Analytics & Digital Marketing Tips

GDPR: Do I Really Need Consent for Google Analytics Tracking


August 3, 2018           Google Analytics

Considering you are here, I assume you’ve heard about GDPR (General Data Protection Regulation). If the term ‘GDPR’ is new to you, read my other blog posts first:

The GDPR went into effect on May 25th, 2018 and protects EU citizen privacy. Now that we are past the deadline, you may be asking yourself whether you really need to gain consent for Google Analytics tracking. After all, if you provide an opt-in consent for Google Analytics, you’ll quickly be missing a lot of data on your visitors.

 

As mentioned above, in February 2018, I wrote a blog post detailing “5 Actionable Steps to GDPR Compliance with Google Analytics.” The advice I gave in that blog post still applies, and now that we are several months past the date GDPR went into effect, let’s revisit one of the least clear tips: gaining consent for Google Analytics tracking.

Google’s Direction on Consent

On the official Google Analytics support site, they’ve added guidance as it relates to user consent for Google Analytics by stating:

“When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.”

To my knowledge, this is the only mention of GDPR consent requirement by the Google Analytics team.

Clear Direction

This direction is quite clear. If you have enabled Advertising features in Google Analytics, then you need consent from the EU citizen first. Google defines ‘Advertising features’ as:

  • Remarketing with Google Analytics.
  • Google Display Network Impression Reporting.
  • Google Analytics Demographics and Interest Reporting.
  • Integrated services that require Google Analytics to collect data for advertising purposes, including the collection of data via advertising cookies and identifiers.

Google Signals, recently launched to enable Cross Device features in Google Analytics, is also linked to the ‘Advertising features’, so you will need consent here too.

It would also seem that if you are NOT using advertising features with Google Analytics, then you do not need consent (more advice on that further below).

Why Else Might You Need Consent

In addition to Google’s statement about Advertising Feature usage, you should strongly consider gaining consent in the following situations:

  • Collection of a User ID.
  • Collection of any other pseudonymous identifiers.
  • Collection of detailed geographic data (postal code, latitude/longitude coordinates).

User ID & Other Pseudonymous Identifiers

It is against the Terms of Service in Google Analytics (standard and the paid 360 version) to collect any PII. The litmus test is generally that if the data set in Google Analytics alone can personally identify a visitor, then it is PII. What is not PII under Google’s terms would be pseudonymous identifiers such as a numeric User ID. The Google Analytics support site provides advice on how you should encrypt an identifier that is based on PII by leveraging a minimum hashing requirement of SHA256.

Don’t confuse this with the definition of PII under the GDPR.  Under GDPR, PII is expanded to include direct or indirect identifiers, such as an IP Address (hence the recommendation to turn on IP Anonymization).

Are You Sharing Data With Google?

There are data sharing settings in Google Analytics that promote sharing your data with Google to help improve its services and to allow account specialists to inspect your data for opportunities. I’ve not heard of any clients benefiting from this data sharing and under GDPR, I don’t recommend sharing your data. The benchmarking setting is completely anonymous (and thus likely safe in the lens of GDPR) and is the only one remotely beneficial to your organization.

Data Sharing Settings in Google Analytics

In ‘Account Settings’ of the Google Analytics admin area, there are several Data Sharing Settings that you should be aware of:

[Screenshot: Data Sharing Settings in Google Analytics]

How to Have Your Google Analytics Cake and Eat it Too

We’ve gone over a few areas where you may need consent to track data in Google Analytics. Unless you are in the camp of the most stringent interpretation of GDPR (specifically where any online identifier cookie, such as the GA Client ID, requires consent), then there is a method to consider. You can collect data in Google Analytics for your entire audience and then once opted in, expand your data collection as appropriate to include User ID and/or Remarketing data.

This method allows you to have data from all visitors to the site and then if the user opts in, you can include them in the ‘Advertising Features’ to enable remarketing, demographics, Google Signals, and other future features.

This is a win-win in my book as you are honoring the user’s privacy by not collecting anything that is PII or that can be used for behavioral ad targeting.

Designing a GDPR Compliant* Google Analytics Implementation

Recently, the Google Analytics team introduced a code feature to ‘Allow Ad Features’. This code setting is used to disable the beacons that fire to collect data for the advertising features. This setting will override the admin interface selection when the ad features are enabled.

Below is a method to follow for a GDPR compliant* Google Analytics implementation:

*Disclaimer: Consult your legal team before taking my advice

  • On your Google Analytics tag implementation, set the ‘allowAdFeatures’ to false if the user has not consented (default value should be false until you have consent).  In GTM, this is really simple to do via the More Settings -> Fields to Set option on the Google Analytics tag.  See Simo’s great post on how to ‘Allow And Block Advertising Features In Google Analytics’.
  • If the user has opted in, at that point, you should set the ‘allowAdFeatures’ to a true value so that Ad Feature beacons are sent.
  • Turn on the Anonymize IP feature via your Google Analytics code. Brian Clifton recently researched the impacts of AnonymizeIP and found no accuracy issues at the country level, but there was more of an impact at the city level. Assuming you have clear consent for this type of data collection, then you could set the AnonymizeIP value to true at that point.
  • In the Google Analytics Admin under Property -> Tracking Info -> Data Collection, turn on the advertising features you will be leveraging: Remarketing, Advertising Reporting Features, and/or Google Signals.

Sounds simple right?

The biggest effort is going to be building/implementing a consent management modal to allow the user to select their preferences. Once you have their preference stored in a cookie, then you can decide whether to set the ‘allowAdFeatures’ on the Google Analytics tag to true or not.
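
One way to wire the steps above to a stored consent preference when the tag is deployed with analytics.js rather than GTM. This is an added example, not code from the original post or from Google; the cookie name `ga_ad_consent`, its `granted` value and the placeholder property ID are assumptions, while `allowAdFeatures` and `anonymizeIp` are the analytics.js fields named above.

```javascript
// Added example: gate Google Analytics ad features on a stored consent cookie.
// Assumptions: cookie name "ga_ad_consent" and value "granted" are hypothetical.
const CONSENT_COOKIE = 'ga_ad_consent';

// Parse a document.cookie-style string into a prototype-free object.
function parseCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name && !(name in jar)) jar[name] = value; // first occurrence wins
  }
  return jar;
}

// Fail closed: a missing, malformed or unexpected value means no consent.
function hasAdConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'granted';
}

// Set the privacy fields on the tracker before the first hit is sent.
// `ga` is the analytics.js command queue function, passed in for testability.
function initAnalytics(ga, propertyId, cookieString) {
  const consented = hasAdConsent(cookieString);
  ga('create', propertyId, 'auto');
  ga('set', 'anonymizeIp', true);
  ga('set', 'allowAdFeatures', consented);
  ga('send', 'pageview');
  return consented;
}

// Call from the consent modal's accept handler (which also writes the cookie).
function grantAdConsent(ga) {
  ga('set', 'allowAdFeatures', true);
}

// Constructed demo: a recording stub stands in for the real ga() function.
const demoCalls = [];
const demoGa = (...args) => demoCalls.push(args);
initAnalytics(demoGa, 'UA-XXXXXXXX-Y', 'theme=dark; ga_ad_consent=denied');
grantAdConsent(demoGa);
console.log(demoCalls.map((c) => c.join(' ')));
```

In the browser, call `initAnalytics(window.ga, propertyId, document.cookie)` once the analytics.js snippet has defined `ga`.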


Assuming your lawyers agree with the interpretation that Google themselves have been promoting, then this method will increase your confidence in your compliance with this regulation.

Your compliance with GDPR can help your brand avoid penalties and build trust.

Shouldn’t we all be advocates for our customers? We sure think so and we hope that brands are taking privacy more seriously for the benefit of their customers.

Ask Questions or Share Your Input

Do you have other tips or questions on how to implement GDPR with Google Analytics? We’d love to hear from you in our comments below and we promise to respond in a reasonable time period.

Disclaimer: I am not a lawyer and the information provided within this blog post is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggested clarifications, please comment and provide sources, as appropriate.

 

  • Michael O`Toole

    Hey Joe

    just to be sure, I would turn on advertising features in Google Analytics and do a setup in GTM that when the user gives consent turn on allowAdFeatures. Does GA know that it doesn't fire Adfeatures before the consent?

    Thanks for clarifying and have a great day!

  • @lars_kops:disqus Great question! You would turn on the advertising features in the GA Admin interface and then you should set the allowAdFeatures field in the GA code to false until you have consent, at which point you can set it to true. You need to set this field before the pageview or any event fires. Let me know if this clarifies your question or if I can provide additional details.

  • Todd Weise

    Hey Joe, I’m not sure if I missed this in the article or not. But in the cases where your GA setup is very vanilla other than maybe some event tracking. If you’ve got those advertising features off, and essentially you’re letting GA fire off without an explicit “I agree” type button click. Do you think that the GA cookies should even be listed in the cookiesets that cover what is running? I hope that makes sense. I’m in the US (and more of a dev than a marketer), and have one client that is Swiss-based and currently we’ve got it so that GA doesn’t fire until the button in their footer is clicked, and of course numbers dropped tremendously earlier in the year. Just revisiting the topic as they are about to run a LinkedIn campaign, and I’ve been telling them that the metrics they’ll capture are going to be very unrealistic.

  • @Iodine74:disqus Thank you for your question. If your GA setup is just the basic snippet and you don’t have the advertising features enabled, I still recommend for the EU to turn on IP Anonymization (code change required) and you should still list GA in your privacy policy/cookie list. But, you probably don’t need consent under that scenario. I hope that helps!

 
