Noise or Music? - The Insights Blog

Google Analytics, GDPR and Consent

Categories: Privacy and Accuracy / Comments: 8

Share Button

I am going to assume you are aware of GDPR (who isn’t? And Facebook have successfully heightened the awareness in the US). You should also be aware that even though I work in the data industry, I have been a strong privacy advocate for many years now. I approach the subject as an end-user would. Let’s face it, for many years now the data/tracking industry has a bad reputation in general…

In this post I address a key question that is troubling many a website owner using Google Analytics (the “Controller” in GDPR terminology):

Is explicit consent required before I can track my visitors?

 

Visitor Consent For GDPR Compliance

Q: Do I have to gain explicit visitor consent before I can track my website visitors?

A: It depends…

From two new official Google documents:

  • Policy requirements for Google Analytics Advertising Features: “If you’ve enabled any Google Analytics Advertising features, you are required to notify your visitors by disclosing the following information in your privacy policy”
  • EU user consent policy: “You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and…”

What are the Google Analytics Advertising features?
These include Demographics and Interest Reports, Remarketing with GA and DCM Integration. The reasoning is that these features require the use of 3rd-party cookies i.e. the sharing of data with organisations other than the website being visited itself. Hence the privacy implications.

Summary of Google’s Advice
If you use these Advertising features in GA, you must request explicit consent. If you do not, then you don’t.

BIG BUT…

There is a very large caveat to this – hence I don’t follow Google’s advice. The GDPR is specifically agnostic to the data tool and technology being used. That means gaining consent from your visitors must be based on what data your website collects and does with data – not what happens within Google Analytics.

So if a website has any other tracking technology e.g. social share icons that also send tracking pixels to 3rd parties, consent would be required. That is the situation for the vast majority of websites – lots of tracking pixels firing off to all sorts of places (3rd parties), where governance is potentially unknown.

Here is a classic example of the problem – a blog that uses the 3rd-party Disqus plugin for handling its comments and visitor engagement: The image is taken from the Chrome Developer Console, Network tab:

The image shows that when an article is loaded from the blog, data is sent to the 3rd-party Google Analytics account of Disqus. (Disqus could use any logging tool, even their own, it just happens to be Google Analytics in this case). Note the UA number: UA-1410476. If you view the source of discus.com, you will see the same UAID. Here is another example from a different US focused site.

What is The Implication of This?

If I as a visitor go to the blog site in question running Disqus, then visit other unrelated sites that also use Disqus, ALL my visit data from these sites goes into to the Disqus log/account i.e. they have the ability to stitch together sessions from different websites I visit. Hence the privacy implications for the owner of the original blog website. Therefore, if such a website owner wanted to avoid having to implement tracking consent from its visitors, they would need to verify ALL the 3rd-party tracking pixels on their site and ensure that these match the GDPR requirements for non-consent. That is certainly possible, but not easy by a long shot and a nightmare to manage over time…!

Note, this is not a dig at Disqus. I use them only as an example to illustrate the point – that is, the website owner’s responsibility for obtaining consent goes way beyond what Google specifies for its tools and products.

Best Practice Advice For GDPR Compliance

1. Avoid: The long drawn out and expensive process of auditing your entire site for tracking pixels, building a compliance matrix for each tool, making the necessary changes, and having to repeat/manage this over time.

2. Alternative:

  • Communicate to your organisation that only N tracking pixels are allowed, where N is a small manageable number e.g. 5. That is, all web tracking requirements for the organisation, must be provided by N tools/tracking pixels.
  • That means replacing tracking pixels with Google Analytics, and/or deleting others. This is not as drastic as it sounds – often times I see a tracking pixel deployed to track some specific user event, when actually the same information can be obtained within Google Analytics reports.
  • Keep N to as small as number as possible i.e. one that your organisation can manage (and justify) the resources required to ensure GDPR compliance. Remember GDPR is a continuous obligation, not a set and forget project.
  • Manage ALL tracking pixels (or the widgets/plugins that deploy them) using GTM or other tag manager solution. Tag managers are a huge time saving for managing your deployment(s).

3. The Simplest Route:

Dodge the headache of compliance for all your 3rd-party tracking pixels (pretty much all social platforms and 3rd-party widgets/plugins employ some kind of tracking – the infamous “Like” button is probably the most prolific), by requiring consent by default. That is, for all your visitors, European or otherwise, before any tracking takes place. That way, there are no grey areas and you minimise any risk of getting this wrong – a high risk considering website content is often constantly in flux…

Note, as I state at the beginning of this article, if Google Analytics is the only thing deploying tracking pixels AND you are not using Google Analytics Advertising features, then you do not require visitor consent.

Five Tips When Requesting Consent to Track

Essentially, the approach is that you need to create a compliance alert to your users on their first visit. You probably already have such a message already. However, often I find tracking is already taking place as soon as the visitor loads a page from your site – before they have accepted (or not) your offer to track their activity. That of course is wrong.

Instead, if your visitor accepts to be tracked, then you track their activity into Google Analytics and cookie them. This is so that when they return, you check for the cookie and if present, your compliance alert is not shown again. If your visitors do not accept being tracked and no cookie exists from a previous session, you cannot track them – by any method.

Five tips for compliance consent:

1. Keep your compliance alert in place until your visitor takes action to accept it. If accepted the alert is removed. If the visitor takes no action, then your compliance alert remains in place. That is, there is no available action for the visitor to reject the alert.

2. A site cannot stop or block content if no tracking consent is given. The trick is to make the alert “irritating” and “distracting” enough for the visitor to want to take action, but ultimately you cannot stop the user accessing your content if they do not.

I deliberately emphasize irritating and distracting as you must give a strong reason for the user to take action – accept to be tracked. Otherwise you risk large swathes of visitors simply ignoring your alert and continuing to browse your content regardless i.e. you lose a large amount of visitor data!

3. Do not track unless consent is given – this goes without saying! As long as the visitor does not clear their cookies, their subsequent visits will not trigger the alert.

4. Remember you are only storing if consent is given. Do not store the fact that a visitor did not give consent (i.e. via a cookie) – that would defeat the object.

5. Ensure the correct timing of your data hits. If you track the action of actually confirming consent i.e. the acceptance click, ensure you send this to Google Analytics after the pageview hit has fired. This sequence is important – a pageview hit should always come first, otherwise Google Analytics gets confused (for example, landing pages become “not set”, campaign attribution is lost).

This website take the above approach. If you do not see the compliance alert, simply remove your cookies from this domain and reload the page. The alert is meant to be irritating/distracting enough for visitor to click to accept, without killing the user experience completely! I would be interested to hear if you feel it works and any other comments on this article you have.

BTW, if you are interested in what I am building in this space – an automated GA data auditing tool – visit verified-data.com.

Useful GDPR Resources

Share Button

Comments (most recent first)

  1. Hi Brian, just wanted to get your thoughts on an approach which has occurred to me.

    What would be the impact of your recommendations if you set the user cookie expiration to 0 so that it becomes a session cookie and if you set the IP address to be anonymised. If doing this, you would also be switching off the advertising features so guessing this would just fall into your category of not requiring consent.

    However, with the above, I would want to track customer IDs for users that login via the User ID feature. Having received consent from them at registration or login for doing so. Would then end up with two solutions, one for anonymous visitors and one for identified visitors. And actually might want those advertising features on for the identified visitors.

    Thoughts?

    Peter

    • Hi Peter

      I agree that forcing a session cookie instead would make the “advertising” features redundant (and use anonymiseIP just to be sure). However, the visitor information will still be transmitted (to Doubleclick in Google’s case) and so there is at least the potential for it to be shared with 3rd-parties. Rather than hack, what is needed imo is a parameter in the data hit sent that ensures if set, Google/Doubleclick, drop the hit completely and there is no storage.

      However, the point I am trying to make is that it does not matter what Google say about their tool(s), or whether you, me or the EU agree or not with their approach. Google have given their advice to users and if it is wrong, well Google will need to sort that out.

      Rather, I am stating that websites have so many tracking pixels – often buried, or daisy-chained with multiple dependencies so they are hard to discover. For example WordPress plugins, or the share-me, love-me, like-me social media buttons deployed everywhere.

      So I am saying: “don’t base compliance on a tool, base it on your website“. Therefore, I recommend to ask for consent as default.

  2. Aurelie Pols says:

    Hey Brian,

    Wow, you still think Google Analytics could benefit from the “audience measurement” exemption under ePrivacy to avoid consent, hey?
    I see we continue to agree to disagree 😉

    Not only did Google bundle it’s privacy policies back in 2012, including GA, but they also define where the data is stored in order to improve latency. And while such optimisation efforts are obviously laudable in our line of work, it does bring about an awkward quirk under the GDPR.
    I explain this at length in my article on LinkedIn here: https://www.linkedin.com/pulse/gdpr-google-analytics-you-island-aurélie-pols/. It boils down to the idea that as they define “means of processing”, they have become “joint controllers” and are not mere controllers as their terms state.

    Note that article 26 of the GDPR – on joint-controllers – mentions in paragraph 3 that:
    “Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.”

    And while Google already back in January mentioned they would allow some form of API tool to respect data subject’s rights, which was re-iterated in their communication last week around the 12th of April, I’m still waiting for the section called “User Deletion API” to actually show something in https://developers.google.com/analytics/#apis-for-reporting-and-configuration.

    At the same time, Google is also pushing through this idea that data controllers/advertisers are solemnly responsible for consent, effectively putting everybody in a very dire situation where it’s a take it or leave it stance that is impossible to keep up if you want to be even close to GDPR compliance.
    Note that I didn’t write about the published but someone else did and came to the same conclusions: https://digitalcontentnext.org/blog/2018/04/12/google-to-publishers-on-gdpr-take-it-or-leave-it/

    In light of all that, pushing this idea that you don’t need consent for GA because they only do “audience measurement” and fall under the current ePrivacy exception is a pill I find extremely hard to swallow.

    Last but not least, with respect to legitimate interest (LI), please note that the GDPR specifies in article 6.1 (f) that LI can be used as a legal basis for processing if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

    So while LI might magically reappear within the ePrivacy (now) Regulation that is still in draft mode, I’d argue that consent is actually closer to some form of technical requirement than any use of justified LI. After all, one of the principles added to the GDPR is one of accountability in article 5.2:
    “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

    Best of luck with that when using GA.
    Options?
    Ask for consent and see you traffic tank. Haven’t we been here before, Brian? https://brianclifton.com/images/ICO-visitors.png
    Change tools if traffic is important to you: some European tools would do the trick.

    Hope it helps, kind regards from Madrid,
    Aurélie

    • Hello Aurelie – I just wanted to ensure we are on the same wavelength – which I feel we are not…

      The summary is a summary of the advice from Google – I have edited to make that clearer. My input on what I think about that is from the BIG BUT onwards.

      My post is not intended to point the finger of whether the EU is correct or not, or whether Google is correct or not, or who is responsible – that would dilute the point I am trying to make i.e. that having consent is a good default position to have.

      Adopting default consent protects the website organisation from litigation, or the very expensive and resource intensive job of assessing compliance for all potential tracking pixels – In fact, I will say this is impossible to achieve for all but the most basic of websites. More importantly, it gives users (I prefer the name customers or potential customers!) confidence that the organisation they are interested in takes their data seriously. That’s got to be good for business… 😉

  3. Teta Jewo says:

    You say “3. Do not track unless consent is given – this goes without saying!” Does that mean you don’t believe businesses will be able to rely on legitimate interest as a lawful basis for using Google Analytics (advertising features aside)?

    • Hello Teta – as I state at the beginning of this article, if Google Analytics is the only thing deploying tracking pixels AND you are not using Google Analytics Advertising features, then you do not require visitor consent.

      So the tips section assumes you have made the decision that you require visitor consent.

      • Rachael Clark says:

        Hi Brian. Many thanks for sharing your thoughts on this. One of the most comprehensive I have seen.

        Going back to the point about Google Analytics, an area I am unclear on (and have read lots of opposing articles about) is whether even if you have removed advertising features and anonymised the IP, ensured you’re not collecting data via query strings or using User Ids (phew!), are Google still sharing that data with third parties for others to advertise against?

        For example, when you set up your analytics properties you provide information on the category of the site and I have always presumed they therefore track that cookie against that category of interest to inform their other advertising products and therefore allow other advertisers to market to a user that has visited any site using GA. Therefore, whether you use the advertising features or not, are they not already using this behavioural and interest Client ID data to give an audience of others to advertise against? As such, this is where I believe it is on dodgier ground than the likes or Matomo who have no advertising link ups at all (albeit the IP and User ID elements still need to be considered).

        • Thanks for the feedback Rachael

          The short answer is I don’t know. But in my experience it is highly unlikely Google shares any data with 3rd-parties unless it explicitly says so. That is simply the way they think i.e. privacy built in from the ground up, not an addon later. This was a key point of mine when I was discussing joining the company after the Urchin acquisition. Anyway, I digress…

          I take your point about selecting your business vertical/category (and also selecting to share your data with other Google products) in the Admin settings. However, this was for Google to understand the product usage better so they could build a better product i.e. there is no hidden agenda.

Leave a Reply

Your email address will not be published. Required fields are marked *

Anti-spam question (required):

© Brian Clifton 2018
Best practice privacy statement