Noise or Music?

Google Analytics, GDPR and Consent

Categories: GDPR & Privacy / Comments: 34

Share Button

I am going to assume you are aware of GDPR (who isn’t? And Facebook have successfully heightened the awareness in the US). You should also be aware that even though I work in the data industry, I have been a strong privacy advocate for many years now. I approach the subject as an end-user would. Let’s face it, for many years now the data/tracking industry has a bad reputation in general…

In this post I address a key question that is troubling many a website owner using Google Analytics (the “Controller” in GDPR terminology):

Is explicit consent required before I can track my visitors?

 

Visitor Consent For GDPR Compliance

Q: Do I have to gain explicit visitor consent before I can track my website visitors?

A: It depends…

From two new official Google documents:

  • Policy requirements for Google Analytics Advertising Features: “If you’ve enabled any Google Analytics Advertising features, you are required to notify your visitors by disclosing the following information in your privacy policy”
  • EU user consent policy: “You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and…”

What are the Google Analytics Advertising features?
These include Demographics and Interest Reports, Remarketing with GA and DCM Integration. The reasoning is that these features require the use of 3rd-party cookies i.e. the sharing of data with organisations other than the website being visited itself. Hence the privacy implications.

Summary of Google’s Advice:
If you use these Advertising features in GA, you must request explicit consent. If you do not, then you don’t.

BIG BUT…

There is a very large caveat to this – hence I don’t follow Google’s advice. The GDPR is specifically agnostic to the data tool and technology being used. That means gaining consent from your visitors must be based on what data your website collects and does with data – not what happens within Google Analytics.

So if a website has any other tracking technology embedded on its pages e.g. social share icons that also send tracking pixels to 3rd parties, consent would be required. That is the situation for the vast majority of websites – lots of embedded widgets and plugins with tracking pixels firing off to all sorts of places (3rd parties), where governance is potentially unknown.

Here is a classic example of the problem – a blog that uses the 3rd-party Disqus plugin for handling its comments and visitor engagement: The image is taken from the Chrome Developer Console, Network tab:

The image shows that when an article is loaded from the blog, data is sent to the 3rd-party Google Analytics account of Disqus. (Disqus could use any logging tool, even their own, it just happens to be Google Analytics in this case). Note the UA number: UA-1410476. If you view the source of discus.com, you will see the same UAID. Here is another example from a different US focused site.

What is The Implication of This?

If I as a visitor go to the blog site in question running Disqus, then visit other unrelated sites that also use Disqus, ALL my visit data from these sites goes into to the Disqus log/account i.e. they have the ability to stitch together sessions from different websites I visit. Hence the privacy implications for the owner of the original blog website. Therefore, if such a website owner wanted to avoid having to implement tracking consent from its visitors, they would need to verify ALL the 3rd-party tracking pixels on their site and ensure that these match the GDPR requirements for non-consent. That is certainly possible, but not easy by a long shot and a nightmare to manage over time…!

Note, this is not a dig at Disqus. I use them only as an example to illustrate the point – that is, the website owner’s responsibility for obtaining consent goes way beyond what Google specifies for its tools and products.

Best Practice Advice For GDPR Compliance

1. Avoid: The long drawn out and expensive process of auditing your entire site for tracking pixels, building a compliance matrix for each tool, making the necessary changes, and having to repeat/manage this over time.

2. Alternative:

  • Communicate to your organisation that only N tracking pixels are allowed, where N is a small manageable number e.g. 5. That is, all web tracking requirements for the organisation, must be provided by N tools/tracking pixels.
  • That means replacing tracking pixels with Google Analytics, and/or deleting others. This is not as drastic as it sounds – often times I see a tracking pixel deployed to track some specific user event, when actually the same information can be obtained within Google Analytics reports.
  • Keep N to as small as number as possible i.e. one that your organisation can manage (and justify) the resources required to ensure GDPR compliance. Remember GDPR is a continuous obligation, not a set and forget project.
  • Manage ALL tracking pixels (or the widgets/plugins that deploy them) using GTM or other tag manager solution. Tag managers are a huge time saving for managing your deployment(s).

3. The Simplest Route:

Dodge the headache of compliance for all your 3rd-party tracking pixels (pretty much all social platforms and 3rd-party widgets/plugins employ some kind of tracking – the infamous “Like” button is probably the most prolific), by requiring consent by default. That is, for all your visitors, European or otherwise, before any tracking takes place. That way, there are no grey areas and you minimise any risk of getting this wrong – a high risk considering website content is often constantly in flux…

Note, as I state at the beginning of this article, if Google Analytics is the only thing deploying tracking pixels AND you are not using Google Analytics Advertising features, then you do not require visitor consent.

Five Tips When Requesting Consent to Track

Essentially, the approach is that you need to create a compliance alert to your users on their first visit. You probably already have such a message already. However, often I find tracking is already taking place as soon as the visitor loads a page from your site – before they have accepted (or not) your offer to track their activity. That of course is wrong.

Instead, if your visitor accepts to be tracked, then you track their activity into Google Analytics and cookie them. This is so that when they return, you check for the cookie and if present, your compliance alert is not shown again. If your visitors do not accept being tracked and no cookie exists from a previous session, you cannot track them – by any method.

Five tips for compliance consent:

1. Keep your compliance alert in place until your visitor takes action to accept it. If accepted the alert is removed. If the visitor takes no action, then your compliance alert remains in place. That is, there is no available action for the visitor to reject the alert.

2. A site cannot stop or block content if no tracking consent is given. The trick is to make the alert “irritating” and “distracting” enough for the visitor to want to take action, but ultimately you cannot stop the user accessing your content if they do not.

I deliberately emphasize irritating and distracting as you must give a strong reason for the user to take action – accept to be tracked. Otherwise you risk large swathes of visitors simply ignoring your alert and continuing to browse your content regardless i.e. you lose a large amount of visitor data!

3. Do not track unless consent is given – this goes without saying! As long as the visitor does not clear their cookies, their subsequent visits will not trigger the alert.

4. Remember you are only storing if consent is given. Do not store the fact that a visitor did not give consent (i.e. via a cookie) – that would defeat the object.

5. Ensure the correct timing of your data hits. If you track the action of actually confirming consent i.e. the acceptance click, ensure you send this to Google Analytics after the pageview hit has fired. This sequence is important – a pageview hit should always come first, otherwise Google Analytics gets confused (for example, landing pages become “not set”, campaign attribution is lost).

This website take the above approach. If you do not see the compliance alert, simply remove your cookies from this domain and reload the page. The alert is meant to be irritating/distracting enough for visitor to click to accept, without killing the user experience completely! I would be interested to hear if you feel it works and any other comments on this article you have.

BTW, if you are interested in what I am building in this space – an automated GA data auditing tool – visit verified-data.com.

Useful GDPR Resources

Share Button

Comments (most recent first)

  1. Tânia says:

    Hi Brian
    Great article!
    I have a blog, I dont use GA Advertising Fetures (I already confirm in my GA account that this option is disable) and I anonymized IP. So I dont need to get consent from visitors right? And what abbout Google AdSense? Do you have any post about that? I disable the personalized Ads I dont know if I need a cookie consent about Google AdSense…
    Bests

    • Afaik Adsense works by sharing 3rd-party cookies. So if you use that then I would say you need to request consent.

      • Tania says:

        Hi Brian
        Thanks for your answer. And what abbout if i use non personalized Ads?
        The RGPD data that says that we need to have explicit concent to colect data, but I could not find any WordPress cookie plugin that has AdSense option and One that just activate the cookies if the visitor click on agree… Bests

        • For obvious reasons I can’t specific advice, but essentially the general rule is: Are you sharing data with 3rd-parties that are not under your direct control? To clarify this point, showing your accountant your data is a third party that is under your direct control. Sharing data with other Google advertisers is not.

          HTH

  2. DS says:

    I have a question about a special case. If the owner of the website has analytics and no other tracking pixels in his site, but he lets another person watch the analytics report of his site, does he have to ask the users for consent?

    • I see no issue with that (i.e. No consent required). My analogy would be an accountant reviewing your business accounts at the year end. That is, the business that collected the data is still in control and the 3rd party accountant is working on behalf of the business.

  3. Jonas says:

    Very nice article. Thanks for that.
    What I have problems with, is a rather technical issue. You state that we should track the given consent. So I need to send some information to google analytics again to track the consent, that a user has given by accepting via clicking on a popup-message. But how would I do that?
    And how is this of value. Let’s say I just use Google Analytics with anonymized IP and no url would ever show any personal data in google analytics.
    Then I get consent from a user that I use google analytics, and I – somehow – store this information in Google analytics again. How would this be of any value, if I cannot connect the given consent with an actual user?

    Or is this all irrelevant, if I don’t track IPs, or any other identifiable personal information via google analytics?

    And then again, let’s assume I track the IP after the given consent, would I have to somehow store the fact, that a user has given the consent with his IP (in connection)?

    Thanks for some clarification. Much appreciated.
    Cheers

    • Hello Jonas – a couple of points for you:

      • Remember GDPR is about your organisation’s handling of data. It is not specific to any tool or technology, such as Google Analytics.
      • Anonymising IP is not a magic switch that makes an org GDPR compliant – its simply best practise and in my view should have always been ON by default (more on the impact of that in my next post 🙂
      • Tracking all user actions is best practice e.g. a click to consent, as opposed to assuming. Do this as an event and ensure the event fires before any pageview request.
      • Only store the consent value. Non-consent should not be stored!
      • If you want to store the clientID of your visitors when they click to consent, do this as a user-scoped custom dimension. That way, the value persists when they return i.e. when they do not need to consent again.
      • Jonas says:

        Hi Brian
        thanks for your very quick response. I do realize your points, I may have focused on the GA a bit too much – that’s just because I am web developer and most of the clients ask me things about how to handle tracking data especially when done by google.

        I note: I have to track the click as an event in GA. That helps a lot. I did not know that this was possible.

        And just for further understanding:
        Let’s assume the following (and we have in mind, that we are just focusing on the tracking data, not all other required steps to become GDPR comliant):

        I have a normal webpage, without any forms, any newsletter, just display of information. I use google analytics for tracking how many visitors my page is getting, but GA never gets URL parameters with usernames, phone numbers etc – because this just not part of the page.

        I understand that the IP is an PII (personally identifiable information). So I anonymize this, because it makes sense anyway (agree on this with you).

        As far as I understand things like:
        – Which browser is used
        – What page is visited
        – Which OS the user has
        … etc.

        Is all not an PII, am I right?

        So in the described case above I would not even have to get any consent, because I don’t track any PII.
        Or is this a whole misunderstanding in my side.

        Thank you in advance.
        Best,
        Jonas

        • Yes, you are correct, so long as:

          • You can verify there are no other tracking pixels
          • GA has its “advertising features” turned off

          Consent is not required. Anonymizelp is a bonus (best practice).

  4. Hugo says:

    3. Do not ask twice
    4. Do not store the answer

    This is a paradox. How can we know if someone said “no” if we do not store that answer in some form?

    What came first, the chicken or the egg?

    • Think of it this way:

      1. if visitor consented, store that. When the same visitor returns, if consent storage is present, do not ask for consent again.
      2. if visitor has NOT consented, do not store any value. When the same visitor returns there is no storage present, therefore consent must be asked for.

  5. Yaro says:

    Hi Brian,
    Thanks for the post. Just a quick question – what about Compliance Check pop-up – isnt the GA tracking should be loaded only if visitor clicks on it?
    Right now i can see that Im still tracked with CliedtID ( if Im not mistaken its part or PII) but pop-up is also live:
    http://prntscr.com/jij2by
    Is its valid “Compliance Check” implementaion?
    Thanks in advance for your time and help!

    • Correct – if you have decided that consent must be granted then no tracking should take place until it is given. In that case make sure your send the pageview hot first before the event click – GA gets confused if it does not see a pageview first.

      BTW, you are not allowed to block access to your content if a visitor does not consent. My analogy is from bricks and mortar retail stores – a store owner cannot stop someone visiting a store just because they don’t like the look of them. That is called discrimination and is illegal in the EU.

  6. Andrew says:

    Loads of web sites using GA, grab my data, ship it out and then tell me what they have done in their Privacy Policy, normally with a loose comment like, we only ship data to companies are reputable. I’m not seeing any chance to consent to this. Even on the ICO’s website my data is pushed through GA.

    Being given to a choice after the event, isn’t really a choice. How can I get all these organisations not to track me through third parties?

    • Hello Andrew – I agree that is the situation we face, hence why I support the principal of GDPR. I think that one day it will become the global norm for best practise. And those businesses that don’t practice it will fail – and quickly – as now there is a legal framework for action against data abuse.

      The question you raise is really for the ICO (in the UK). I am surprised the ICO track without consent. They did not used to – as this comment/chart from Vicky Brock shows: https://brianclifton.com/blog/2011/05/20/google-analytics-and-the-new-eu-privacy-law/#comment-53291, the ICO website lost 90% of their web data when they opted for explicit consent to track in 2011 – maybe that is why they no longer do that!

      There is no doubt that only tracking with explicit consent is going to lose a lot of traffic, hence why I suspect everyone is waiting to see what the other websites do. I am conducting a study now to see what the data loss impact is i.e. my next blog post.

  7. Cathie says:

    Hello Brian, thanks for your article. I am struggling to understand #3 – how to actually implement the process of tracking only when consent is given. I can provide some kind of Compliance Alert, but I don’t know how to ‘link’ it to the the Google remarketing tag or Facebook Pixel installed on my site, so that they only fire if consent is actually received (currently they fire for every visit). I’m not a coder … is there a WordPress plugin that can handle this?

    • Hi Cathie – I do this using GTM. The key is how you define your trigger. Essentially you need to wait until the visitor clicks on “accept” before tracking. That picks up first time visitors who get the alert. However, returning visitors who have previously accepted will not see the alert as they have been cookied. So my trigger is also setup to look for the presence of this cookie – firing only when present.

      HTH. At some point I will write up my GTM solution. I haven’t done this so far as it is specific to my cookie alert plugin…

  8. Yves says:

    In your understanding, would you consider using GA with user ID without consent, in the assumption demographics, interests, advertising are off?

    • In short, no I wouldn’t. By definition a userId ultimately identifies a visitor, such as via your crm.

      However, if it is completely anonymous e.g. A random number, then its no different to the GA cookie (clientid)

      Hope that helps.

      • Yves Hiernaux says:

        Thank you!

        I was hoping that the ePrivacy statement to come (which is anyway still in draft) explaining analytics would be ok for performance measurement, would actually tackle this too.

        Now, when I read opinion like this one:
        http://ec.europa.eu/newsroom/document.cfm?doc_id=44103
        —-
        Additionally, the exception for “web audience measurement” is imprecisely worded. Art. 8(1) (d) of the Proposed Regulation provides for an exception for web audience measuring. The first point of concern is that this term is undefined and may be confused with user profiling. The definition should make clear that this exception cannot be used for any profiling purposes. The exception should only apply to usage analytics necessary for the analysis of the performance of the service requested by the user, but not to user analytics, (i.e. the analysis of the behaviour of identifiable users of a website, app or device). Therefore, the exception cannot be used in circumstances where the data can be linked to identifiable user data processed by the provider or other data controllers.
        —-

        I think the use of User-ID without consent will not be possible even if there are Ads goals or even profiling. Just understanding the campaigns that works and convert.

        As a user, if I have to actively consent to be tracked, I will certainly not do it.

        • Hello Yves

          I too used to argued that explicit consent was not required for benign tracking e.g. using first-party cookies, and importantly, when data is aggregated i.e. no individual user tracking taking place – not even anonymously. GA being the classic example at that time.

          However, the GDPR has moved the needle on this. Essentially because there really is no such thing as benign tracking anymore. Everyone wants to track users, not aggregated cookies, and even when anonymous, there is so much other “anonymous” data freely available that it is relatively trivial to triangulate these data points to identify the user. So attempting to define GA which now focuses very much on users rather than sessions, or any other tracking tool for that matter, as benign is now obsolete…

          • Yves Hiernaux says:

            Just to make sure I understand you right.

            The consent as I understand it in GDPR must be an active consent, in the sense that the script for GA cannot be loaded before the consent is given. Passive consent as the cookie law allowed it, is no more possible.

            I was looking for the non-consent approach, because as a user, who will decide to actively check that box. No one will want to be tracked and ask for it.

            But on your website, the consent is a passive one. GA is already loaded.

            This contradicts the active consent approach too?

            Sorry for being so blunt. This is a grey area and everyone seems to have different explanations.
            Your articles is one of the rare ones that was actually very interesting.

          • I take by active consent, you mean explicit consent? Essentially, scripts can load but data to 3rd-parties cannot be sent without explicit visitor consent obtained first i.e. opt-out by default. That is how this site will work form 25th May onwards.

            To avoid requiring consent, then you need to employ either method 1 or method 2 for compliance. What I am stressing is that it is your website as a whole that needs to be compliant, not any specific tool.

            Hope that helps.

          • Yves Hiernaux says:

            I really appreciate your help.
            This has been the most valuable information I have found till now.

            What do you mean by method 1 or 2?

          • The methods I describe under the heading: Best Practice Advice For GDPR Compliance

  9. Hi Brian, just wanted to get your thoughts on an approach which has occurred to me.

    What would be the impact of your recommendations if you set the user cookie expiration to 0 so that it becomes a session cookie and if you set the IP address to be anonymised. If doing this, you would also be switching off the advertising features so guessing this would just fall into your category of not requiring consent.

    However, with the above, I would want to track customer IDs for users that login via the User ID feature. Having received consent from them at registration or login for doing so. Would then end up with two solutions, one for anonymous visitors and one for identified visitors. And actually might want those advertising features on for the identified visitors.

    Thoughts?

    Peter

    • Hi Peter

      I agree that forcing a session cookie instead would make the “advertising” features redundant (and use anonymiseIP just to be sure). However, the visitor information will still be transmitted (to Doubleclick in Google’s case) and so there is at least the potential for it to be shared with 3rd-parties. Rather than hack, what is needed imo is a parameter in the data hit sent that ensures if set, Google/Doubleclick, drop the hit completely and there is no storage.

      However, the point I am trying to make is that it does not matter what Google say about their tool(s), or whether you, me or the EU agree or not with their approach. Google have given their advice to users and if it is wrong, well Google will need to sort that out.

      Rather, I am stating that websites have so many tracking pixels – often buried, or daisy-chained with multiple dependencies so they are hard to discover. For example WordPress plugins, or the share-me, love-me, like-me social media buttons deployed everywhere.

      So I am saying: “don’t base compliance on a tool, base it on your website“. Therefore, I recommend to ask for consent as default.

  10. Aurelie Pols says:

    Hey Brian,

    Wow, you still think Google Analytics could benefit from the “audience measurement” exemption under ePrivacy to avoid consent, hey?
    I see we continue to agree to disagree 😉

    Not only did Google bundle it’s privacy policies back in 2012, including GA, but they also define where the data is stored in order to improve latency. And while such optimisation efforts are obviously laudable in our line of work, it does bring about an awkward quirk under the GDPR.
    I explain this at length in my article on LinkedIn here: https://www.linkedin.com/pulse/gdpr-google-analytics-you-island-aurélie-pols/. It boils down to the idea that as they define “means of processing”, they have become “joint controllers” and are not mere controllers as their terms state.

    Note that article 26 of the GDPR – on joint-controllers – mentions in paragraph 3 that:
    “Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.”

    And while Google already back in January mentioned they would allow some form of API tool to respect data subject’s rights, which was re-iterated in their communication last week around the 12th of April, I’m still waiting for the section called “User Deletion API” to actually show something in https://developers.google.com/analytics/#apis-for-reporting-and-configuration.

    At the same time, Google is also pushing through this idea that data controllers/advertisers are solemnly responsible for consent, effectively putting everybody in a very dire situation where it’s a take it or leave it stance that is impossible to keep up if you want to be even close to GDPR compliance.
    Note that I didn’t write about the published but someone else did and came to the same conclusions: https://digitalcontentnext.org/blog/2018/04/12/google-to-publishers-on-gdpr-take-it-or-leave-it/

    In light of all that, pushing this idea that you don’t need consent for GA because they only do “audience measurement” and fall under the current ePrivacy exception is a pill I find extremely hard to swallow.

    Last but not least, with respect to legitimate interest (LI), please note that the GDPR specifies in article 6.1 (f) that LI can be used as a legal basis for processing if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

    So while LI might magically reappear within the ePrivacy (now) Regulation that is still in draft mode, I’d argue that consent is actually closer to some form of technical requirement than any use of justified LI. After all, one of the principles added to the GDPR is one of accountability in article 5.2:
    “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

    Best of luck with that when using GA.
    Options?
    Ask for consent and see you traffic tank. Haven’t we been here before, Brian? https://brianclifton.com/images/ICO-visitors.png
    Change tools if traffic is important to you: some European tools would do the trick.

    Hope it helps, kind regards from Madrid,
    Aurélie

    • Hello Aurelie – I just wanted to ensure we are on the same wavelength – which I feel we are not…

      The summary is a summary of the advice from Google – I have edited to make that clearer. My input on what I think about that is from the BIG BUT onwards.

      My post is not intended to point the finger of whether the EU is correct or not, or whether Google is correct or not, or who is responsible – that would dilute the point I am trying to make i.e. that having consent is a good default position to have.

      Adopting default consent protects the website organisation from litigation, or the very expensive and resource intensive job of assessing compliance for all potential tracking pixels – In fact, I will say this is impossible to achieve for all but the most basic of websites. More importantly, it gives users (I prefer the name customers or potential customers!) confidence that the organisation they are interested in takes their data seriously. That’s got to be good for business… 😉

  11. Teta Jewo says:

    You say “3. Do not track unless consent is given – this goes without saying!” Does that mean you don’t believe businesses will be able to rely on legitimate interest as a lawful basis for using Google Analytics (advertising features aside)?

    • Hello Teta – as I state at the beginning of this article, if Google Analytics is the only thing deploying tracking pixels AND you are not using Google Analytics Advertising features, then you do not require visitor consent.

      So the tips section assumes you have made the decision that you require visitor consent.

      • Rachael Clark says:

        Hi Brian. Many thanks for sharing your thoughts on this. One of the most comprehensive I have seen.

        Going back to the point about Google Analytics, an area I am unclear on (and have read lots of opposing articles about) is whether even if you have removed advertising features and anonymised the IP, ensured you’re not collecting data via query strings or using User Ids (phew!), are Google still sharing that data with third parties for others to advertise against?

        For example, when you set up your analytics properties you provide information on the category of the site and I have always presumed they therefore track that cookie against that category of interest to inform their other advertising products and therefore allow other advertisers to market to a user that has visited any site using GA. Therefore, whether you use the advertising features or not, are they not already using this behavioural and interest Client ID data to give an audience of others to advertise against? As such, this is where I believe it is on dodgier ground than the likes or Matomo who have no advertising link ups at all (albeit the IP and User ID elements still need to be considered).

        • Thanks for the feedback Rachael

          The short answer is I don’t know. But in my experience it is highly unlikely Google shares any data with 3rd-parties unless it explicitly says so. That is simply the way they think i.e. privacy built in from the ground up, not an addon later. This was a key point of mine when I was discussing joining the company after the Urchin acquisition. Anyway, I digress…

          I take your point about selecting your business vertical/category (and also selecting to share your data with other Google products) in the Admin settings. However, this was for Google to understand the product usage better so they could build a better product i.e. there is no hidden agenda.

Leave a Reply

Your email address will not be published. Required fields are marked *

Anti-spam question (required):

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Brian Clifton 2018
Best practice privacy statement