The GDPR, and why it affects us

The General Data Protection Regulation (GDPR) is a definitive and far reaching data protection law that applies to EU citizens and the processing of their personal data.

The GDPR is why you often get the following consent banner when visiting a website.


The lowdown of this 2018 law is covered in my blog post here: The GDPR in digestible bullet points for software developers, implement it seamlessly!

I would like to point out a common misconception: the GDPR doesn't talk about cookies directly, but it comes into effect when a cookie holds personal information.

A new regulation called the ePrivacy Legislation is in the works. This law will offer more transparency about how corporations can manage user tracking and advertising online.

But until then, let's focus on Google Analytics and the GDPR and answer the question found in this page's title.

Disclaimer: this is not legal advice and should not be construed as such. I am not a lawyer; I am a developer presenting the research I have done on the subject and which might just save you a lot of worry and expense. Your circumstances may be different, and for that you need to seek out the professionals.

How does the GDPR concern Google Analytics?

The GDPR has a lot to say on data privacy and insists that any sort of data collected that can identify a user requires their explicit consent.

Google Analytics collects anonymized data on site visitors, aggregates it, and reports on how they arrived on your website, what pages they browsed for how long, and so on.


_Anonymized? That should be compliant. So no need for consent, right?_

__Stop right there.__

Although Google Analytics' JavaScript tag doesn't collect personally identifiable information like name or email, it does:

  • track visitors with a special UserID classification
  • transfer the user's IP address to Google

Persistent IDs and IP addresses are considered personal information by the GDPR.

In addition,

  • it tracks visitors by assigning a unique UserID stored in a cookie on the user’s browser

__Any non-legitimate cookie tracking requires consent.__

In the processing of data, the GDPR defines two distinct organisational roles:

  • the data controller
  • the processor

There are numerous obligations for each as found in Articles 4(7), 4(8), 5(1), 5(2), 26, 28 – 36 and Recitals 28, 79, 81 – 83.

As Google manages this data, it is the data processor but since visitors came onto your website, you are the data controller.

A key responsibility of the data controller is to ensure that your use of Google Analytics adheres to GDPR requirements. [1]

There's another key issue.

As well as being the data processor, Google is a third party.

The GDPR dictates that consent must also be collected whenever such data is shared with a third party.

Those who say consent is not needed argue:

  • The GDPR has the "legitimate interest" clause under Article 6(1)(f), which states that data collection and profiling may be permitted without consent if it is in the legitimate interest of the organisation (controller) or a third party. Many companies have used this clause to argue that website analytics is critical to offering better products and services.

  • They have found a way to hack or customise the way Google Analytics works in order to remove identifiers such as IP addresses, or have found an alternative tool that does the same.

However, the bottom line is this:

  1. Google is a third party and the GDPR strongly disapproves of such sharing without a user's consent. You can, however, get around this by finding a first-party solution or local implementation.

BUT

  2. If you're using cookies that are not strictly necessary for the running of your website, you still fall foul. As for whether you deem it a legitimate interest or not, statements from official institutions such as the Court of Justice of the European Union (CJEU) in November 2019 have consistently said that user tracking is not necessary and does require permission.

And finally, from two new official Google documents:

“If you’ve enabled any Google Analytics Advertising features, you are required to notify your visitors by disclosing the following information in your privacy policy” Policy requirements for Google Analytics Advertising Features

“You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and…” EU user consent policy

We can therefore safely say that we need to ask consent. Not least because of potential fines but you would also be at risk of losing access to Google Analytics.

OK – so what do I need to do?

Right, so now that we've got that out of the way, what steps do we need to take to stay legitimate?

The most common and user-friendly approach is triggering a consent banner on your site each time a new user lands on your website.


There are plenty of third-party APIs, or you could always build your own.

Here I explain how I achieved this in .NET. Coming soon

Ensure you find a solution that disables the Google Analytics code should the user opt out.
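The following is an added example of the opt-out requirement above, not code from the original post: the Google Analytics tag is only injected after the visitor has opted in, and on opt-out the documented `window["ga-disable-<ID>"]` switch is set so the tag sends nothing. The property id, the localStorage key and the injected `win`/`doc` parameters (there so the logic can be exercised outside a browser) are assumptions; `anonymize_ip` is the gtag config flag for the IP anonymisation recommended in step 2.

```javascript
// Added example (not from the original post): gate the Google Analytics tag
// behind the visitor's consent choice. GA_PROPERTY_ID is a placeholder,
// CONSENT_KEY an assumed localStorage key. "ga-disable-<ID>" is Google's
// documented window flag for switching the tag off; anonymize_ip is the
// documented gtag config option for truncating the visitor's IP.
const GA_PROPERTY_ID = "UA-XXXXXXXX-X"; // placeholder, replace with your own
const CONSENT_KEY = "analytics_consent"; // assumed storage key

// Pure decision function: "granted" loads the tag; anything else (including
// no stored choice at all) keeps analytics disabled, which is the safe default.
function decideAnalytics(consent, propertyId) {
  const granted = consent === "granted";
  return { load: granted, disableFlag: "ga-disable-" + propertyId, disabled: !granted };
}

// Apply the decision to a window/document pair (injected so it can be tested
// outside a browser). Returns the decision so callers can inspect it.
function applyAnalyticsConsent(consent, win, doc, propertyId = GA_PROPERTY_ID) {
  const decision = decideAnalytics(consent, propertyId);
  // With this flag true, gtag.js sends no hits even if it is already loaded.
  win[decision.disableFlag] = decision.disabled;
  if (decision.load && !win.__gaLoaded) {
    win.dataLayer = win.dataLayer || [];
    win.gtag = function () { win.dataLayer.push(arguments); };
    win.gtag("js", new Date());
    // anonymize_ip: Google truncates the IP before storing it (step 2 above).
    win.gtag("config", propertyId, { anonymize_ip: true });
    const s = doc.createElement("script");
    s.async = true;
    s.src = "https://www.googletagmanager.com/gtag/js?id=" + propertyId;
    doc.head.appendChild(s);
    win.__gaLoaded = true;
  }
  return decision;
}

// Called by the consent banner's buttons with "granted" or "denied".
function recordConsent(choice, win, doc) {
  win.localStorage.setItem(CONSENT_KEY, choice);
  return applyAnalyticsConsent(choice, win, doc);
}

// On page load, apply whatever the visitor chose earlier (nothing if unknown).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyAnalyticsConsent(window.localStorage.getItem(CONSENT_KEY), window, document);
}
```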

Step 2: Customise your Google settings

  • Sign Google's DPA – (Admin → Account Settings) and accept the Data Processing Agreement. All data processors require DPAs; otherwise sharing your data with them violates the GDPR.

  • Check your Google Analytics integration for personal information leakage. If you are sending Google internal UserIDs, make sure that they are anonymised rather than personal user information, such as an e-mail. Also, make sure you do not apply personal information to URLs like https://example.com/[email protected].

  • IP anonymization – you can remove the last octet of the IP address before sending it to Google (for example, 123.456.711.777 becomes just 123.456.711, which helps anonymize the visitor).

  • Decide for how long you want to keep user data. Google Analytics stores data attached to an ID for 26 months by default. The GDPR does not specify retention periods for personal data, but you should strive to delete it as soon as you don't need it. This blog argues for keeping data indefinitely for the purposes of historical research, which the GDPR permits. You can adjust your data retention setting to "Do not automatically expire", but do use this data for historical research purposes only and let your customers know.

  • Play about with the settings, and adjust these metrics if you don't need them:

    • Demographics and Interests Reports
    • Turn _Reset on new activity_ off (it extends the period in which you track users, 14 months by default)
    • Turn off Data Sharing with other services
    • Limit the Session Settings time
    • Reduce Cookie Expiration Time

Step 3: Create/update your privacy policy page

Make sure you have a page on your website that details your privacy policy that informs the user on:

  • what data is being collected
  • why, how, and to whom it is sent
  • the right to notice, access, opt-in, rectify, request deletion
  • how they can exercise those rights

In this case, you will need to specifically mention Google Analytics and explain what it is and why you use it.

There’s no standardized template for doing so, but something like the below works:

"We use Google Analytics, a web analytics service provided by Google, Inc. Google Analytics uses cookies to help us analyse how users use our site by tracking what pages you browsed, for how long, and so on, anonymously. Google drops a cookie called "ga" with a randomly-generated ClientID in your browser. This ID is anonymous and contains no identifiable information like email, phone number, name, etc. Your IP address is also transmitted by the cookie. The information generated by this analysis is important to us for improving your user experience and determining the effectiveness of our content. Google may transfer this information to third parties when asked to do so by law, or where those third parties process the information on behalf of Google. Please note Google does not associate your IP address with any other data Google owns. By using this website, you consent to Google collecting data about you in the manner and for the purposes described above. If you would like to access what usage data we have - or request we delete your navigation data - please remove your ga cookies, fill out this form, and/or install the Google Analytics Opt-Out Browser Add-On."

Step 4: Have a data breach plan

Although incredibly unlikely, what should you do if Google experiences a data breach? Google will send you an e-mail, but it'll be up to you to contact the users affected.

The UK information committee bureau has a great guide on what you can do if you have not already put in place a strategy.

Google also has a 24-hour incident response service for dealing with suspected infringements of data.

Step 5: Accessing/deleting a user's analytics data (if requested)

If you get a request from a user, you can undertake the following steps:

  1. Ask the user to provide their Google Analytics ClientID. They can get this by going to where their cookies are stored in their browser and finding one named _ga, which is the Google Analytics cookie and contains a string like GA1.2-2.319686121.1567741125.

(Image: the steps to accessing your cookies in Google Chrome.)

The ClientID is everything that follows the first two periods. In the above case, this would be 319686121.1567741125.

If they have multiple ga cookies, all contained ClientIDs should be submitted.

If you depend on UserIDs instead of ClientIDs, then you must retrieve the ID yourself (for example, if you know their email and have the UserID attached to it).

  2. Then, use Google's User Explorer Report to retrieve all details relevant to this ClientID or UserID (you can also send them this information if they request it).

  3. In the report, you'll see a 'Delete User' button in the bottom left panel.

Google claims that the user's data will be deleted from its database within 72 hours, but it could take up to two months for the data to be deleted from its servers.

Additionally, you could use Google's User Deletion API and their ClientID/UserID to delete any data Google has on them.
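As an added example for step 1 of this procedure (not code from the original post), here is how the ClientID(s) can be pulled out of a browser's cookie string the way the visitor is asked to do it above: it assumes the Google Analytics cookies are named `_ga` (or start with `_ga_`), that a value looks like GA1.<n>.<ClientID> with the ClientID being everything after the first two periods, and that `document.cookie` can legitimately carry several `_ga` entries set for different domains. The sample cookie string is constructed, reusing the post's example value.

```javascript
// Added example (not from the original post): list every Google Analytics
// ClientID present in a cookie string, for a data access or deletion request.
// Assumes GA cookies are named "_ga" or "_ga_<suffix>" and hold values of the
// form GA1.<n>.<ClientID>; everything after the first two periods is the ID.
const GA_VALUE_RE = /^GA1\.[^.]+\.(.+)$/;
const CLIENT_ID_RE = /^\d+\.\d+$/; // two numeric parts, e.g. 319686121.1567741125

// Parse a "name=value; name2=value2" string (the document.cookie layout) into
// [name, value] pairs. Repeated names are kept: the same cookie name can be
// present more than once when set for different domains or paths.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1 ? [part, ""] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Return every ClientID found together with its cookie name, so a visitor
// with several _ga cookies can submit all of them. Values that do not match
// the expected layout are reported rather than silently dropped.
function extractClientIds(cookieString) {
  const found = [];
  const unparsed = [];
  for (const [name, value] of parseCookieString(cookieString)) {
    if (name !== "_ga" && !name.startsWith("_ga_")) continue; // skip _gid, session cookies, ...
    const m = GA_VALUE_RE.exec(value);
    if (m && CLIENT_ID_RE.test(m[1])) {
      found.push({ cookie: name, clientId: m[1] });
    } else {
      unparsed.push({ cookie: name, value });
    }
  }
  return { found, unparsed };
}

// Constructed sample: the post's example value, a second _ga cookie from
// another domain, unrelated cookies, and one malformed _ga value.
const SAMPLE_COOKIES =
  "_ga=GA1.2-2.319686121.1567741125; _gid=GA1.2.1234.5678; session=abc; " +
  "_ga=GA1.3.555.666; _ga=broken";
```

In a browser the same function is called as `extractClientIds(document.cookie)`.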

Alternatively, Google's User Activity API may be used to retrieve the info. The response is formatted in JSON and looks something like this:

```json
{
    "sessions": [{
        "sessionId": "1536284411",
        "deviceCategory": "desktop",
        "platform": "Windows",
        "dataSource": "web",
        "sessionDate": "2020-03-09",
        "activities": [{
            "activityTime": "2020-03-09-10T09:14:55.566105Z",
            "source": "(direct)",
            "medium": "(none)",
            "channelGrouping": "Direct",
            "campaign": "(not set)",
            "keyword": "(not set)",
            "hostname": "shop.googlemerchandisestore.com",
            "landingPagePath": "/gpsmap",
            "activityType": "PAGEVIEW",
            "customDimension": [{
                "index": 1,
                "value": "(not set)"
            }, ...]
        }, ...]
    }, ...],
    "totalRows": 1000,
    "nextPageToken": "A6HKZ7",
    "sampleRate": 1
}
```

Final notes

Further decisions will of course make this information redundant, so I will monitor and update the article with any apparent changes!

There are also other privacy laws that you need to look into, such as Brazil's LGPD or the CCPA (California Consumer Privacy Act) - although implementing GDPR compliance should cover you there!

[1] https://gdpr-info.eu/chapter-4