May 1, 2018
The European Union’s General Data Protection Regulation—or GDPR—will forever impact the way we deal with data. It affects you and how you configure your Google Analytics (GA) account. Read on and find out how.
By Carley Cousineau, UX Analyst
Yes, “forever” sounds dramatic, but it is true. The EU’s GDPR will undeniably impact your GA account—and it’s enforceable by law as of May 25, 2018.
If that statement is starting to make your head spin, allow me to back up a bit. And begin with a little background and context:
I recently received a notice from Google Analytics.
On that same day, I happened to have a phone conversation with a friendly client who had been listening to all the recent fuss on the news about Facebook and Cambridge Analytica. I mentioned that data protection issues have certainly been around for a long time, and that I’d had some direct experience with it that very day.
We started a conversation. He had questions. I had answers. And it sparked the idea for this blog post. Here’s my recollection of some of the highlights we covered in his Q and my A session:
What the heck is GDPR anyway? Isn’t that something to do with Germany?
LOL! I believe you’re thinking GDR—as in the German Democratic Republic. I’m talking about GDPR—as in General Data Protection Regulation. Yes, they’re both associated with the EU, but the similarity ends there.
OK, I thought you were going to say it stood for Gol Darn Privacy Rights! So what’s GDPR all about?
Well, it certainly is about privacy and personal data. Under GDPR, which was introduced two years ago and goes into full force on May 25th of this year, the definition of personal data has been expanded and clarified. It now includes IP addresses, cookie identifiers and GPS locations. And don’t play dumb on cookies. I know you’re familiar with them!
What are you saying? Have you seen photos of me recently? I’m trying to cut back… So is this GDPR going to require consent from people for personal data that falls within this expanded definition?
Exactly. Explicit consent and transparency are now required. What that means is that site visitor inactivity or pre-checked boxes are no longer considered consent—if they ever really were. Citizens of the EU have the right to be forgotten and personal data must be erased upon request.
I’d like to forget some people—and wouldn’t mind being forgotten myself sometimes… But to be serious for a second, why is this European legislation of interest or importance to me if we’re doing little to zero business in the EU?
If you provide products or services to anyone located in the European Union—or any citizen of the EU, regardless of where they’re located—then you will need to comply with the regulations. Otherwise, your business may be subject to some hefty fines—up to 4% of your worldwide revenue, or 20 million Euros!
OK, now you have my attention. So what about all our existing data? Will the company be forced to give up any of that data?
Only if you do nothing. In that case, Google Analytics (the free version, anyway) will erase data that is older than 26 months.
Will it now be harder for our company to access our historical data?
No. You can set your own thresholds in your Google Analytics account settings. Thresholds—the notice refers specifically to the free version of GA—are 14, 26, 38, and 50 months. There is also an option to have your data not automatically expire.
Will it now be harder to get new data from users?
Well, I’m glad you’re taking care of this. So what’s the bottom line, the takeaway on all this when it comes to our Google Analytics account?
It’s not really an onerous undertaking to be compliant. You just need to be on top of it. I won’t get into the details here, but there are five top things that should be looked at:
One: Audit your data for PII—that’s Personally Identifiable Information.
Mmmm, pie! So what else is on the menu?
Two: You shouldn’t have any PII to begin with, as it’s against the Google Analytics terms of service. It’s easy enough to check, if you know what you’re doing.
Three: You also need to turn on IP anonymization. This means geographic reporting accuracy is going to be slightly reduced under GDPR. You need to audit your collection of what’s called Pseudonymous Identifiers—things like hashed emails and user IDs.
Cool. A top-five list, right? So… what are your top-five desert island albums? OK, you don’t have to answer that right now. I gotta roll. All that talk of cookies has made me hungry. Glad you’re on top of this!
Right. Well, I only mentioned cookies twice...but have one for me. And thanks. We’ll talk again soon. Bye!