Google Analytics and GDPR: What Marketers Need to Know
Google Analytics is a tool that many companies use to monitor their website traffic and marketing channels online. The straightforward nature of Google Analytics installation and cookie-based tracking has made the platform a favorite for many agencies and companies. Google Analytics has great integration with AdWords, building retargeting lists, and custom audiences for better insights and segmentation. However, with the new European Union (EU) regulations about data privacy, Google Analytics, and privacy laws, what we are used to as online advertisers now might soon be called the “good old days.”
What is GDPR Compliance?
The General Data Protection Regulation (GDPR) is a data privacy regulation imposed by the EU that goes into effect on May 25, 2018. The purpose of GDPR is to consolidate privacy regulation in the EU and give customers and individuals control over their information.
For companies that violate the regulation, fines will be imposed. Penalties can be €20 million or between two and four percent of worldwide revenue. Even United States companies that aren’t located in the EU can be subject to these same penalties if they provide goods or services to EU citizens. This is scary news for many business owners, which means that companies in the U.S. need to understand how to become compliant with GDPR law.
In fact, we suggest any company doing business with any of the 28 members of the EU audit their own data collection practices and make sure they are compliant by May 25th. The consequences for non-compliance is still yet to be determined but could cause trouble—especially if someone from the EU happens upon their website—and the website doesn’t comply with the new law.
The regulation states that:
“…generic advertising written for U.S. customers is not covered by the GDPR, but if the marketing is done in the language of an EU country and there are references to EU users, the webpage needs to follow GDPR rules.”
What does this mean?
Unfortunately, there is a lot of conflicting information out there about what the GDPR rules really mean for businesses, as well as what they mean for marketers. While misinformation is everywhere, it is important that you do your own research and consult with a lawyer to ensure that you are complying with these new regulations. The EU GDPR website has all the details you need to know about the upcoming rules changes.
For the ultimate resource, the 88-page GDPR law that was enacted on April 4, 2016, can be found here:
Redefining Personal Identifiable Information (PII)
Beyond the regulatory policies, GDPR defined what constitutes personal identifiable information (PII). Under this regulation, the meaning of personal data has expanded to include IP addresses, cookie identifiers, and GPS locations which has historically been collected as aggregate data for email and remarketing campaigns – but not historically thought of as “personal” because it lacks the name, address, phone, and photo characteristics that one might normally consider.
This is no doubt a game changer for not just marketing but also the way people use the internet. If people have to opt-in to cookies and location data every time they visit a webpage, the UX experience on the entire internet is going to suffer drastically.
Such a reach may also open up several companies who (unknowingly) think they are GDPR compliant but are not. The new regulation states that EU citizens have the right to have their information erased upon their request and forgotten by companies.
GDPR & Google Analytics
Once the GDPR goes into effect, if you use Google Analytics, then Google is known as your Data Processor and your organization is the Data Controller, because the script you put on your website actually controls the data (firing cookies) that is sent to Google Analytics.
Last but least, Google started sending out GDPR emails to Google Analytics users letting them know where they are at with meeting the new EU standards. You can view the letter we got below. The action item at the end shows us that Google is taking this very seriously and we echo the same advice as they give:
Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy.
Google has sent out this email letter to all Google Analytics accounts to help users prepare for the upcoming changes that need to be made. Google has also pledged that it is committed to meeting the standards the GDPR has in place, and they plan to do that by monitoring updated compliance terms and making appropriate changes. As the weeks and months unfold I’m sure we will hear more about Google’s roll in GDPR compliance.
What Can You do to Help Become GDPR complaint?
- Audit Data for Personally Identifiable Information
Gathering Personally Identifiable Information, also known as PII, is against Google’s Terms of Service. Before the GDPR rolls out, you will want to ensure that you aren’t collecting or transmitting PII. To do this, you can:
- Check Page URLs, Page Titles, and other data dimensions for PII collection.
- Make sure that data entered into forms by users that will be collected by Google Analytics doesn’t contain PII.
One of the simpler ideas for US companies operating locally would be to just reject traffic from EU countries because they are no part of the business model and just a liability. As long as you are only focused on US-based (or non-EU) countries you might be able to avoid the EU altogether.
- Turn on IP Anonymization feature in Google Tag Manager
IP addresses will be considered PII under GDPR, and even though IP addresses aren’t used in Analytics reporting, they are used for geolocation data. You should turn on the IP Anonymization feature in Google Tag Manager (GTM) to be sure that you are in compliance. Do this by going into the More Settings area. In More Settings, go to Fields to Set, and then add in a new field called ‘anonymizeIp’ with a value of ‘true.’
For more information on this, Google has a help topic on this feature here:
- Create the Ability for Users to Opt In or Out
This is likely the hardest one to tackle because it involves new technology code and processes which US guidelines historically don’t meet. I’m sure many SMG’s in the EU are freaking out right now about the added cost simply to give more data controls to end users who likely will never care or try to adjust them.
Under these new guidelines, companies need to be careful about getting explicit consent for tracking a user’s data. Even if you are collecting pseudonymous identifiers, you need to get consent from the user. Speaking to your legal counsel will be your best bet for deciding if an opt-in capability is necessary for the data you are collecting.
At Rank Fuse Interactive, we recommend that all businesses seek legal counsel to learn about how to become compliant with these new data gathering regulations. With about a month left before these rules are enacted, many U.S. companies are scrambling to figure out what “compliance” means for their organization. With every business having unique data and EU relationships, only legal representation and not marketing agencies like us should be consulting on what’s best for you. Be sure that you get all of your updates done by May 25, 2018, to avoid any potential breaches of the regulation.