Under the EU and UK’s General Data Protection Regulation (GDPR) laws, all businesses and organisations are required to follow strict rules in collecting, processing and sharing personal data. This includes the collection of website user data through software such as Adobe, Open Web or Google Analytics. So how can you ensure that your website is GDPR-compliant?
Does Google Analytics collect ‘personal data’?
In short, yes. Google Analytics collects data by running JavaScript tags on your website to set cookies on a user’s browser. (Cookies are small files stored by the browser that record user activity, including recent website visits and sometimes login information.) These cookies harvest personal, even sensitive, data that is then sent to Analytics. Under UK law, personal data is described as any information that relates to an ‘identified or identifiable individual’ (ICO, 2021) and this is where using Google Analytics for visitor and behaviour profiling enters dark territory.
So-called ‘identifiable data’ collected by Analytics includes IP addresses, ID numbers, location data, and some cookie identifiers. Even if the information only indirectly identifies an individual or additional information is needed to identify them, it may still be classed as identifiable. Profiling – the collection and combination of personal data to create data sets or segments – is the foundation of online advertising but, under EU and UK law, your website users have a right NOT to be profiled.
The right to data privacy is why it is so important to consider data protection principles when using any website analytics software. Not only is obtaining user consent law, but it is also vital in encouraging trust and confidence in your business.
Do you need user consent to run Google Analytics?
Under UK and EU GDPR, website owners are required to ask for and obtain explicit consent to run a cookie or tracker that processes personal data. By default, Google Analytics is NOT GDPR-compliant. There are a number of features you can switch off to make your use of the software less risky but ultimately explicit end-user consent is the safest route to follow if you’re looking to avoid potential fines and reputation damage.
Google Analytics Advertising Features
If you want to enable advertising features in Google Analytics, the legislation is clear cut: you need to obtain consent from the user before collecting any data. As Google explains, advertising features include:
- Remarketing with Google Analytics
- Google Display Network Impression Reporting
- Google Analytics Demographics and Interest Reporting
- Integrated services that require Google Analytics to collect data for advertising purposes, including the collection of data via advertising cookies and identifiers
(https://support.google.com/analytics/answer/2700409)
In addition, if you have enabled any of these features, you must explain in your privacy policy how you use this data, what identifiers are used, and how users can opt out.
Sharing Data with Google
When you set up your Google Analytics account, you are asked to choose data sharing settings that allow Google to optimise its services and account specialists to inspect your data (see below). These are not advisable under GDPR and probably don’t benefit your business either. The benchmarking setting is anonymous and may be beneficial, but otherwise opt-out of any data sharing settings on the platform.
You can update your settings at any time by going to Admin > Account Settings > Data Sharing Settings.
You should also consider gaining consent for:
- Collection of a User ID.
- Collection of any other pseudonymous identifiers (such as IP Addresses).
- Collection of detailed geographic data (city, postal code, latitude/longitude coordinates).
How can you ensure your Google Analytics is GDPR-compliant?
The easiest way to ensure total compliance with data protection laws is to implement a Consent Management Platform (CMP) on your website. This can be integrated with Google Analytics, Google Tag Manager and any other software or plugins you use that place cookies on a user’s browser. An effective CMP will:
- Ask for and obtain end-user consent for all Google Analytics cookies on your website, usually by displaying a cookie notice as a pop-up or banner. It is important that the user is able to EASILY opt-out of cookies and not automatically opted in (see an example cookie notice below).
- Only activate Google Analytics tracking when the user has given explicit consent
- Provide a transparent cookie policy listing all cookies in use on the website, including Google Analytics. This enables the user to make an informed decision about enabling cookies.
- Keep a record of user consent and automatically notify returning users if there has been an update in the cookie policy since their last visit.
Will this mean the ‘death’ of usable analytics data?
Many organisations are reluctant to seek user consent for Google Analytics tracking because of the potential negative effect on data collection. What if all website users opt-out of implementing statistics tracking, will this mean no usable data in Analytics? How will decisions be made with no data? The truth is, marketers are already experiencing the effects of cookie blocking, Do Not Track requests and user opt-outs.
In the past, cookies have allowed the implementation of ad retargeting and behavioural advertising, displaying ads to those who have visited a website previously or have displayed preferences that indicate they may be more likely to convert to a sale. At the Google I/O event in California in April 2019, the Silicon Valley giant announced its intentions to update privacy controls in its Chrome browser in a move some commentators described as the “cookie apocalypse”. The update allowed users to see and delete cookies on their browser, as well as choosing to automatically delete them after a certain time.
More recently, Apple’s iOS 14.5 update offered iPhone users the option to block all tracking on apps such as Facebook and Instagram, leaving no way for the app owner or its advertisers to track user behaviour. For marketers, the amount of available user data to effectively retarget products or services to people who have already visited their site has been decimated, in some cases shutting down an entire revenue stream.
For marketers and advertisers, it is important that we do not see the “cookie apocalypse” as a death sentence. There are many tried and tested approaches to reaching and engaging consumers and we should see this as an opportunity to work with our website users to find the best way forward for both parties. A few considerations are:
- Firstly, while data-driven decision making remains fundamental to marketing, no data is perfect. There will always be inherent biases and inaccuracies in any data you collect, and it will always be necessary to test and retest channel performance as you make these decisions.
- If you encourage trust and credibility as an organisation, as well as on your website itself, a large proportion of your users will opt-in to analytics tracking. We recently conducted a small study on the users of an insurance client’s website over one month. During this time, over two-thirds of users opted into Google Analytics tracking (see below).
- Once you have implemented a Consent Management Platform, ideally with records of consent or some form of opt-in measurement, monitor what percentage of your users are opting into Analytics tracking. Is there a way you can improve this? Does the platform offer A/B testing with two or more banner variants? Does previous research suggest that your users respond better to pop-ups or banners in certain positions? After all, there is no reason you can’t aim for a 100% opt-in.
*Here, the ‘No Choice’ option relates to users who have not interacted with the cookie notice. We have since implemented a ‘soft cookie wall’ so that users have to interact before they can use the site.
Customer-centric marketing is effective marketing
Gone are the days of indiscriminate email marketing and questionable purchasing of customer data. Effective marketing is about placing customer needs and wishes at the heart of the organisation, and this means respecting their preferences when it comes to what we do with their personal data. Being proactive about how you manage user data on your website is one of many ways to build trust and credibility in your brand and create competitive advantage that secures success for years to come. If organisations see consent management as an opportunity, rather than a threat, they are more likely to be resilient to future changes in the way we do business online.
If you’re unsure about your website’s compliance or need a second opinion, feel free to contact Kariba on 01423 593020.