Your Website, Google Analytics, and GDPR: 4 Steps to Compliance
15 August 2018

In May 2018, the GDPR introduced legal requirements governing how a website collects and processes personal data about its visitors. Many websites use Google Analytics (GA) to collect visitor data for analytic purposes: it lets them understand how visitors behave on the site and use that insight to increase engagement. It also raises compliance questions about how Google Analytics fits with the GDPR.

In this article, we explore 4 actionable steps you can take to help ensure your website collects analytic data in compliance with GDPR.

What is the relationship between GA and GDPR? Why Should You Care?

The relationship between GDPR and the way that Google Analytics (GA) collects data is complex. Websites can accidentally collect data in a way that is non-compliant with GDPR.

You have to make sure your website’s GA is configured with GDPR in mind, or you may incur heavy penalties. In the UK, the organisation responsible for enforcing the GDPR is the Information Commissioner’s Office (ICO). It has said:

“Failure to comply with the principles may leave you open to substantial fines…This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.”

Three principles within GDPR are particularly important regarding GA. They are:

  1. Right to be informed: your visitors have a right to know what information you are collecting and how you process it.
  2. Right to restrict processing: your visitors can choose what personal information you collect and how you process it.
  3. Right to erasure: your visitors have a right to have their personal data deleted from your records.

You must take the necessary steps to provide visitors with control over these rights. The following information will help you do this.

Step 1: Google Analytics and GDPR – Right to Be Informed, Right to Restrict Processing, & Seeking Consent

The first step is to ensure you request permission from your visitors to collect and analyse their personal data. People must explicitly opt in to personal data collection.

If your CMS allows plugins, then GDPR Cookie Consent is a simple, elegant, and reliable option that can help you gain permission. Features include allowing visitors to opt-in to data collection and allowing them to select data processing options.

Cookie Consent has an upgrade option where you can create databases for advanced analytic purposes. Here, visitors are given a unique identifier (one that does not identify them personally). This allows you to track individual users so you can generate better analytic reports, but in a way that is GDPR compliant.

If you do not use a CMS, or your CMS does not have a suitable plugin, then you (or your website designer) will have to create and add the consent forms yourself.

Gaining consent does not mean that your site is fully compliant with GDPR, but it is the first step in the process.

Step 2: Google Analytics and GDPR – Right to Erasure

Next, you must ensure that GA is retaining data appropriately. The GDPR does not expressly state how long you can retain data. Instead, it says,

You must not keep personal data for longer than you need it.

You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.

You must set your GA “Data Retention Controls” so they align with the GDPR principles. This means restricting the length of time that Google keeps information on visitors to your site. To do this, use the process outlined below.

Step 1a: Log in to your GA account. On the Home screen, navigate to “Admin”.

Step 2a: Navigate to “Tracking Info”. Make sure you are navigating under the property heading, rather than your account heading.

Step 3a: Select “Data Retention”.

[Image: Google Analytics dashboard with an arrow pointing to Data Retention]

Step 4a: This will take you to the Data Retention screen.

[Image: the Data Retention screen in Google Analytics]

Here, you can complete the form as needed.

There are a few things to note:

First, the shortest period for which you can retain data is 14 months. Unless you have a valid reason for retaining data longer, select “14 months”.

Second, you’ll notice GA says, “These controls do not affect most standard reporting, which is based on aggregated data.” Aggregated data is not personal data: it cannot identify individuals, so it does not fall under the remit of the GDPR.

However, you may inadvertently be collecting data that can be cross-referenced in a way that identifies individuals. This can happen if you use third-party analytics software (more on this below) or advanced analytics within GA (IP anonymisation can help here).

If you do, you may need to have your site audited by a GDPR specialist. If you don’t, then following the steps outlined in this blog should remove personally identifiable data from your analytics.

Third, switching the toggle to “On” (“Reset on new activity”) restarts the retention countdown each time the visitor generates a new event on your website. For example, if they follow a link and you have retention set to 14 months, GA keeps details of that click for 14 months, but discards information on previous events when their own periods expire. If you select “Off”, all of the visitor’s information is deleted 14 months after the first event. An “event” is any hit on your website.

Step 3: Google Analytics and GDPR – IP Anonymization

The GDPR treats IP addresses as personal data. If you are using GA and want to stop collecting that personal data, you need to enable IP anonymization.

If you’re somewhat savvy about the way GA collects data, you might assume that it doesn’t track IP addresses; after all, you can’t see IP addresses in any GA reports…

…but even though you don’t have access to your visitors’ IP addresses, Google does. It receives the IP address of every visitor to your site (and strips it from your reports). Enabling IP anonymization makes Google truncate each address as soon as it is received (the last octet of an IPv4 address, the last 80 bits of an IPv6 address), so the full address is never stored. It therefore helps to close gaps where you may be inadvertently collecting personal data, and is the safest option for compliance with the GDPR.

IP anonymization is useful if you do not want to risk issues with consent, even where you receive explicit consent. You will also need IP anonymization for visitors who do not opt in to your personal data collection.

How to activate IP Anonymization

You need to change the code your website uses to send data to GA. You can find the HTML tracking code you currently use by navigating to the “Tracking Info” section in your GA account (see Steps 1a to 3a), but this time selecting “Tracking Code”:

[Image: the tracking code snippet in HTML]

There are two ways to change the code in WordPress, depending on how you set up your site. (If you use an alternative CMS, it should work in a similar manner. If you code your own site, you probably don’t need this article!)

First Way: If You Use the Google Analytics Plugin

Step 1b: On your dashboard, navigate to “Google Analytics”, select the “Advanced Settings” tab, and find “Anonymise IPs while tracking”. Change it to “On”.

[Image: the GA WordPress plugin settings where the anonymise IP option can be found]


Second Way: If you add tracking codes manually to your CMS (WordPress example)

Step 1c: Navigate to “Appearance”, then to “Editor”.

[Image: the WordPress menu bar on the home screen with an arrow pointing to Editor]

Step 2c: On the right-hand side, you’ll see a heading that says “Theme Footer” or “Footer”. Select it.

It will take you to the part of the HTML where the “Tracking Code” for your site is inserted. Note: I have obscured our site ID in the above image. Where the @@@@@ are, there would normally be a number; it is your site’s personal identification for your GA account:

[Image: WordPress theme footer showing the Google Analytics tag]

Step 3c: Edit your tracking code by adding the field that anonymises visitor IP addresses.

The code to add is

{ 'anonymize_ip': true }

It goes on the line that contains your site ID (line 96 in the screenshot) and before “</script>”, as the third argument of the gtag('config', …) call. N.B. In your CMS, it is unlikely to be on the same line in your HTML editor as it is above, i.e. not necessarily line 96.

Replace the closing bracket and semicolon after your site ID with a comma, the new object, and then the closing bracket and semicolon again. So, the line in your HTML editor should look like this:

gtag('config', 'UA-1@@@@@@@@@-1', { 'anonymize_ip': true });

Your HTML code should now look like this:

[Image: WordPress theme footer showing the Google tag with the added code]

Step 4c: Don’t forget to press “Update File”.
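As an added example (not code from the original article, nor Google’s own snippet), the following JavaScript ties together the two code-level points of Steps 1 and 3: the GA config command is only issued after an explicit opt-in, and when it is issued it always carries anonymize_ip as the third argument of gtag('config', …). It also includes a small audit check that reads a pasted tracking-code snippet and reports whether that field is present. The dataLayer array and gtag stub stand in for window.dataLayer and the stub that Google’s snippet defines, so the logic runs outside a browser; the measurement ID, the shape of the consent record ({ analytics: true }), and the function names are assumptions.

```javascript
// Added example: consent-gated GA configuration with IP anonymisation.
// Not the article's or Google's code; names and the consent record shape are assumptions.

const MEASUREMENT_ID = 'UA-XXXXXXXXX-1'; // placeholder, not a real property ID

// Stand-in for window.dataLayer: gtag.js reads its commands from this array.
const dataLayer = [];

// Same shape as the stub in Google's snippet: push the call's arguments.
function gtag() {
  dataLayer.push(Array.from(arguments));
}

// Only an explicit, affirmative opt-in counts. A missing record, null,
// or anything other than analytics === true is treated as no consent.
function hasAnalyticsConsent(consentRecord) {
  return consentRecord !== null &&
    typeof consentRecord === 'object' &&
    consentRecord.analytics === true;
}

// Configure GA for this visitor. Returns the 'config' command that was
// pushed, or null when the visitor has not opted in (gtag.js then sends
// no hits and sets no cookies, because it never receives a config command).
function configureAnalytics(consentRecord) {
  if (!hasAnalyticsConsent(consentRecord)) {
    return null;
  }
  // The third argument is the field object; anonymize_ip makes Google
  // truncate the address (IPv4 last octet, IPv6 last 80 bits) on receipt.
  gtag('js', new Date());
  gtag('config', MEASUREMENT_ID, { anonymize_ip: true });
  return dataLayer[dataLayer.length - 1];
}

// Audit check for a pasted tracking-code snippet: true only when the
// gtag('config', ...) call carries anonymize_ip: true as its third argument.
// Curly quotes (as copied from a page or editor) are normalised first.
function snippetAnonymizesIp(snippet) {
  const normalised = snippet
    .replace(/[\u2018\u2019]/g, "'")
    .replace(/[\u201c\u201d]/g, '"');
  const configCall = /gtag\(\s*['"]config['"]\s*,\s*['"][^'"]+['"]\s*,\s*(\{[^}]*\})\s*\)/
    .exec(normalised);
  if (!configCall) {
    return false; // no config call, or no field object after the ID
  }
  return /['"]?anonymize_ip['"]?\s*:\s*true\b/.test(configCall[1]);
}

// Constructed snippets for a stand-alone run (not taken from any real site).
const SNIPPET_WITHOUT = "gtag('config', 'UA-XXXXXXXXX-1');";
const SNIPPET_WITH = "gtag('config', 'UA-XXXXXXXXX-1', { 'anonymize_ip': true });";

console.log('no consent    ->', configureAnalytics(null));
console.log('consent given ->', configureAnalytics({ analytics: true }));
console.log('snippet without field:', snippetAnonymizesIp(SNIPPET_WITHOUT));
console.log('snippet with field:   ', snippetAnonymizesIp(SNIPPET_WITH));
```

In a real page the consent record would come from your cookie-consent plugin (for example, read from its cookie or its callback), and the block would run in place of the unconditional gtag('config', …) line in the tracking code. The audit check is deliberately strict: a snippet where the field object sits outside the closing bracket of the config call is reported as not anonymised, because gtag.js would never receive it.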

Step 4: Disable Third-Party Tracking Plugins That May Identify Users

Google’s data management policies mean that it does not track personal data through the sales funnel. However, some webmasters will have added third-party lead-tracking software to enable personalised tracking. One example is “Convertible”.

Unless you understand exactly how to request consent for this type of tracking, you should disable it for now and seek the services of a GDPR specialist to help you use the plugin so it is GDPR compliant.

Conclusion

The key to understanding Google Analytics and GDPR is that both seek to ensure a separation between people and their data.

For an in-depth understanding of GDPR compliance, consult the guidelines issued by the ICO. They have a useful Data Protection Self-Assessment Toolkit that you can use to assess your website for GDPR compliance.

Disclaimer: The legislation around GDPR is complex. The content of this article is for general information purposes only and does not constitute legal advice or give rise to a solicitor/client relationship. If you have doubts about GDPR compliance and data collection, legal advice should be sought from a GDPR specialist. Whilst we endeavour to ensure the information in this article is accurate, no guarantee, express or implied, is given to its accuracy and we do not accept liability for any error or omission. We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising from the use of any material or suggestion contained in this article, or an action taken as a result of using this material.
