On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) goes into effect. To comply with this regulation, Google Analytics has been making several changes to its policies and to the administration capabilities within the analytics platform. In this blog, Lane Terralever (LT) helps to answer the following questions about making your website GDPR-compliant and about the changes to Google Analytics:
- Is my business bound to the GDPR?
- How do I make my website GDPR-compliant?
- How often should I remove consumer data from Google Analytics?
A disclaimer: Lane Terralever is not a legal firm and does not provide legal advice. All of the information provided here is based on our research and interpretations of the regulations. Interpretations vary, and you should seek advice from legal counsel.
To stay current and informed on the GDPR and its complexities, I recommend following Joe Christopher’s Analytics Blog: http://www.blastam.com/blog/5-actionable-steps-gdpr-compliance-google-analytics
In the broadest definition, if you are using Google Analytics (GA) on your website, then GA is your data processor, and your company is the data controller. In the Analytics Blog post referenced above, Joe provides five actionable steps toward compliance. As you follow along with Joe’s five steps, I would make a few changes to those steps, as detailed below.
LT provides a comprehensive audit that checks for and identifies collection of personally identifiable information (PII), and also ensures that the data in your GA account is not affected by malicious bots or malware. We call this audit the Data Integrity Scorecard (DIS), and I recommend requesting it once per quarter. I also have a code-level solution available that will stop any PII that your business may be collecting.
If you are doing business primarily in North America, or if you are doing business in both the European Union (EU) and North America, I would not block IP addresses as Joe suggests. GA does not reveal the IP address in any report, but it is used for tracking. Most of your advertising audience reports and location reports depend on the IP address, and these are critical metrics for analytics. The alternative I suggest is to use a separate View in GA for the EU. For the EU View only, you can add the filters to block the IP data. Within the other View(s), you can employ filters to block all traffic from the EU. See the images below for how these filters are configured. If you need assistance with these, contact your LT representative.
Figure 1: GA admin filter to exclude the EU from all data collection for a specific GA View.
Figure 2: GA admin filter to allow only data from the EU for the EU View.
In his blog, Joe leaves a critical question unanswered here: How often should user and event information be removed from the GA database? The initial reaction I get to this question from most clients is, “never.” This new setting, which GA is requiring you to select in the account settings, needs some clarification before I provide a suggested answer.
When a consumer registers on your website for a unique login, such as a shopping cart profile or a student login, and this registration allows them to log in to your website with a username and password, GA assigns them a user ID using the consumer ID that your website assigns. When that consumer is logged in, the events that they complete on the site, such as submitting a form, ordering a product, submitting a document, etc., are logged to that user ID. When you select to have the user information removed from GA, only the user ID and associated events are removed. All other data in GA remains and is still accessible, as usual.
Also, if you select 14 months as the retention period, all user ID information will be removed after 14 months. However, the 14 months are counted from the consumer’s last event. As an example, if a consumer has registered on your e-commerce website and has not made a purchase, added an item to the cart, or performed any other event while logged in to the website for 14 months, then all of that user ID and event history is removed. Otherwise, if the consumer has been actively using your e-commerce website for 14 months or longer, all of the user ID and events are retained in the database.
This is very much EU-regulated after the 25th of May. With that, it might be a good idea to have the popup that Joe suggests here triggered by IP. In this way, if the visitor is from the EU, the popup would be active; otherwise, the popup is never seen by the consumer.