Analytics & Marketing Insights

GDPR: Do I Really Need Consent for Google Analytics Tracking


August 3, 2018           Google Analytics

Considering you are here, I assume you’ve heard about GDPR (General Data Protection Regulation). If the term ‘GDPR’ is new to you, read my other blog posts first:

The GDPR went into effect on May 25th, 2018 and protects the privacy of all individuals residing in the EEA (European Economic Area)*. Now that we are past the deadline, you may be asking yourself whether you really need to gain consent for Google Analytics tracking. After all, if you provide an opt-in consent for Google Analytics, you’ll quickly be missing a lot of data on your visitors.

*Thank you Aurélie Pols for pointing out the difference between EU citizenship and residency as well as providing additional feedback on this blog post.

 

As mentioned above, in February 2018, I wrote a blog post detailing “5 Actionable Steps to GDPR Compliance with Google Analytics.” The advice I gave on this blog post still applies and now that we are several months after GDPR has gone into effect, let’s revisit one of the least clear tips: gaining consent for Google Analytics tracking.

Google’s Direction on Consent

On the official Google Analytics support site, they’ve added guidance as it relates to user consent for Google Analytics by stating:

“When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.”

To my knowledge, this is the only mention of GDPR consent requirement by the Google Analytics team.

Clear Direction

This direction is quite clear. If you have enabled Advertising features in Google Analytics, then you need consent from the EU citizen first. Google defines ‘Advertising features’ as:

  • Remarketing with Google Analytics.
  • Google Display Network Impression Reporting.
  • Google Analytics Demographics and Interest Reporting.
  • Integrated services that require Google Analytics to collect data for advertising purposes, including the collection of data via advertising cookies and identifiers.

With the recent launch of Google Signals to enable Cross Device features in Google Analytics, this is also linked to being an ‘Advertising feature’ and you will need consent here too.

It would also seem that if you are NOT using advertising features with Google Analytics, then you do not need consent (more advice on that further below).

Why Else Might You Need Consent

In addition to Google’s statement about Advertising Feature usage, you should strongly consider gaining consent in the following situations:

  • Collection of a User ID.
  • Collection of any other pseudonymous identifiers.
  • Collection of detailed geographic data (postal code, latitude/longitude coordinates).

User ID & Other Pseudonymous Identifiers

It is against the Terms of Service in Google Analytics (standard and the paid 360 version) to collect any PII. The litmus test is generally that if the data set in Google Analytics alone can personally identify a visitor, then it is PII. What is not PII under Google’s terms would be pseudonymous identifiers such as a numeric User ID. The Google Analytics support site provides advice on how you should encrypt an identifier that is based on PII by leveraging a minimum hashing requirement of SHA256. If you decide to hash a personal identifier, this does not provide an escape from the requirements of GDPR.

Don’t confuse this with the definition of Personal Data under the GDPR. Under GDPR, Personal Data is expanded to include direct or indirect identifiers, such as an IP Address (hence the recommendation to turn on IP Anonymization).


Are You Sharing Data With Google?

There are data sharing settings in Google Analytics that promote sharing your data with Google to help improve its services and to allow account specialists to inspect your data for opportunities. I’ve not heard of any clients benefiting from this data sharing and under GDPR, I don’t recommend sharing your data. The benchmarking setting is completely anonymous (and thus likely safe in the lens of GDPR) and is the only one remotely beneficial to your organization.

Data Sharing Settings in Google Analytics

In ‘Account Settings’ of the Google Analytics admin area, there are several Data Sharing Settings that you should be aware of:

[Screenshot: Data Sharing Settings in Google Analytics]

How to Have Your Google Analytics Cake and Eat it Too

We’ve gone over a few areas where you may need consent to track data in Google Analytics. Unless you are in the camp of the most stringent interpretation of GDPR (specifically where any online identifier cookie, such as the GA Client ID, requires consent), then there is a method to consider. You can collect data in Google Analytics for your entire audience and then once opted in, expand your data collection as appropriate to include User ID and/or Remarketing data.

This method allows you to have data from all visitors to the site and then if the user opts in, you can include them in the ‘Advertising Features’ to enable remarketing, demographics, Google Signals, and other future features.

This is a win-win in my book as you are honoring the user’s privacy by not collecting anything that is PII or that can be used for behavioral ad targeting.

Designing a GDPR Compliant* Google Analytics Implementation

Recently, the Google Analytics team introduced a code feature to ‘Allow Ad Features’. This code setting is used to disable the beacons that fire to collect data for the advertising features. This setting will override the admin interface selection when the ad features are enabled.

Below is a method to follow for a GDPR compliant* Google Analytics implementation:

*Disclaimer: Consult your legal team before taking my advice

  • Review and accept (if applicable) the Data Processing Amendment (DPA) under the Admin –> Account –> Account Settings screen within Google Analytics.
  • On your Google Analytics tag implementation, set the ‘allowAdFeatures’ to false if the user has not consented (default value should be false until you have consent). In GTM, this is really simple to do via the More Settings –> Fields to Set option on the Google Analytics tag. See Simo’s great post on how to ‘Allow And Block Advertising Features In Google Analytics’.
  • If the user has opted in, at that point, you should set the ‘allowAdFeatures’ to a true value so that Ad Feature beacons are sent.
  • Turn on the Anonymize IP feature via your Google Analytics code. Brian Clifton recently researched the impacts of AnonymizeIP and found no accuracy issues at the country level, but there was more of an impact at the city level. Assuming you have clear consent for this type of data collection, then you could set the AnonymizeIP value to true at that point.
  • In the Google Analytics Admin under Property –> Tracking Info –> Data Collection, turn on the advertising features you will be leveraging: Remarketing, Advertising Reporting Features, and/or Google Signals.

Sounds simple right?

The biggest effort is going to be building/implementing a consent management modal to allow the user to select their preferences. Once you have their preference stored in a cookie, then you can decide whether to set the ‘allowAdFeatures’ on the Google Analytics tag to true or not.
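The consent-gated tag setup from the steps above, written for analytics.js as an added example that is not part of the original post. The cookie name `site_consent`, its `ads=1&uid=1` value format, the helper names and the `UA-XXXXX-Y` property ID are assumptions made for illustration.

```javascript
// Added example, not the post's code. The cookie name and its "ads=1&uid=1"
// value format are assumptions; 'UA-XXXXX-Y' is a placeholder property ID.
const CONSENT_COOKIE = 'site_consent';

// Read the stored choices from a document.cookie-style string. Anything
// missing, malformed or unrecognised counts as "no consent" (fail closed).
function readConsent(cookieString) {
  const consent = { ads: false, userId: false };
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const prefs = new URLSearchParams(decodeURIComponent(part.slice(eq + 1).trim()));
      consent.ads = prefs.get('ads') === '1';
      consent.userId = prefs.get('uid') === '1';
    } catch (e) { /* bad percent-encoding: keep the defaults */ }
    break;
  }
  return consent;
}

// Build the analytics.js commands for one page load. Every field is set
// before the pageview, so the first hit already reflects the visitor's choice.
function gaCommands(propertyId, consent, pseudonymousId) {
  const cmds = [
    ['create', propertyId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['set', 'allowAdFeatures', consent.ads === true],
  ];
  if (consent.userId === true && pseudonymousId) {
    cmds.push(['set', 'userId', String(pseudonymousId)]);
  }
  cmds.push(['send', 'pageview']);
  return cmds;
}

// Replay the commands through a ga()-style function and return them.
function trackPage(ga, propertyId, cookieString, pseudonymousId) {
  const cmds = gaCommands(propertyId, readConsent(cookieString), pseudonymousId);
  cmds.forEach((cmd) => ga(...cmd));
  return cmds;
}

// In a browser with the standard analytics.js snippet loaded:
if (typeof window !== 'undefined' && typeof window.ga === 'function') {
  trackPage(window.ga, 'UA-XXXXX-Y', document.cookie, null);
}
```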


Assuming your lawyers agree with the interpretation that Google themselves have been promoting, then this method will increase your confidence of compliance towards this regulation.

Your compliance with GDPR can help your brand avoid penalties and build trust.

Shouldn’t we all be advocates for our customers? We sure think so and we hope that brands are taking privacy more seriously for the benefit of their customers.

Ask Questions or Share Your Input

Do you have other tips or questions on how to implement GDPR with Google Analytics? We’d love to hear from you in our comments below and we promise to respond in a reasonable time period.

Disclaimer: I am not a lawyer and the information provided within this blog post is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggested clarifications, please comment and provide sources, as appropriate.

 

  • Michael O`Toole

    Hey Joe

    just to be sure, I would turn on advertising features in Google Analytics and do a setup in GTM that when the user gives consent turn on allowAdFeatures. Does GA know that it doesn’t fire Adfeatures before the consent?

    Thanks for clarifying and have a great day!

  • @lars_kops:disqus Great question! You would turn on the advertising features in the GA Admin interface and then you should set the allowAdFeatures field in the GA code to false until you have consent, at which point you can set it to true. You need to set this field before the pageview or any event fires. Let me know if this clarifies your question or if I can provide additional details.

  • Todd Weise

    Hey Joe, I’m not sure if I missed this in the article or not. But in the cases where your GA setup is very vanilla other than maybe some event tracking. If you’ve got those advertising features off, and essentially you’re letting GA fire off without an explicit “I agree” type button click. Do you think that the GA cookies should even be listed in the cookiesets that cover what is running? I hope that makes sense. I’m in the US (and more of a dev than a marketer), and have one client that is Swiss-based and currently we’ve got it so that GA doesn’t fire until the button in their footer is clicked, and of course numbers dropped tremendously earlier in the year. Just revisiting the topic as they are about to run a LinkedIn campaign, and I’ve been telling them that the metrics they’ll capture are going to be very unrealistic.

  • @Iodine74:disqus Thank you for your question. If your GA setup is just the basic snippet and you don’t have the advertising features enabled, I still recommend for the EU to turn on IP Anonymization (code change required) and you should still list GA in your privacy policy/cookie list. But, you probably don’t need consent under that scenario. I hope that helps!

  • Nathan McKean

    Hi Joe, whilst GDPR is one thing, the ePrivacy directive still states that cookies (whether personal or not) require prior informed consent for storage or for access to information stored on a user’s terminal equipment. In other words, you must ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them.

    For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the individual’s wishes, so firing even a reduced version of GA on page load is likely not to comply until they’ve explicitly clicked a confirmation.

    Just pointing out. Same for me as for you. This is not legal advice. Consult a professional. 🙂

  • @nathanmckean:disqus Thank you for your comment. It will be interesting to see how this evolves with the ePrivacy Regulation (whenever that happens). As it is, you can go to major EU brand sites and most do not comply to this level. Most are using ‘cookie notification’ banners which do not ask for permission, they just notify that they’ll be using cookies (and by the time it notifies the user, a cookie has already been set).

  • Denis

    Regarding the cookie problem, what do you think about ‘storage’: ‘none’ until the user agrees to the usage of analytics? If the user agrees, you can set the user id how you described and set the storage to cookie. What do you think about this approach? This way you won’t have an identifier or even a cookie until the user agrees. So you don’t have to inform or what do you think?

  • Claude Bossett

    hi,
    I am using GA and adwords separately. they are not connected. I only use the most basic GA features. GEO (which city users are from) device, and amount of users. do I need a cookie consent popup?
    thanks,
    Claude

  • @claudebossett:disqus My previous answer to Todd up above is my recommendation (turn on IP Anonymization). Consult a lawyer that specializes in GDPR to be sure for your scenario though.

    Also be aware of CCPA (California Consumer Privacy Act) which is more of an opt-out type of privacy consent. You may still want to build the ability for users to opt-out to be in compliance with CCPA. We’ve built the Blast website to allow for this capability (click on Privacy Settings in the footer) and then in GDPR countries, we show this modal to users to ask them for their permission.

  • Claude Bossett

    thanks for your help! it will save me tons of work… where can I turn this on in analytics….

  • @claudebossett:disqus The IP Anonymization is something that must be turned on in the code itself. There is no interface option inside GA.

    The way you do this depends on how you have GA installed on your site. https://support.google.com/analytics/answer/2763052?hl=en discusses this further. If you are using GTM, then you can customize each GA tag to enable this feature and set it to true.

 
