INFO LINE: 06 1 614 CLICK
 

5 Google Analytics steps for GDPR compliance | Weboptim

What is GDPR and why should you care?
The General Data Protection Regulation (GDPR) is the European Union's data protection law, which comes into force on 25 May 2018. It aims to consolidate data protection rules in the EU.

Some important information regarding GDPR

- If an organisation fails to comply, it could face a financial penalty of up to €20 million, or 4% of global revenue.
- You must comply even if you are not physically present in the EU but provide goods or services to EU citizens.
- The definition of personal data is extensive, including IP addresses, cookie identifiers and GPS location.
- Clear consent and transparency are required: this means that inactivity and pre-ticked checkboxes do not constitute consent.
- EU citizens have the right to have their data erased, and it must be erased on request.
- The GDPR creates an opportunity to build trust and highlight your brand.

 

europe-3256079_640
 

 

Google Analytics: the data processor

If we use Google Analytics, Google is our data processor. We are the data controller, as we can control what data we send to Google Analytics.

 

 

Steps:

1. Check your Personally Identifiable Information (PII)

Hopefully this is not surprising, but the collection of personally identifiable information is against the terms and conditions of Google Analytics.
This is true for both the free Google Analytics Standard and the paid Google Analytics 360. Whether we knew it or not, now is the time to make sure that we do not transmit personally identifiable information.

 

  • We check the URLs, addresses and other data dimensions of pages to ensure that no personally identifiable information is collected. A common example of PII data collection is where the URL contains a fixed "email = querystring" parameter.
  • We make sure that the data provided by users on the forms, which Analytics also collects, does not contain personally identifiable information.
  • Remember that simply filtering PII data is not sufficient, it must be managed at a code level to prevent personal data from entering Google Analytics.

 

2. Turn on IP anonymisation

The GDPR considers IP addresses to be personal data. Even though the IP address is (by default) never shown in the reporting, Google uses it to provide geolocation data.

For security reasons, it is recommended that you enable the IP anonymisation feature of Google Analytics. This requires a code change.

 

If you use Google Tag Manager, add the tag to your Google Analytics settings.
Open the variable, click on the more options button and add the following as a new field: name: anonymizeIp value: true

 

tag manager ip anonim
 

 

If you are not using Google Address Manager, you may need to modify the code directly.
The following extra line should be included: ga('set', 'anonymizeIp', true);

 

This change will result in Google anonymizing the IP address, which can technically be done by removing the last octet of the IP address (for example, the IP address will be 123.123.13.0). This is done before the data is stored and processed. The full IP address will never be entered into the system if this feature is enabled.
The effect of this is that the accuracy of geographical reporting is slightly reduced.

 

3. Check the collection of pseudo IDs (hashed emails, user ID)

We may use pseudonymous, pseudo identifiers when implementing Google Analytics. This may include the following:

  • User ID: user ID - this must be an alphanumeric database identifier; never plain text, e.g. username
  • Encrypted data, such as an email address: Google has a minimum hash and it is highly recommended to use a chain of at least 8 characters.
  • Transaction IDs: technically, this is a pseudo identifier, as it can lead to the identification of the individual when combined with other data sources. This identifier should always be an alphanumeric database identifier.

This seems to be acceptable practice under the GDPR and the Google Analytics Terms and Conditions. But it is recommended to ensure that the Privacy Policy is updated to reflect the purpose of data collection and that explicit consent is obtained from users. In either case, the information provided to users should be clear and answer the questions "what data we collect" and "how we use that data".

 

4. Update your privacy policy

According to the GDPR, updating the privacy policy is one of the most important tasks and must always be communicated to users in a clear, understandable and concise manner.
As it always has been, the purpose of a privacy policy is to describe what we collect and, most importantly, what an organization must follow and do as it says here. The audience for a privacy policy is the end user (not the lawyer).

 

When writing a privacy notice, the following questions should be taken into account:

  • what information do we collect?
  • who collects them?
  • how do you collect?
  • why do you collect?
  • how will you use it?
  • who do you share it with?
  • what impact will it have on those affected?
  • will the individual object to the proposed use?

 

gdpr regulation
 

5. Create opt in/out options

The big question on everyone's mind is whether we really need explicit consent. After all, this can be a significant amount of work and can have an absolute impact on user participation.

 

Let's think about it!

If we collect user identifiers or other pseudo identifiers, the user must give his or her consent. As mentioned above, consent must be explicit (opt in). Gone are the days of cookie ads indicating that if you continue to use the site, you are consenting - this is no longer consent. Instead, users should be clearly asked. The most common approach is to have a pop-up window on the page when logging in that asks for the user's permission, and if they give it, the page will reload or Google Analytics scripts will be run.

 

If user ID data is collected or used for behavioural profiling or other advertising technology, an opt-in consent mechanism must be established.

 

Google Analytics also records a cookie identifier called the GA client identifier and, as this is a core feature of the product, Analytics is likely to offer opt-in permission to all EU visitors. These online identifiers are considered personal data and are therefore subject to regulation.
As part of the GDPR, there are requirements to provide proof of consent (audit trail). We recommend that you track consent in Google Analytics as an individual event.

 

 

 

Summary

These five action steps are a great way to ensure that your Google Analytics account or website is GDPR compliant. The GDPR is a complex set of regulations and it is essential that your organisation has a plan in place to achieve compliance.

 

 

 

Source: http://www.blastam.com/blog/5-actionable-steps-gdpr-compliance-google-analytics

 

 

Did you like the article? You can share it here!


References
Please contact
for a quote!