Toolkit that you can use to assess your website for GDPR compliance.

Disclaimer: The legislation around GDPR is complex. The content of this article is for general information purposes only and does not constitute legal advice or give rise to a solicitor/client relationship. If you have doubts about GDPR compliance and data collection, legal advice should be sought from a GDPR specialist. Whilst we endeavour to ensure the information in this article is accurate, no guarantee, express or implied, is given to its accuracy and we do not accept liability for any error or omission. We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising from the use of any material or suggestion contained in this article, or an action taken as a result of using this material.
