GDPR and Google Analytics
GDPR – What you now need to consider when using Google Analytics
What is Google Analytics and how does it work?
Search the web and you’ll find lots of excellent articles outlining just how useful Google Analytics can be to your business. It fact, it’s estimated that well over half of all websites already rely on Google Analytics as their web analytics tool.
How does GDPR make a difference to Google Analytics?
In a nutshell, it’s to do with the fact that when you use Google Analytics you and Google are sharing personal data – that is data which relates to an individual data subject. Under current data protection law, some (although not all) of this data may not be protected but GDPR will change this.
GDPR, which comes into effect from the 25th May 2018, aims to offer more protection relating to personal data of data subjects (individuals) in the EU based on the way technology has now advanced and used (current legislation dates back to 1998). According to the new and broader GDPR definitions, personal data is any information which could identify an individual using “all means reasonably likely to be used”, including considering how an individual could be identified if you were to combine apparently unrelated data sets you hold. So it still includes obvious information such as someone’s name and address but will now include online identifiers including IP addresses, cookie identifiers and pseudonymised data – for example data which is key-coded data, if a data subject could be identified from that data, including if you were to combine several data sources.
If you will be
- processing personal data of individuals who are in the EU because of goods/services offered to them and/or
- monitoring the behaviour of your website users
then GDPR will apply to you.
That means that you must comply with GDPR requirements but you must also be able to provide proof that you do.
So what does GDPR have to do with Google Analytics?
The whole point of using Google Analytics is to allow Google to share data you’ve collected so that it can ultimately produce the reports that you need. Under current data protection legislation at least some of the data which is used as part of Google Analytics is probably not personal data, but the GDPR broader definitions as discussed above means that it will be.
The issue is also complicated because you will need to consider both the data which
- you are allowing Google to access and
- you are using from Google in the form of the reports prepared by Google Analytics.
So, for example, you could be collecting and allowing Google access to:
- email addresses, if these are part of your website log-in process or
- users’ names in page URLs you collect because a user name is part of the URL (for example https://www.acompany.org/user/janewilliams)
You could also be accessing data from Google which would mean that you could identify an individual using “all means reasonably likely to be used”, considering how an individual could be identified, including IP addresses.
Don’t forget client specific pages.
Just because the content is only available to users who are logged onto your website (for example, as with a membership site) doesn’t mean that any personal data collected is exempt from GDPR requirements.
You need a lawful basis to process (use, collect etc) data you and your business may be one of the many that relies on the consent of the individual. So, for example, it seems quite straightforward to get someone to agree that you can use their data for your own purposes. Unfortunately, under GDPR the question of consent is much more complicated that under current law so if you are relying on consent you’ll need to review the consent and also consider whether you have another (and potentially less fragile) lawful basis for at least some data processing.
Surely Google already has all of this covered?
Yes and no.
Google is certainly committed to complying with GDPR and so, for example, as Google tells us, internet users may have the option to “install the Google Analytics opt-out browser add-on”. The problem is that this doesn’t mean your responsibility is somehow shifted to Google, or anybody else for that matter.
If you take a good look at Google’s own terms and conditions (which you agree to when you use Google Analytics) it’s really clear that YOU are “solely responsible” when you use Google Analytics and it’s your responsibility to
- ensure that no “personally identifiable information” (i.e. anything which could identify an individual) passes between you and Google and
So, using any data which could identify an individual could mean breaching GDPR and your agreement with Google Analytics, meaning not only will the ICO (Information Commissioners Office who will supervise GDPR compliance) issue you with a fine but you will no longer being able to use Google Analytics anyway because Google will terminate your agreement.
So what can you do if you want to carry on using Google Analytics?
(1) Know your data
A lot of businesses are data hungry but some of that data is just stored and never used so a frequent data clean is always a great idea but with GDPR looming up it’s essential. Remember you should only keep data for as long as is reasonable anyway.
- Start by being clear about what data you hold and how you are going to process (use, store etc) it.
- Next, look at what data you need to collect and use and how long you need it for.
Do you have a lawful basis for processing? If not, there’s time to put things right. For example, if you are relying on someone’s consent to use their data, check you have a GDPR compliant consent in place. Otherwise you can’t lawfully use that data after 25th May 2018.
Once you’ve done this make sure that you permanently delete anything you don’t need or can’t justify keeping.
It may seem a little time-consuming but at the end of your data cleanse you’ll be in a good position to be GDPR compliant, particularly if you regularly repeat the exercise.
(2) Check your policies
Bearing in mind that you are also responsible for your organisation’s compliance consider putting a complete data protection policy in place (this sets out how your business will achieve its data protection obligations) with some relevant training so that everyone is clear about the organisation’s obligations and the part they must play.
(3) Be clear about how you are going to use Google Analytics
Make sure you have clear boundaries so that you don’t inadvertently “share” any “personally identifiable information”.
If someone else is accessing your Google Analytics accounts (for example if an agency or freelancer helps you with your website analytics) be clear about ownership and responsibility for the account and control who has access; clarify exactly what they can (and can’t) do. Remove any permissions unless they are absolutely necessary.
(4) Data transfer compliance
Google is a US company and, although it does have some servers based in the EEA, there is still likely to be some data transfer outside the EEA. Since Google will in effect be your data processor this means that you need to check that Google is GDPR compliant for data transfer outside the EEA. At the moment Google relies on the EU-US Privacy Shield, but bear in mind that things change. Since it is your responsibility, have a simple process that shows you regularly check Google’s compliance with GDPR so that you can prove that you are complying with your own obligations.
(5) Remember data subjects’ rights
Finally, under GDPR, data subjects will have a lot more control over their data. If you want to carry on using analytical tools and are concerned that some personally identifiable information (such as IP addresses) could be used, then the most sensible course of action is to make sure that your website users
- know you are using Google Analytics and that they understand what it does and how their data is used
- give their explicit consent to enable you to use Google Analytics
- can change their mind about consent and opt out easily and at any time
Do you need help with GDPR compliance? Call us on 01244 300413 or email firstname.lastname@example.org or complete the form below: