Skip to content

How GDPR Forever Impacts Your Google Analytics Account

POST CATEGORIES

Analytics, Digital Commerce

May 1, 2018

The European Union’s General Data Protection Regulation—or GDPR—will forever impact the way we deal with data. It affects you and how you configure your Google Analytics (GA) account. Read on and find out how.

By Carley Cousineau, UX Analyst

Yes, “forever” sounds dramatic, but it is true. The EU’s GDPR will undeniably impact your GA account—and it’s enforceable by law as of May 25, 2018.

If that statement is starting to make your head spin, allow me to back up a bit. And begin with a little background and context:

I recently received a notice from Google Analytics.

On that same day, I happened to have a phone conversation with a friendly client who had been listening to all the recent fuss on the news about Facebook and Cambridge Analytica. I mentioned that data protection issues have certainly been around for a long time, and that I’d had some direct experience with it that very day.

We started a conversation. He had questions. I had answers. And it sparked the idea for this blog post. Here’s my recollection of some of the highlights we covered in his Q and my A session:

What the heck is GDPR anyway? Isn’t that something to do with Germany?

LOL! I believe you’re thinking GDR—as in the German Democratic Republic. I’m talking about GDPR—as in General Data Protection Regulation. Yes, they’re both associated with the EU, but the similarity ends there.

OK, I thought you were going to say it stood for Gol Darn Privacy Rights! So what’s GDPR all about?

Well, it certainly is about privacy and personal data. Under GDPR, which was introduced two years ago and goes into full force on May 25th of this year, the definition of personal data has been expanded and clarified. It now includes IP addresses, cookie identifiers and GPS locations. And don’t play dumb on cookies. I know you’re familiar with them!

What are you saying? Have you seen photos of me recently? I’m trying to cut back… So is this GDPR going to require consent from people for personal data that falls within this expanded definition?

Exactly. Explicit consent and transparency is now required. What that means is that site visitor inactivity or pre-checked boxes are no longer considered consent—if they ever really were. Citizens of the EU have the right to be forgotten and personal data must be erased upon request.

I’d like to forget some people—and wouldn’t mind being forgotten myself sometimes… But to be serious for a second, why is this European legislation of interest or importance to me if we’re doing little to zero business in the EU?

If you provide products or services to anyone located in the European Union—or any citizen of the EU, regardless of where they’re located—then you will need to comply with the regulations. Otherwise, your business may be subject to some hefty fines—up to 4% of your worldwide revenue, or 20 million Euros!

OK, now you have my attention. So what about all our existing data? Will the company be forced to give up any of that data?

Only if you do nothing. In that case, Google Analytics (the free version, anyway) will erase data that is older than 26 months.

Will it be now be harder for our company to access our historical data?

No. You can set your own thresholds in your Google Analytics account settings. Thresholds—the notice refers specifically to the free version of GA—are 14, 26, 38, and 50 months. There is also an option to have your data not automatically expire.

Will it now be harder to get new data from users?

You will need explicit consent from citizens of the EU (at the very least) to collect web analytics data. You will also need to update your privacy policy to let users know what data you are collecting, what it will be used for, if and how it will be shared, and so on.

Well, I’m glad you’re taking care of this. So what’s the bottom line, the takeaway on all this when it comes to our Google Analytics account?
 
It’s not really an onerous undertaking to be compliant. You just need to be on top of it. I won’t get into the details here, but there are five top things that should be looked at:

One: Audit your data for PII—that’s Personally Identifiable Information.

Mmmm, pie! So what else is on the menu?

Two: You shouldn’t have any PII to begin with, as it’s against the Google Analytics terms of service. It’s easy enough to check, if you know what you’re doing.

Three: You also need to turn on IP anonymization. This means geographic reporting accuracy is going to be slightly reduced under GDPR.You need to audit your collection of what’s called Pseudonymous Identifiers—things like hashed emails and user IDs.

Four: You need to update your privacy policy—and have it written in a way that’s clear, understandable and concise.

Five: And you need to build an opt-in/opt-out capability. So it’s goodbye to the idea of, say, a notice that states if you proceed to use the site, you consent to the use of cookies. That’s no longer considered consent.

Cool. A top-five list, right? So… what are your top-five desert island albums? OK, you don’t have to answer that right now. I gotta roll. All that talk of cookies has made me hungry. Glad you’re on top of this!
 
Right. Well, I only mentioned cookies twice...but have one for me. And thanks. We’ll talk again soon. Bye!

Related Articles

Using storytelling to discover data

September 17, 2013

Elegant data visualizations are not the final stage of the data-discovery process. Rather, a discovery application should be seen as a story-telling medium that enhances the business user’s experience.

Read More

Something BIG in Energy Productivity is here!

April 14, 2021

There is no doubt that the world is going green and adopting more sustainable practices… Compounding this is a global imperative for digitization of production.

Read More
bring oracle endeca atg together

Bringing Endeca Into ATG: Why Should I? And How?

May 9, 2013

While the Oracle Commerce solution includes both Endeca Commerce and ATG Web Commerce, exactly how the two are meant to be combined has been a lingering question.

Read More