Is Google Analytics GDPR compliant?
The General Data Protection Regulation (GDPR) has brought about numerous changes since it came into effect in 2018. These changes have affected the whole digital ecosystem, from small companies to large ones such as Google.
In this article you will discover how Google had to adapt its services to the new European data protection legislation and how Didomi can help you maximise monetisation without compromising user choices and rights. Read on to find out how you can maximise your monetisation using Google Analytics, while remaining fully GDPR compliant.
Disclaimer: In February 2022, both the French and Austrian Data Protection Authorities declared Google Analytics to be illegal in France and Austria. This groundbreaking decision could impact millions of websites currently relying on Google Analytics to track their website performance.
What is GDPR?
What is the General Data Protection Regulation (GDPR) and what does it mean for your company? What does it change in terms of data collection and data processing? What are the risks in case of non-compliance?
Today more and more personal data (name, race, sexual orientation, contact details, location, etc.) is being collected, stored and traded by companies. That is why the GDPR steps in.
The GDPR is intended to protect all personal data. It aims at making it clearer for users what information companies store about them and what they do with this data. It also aims at avoiding the collection of unnecessary data.
Who Does GDPR Apply To?
The GDPR is primarily aimed at large companies, which process personal data on a large scale within the European Union. However, small and medium-sized companies must also comply.
In a nutshell, the GDPR affects companies and individuals who process personal data in the European Union, even if they are not based or resident there.
What Rights Are Given to EU Citizens?
According to the GDPR, companies need to prove the reason why they’re holding users' information and, more importantly, how they’re keeping it safe.
Companies need to be more upfront about it: no more confusing check boxes with unclear questions, or data collection information hidden in the depths of a 30-page terms and conditions document.
Companies also need to be able to prove users' consent if they want to keep their personal data, and they may keep it only for as long as is needed to fulfil the original purpose.
What is PII under GDPR?
Personal data is any information that identifies an individual, or makes them identifiable, directly or indirectly. It can provide information on his or her characteristics, lifestyle, habits, personal relationships, state of health, economic situation, etc.
As new technologies evolve, additional kinds of personal data are being protected under the GDPR, such as data related to digital communications (via the Internet or telephone) and geolocation data, which reveals a person's location and movements.
What are the risks of GDPR non-compliance?
In the event of a data breach, potential sanctions can be massive for companies. In fact, they can be up to €20 million or 4% of the company’s global annual turnover of the previous financial year.
Be aware that this cookie and data collection compliance issue does not only apply in Europe. Countries beyond Europe are also affected. See for example the recent laws that have been enacted in California, Colorado and Virginia to protect residents' and consumers' personal data.
Privacy is becoming a global issue and it is no longer limited to individual areas. Indeed, Gartner estimates that by 2023, 75% of the world's population will have their personal data protected by modern privacy regulations.
How Does Google Analytics Collect Data?
Google Analytics is a tool that enables the analysis and monitoring of the user behaviour of a website or mobile application through the collection of client-side data.
All this raw data is sent to the Google Analytics servers where it is processed and displayed in the platform's reports.
Data collected by Google Analytics cookies
Google Analytics allows you to collect lots of information and insights about your users. The data collected by Google Analytics includes:
- How many times a user visits your website, and at what times of day;
- How the user reached your website, and via which device;
- Client IDs, a unique numeric string assigned to each user of your website;
- IP addresses (unless their collection has been deactivated in your Google Analytics account).
Google Analytics sets the following cookies when in use on your website:
- _ga (lasts 2 years; used to distinguish individual users on your domain);
- _gid (lasts 24 hours; used to distinguish individual users on your domain);
- _gat (lasts just 1 minute; used to throttle the rate of user requests so that your website's performance is not degraded);
- AMP_TOKEN (lasts from 30 seconds to 1 year; contains a unique ID assigned to each user on your domain);
- _gac_<property-id> (lasts 90 days; contains a unique ID that lets Google Analytics and Google Ads work together).
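The cookie names and lifetimes above are what a site owner should look for when auditing their own site: under the GDPR rules discussed later in this article, none of these cookies may be present before the visitor has made a consent choice. The following is an added example, not code from the original article or from Didomi or Google, that parses a `document.cookie`-style string and reports the Google Analytics cookies found. The `_ga_<container-id>` and `_gat_<...>` variants set by gtag.js are assumed to share the `_ga`/`_gat` prefixes; the sample cookie values are constructed.

```javascript
// Added example: audit a cookie string for the Google Analytics cookies
// listed in the article and flag any that exist before consent was given.

// Cookie names and lifetimes as given in the article. `_gac_` is a prefix
// (the full name carries the Ads property id); the `_ga_<container-id>` and
// `_gat_<...>` forms set by gtag.js are assumed to share the prefix.
const GA_COOKIES = [
  { kind: "_ga", lifetime: "2 years", match: (n) => n === "_ga" || n.startsWith("_ga_") },
  { kind: "_gid", lifetime: "24 hours", match: (n) => n === "_gid" },
  { kind: "_gat", lifetime: "1 minute", match: (n) => n === "_gat" || n.startsWith("_gat_") },
  { kind: "AMP_TOKEN", lifetime: "30 seconds to 1 year", match: (n) => n === "AMP_TOKEN" },
  { kind: "_gac_<property-id>", lifetime: "90 days", match: (n) => n.startsWith("_gac_") },
];

// Parse a `document.cookie`-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(cookieString) {
  const result = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq).trim();
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    result[name] = value;
  }
  return result;
}

// Return every Google Analytics cookie present, with its kind and lifetime.
function findAnalyticsCookies(cookieString) {
  const cookies = parseCookieString(cookieString);
  const found = [];
  for (const name of Object.keys(cookies)) {
    const spec = GA_COOKIES.find((c) => c.match(name));
    if (spec) found.push({ name, kind: spec.kind, lifetime: spec.lifetime });
  }
  return found;
}

// Pre-consent check: while no consent has been given, any GA cookie on the
// device is a finding. Returns the offending cookie names.
function preConsentViolations(cookieString, consentGiven) {
  if (consentGiven) return [];
  return findAnalyticsCookies(cookieString).map((c) => c.name);
}

// Constructed sample: what a site might have set before the banner was answered.
const SAMPLE_BEFORE_CONSENT = "session=abc123; _ga=GA1.2.111.222; _gac_UA-12345-1=1.xyz";
```

Running `preConsentViolations(SAMPLE_BEFORE_CONSENT, false)` on the constructed sample reports `_ga` and `_gac_UA-12345-1`; a site passing this check before consent should get an empty list.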
Google Analytics is used by all those marketers who want to understand whether their website is achieving its marketing objectives and how it is doing so.
Google Analytics and GDPR
Do you want to know how many visitors are landing on your website? The geographical areas they come from? From which device are they mainly browsing (laptop or smartphone)? Whether they have arrived via organic or paid search engine traffic? The list goes on…
Are you worried about no longer being Google Analytics GDPR compliant? Since we've entered a new world of conversion measurement, are you no longer sure whether you are entitled to carry on with your conversion measurement business?
Do not panic! Google is moving more and more towards aggregated forms of measurement that are more privacy-safe, with the help of a consent management platform.
Google Analytics cookies belong to the set of cookies that require the user's consent before being dropped on their device, since they collect extremely sensitive data. So, in order to keep running its services and dropping its cookies, Google has to apply a series of measures.
The only cookies that do not require the user's consent for their activation are the technical ones, i.e. those aimed at the proper functioning of your website.
So what are the rules to be GDPR compliant when using Google Analytics? Let's take a closer look at what you should and what you shouldn't do:
What you should do
The consent banner should inform users that the website uses third-party cookies for profiling purposes in order to serve advertising.
You should also set the period after which the data stored by Google Analytics is automatically deleted from its servers. This feature addresses the GDPR requirement that a retention period be defined, by the data controller, for any personal data collected.
By default, the retention time is set to 26 months, but you can choose to change it with one of the available options:
- 14 months;
- 26 months;
- 38 months;
- 50 months;
- Do not expire automatically.
What you shouldn’t do
What is forbidden under the GDPR when using advertising services?
- Collect sensitive information;
- Collect and process the personal data of children under the GDPR age of consent;
- Display ads that collect or contain personal information;
- Send Google precise information on users' location without their consent.
Steps to make Google Analytics GDPR compliant
Briefly, what steps are required to comply with the GDPR? Here they are in a short list:
- Include in the Google Analytics cookie banner simple and clear information explaining how user data is collected, the purposes of the collection, how long the data is kept, the vendors involved and the technical details;
- Collect user consent for all Google Analytics cookies before they are activated and set. The GDPR does not allow cookies to be activated before the user has made a choice on the website or application concerned;
- The user should be able to withdraw consent as easily as they gave it in the first place;
- The site owner should enable IP anonymisation in their Google Analytics account and ensure that they use pseudonymous identifiers.
Google Analytics and Google Consent Mode
How can Google Consent Mode be used to make Google Analytics work based only on the end-users' consent status? And how can analytics be optimised in full compliance with the GDPR?
Google Consent Mode is an API that lets your website run Google's services according to the user's consent choices. It allows you to find a balance between respecting user data privacy and the analytical information you get about your website.
When consent is given, measurement tools work as normal. Conversions are reported and ads cookies are used, allowing the company to better understand user behavior.
Essentially, this is the process that takes place when the user actively makes a choice:
- Users make a consent choice on the consent banner;
- The consent banner informs Google, via Google Consent Mode, whether consent has been given for Analytics and Ads cookies;
- Google's cookies adapt accordingly, serving only the purposes the user has agreed to.
This process is possible through the use of a consent management solution, such as the Didomi CMP, which can help you request and obtain users' prior consent to the processing of their personal data. After that, your website will use the consent status to allow Google Consent Mode to run all of your website's preferred Google services in a simple and compliant manner.
In case your users decide not to give their consent to statistical cookies, Google Consent Mode ensures that you can still obtain aggregate statistics and non-identifying information about the performance of your website.
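The three-step flow above, together with the "collect consent before cookies are set" and "withdrawal must be as easy as giving consent" steps from the earlier compliance list, can be seen concretely in the gtag.js calls that Consent Mode is built on: `gtag('consent', 'default', ...)` before any tag fires, then `gtag('consent', 'update', ...)` whenever the banner reports a choice. The following is an added example, not Didomi's or Google's own code. It uses Google's standard `gtag()` shim that queues calls on the `dataLayer`, but keeps `dataLayer` as a plain array so the file also runs outside a browser; the banner purpose names `analytics` and `advertising` and their mapping to the `analytics_storage` and `ad_storage` consent types are assumptions of this example.

```javascript
// Added example: the Consent Mode flow described in the article, expressed as
// gtag('consent', ...) calls. dataLayer is a plain array here; in a real page
// it is window.dataLayer and gtag.js consumes the queued entries.

const dataLayer = [];

// Google's standard shim: every gtag() call is queued on the dataLayer.
// (The official snippet pushes the raw `arguments` object; copying it to an
// array makes the queue easier to inspect.)
function gtag() { dataLayer.push(Array.from(arguments)); }

// Assumed mapping from the banner's purposes to Consent Mode consent types.
const PURPOSE_TO_SIGNALS = {
  analytics: ["analytics_storage"],
  advertising: ["ad_storage"],
};

// Step 0, before any Google tag loads: deny everything until the user chooses.
// This is what keeps _ga and friends off the device before consent.
function setConsentDefaults() {
  const defaults = { analytics_storage: "denied", ad_storage: "denied" };
  gtag("consent", "default", defaults);
  return defaults;
}

// Steps 1 and 2: the banner's choice ({analytics: true, advertising: false})
// becomes a consent update sent to Google. Purposes not ticked are denied.
function consentUpdateFromBanner(choice) {
  const update = {};
  for (const [purpose, signals] of Object.entries(PURPOSE_TO_SIGNALS)) {
    const status = choice[purpose] ? "granted" : "denied";
    for (const signal of signals) update[signal] = status;
  }
  gtag("consent", "update", update);
  return update;
}

// Withdrawal is just another update with everything denied, so it is as
// easy to trigger as the original consent.
function withdrawConsent() {
  return consentUpdateFromBanner({});
}

// Step 3 happens inside Google's tags: they read the most recent consent
// state. This reproduces that state by folding the queued consent commands.
function currentConsentState() {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] === "consent") Object.assign(state, entry[2]);
  }
  return state;
}

// A gate a site can use before running any analytics code of its own.
function analyticsCookiesAllowed() {
  return currentConsentState().analytics_storage === "granted";
}
```

The order matters: `setConsentDefaults()` must run before the gtag.js script tag is loaded, otherwise the first page view fires with storage allowed. With consent denied, Consent Mode still lets Google report the aggregate, cookieless measurements described above.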
Thanks to the Didomi Google Consent Mode integration, you can achieve greater insights into your conversion data while respecting user choice as well as the GDPR when using Google Analytics or Google Ads.
Didomi is proud to be an official partner for Google Consent Mode. This integration allows companies to achieve a compliant balance where users can make their consent choices and publishers can manage their consent.
How the Didomi CMP helps
It may seem to you like a whole series of legal issues for which you do not see an end. But don't worry! Didomi is here to make everything clearer and easier.
We know how important it is for you to analyse website performance and bring data together to create actionable insights in a compliant way. Hence Google's partnership with Didomi, Europe's leading Consent Management Platform.
By following the steps to be GDPR compliant, you will be able to track which region your visitors come from, how often they visit your website, what their main interests are, and much more.
It will end up being a win-win situation where users will have the privacy rights they deserve about their personal data, while advertisers can continue to monitor their conversions and see if they’re heading in the right direction with their business.
Didomi is proud to be able to help advertisers in their monetisation efforts, and to ensure they're fully GDPR compliant when using Google Analytics. So, don’t hesitate to get in contact with one of our experts to be able to place consent at the core of your strategy with Didomi!