Google Analytics, GDPR and Consent
I am going to assume you are aware of GDPR (who isn’t? And Facebook have successfully heightened the awareness in the US). You should also be aware that even though I work in the data industry, I have been a strong privacy advocate for many years now. I approach the subject as an end-user would. Let’s face it, for many years now the data/tracking industry has had a bad reputation in general…
In this post I address a key question that is troubling many a website owner using Google Analytics (the “Controller” in GDPR terminology):
Is explicit consent required before I can track my visitors?
Visitor Consent For GDPR Compliance
Q: Do I have to gain explicit visitor consent before I can track my website visitors?
A: It depends…
From two new official Google documents:
- EU user consent policy: “You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and…”
What are the Google Analytics Advertising features?
These include Demographics and Interest Reports, Remarketing with GA and DCM Integration. The reasoning is that these features require the use of 3rd-party cookies i.e. the sharing of data with organisations other than the website being visited itself. Hence the privacy implications.
Summary of Google’s Advice:
If you use these Advertising features in GA, you must request explicit consent. If you do not, then you don’t.
There is a very large caveat to this – hence I don’t follow Google’s advice. The GDPR is specifically agnostic to the data tool and technology being used. That means gaining consent from your visitors must be based on what data your website collects and what it does with that data – not what happens within Google Analytics.
So if a website has any other tracking technology embedded on its pages e.g. social share icons that also send tracking pixels to 3rd parties, consent would be required. That is the situation for the vast majority of websites – lots of embedded widgets and plugins with tracking pixels firing off to all sorts of places (3rd parties), where governance is potentially unknown.
Here is a classic example of the problem – a blog that uses the 3rd-party Disqus plugin for handling its comments and visitor engagement: The image is taken from the Chrome Developer Console, Network tab:
The image shows that when an article is loaded from the blog, data is sent to the 3rd-party Google Analytics account of Disqus. (Disqus could use any logging tool, even their own; it just happens to be Google Analytics in this case.) Note the UA number: UA-1410476. If you view the source of disqus.com, you will see the same UAID. Here is another example from a different US-focused site.
What is The Implication of This?
If I as a visitor go to the blog site in question running Disqus, then visit other unrelated sites that also use Disqus, ALL my visit data from these sites goes into the Disqus log/account i.e. they have the ability to stitch together sessions from different websites I visit. Hence the privacy implications for the owner of the original blog website. Therefore, if such a website owner wanted to avoid having to implement tracking consent from its visitors, they would need to verify ALL the 3rd-party tracking pixels on their site and ensure that these match the GDPR requirements for non-consent. That is certainly possible, but not easy by a long shot and a nightmare to manage over time…!
Note, this is not a dig at Disqus. I use them only as an example to illustrate the point – that is, the website owner’s responsibility for obtaining consent goes way beyond what Google specifies for its tools and products.
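A first pass at the verification described above can be scripted. This is an added example, not code from the original article: it takes request URLs as copied from the Network tab, lists the third-party hosts and flags Google Analytics account numbers that are not the site's own. The host names, the sample URLs and the UA numbers are constructed placeholders.

```javascript
// Added example: constructed data, hypothetical host names and account IDs.
const FIRST_PARTY = "blog.example";               // hypothetical site being audited
const OWN_GA_ACCOUNTS = new Set(["UA-0000001"]);  // placeholder for the site's own account

// Constructed request URLs, as they might be copied from the Network tab.
const SAMPLE_REQUESTS = [
  "https://blog.example/article/gdpr",
  "https://cdn.blog.example/css/site.css",
  "https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-0000001-1",
  "https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-0000002-3",
  "https://widget.example.net/embed.js",
  "https://social.example.org/pixel.gif?u=https%3A%2F%2Fblog.example%2F",
  "data:image/gif;base64,R0lGODlhAQABAAAAACw=",
];

// Simplified same-site test: exact host or a subdomain of it.
// (A production audit would use the Public Suffix List.)
function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith("." + firstParty);
}

function auditRequests(urls, firstParty, ownAccounts) {
  const hosts = new Set();
  const foreignGa = new Set();
  for (const raw of urls) {
    let url;
    try { url = new URL(raw); } catch (e) { continue; } // skip malformed entries
    if (!url.hostname) continue;                         // skip data: and similar
    if (!isThirdParty(url.hostname, firstParty)) continue;
    hosts.add(url.hostname);
    // Universal Analytics hits carry the property ID in the `tid` parameter.
    const m = /^(UA-\d+)-\d+$/.exec(url.searchParams.get("tid") || "");
    if (m && !ownAccounts.has(m[1])) foreignGa.add(m[1]);
  }
  return {
    thirdPartyHosts: [...hosts].sort(),
    foreignGaAccounts: [...foreignGa].sort(),
  };
}

console.log(auditRequests(SAMPLE_REQUESTS, FIRST_PARTY, OWN_GA_ACCOUNTS));
```

Every host in the output is a recipient whose data handling the site owner would have to verify; a foreign GA account is the situation the Disqus screenshot illustrates.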
Best Practice Advice For GDPR Compliance
1. Avoid: The long drawn out and expensive process of auditing your entire site for tracking pixels, building a compliance matrix for each tool, making the necessary changes, and having to repeat/manage this over time.
- Communicate to your organisation that only N tracking pixels are allowed, where N is a small manageable number e.g. 5. That is, all web tracking requirements for the organisation, must be provided by N tools/tracking pixels.
- That means replacing tracking pixels with Google Analytics, and/or deleting others. This is not as drastic as it sounds – often times I see a tracking pixel deployed to track some specific user event, when actually the same information can be obtained within Google Analytics reports.
- Keep N as small a number as possible i.e. one for which your organisation can manage (and justify) the resources required to ensure GDPR compliance. Remember GDPR is a continuous obligation, not a set and forget project.
- Manage ALL tracking pixels (or the widgets/plugins that deploy them) using GTM or other tag manager solution. Tag managers are a huge time saver for managing your deployment(s).
3. The Simplest Route:
Dodge the headache of compliance for all your 3rd-party tracking pixels (pretty much all social platforms and 3rd-party widgets/plugins employ some kind of tracking – the infamous “Like” button is probably the most prolific), by requiring consent by default. That is, for all your visitors, European or otherwise, before any tracking takes place. That way, there are no grey areas and you minimise any risk of getting this wrong – a high risk considering website content is often constantly in flux…
Note, as I state at the beginning of this article, if Google Analytics is the only thing deploying tracking pixels AND you are not using Google Analytics Advertising features, then you do not require visitor consent.
Five Tips When Requesting Consent to Track
Essentially, the approach is that you need to create a compliance alert to your users on their first visit. You probably have such a message already. However, often I find tracking is already taking place as soon as the visitor loads a page from your site – before they have accepted (or not) your offer to track their activity. That of course is wrong.
Instead, if your visitor agrees to be tracked, then you track their activity into Google Analytics and cookie them. This is so that when they return, you check for the cookie and if present, your compliance alert is not shown again. If your visitors do not accept being tracked and no cookie exists from a previous session, you cannot track them – by any method.
Five tips for compliance consent:
1. Keep your compliance alert in place until your visitor takes action to accept it. If accepted the alert is removed. If the visitor takes no action, then your compliance alert remains in place. That is, there is no available action for the visitor to reject the alert.
2. A site cannot stop or block content if no tracking consent is given. The trick is to make the alert “irritating” and “distracting” enough for the visitor to want to take action, but ultimately you cannot stop the user accessing your content if they do not.
I deliberately emphasize irritating and distracting as you must give a strong reason for the user to take action – accept to be tracked. Otherwise you risk large swathes of visitors simply ignoring your alert and continuing to browse your content regardless i.e. you lose a large amount of visitor data!
3. Do not track unless consent is given – this goes without saying! As long as the visitor does not clear their cookies, their subsequent visits will not trigger the alert.
4. Remember you are only storing if consent is given. Do not store the fact that a visitor did not give consent (i.e. via a cookie) – that would defeat the object.
5. Ensure the correct timing of your data hits. If you track the action of actually confirming consent i.e. the acceptance click, ensure you send this to Google Analytics after the pageview hit has fired. This sequence is important – a pageview hit should always come first, otherwise Google Analytics gets confused (for example, landing pages become “not set”, campaign attribution is lost).
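The consent logic in tips 1, 3, 4 and 5 can be expressed as a small gate that sits in front of every tracking call. This is an added example, not the code running on this website: the cookie name, the `cookies` store and the `send` function are hypothetical stand-ins for the browser cookie jar and the analytics library, and the hit fields are illustrative.

```javascript
// Added example: `cookies` and `send` are hypothetical stand-ins for the
// browser cookie store and the analytics library call.
const CONSENT_COOKIE = "tracking_consent"; // hypothetical cookie name

function createConsentGate(cookies, send) {
  let currentPath = "/";
  let pageviewSent = false;
  const hasConsent = () => cookies.get(CONSENT_COOKIE) === "yes";

  function sendPageview() {
    if (!hasConsent() || pageviewSent) return false; // tip 3: no consent, no hit
    send({ t: "pageview", dp: currentPath });
    pageviewSent = true;
    return true;
  }

  return {
    // Tip 1: the alert stays up until consent exists; there is no reject action.
    shouldShowAlert: () => !hasConsent(),
    // Call on every page load; sends nothing unless consent is already stored.
    onPageLoad(path) {
      currentPath = path;
      pageviewSent = false;
      return sendPageview();
    },
    // Call when the visitor clicks accept.
    accept() {
      cookies.set(CONSENT_COOKIE, "yes"); // tip 4: only acceptance is stored
      sendPageview();                      // tip 5: pageview hit goes first
      send({ t: "event", ec: "consent", ea: "accept" });
    },
  };
}

// Walk through a first visit, the acceptance click, and a later page load.
function demo() {
  const cookies = new Map(); // constructed in-memory cookie jar
  const hits = [];
  const gate = createConsentGate(cookies, (hit) => hits.push(hit.t));
  const trackedBeforeConsent = gate.onPageLoad("/article");
  const cookiesBeforeConsent = cookies.size;
  const alertBeforeConsent = gate.shouldShowAlert();
  gate.accept();
  gate.onPageLoad("/next");
  return { trackedBeforeConsent, cookiesBeforeConsent, alertBeforeConsent,
           hits, alertAfterConsent: gate.shouldShowAlert() };
}
```

In a real deployment every other tag on the page has to be held behind the same gate, for example through tag manager triggers, or hits will still fire before consent.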
This website takes the above approach. If you do not see the compliance alert, simply remove your cookies from this domain and reload the page. The alert is meant to be irritating/distracting enough for the visitor to click to accept, without killing the user experience completely! I would be interested to hear if you feel it works and any other comments on this article you have.
BTW, if you are interested in what I am building in this space – an automated GA data auditing tool – visit verified-data.com.