Google Analytics, GDPR and Consent
I am going to assume you are aware of GDPR (who isn’t? And Facebook have successfully heightened the awareness in the US). You should also be aware that even though I work in the data industry, I have been a strong privacy advocate for many years now. I approach the subject as an end-user would. Let’s face it, for many years now the data/tracking industry has a bad reputation in general…
In this post I address a key question that is troubling many a website owner using Google Analytics (the “Controller” in GDPR terminology):
Is explicit consent required before I can track my visitors?
Visitor Consent For GDPR Compliance
Q: Do I have to gain explicit visitor consent before I can track my website visitors?
A: It depends…
From two new official Google documents:
- EU user consent policy: “You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and…”
What are the Google Analytics Advertising features?
These include Demographics and Interest Reports, Remarketing with GA and DCM Integration. The reasoning is that these features require the use of 3rd-party cookies i.e. the sharing of data with organisations other than the website being visited itself. Hence the privacy implications.
Summary of Google’s Advice:
If you use these Advertising features in GA, you must request explicit consent. If you do not, then you don’t.
BIG BUT – Using 3rd-party tracking pixels
There is a very large caveat to this. The GDPR is specifically agnostic to the data tool and technology being used. That means gaining consent from your visitors must be based on what data your website collects and does with data – not what happens within Google Analytics.
So if a website has any other tracking technology embedded on its pages e.g. social share icons that also send tracking pixels to 3rd parties, consent would be required. That is the situation for the vast majority of websites – lots of embedded widgets and plugins with tracking pixels firing off to all sorts of places (3rd parties), where governance is potentially unknown.
Here is a classic example of the problem – a blog that uses the 3rd-party Disqus plugin for handling its comments and visitor engagement: The image is taken from the Chrome Developer Console, Network tab:
The image shows that when an article is loaded from the blog, data is sent to the 3rd-party Google Analytics account of Disqus. (Disqus could use any logging tool, even their own, it just happens to be Google Analytics in this case). Note the UA number: UA-1410476. If you view the source of discus.com, you will see the same UAID. Here is another example from a different US focused site.
What is The Implication of This?
If I as a visitor go to the blog site in question running Disqus, then visit other unrelated sites that also use Disqus, ALL my visit data from these sites goes into to the Disqus log/account i.e. they have the ability to stitch together sessions from different websites I visit. Hence the privacy implications for the owner of the original blog website. Therefore, if such a website owner wanted to avoid having to implement tracking consent from its visitors, they would need to verify ALL the 3rd-party tracking pixels on their site and ensure that these match the GDPR requirements for non-consent. That is certainly possible, but not easy by a long shot and a nightmare to manage over time…!
Note, this is not a dig at Disqus. I use them only as an example to illustrate the point – that is, the website owner’s responsibility for obtaining consent goes way beyond what Google specifies for its tools and products.
Best Practice Advice For GDPR Compliance
The long drawn out and expensive process of auditing your entire site for ALL possible tracking pixels. There will be many – I typically come across dozens, but I have come across sites with 100’s of tracking pixels! Building a compliance matrix for each tool, making the necessary changes, and having to repeat/manage this over time is of course possible, but extremely expensive.
2. An Alternative – Streamline your tracking pixels
- Communicate to your organisation that only N tracking pixels are allowed, where N is a small manageable number e.g. 5. That is, all web tracking requirements for the organisation, must be provided by N tools/tracking pixels.
- That means replacing some tracking pixels with Google Analytics, and/or deleting others. This is not as drastic as it sounds – often times I see a tracking pixel deployed to track some specific user event, when actually the same information can be obtained within Google Analytics.
- Keep N to as small as number as possible i.e. one that your organisation can manage and justify the resources required to ensure GDPR compliance. Remember GDPR is a continuous obligation, not a set and forget project and there is a zero economy of scale in the work required.
- Manage ALL tracking pixels (or the widgets/plugins that deploy them) using GTM or similar tag manager solution. Tag managers are a huge time saver for managing deployment(s).
3. The Simplest, though Bluntest Route – Consent always required
You can dodge the headache of compliance for all your 3rd-party tracking pixels by requiring consent by default – for all your visitors, European or otherwise, before any tracking takes place. That way, there are no grey areas and you minimise any risk of getting this wrong – a high risk considering website content is often constantly in flux. Remember, pretty much all social platforms and 3rd-party widgets/plugins employ some kind of tracking – the infamous “Like” button is probably the most prolific.
But, you will lose traffic…
Although consent by default dodges the significant headache of GDPR compliance, the issue you will face is that the vast majority of visitors will ignore your request for consent. – there really is very little in it for them. (See point 2 in the Tips section below on why you cannot force visitors to consent).
90% of visitors do not bother to consent
My research has shown that as many as 90% of visitors do not bother to consent – they simply ignore it or close the box. And if that is your default position to track, it means you could lose 90% of your traffic! Note I am referring to traffic in your web analytics report, not any actual visitors coming to your site…
4. The Best of Both Worlds
If you need to use remarketing, or other 3rd-party tracking pixels, you can be smart about it. That is, set remarketing and 3rd-party pixels OFF by default, then turn on if you gain consent. This is based on Google’s interpretation of the GDPR law as stated at the beginning of this article: Benign, 1st-party tracking does not require explicit consent. The trick to this being successful is being able to verify that is what you have, and only have, on your site.
This approach means you will not lose any traffic. Whether a visitor consents or not, you will still be able to track them with your benign, first-party tracking. What you lose is the ability to remarket to ALL of your visitors, or send data to other 3rd-parties – unless of course you have their explicit consent. That can still be a 90% reduction in the size of your remarketing lists, but you keep all of the data and visitor journeys. I feel this is a good compromise and is the method I use and recommend.
If you are a user of Google Analytics you can check if your website is compliant with verified-data.com (disclaimer – I am the founder).
Tips For Requesting Consent
Essentially, the approach is that you need to create a compliance alert to your users on their first visit. You probably already have such a message already. However, often I find tracking is already happening as soon as the visitor loads a page from your site i.e before they have accepted (or not) your offer to track their activity. That of course is wrong.
Instead, if your visitor accepts to be tracked, then you track their activity into Google Analytics and cookie them. This is so that when they return, you check for the cookie and if present, your compliance alert is not shown again. If your visitors do not accept being tracked and no cookie exists from a previous session, you cannot track them – by any method.
Five tips for compliance consent:
1. Keep your compliance alert in place until your visitor takes action to accept it. If accepted the alert is removed. If the visitor takes no action, then your compliance alert remains in place. That is, there is no available action for the visitor to reject the alert.
2. A site cannot block a visitor if consent is not given. The trick is to make the alert “irritating” and “distracting” enough for the visitor to want to take action, but ultimately you cannot stop the user accessing your content if they do not. This is directly analogous to a bricks-n-mortar store i.e. no store owner can deny a law abiding citizen access to their store just because they want to. Think of the implications if the citizen is a different colour, religion, gender, gay, transgender, disabled etc.
I deliberately emphasize irritating and distracting as you must give a strong reason for the user to take action – accept to be tracked. Otherwise you risk large swathes of visitors simply ignoring your alert and continuing to browse your content regardless i.e. you lose a large amount of visitor data!
3. Do not track unless consent is given – this goes without saying unless you can verify you have no third-party tracking! As long as the visitor does not clear their cookies, their subsequent visits will not trigger the alert. Related article: GDPR – Should You Request Consent Before Tracking?
4. Remember you are only storing whether consent is given. Do not store the fact that a visitor did not give consent (i.e. via a cookie) – that would defeat the object. You will be tracking them!
5. Ensure the correct timing of your data hits. If you track the action of actually confirming consent i.e. the acceptance click, ensure you send this to Google Analytics after the pageview hit has fired. This sequence is important – a pageview hit should always come first, otherwise Google Analytics gets confused (for example, landing pages become “not set”, campaign attribution is lost).
This website takes the above approach. If you do not see the compliance alert, simply remove your cookies from this domain and reload the page. The alert is meant to be irritating/distracting enough for visitor to click to accept, without killing the user experience completely! I would be interested to hear if you feel it works and any other comments on this article you have.
BTW, if you are interested in what I am building in this space – an automated GA data auditing tool – visit verified-data.com.
Useful GDPR Resources
- Guidance: What Agencies Should Know About The GDPR – EACA
- Data protection – Better rules for small business | European Commission
- GDPR: 10 examples of best practice UX for obtaining marketing consent | Econsultancy
- General Data Protection Regulation – Wikipedia, the free encyclopedia
- How the new EU cookie law affects law firms | The Law Gazette
- Key Changes with the General Data Protection Regulation | The Law Gazette
- Network Advertising Initiative – privacy opt out
- Public Perceptions of Privacy and Security in the Post-Snowden Era | Pew Research Center’s Internet & American Life Project
- The new EU ePrivacy Regulation: what you need to know | i-scoop
- Third-Party Cookies Explained
- Web-Analytics Firm KISSmetrics Reverses Course on Sneaky Tracking | WIRED
- What does shake-up of EU data laws really mean? – BBC News