GDPR Consent & Google Analytics Guide

I am going to assume you are aware of GDPR (who isn’t? And Facebook have successfully heightened the awareness in the US). You should also be aware that even though I work in the data industry, I have been a strong privacy advocate for many years now. I approach the subject as an end-user would. Let’s face it, the data tracking industry has a bad reputation in general…

In this post I address a key question that is troubling many a website owner using Google Analytics – the “Controller” in GDPR terminology: Is explicit consent required before I can track my visitors?

Visitor Consent For GDPR Compliance

Q: Do I have to gain explicit visitor consent before I can track with Google Analytics?

A: According to Google – it depends…

From two official Google documents:

  • Policy requirements for Google Analytics Advertising Features: “If you’ve enabled any Google Analytics Advertising features, you are required to notify your visitors by disclosing the following information in your privacy policy”
  • EU user consent policy: “You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and…”

What are the Google Analytics Advertising features?
These include Demographics and Interest Reports, Remarketing with GA and DCM Integration. The reasoning is that these features require the use of 3rd-party cookies, i.e. the sharing of data with organisations other than the website being visited itself. Hence the privacy implications.

Summary of Google’s Advice:
If you use these Advertising features in Google Analytics, you must request explicit consent. If you do not use them, Google regards its tracking tool as collecting benign data, and so no consent is required.

Update Jan 2022: There is a growing consensus across EU data protection authorities that Google Analytics cannot be considered benign, even with Advertising Features disabled. Essentially Google is more than capable of stitching together such benign data to identify an individual and there is no formal documentation from them to deny this. For example, see this page from the French authority CNIL.

BIG BUT – Using 3rd-party tracking pixels

There is a very large caveat to this. The GDPR is specifically agnostic to the data tool and technology being used. That means gaining consent from your visitors must be based on what data your website (or app) collects and does with data – not what happens within Google Analytics.

So if a website has any other tracking technology embedded on its pages e.g. social share icons that also send tracking pixels to 3rd parties, consent would be required. That is the situation for the vast majority of websites – that is, lots of embedded widgets and plugins with tracking pixels firing off to all sorts of places (3rd parties), where governance is potentially unknown.

Here is a classic example of the problem: a popular blog in the analytics space (which I do not name) uses the 3rd-party Disqus plugin for handling comments and visitor engagement. The screenshot below, taken from the Network tab of the Chrome Developer Console, shows that when an article is loaded from the blog site, data is also sent to the 3rd-party Google Analytics account of Disqus. Disqus could use any logging tool; it just happens to be Google Analytics in this case.

Note, when I viewed the source of disqus.com the same UA-ID (UA-1410476) was also in use. Think about that for a moment – by using the Disqus.com plugin on your own website, Disqus allegedly sucks up your data – the same for ALL users of their plugin – and combines it with their own website data…

Here is another example from a different US focused site.

What is The Implication of This?

If a visitor goes to the blog site in question running Disqus, then visits other unrelated sites that also use Disqus, ALL the visit data from these sites goes into the Disqus log/account, i.e. they have the ability to stitch together sessions from different websites visited. There are huge privacy implications in doing that, not only for Disqus but also for the owner of the original blog website.

Essentially, audit your website (not tools) to establish what consent is required from your visitors before tracking them. As you may suspect, I have a tool for this, called verified-data.com.
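The Network-tab check described above, done as a script rather than by eye. This is an added example and is not code from the original post or from verified-data.com: given the list of URLs a page requested, it splits them into first- and third-party, labels the hosts it recognises as trackers, and flags any Google Analytics hit whose `tid` (property ID) is not one you operate, which is exactly the Disqus situation. The tracker list, the page URL and the request URLs are all constructed for the example; the property IDs are placeholders.

```javascript
// Added example (not from the original post or verified-data.com): triage
// the requests a page makes into first- and third-party, flag known tracking
// endpoints, and spot Google Analytics hits carrying a property ID that is
// not yours. Input is a list of request URLs; in a browser you can feed it
// performance.getEntriesByType('resource').map(e => e.name) or the URLs
// from a HAR export of the Network tab.

// Illustrative list of tracker domains, keyed by registrable domain.
// Constructed for this example; extend it with whatever your own audit finds.
const KNOWN_TRACKERS = {
  'google-analytics.com': 'Google Analytics',
  'doubleclick.net': 'DoubleClick (GA advertising features)',
  'facebook.com': 'Facebook pixel',
  'disqus.com': 'Disqus',
};

// Approximate the registrable domain by keeping the last two labels.
// Good enough for example.com-style names; a production audit should use
// the Public Suffix List so that foo.co.uk is not reduced to "co.uk".
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Returns { firstParty, thirdParty, thirdPartyDomains, foreignTrackingIds }.
// ownTrackingIds: the GA property IDs the site owner actually operates; any
// other `tid=` seen on the wire means data is flowing into someone else's
// account, whatever the widget that sent it.
function auditRequests(pageUrl, requestUrls, ownTrackingIds = []) {
  const pageDomain = baseDomain(new URL(pageUrl).hostname);
  const own = new Set(ownTrackingIds);
  const report = { firstParty: [], thirdParty: [], thirdPartyDomains: [], foreignTrackingIds: [] };
  const domains = new Set();

  for (const raw of requestUrls) {
    const u = new URL(raw, pageUrl);
    const domain = baseDomain(u.hostname);
    const entry = { url: u.href, host: u.hostname, tracker: KNOWN_TRACKERS[domain] || null };

    if (domain === pageDomain) {
      report.firstParty.push(entry);
    } else {
      report.thirdParty.push(entry);
      domains.add(domain);
    }

    // Universal Analytics hits (/collect) and GA4 hits (/g/collect) both name
    // the destination property in the `tid` query parameter.
    const tid = u.searchParams.get('tid');
    if (tid && !own.has(tid)) {
      report.foreignTrackingIds.push({ tid, host: u.hostname, url: u.href });
    }
  }
  report.thirdPartyDomains = [...domains].sort();
  return report;
}

// Constructed sample: a first-party page, its own GA property UA-100000-1,
// and an embedded comment widget that reports to a different GA property.
// Note the same cid in both GA hits: the _ga cookie is per site, not per
// property, so the widget's hit carries the same visitor ID as your own.
const SAMPLE_PAGE = 'https://blog.example/2018/gdpr-consent/';
const SAMPLE_REQUESTS = [
  'https://blog.example/wp-content/themes/site/style.css',
  'https://static.blog.example/img/header.png',
  'https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-100000-1&cid=1234.5678&dp=%2F2018%2Fgdpr-consent%2F',
  'https://stats.g.doubleclick.net/r/collect?v=1&t=dc&tid=UA-100000-1&cid=1234.5678',
  'https://blog-example.disqus.com/embed.js',
  'https://disqus.com/embed/comments/?base=default&f=blog-example',
  'https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-200000-1&cid=1234.5678&dl=https%3A%2F%2Fblog.example%2F2018%2Fgdpr-consent%2F',
  'https://www.facebook.com/tr?id=123456&ev=PageView',
];

const REPORT = auditRequests(SAMPLE_PAGE, SAMPLE_REQUESTS, ['UA-100000-1']);
console.log('third-party domains:', REPORT.thirdPartyDomains.join(', '));
for (const hit of REPORT.foreignTrackingIds) {
  console.log(`GA hit to a property you do not own: ${hit.tid} via ${hit.host}`);
}
```

Run it once per template, not once per site: a pixel that only fires after a click or on a checkout page will not appear in a snapshot of the home page, so capture the request list from each distinct page type and from the states a visitor can reach without consenting.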

Best Practice Advice For GDPR Consent Compliance

1. Streamline Your Tracking Pixels

  • Communicate to your organisation that only N tracking pixels are allowed, where N is a small, manageable number, e.g. 5. That is, all web tracking requirements for the organisation must be met by those N tools/tracking pixels.
  • That means replacing some tracking pixels with Google Analytics, and/or deleting others. This is not as drastic as it sounds: often I see a tracking pixel deployed to track some specific user event when the same information can be obtained within Google Analytics.
  • Keep N as small as possible, i.e. a number that your organisation can manage and for which it can justify the resources required to ensure GDPR compliance. Remember GDPR is a continuous obligation, not a set-and-forget project, and there is no economy of scale in the work required.
  • Manage ALL tracking pixels (or the widgets/plugins that deploy them) using GTM or a similar tag manager. Tag managers are a huge time saver for managing deployments.

2. The Simplest Route – Consent always required

You can simplify the headache of assessing compliance for all your tracking pixels by requiring consent by default – for all your visitors, European or otherwise, before any tracking takes place. That way, there are no grey areas and you minimise any risk of getting this wrong – a high risk considering website content is often constantly in flux. Remember, pretty much all social platforms and 3rd-party widgets/plugins employ some kind of tracking – the infamous “Like” button is probably the most prolific.

But, you will lose traffic. Although consent by default simplifies the significant headache of GDPR compliance, the issue you will face is that visitors will not want to give you their data. Why should they?

See my consent whitepaper on the best practice approach for doing this while maintaining a high opt-in rate.

3. The Best of Both Worlds

If you need to use remarketing, or other 3rd-party tracking pixels, you could be smart about it. That is, set remarketing and 3rd-party pixels OFF by default, then turn them on only once you have gained consent. This is based on Google’s interpretation of the GDPR as stated at the beginning of this article: benign, 1st-party tracking does not require explicit consent (but see the January 2022 update above: EU data protection authorities no longer accept that Google Analytics is benign, even with Advertising Features disabled).

This approach means you will not lose any traffic. Whether a visitor consents or not, you will still be able to track them with your benign, first-party tracking. What you lose is the ability to remarket to ALL of your visitors i.e. those that opted out.
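One way to implement the gating just described. This is an added example, not the post’s own GTM setup: the decision is made from a consent cookie, first-party analytics with advertising features off always fires, and the remarketing tag (or any other third-party pixel) only fires once consent has been given. A refusal is deliberately not stored, so the visitor is simply asked again on the next visit, and withdrawing consent is the same one-line operation as granting it. The cookie name and value, the tag IDs and the `consent_granted` event name are placeholders I chose for the example; the `gtag` config fields (`anonymize_ip`, `allow_google_signals`, `allow_ad_personalization_signals`) are gtag.js’s own.

```javascript
// Added example (not the post's own code): gate tags on a consent cookie.
// First-party analytics with advertising features off always fires, which
// is the "best of both worlds" route above; anything that ships data to a
// third party waits for consent. Cookie name/value and tag IDs are
// hypothetical placeholders.
const CONSENT_COOKIE = 'tracking_consent';
const CONSENT_GRANTED = 'granted';

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === CONSENT_GRANTED;
}

// Decide, for this page load, what may fire. Returned as data so the same
// decision can drive gtag.js directly or a tag manager trigger.
function tagPlan(cookieString) {
  const consented = hasConsent(cookieString);
  return {
    consented,
    analytics: {
      // gtag.js config fields: IP truncation always on; Google Signals
      // (demographics, remarketing lists) and ad personalisation only with consent.
      anonymize_ip: true,
      allow_google_signals: consented,
      allow_ad_personalization_signals: consented,
    },
    thirdPartyPixels: consented, // Ads remarketing, Facebook pixel, etc.
  };
}

// Apply the plan through an injected gtag function so it can be exercised
// without a browser. ids = { analytics: 'UA-…', ads: 'AW-…' } (placeholders).
function applyPlan(plan, gtag, ids) {
  // Always: first-party analytics, advertising features governed by consent.
  gtag('config', ids.analytics, plan.analytics);
  if (!plan.thirdPartyPixels) return;
  // Only with consent: the remarketing tag (add other third-party pixels here).
  gtag('config', ids.ads);
  // Record the consent as an event so the decision is visible in the data.
  gtag('event', 'consent_granted', { event_category: 'consent', non_interaction: true });
}

// Store consent only when it is given. A refusal writes nothing, so the
// visitor is asked again next time and "no" is never recorded anywhere.
function consentSetCookieValue(decision, maxAgeDays = 365) {
  if (decision !== CONSENT_GRANTED) return null;
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${CONSENT_GRANTED}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Withdrawing must be as easy as granting: expire the cookie, then re-run
// applyPlan(tagPlan(document.cookie), ...) which drops back to first-party only.
function consentWithdrawCookieValue() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring; only runs where document and the gtag() stub exist.
if (typeof document !== 'undefined' && typeof window !== 'undefined' && typeof window.gtag === 'function') {
  const IDS = { analytics: 'UA-100000-1', ads: 'AW-123456789' }; // placeholders
  applyPlan(tagPlan(document.cookie), window.gtag, IDS);
  // In the banner's "accept" handler:
  //   document.cookie = consentSetCookieValue(CONSENT_GRANTED);
  //   applyPlan(tagPlan(document.cookie), window.gtag, IDS);
  // In the "withdraw" control:
  //   document.cookie = consentWithdrawCookieValue();
}
```

The same decision expressed in GTM is a 1st Party Cookie variable on `tracking_consent` and a trigger condition of "equals granted" on every third-party tag; the analytics tag carries no such condition but has its advertising-features fields bound to the same variable. Whichever way it is wired, test it by clearing cookies and reading the Network tab: before accepting there must be no request to doubleclick.net, facebook.com or any other third party you did not put on the allowed list.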

BTW, if you are interested in what I am building in this space – a forensic GA data auditing tool with an emphasis on GDPR compliance – visit verified-data.com.

Looking for a keynote speaker, or wish to hire Brian…?

If you are an organisation wishing to hire me and my team, please view the Contact page. I am based in Sweden and advise organisations in Europe as well as North America.


44 Comments

  1. Bastien

    Hi,

    A very interesting post on a complex subject about which nothing is clear.

    About Google Analytics, I directly wrote to the CNIL in France (https://www.cnil.fr/en/home), the official body which checks the application of the GDPR.

    I asked them if Google Analytics could be compliant without consent if I set up the Google Analytics tag with all the parameters allowing me to disable ads, force SSL, anonymise IP, reduce cookie life to 13 months, …

    Even with all the possible set-up to anonymise, they replied “no”. Google Analytics can’t be used without consent, only because it’s… Google. They refer to some sentences in the Google policy breaking the GDPR.

    Some other consultants told me it’s wrong, some lawyers told me it’s ok and some other “it’s not”.

    CNIL says the only tracking tag which doesn’t need consent is Matomo with some setup.

    It’s a nightmare for our clients who lose 50% of their sessions if they strictly apply the GDPR.

    Not only CNIL says it’s not possible, but also in UK : https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-we-comply-with-the-cookie-rules/#comply6

    I don’t really understand what is allowed and what’s not and it’s a real problem for all pure-player websites. It’s as if the owner of a local shop is blind until the client tells him he can see and speak to him.

    Reply
  2. Max

    Hey Brian,

    so I am not using Google Analytics and I don’t think any of my plugins are giving out cookies. However, I am not sure what pixels are used by third parties. I have links to Facebook and Twitter, but that’s it I believe.

    Are there any good plugins for WordPress you can recommend that block cookies, pixels, and everything else needed for GDPR until consent is given?

    I found this plugin https://codecanyon.net/item/weepie-cookie-allow-easy-complete-cookie-consent-plugin/10342528

    Do you think this will be enough?

    Also, how do I go about tracking the given consent? I don’t think the plugin I linked above tracks the consent. I read in the comments that you use GTM. I have never used this tool so I am not sure how to go about it.

    Would really appreciate your time and help.

    Thanks

    Reply
    • Brian Clifton

      Hello Max – for my own personal purposes I use the wordpress plugin GDPR Cookie Consent Banner by termly. Clear your cookies and view this site again to see it in action

      For commercial websites I work with Cookiebot.com – nice and straightforward and a very good/scalable price (not free beyond the trial).

      Remember in both cases you are managing consent – that is not the same as managing cookies/tracking pixels. You have to make that connection yourself. I manage GA installs via GTM. Essentially, you check what consent you have or not (essentially you are looking for a consent cookie) and then fire tracking pixels accordingly. If no consent cookie then no tracking – or a different version of the tracking that is compliant for your purposes.

      HTH

      Reply
  3. Chris

    Thanks for the great article. You mentioned that it is unlikely that a site does not have any 3rd party plugins (e.g. social share plugins) that could be collecting PIIs, thus a cookie consent is usually needed. But if an EU user did not consent cookies by clicking “Accept Cookies”, I guess the 3rd party plugins would still function regardless, right? Or did you implement a solution to disable the plugins for EU users that choose not to consent?

    Reply
    • Brian Clifton

      Hello Chris – the way I implement this on my site is that GA will track a visitor with 1st-party cookies only until they accept the compliance message. If they accept that, then GA will also use 3rd-party cookies for remarketing/demographic data. I do this within GTM looking for the existence of a cookie.

      HTH

      Reply
  4. Earl R. Thurston

    One element of the GDPR seems to be overlooked here — “It shall be as easy to withdraw as to give consent.” The common interpretation of that I’ve found is that, if you have a control (button or otherwise) to allow the data subject to give consent, you must also maintain an equivalent control to revoke consent. Your method, which I frequently see implemented on a lot of websites, is to require users to dig into their browser settings to delete the cookies. This, to me, doesn’t seem as easy, and therefore should be non-compliant.

    Reply
    • Brian Clifton

      I envisage all of this to be better managed (i.e. easier) within browsers in the near future. That is the best place for it.

      Reply
      • Earl R. Thurston

        I would agree, both for requesting and revoking consent, since it would create some consistency for website visitors. At the moment, this process is individually programmed per site, making implementation a hodge podge of different styles and techniques, some of which don’t function if a user has JavaScript turned off. But one can certainly argue that, if someone has gone to the length to program a dialog box with an “Accept” button on their site, they can just as easily program an “I revoke my consent” button. There are also potentially detrimental aspects to requiring users to block cookies in order to revoke consent. It’s a bit of an unfair, unbalanced and biased approach meant to encourage consent and discourage refusal, and certainly not within the spirit of the GDPR.

        Reply
  5. Tara

    Hi Brian,

    I use Google Tag Manager to manage cookie consent. I had tried to set it up to allow Google Analytics only by default – so AdSense is blocked till the user accepts the cookie notice. But doing this creates Google Analytics cookies in the visitor’s browser, even though anonymous with no other advertising features.

    How does this follow along with the “Cookie Law” portion of the GDPR to not create any cookies on the users browsers without explicit consent, unless it is functionally required. I would really like to be able to track all our website visitors, to see the real number we have per day/week/month.

    I have lost at least 1/3 maybe more of my analytics tracking by setting to explicit permission for geo-targeted EU visitors. As no one in the EU is accepting the cookie consent – since it was put in place, I have had maybe one user accept. Is this common practice? Or is it just our sites that are missing out.

    On my other website, it is arcade games provided free by allowing game developers to run advertising. Since I have no control over the game developers ads running and creating cookies, I had to block this content from EU visitors till they accept the cookies. I have not advertised this site for this reason, so there is no activity.

    I’m not sure how else to get past the “you cannot block content”, but you also “cannot show ads” till explicit consent. I noticed that the games have added their own cookie banner, but it appears to just be click ok to acknowledge, not one that opts-in or opts-out. My options are, close down the site – not worth risking the fine. Block all EU visitors completely. Block content for EU visitors, till cookies are accepted.

    Reply
  6. Tânia

    Hi Brian
    Great article!
    I have a blog, I don’t use GA Advertising Features (I already confirmed in my GA account that this option is disabled) and I anonymised IP. So I don’t need to get consent from visitors, right? And what about Google AdSense? Do you have any post about that? I disabled the personalised ads; I don’t know if I need a cookie consent for Google AdSense…
    Bests

    Reply
    • Brian Clifton

      Afaik Adsense works by sharing 3rd-party cookies. So if you use that then I would say you need to request consent.

      Reply
      • Tania

        Hi Brian
        Thanks for your answer. And what about if I use non-personalised ads?
        The RGPD says that we need to have explicit consent to collect data, but I could not find any WordPress cookie plugin that has an AdSense option, or one that just activates the cookies if the visitor clicks on agree… Bests

        Reply
        • Brian Clifton

          For obvious reasons I can’t give specific advice, but essentially the general rule is: are you sharing data with 3rd-parties that are not under your direct control? To clarify this point, showing your accountant your data is sharing with a third party that is under your direct control. Sharing data with other Google advertisers is not.

          Looking at this page: https://support.google.com/adsense/answer/7670013?hl=en-GB, Google says that non-personalised ads do not rely on sharing data with 3rd-parties, rather they use contextual information of the page the ad is displayed on. So my interpretation is that non-personalised ads do not require consent.

          HTH

          Reply
  7. DS

    I have a question about a special case. If the owner of the website has analytics and no other tracking pixels in his site, but he lets another person watch the analytics report of his site, does he have to ask the users for consent?

    Reply
    • Brian Clifton

      I see no issue with that (i.e. No consent required). My analogy would be an accountant reviewing your business accounts at the year end. That is, the business that collected the data is still in control and the 3rd party accountant is working on behalf of the business.

      Reply
  8. Jonas

    Very nice article. Thanks for that.
    What I have problems with, is a rather technical issue. You state that we should track the given consent. So I need to send some information to google analytics again to track the consent, that a user has given by accepting via clicking on a popup-message. But how would I do that?
    And how is this of value. Let’s say I just use Google Analytics with anonymized IP and no url would ever show any personal data in google analytics.
    Then I get consent from a user that I use google analytics, and I – somehow – store this information in Google analytics again. How would this be of any value, if I cannot connect the given consent with an actual user?

    Or is this all irrelevant, if I don’t track IPs, or any other identifiable personal information via google analytics?

    And then again, let’s assume I track the IP after the given consent, would I have to somehow store the fact, that a user has given the consent with his IP (in connection)?

    Thanks for some clarification. Much appreciated.
    Cheers

    Reply
    • Brian Clifton

      Hello Jonas – a couple of points for you:

      • Remember GDPR is about your organisation’s handling of data. It is not specific to any tool or technology, such as Google Analytics.
      • Anonymising IP is not a magic switch that makes an org GDPR compliant – it’s simply best practice and in my view should have always been ON by default (more on the impact of that in my next post 🙂)
      • Tracking all user actions is best practice e.g. a click to consent, as opposed to assuming. Do this as an event and ensure the event fires before any pageview request.
      • Only store the consent value. Non-consent should not be stored!
      • If you want to store the clientID of your visitors when they click to consent, do this as a user-scoped custom dimension. That way, the value persists when they return i.e. when they do not need to consent again.
      Reply
      • Jonas

        Hi Brian
        thanks for your very quick response. I do realize your points, I may have focused on the GA a bit too much – that’s just because I am a web developer and most of the clients ask me things about how to handle tracking data, especially when done by Google.

        I note: I have to track the click as an event in GA. That helps a lot. I did not know that this was possible.

        And just for further understanding:
        Let’s assume the following (and we have in mind that we are just focusing on the tracking data, not all the other required steps to become GDPR compliant):

        I have a normal webpage, without any forms, any newsletter, just display of information. I use google analytics for tracking how many visitors my page is getting, but GA never gets URL parameters with usernames, phone numbers etc – because this just not part of the page.

        I understand that the IP is PII (personally identifiable information). So I anonymize this, because it makes sense anyway (agree on this with you).

        As far as I understand things like:
        – Which browser is used
        – What page is visited
        – Which OS the user has
        … etc.

        is all not PII, am I right?

        So in the described case above I would not even have to get any consent, because I don’t track any PII.
        Or is this a whole misunderstanding in my side.

        Thank you in advance.
        Best,
        Jonas

        Reply
        • Brian Clifton

          Yes, you are correct, so long as:

          • You can verify there are no other tracking pixels
          • GA has its “advertising features” turned off

          Consent is not required. AnonymizeIp is a bonus (best practice).

          Reply
  9. Hugo

    3. Do not ask twice
    4. Do not store the answer

    This is a paradox. How can we know if someone said “no” if we do not store that answer in some form?

    What came first, the chicken or the egg?

    Reply
    • Brian Clifton

      Think of it this way:

      1. if visitor consented, store that. When the same visitor returns, if consent storage is present, do not ask for consent again.
      2. if visitor has NOT consented, do not store any value. When the same visitor returns there is no storage present, therefore consent must be asked for.

      Reply
  10. Yaro

    Hi Brian,
    Thanks for the post. Just a quick question – what about Compliance Check pop-up – isnt the GA tracking should be loaded only if visitor clicks on it?
    Right now I can see that I’m still tracked with ClientID (if I’m not mistaken it’s part of PII) but the pop-up is also live:
    http://prntscr.com/jij2by
    Is it a valid “Compliance Check” implementation?
    Thanks in advance for your time and help!

    Reply
    • Brian Clifton

      Correct – if you have decided that consent must be granted then no tracking should take place until it is given. In that case make sure you send the pageview hit first before the event click – GA gets confused if it does not see a pageview first.

      BTW, you are not allowed to block access to your content if a visitor does not consent. My analogy is from bricks and mortar retail stores – a store owner cannot stop someone visiting a store just because they don’t like the look of them. That is called discrimination and is illegal in the EU.

      Reply
  11. Andrew

    Loads of web sites using GA, grab my data, ship it out and then tell me what they have done in their Privacy Policy, normally with a loose comment like, we only ship data to companies are reputable. I’m not seeing any chance to consent to this. Even on the ICO’s website my data is pushed through GA.

    Being given to a choice after the event, isn’t really a choice. How can I get all these organisations not to track me through third parties?

    Reply
    • Brian Clifton

      Hello Andrew – I agree that is the situation we face, hence why I support the principle of GDPR. I think that one day it will become the global norm for best practice. And those businesses that don’t practice it will fail – and quickly – as now there is a legal framework for action against data abuse.

      The question you raise is really for the ICO (in the UK). I am surprised the ICO track without consent. They did not used to – as this comment/chart from Vicky Brock shows: https://brianclifton.com/blog/2011/05/20/google-analytics-and-the-new-eu-privacy-law/#comment-53291, the ICO website lost 90% of their web data when they opted for explicit consent to track in 2011 – maybe that is why they no longer do that!

      There is no doubt that only tracking with explicit consent is going to lose a lot of traffic, hence why I suspect everyone is waiting to see what the other websites do. I am conducting a study now to see what the data loss impact is i.e. my next blog post.

      Reply
  12. Cathie

    Hello Brian, thanks for your article. I am struggling to understand #3 – how to actually implement the process of tracking only when consent is given. I can provide some kind of Compliance Alert, but I don’t know how to ‘link’ it to the the Google remarketing tag or Facebook Pixel installed on my site, so that they only fire if consent is actually received (currently they fire for every visit). I’m not a coder … is there a WordPress plugin that can handle this?

    Reply
    • Brian Clifton

      Hi Cathie – I do this using GTM. The key is how you define your trigger. Essentially you need to wait until the visitor clicks on “accept” before tracking. That picks up first time visitors who get the alert. However, returning visitors who have previously accepted will not see the alert as they have been cookied. So my trigger is also setup to look for the presence of this cookie – firing only when present.

      HTH. At some point I will write up my GTM solution. I haven’t done this so far as it is specific to my cookie alert plugin…

      Reply
  13. Yves

    In your understanding, would you consider using GA with user ID without consent, in the assumption demographics, interests, advertising are off?

    Reply
    • Brian Clifton

      In short, no I wouldn’t. By definition a userId ultimately identifies a visitor, such as via your crm.

      However, if it is completely anonymous e.g. a random number, then it’s no different to the GA cookie (clientId).

      Hope that helps.

      Reply
      • Yves Hiernaux

        Thank you!

        I was hoping that the ePrivacy statement to come (which is anyway still in draft) explaining analytics would be ok for performance measurement, would actually tackle this too.

        Now, when I read opinion like this one:
        http://ec.europa.eu/newsroom/document.cfm?doc_id=44103
        —-
        Additionally, the exception for “web audience measurement” is imprecisely worded. Art. 8(1) (d) of the Proposed Regulation provides for an exception for web audience measuring. The first point of concern is that this term is undefined and may be confused with user profiling. The definition should make clear that this exception cannot be used for any profiling purposes. The exception should only apply to usage analytics necessary for the analysis of the performance of the service requested by the user, but not to user analytics, (i.e. the analysis of the behaviour of identifiable users of a website, app or device). Therefore, the exception cannot be used in circumstances where the data can be linked to identifiable user data processed by the provider or other data controllers.
        —-

        I think the use of User-ID without consent will not be possible even if there are Ads goals or even profiling. Just understanding the campaigns that works and convert.

        As a user, if I have to actively consent to be tracked, I will certainly not do it.

        Reply
        • Brian Clifton

          Hello Yves

          I too used to argue that explicit consent was not required for benign tracking e.g. using first-party cookies, and importantly, when data is aggregated i.e. no individual user tracking taking place – not even anonymously. GA being the classic example at that time.

          However, the GDPR has moved the needle on this. Essentially because there really is no such thing as benign tracking anymore. Everyone wants to track users, not aggregated cookies, and even when anonymous, there is so much other “anonymous” data freely available that it is relatively trivial to triangulate these data points to identify the user. So attempting to define GA which now focuses very much on users rather than sessions, or any other tracking tool for that matter, as benign is now obsolete…

          Reply
          • Yves Hiernaux

            Just to make sure I understand you right.

            The consent as I understand it in GDPR must be an active consent, in the sense that the script for GA cannot be loaded before the consent is given. Passive consent as the cookie law allowed it, is no more possible.

            I was looking for the non-consent approach, because as a user, who will decide to actively check that box. No one will want to be tracked and ask for it.

            But on your website, the consent is a passive one. GA is already loaded.

            This contradicts the active consent approach too?

            Sorry for being so blunt. This is a grey area and everyone seems to have different explanations.
            Your article is one of the rare ones that was actually very interesting.

          • Brian Clifton

            I take it by active consent, you mean explicit consent? Essentially, scripts can load but data to 3rd-parties cannot be sent without explicit visitor consent obtained first i.e. opt-out by default. That is how this site will work from 25th May onwards.

            To avoid requiring consent, then you need to employ either method 1 or method 2 for compliance. What I am stressing is that it is your website as a whole that needs to be compliant, not any specific tool.

            Hope that helps.

          • Yves Hiernaux

            I really appreciate your help.
            This has been the most valuable information I have found till now.

            What do you mean by method 1 or 2?

          • Brian Clifton

            The methods I describe under the heading: Best Practice Advice For GDPR Compliance

  14. Peter O'Neill

    Hi Brian, just wanted to get your thoughts on an approach which has occurred to me.

    What would be the impact of your recommendations if you set the user cookie expiration to 0 so that it becomes a session cookie and if you set the IP address to be anonymised. If doing this, you would also be switching off the advertising features so guessing this would just fall into your category of not requiring consent.

    However, with the above, I would want to track customer IDs for users that login via the User ID feature. Having received consent from them at registration or login for doing so. Would then end up with two solutions, one for anonymous visitors and one for identified visitors. And actually might want those advertising features on for the identified visitors.

    Thoughts?

    Peter

    Reply
    • Brian Clifton

      Hi Peter

      I agree that forcing a session cookie instead would make the “advertising” features redundant (and use anonymiseIP just to be sure). However, the visitor information will still be transmitted (to Doubleclick in Google’s case) and so there is at least the potential for it to be shared with 3rd-parties. Rather than hack, what is needed imo is a parameter in the data hit sent that ensures if set, Google/Doubleclick, drop the hit completely and there is no storage.

      However, the point I am trying to make is that it does not matter what Google say about their tool(s), or whether you, me or the EU agree or not with their approach. Google have given their advice to users and if it is wrong, well Google will need to sort that out.

      Rather, I am stating that websites have so many tracking pixels – often buried, or daisy-chained with multiple dependencies so they are hard to discover. For example WordPress plugins, or the share-me, love-me, like-me social media buttons deployed everywhere.

      So I am saying: “don’t base compliance on a tool, base it on your website“. Therefore, I recommend to ask for consent as default.

      Reply
  15. Aurelie Pols

    Hey Brian,

    Wow, you still think Google Analytics could benefit from the “audience measurement” exemption under ePrivacy to avoid consent, hey?
    I see we continue to agree to disagree 😉

    Not only did Google bundle its privacy policies back in 2012, including GA, but they also define where the data is stored in order to improve latency. And while such optimisation efforts are obviously laudable in our line of work, it does bring about an awkward quirk under the GDPR.
    I explain this at length in my article on LinkedIn here: https://www.linkedin.com/pulse/gdpr-google-analytics-you-island-aurélie-pols/. It boils down to the idea that as they define “means of processing”, they have become “joint controllers” and are not mere controllers as their terms state.

    Note that article 26 of the GDPR – on joint-controllers – mentions in paragraph 3 that:
    “Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.”

    And while Google already back in January mentioned they would allow some form of API tool to respect data subject’s rights, which was re-iterated in their communication last week around the 12th of April, I’m still waiting for the section called “User Deletion API” to actually show something in https://developers.google.com/analytics/#apis-for-reporting-and-configuration.

    At the same time, Google is also pushing through this idea that data controllers/advertisers are solemnly responsible for consent, effectively putting everybody in a very dire situation where it’s a take it or leave it stance that is impossible to keep up if you want to be even close to GDPR compliance.
    Note that I didn’t write about the published but someone else did and came to the same conclusions: https://digitalcontentnext.org/blog/2018/04/12/google-to-publishers-on-gdpr-take-it-or-leave-it/

    In light of all that, pushing this idea that you don’t need consent for GA because they only do “audience measurement” and fall under the current ePrivacy exception is a pill I find extremely hard to swallow.

    Last but not least, with respect to legitimate interest (LI), please note that the GDPR specifies in article 6.1 (f) that LI can be used as a legal basis for processing if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

    So while LI might magically reappear within the ePrivacy (now) Regulation that is still in draft mode, I’d argue that consent is actually closer to some form of technical requirement than any use of justified LI. After all, one of the principles added to the GDPR is one of accountability in article 5.2:
    “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

    Best of luck with that when using GA.
    Options?
    Ask for consent and see your traffic tank. Haven’t we been here before, Brian? https://brianclifton.com/images/ICO-visitors.png
    Change tools if traffic is important to you: some European tools would do the trick.

    Hope it helps, kind regards from Madrid,
    Aurélie

    • Brian Clifton

      Hello Aurelie – I just wanted to ensure we are on the same wavelength – which I feel we are not…

      The summary is a summary of the advice from Google – I have edited to make that clearer. My input on what I think about that is from the BIG BUT onwards.

      My post is not intended to point the finger of whether the EU is correct or not, or whether Google is correct or not, or who is responsible – that would dilute the point I am trying to make i.e. that having consent is a good default position to have.

      Adopting default consent protects the website organisation from litigation, or the very expensive and resource intensive job of assessing compliance for all potential tracking pixels – in fact, I will say this is impossible to achieve for all but the most basic of websites. More importantly, it gives users (I prefer the name customers or potential customers!) confidence that the organisation they are interested in takes their data seriously. That’s got to be good for business… 😉

  16. Teta Jewo

    You say “3. Do not track unless consent is given – this goes without saying!” Does that mean you don’t believe businesses will be able to rely on legitimate interest as a lawful basis for using Google Analytics (advertising features aside)?

    • Brian Clifton

      Hello Teta – as I state at the beginning of this article, if Google Analytics is the only thing deploying tracking pixels AND you are not using Google Analytics Advertising features, then you do not require visitor consent.

      So the tips section assumes you have made the decision that you require visitor consent.

      • Rachael Clark

        Hi Brian. Many thanks for sharing your thoughts on this. One of the most comprehensive I have seen.

        Going back to the point about Google Analytics, an area I am unclear on (and have read lots of opposing articles about) is whether even if you have removed advertising features and anonymised the IP, ensured you’re not collecting data via query strings or using User Ids (phew!), are Google still sharing that data with third parties for others to advertise against?

        For example, when you set up your analytics properties you provide information on the category of the site and I have always presumed they therefore track that cookie against that category of interest to inform their other advertising products and therefore allow other advertisers to market to a user that has visited any site using GA. Therefore, whether you use the advertising features or not, are they not already using this behavioural and interest Client ID data to give an audience of others to advertise against? As such, this is where I believe it is on dodgier ground than the likes of Matomo who have no advertising link ups at all (albeit the IP and User ID elements still need to be considered).

        • Brian Clifton

          Thanks for the feedback Rachael

          The short answer is I don’t know. But in my experience it is highly unlikely Google shares any data with 3rd-parties unless it explicitly says so. That is simply the way they think i.e. privacy built in from the ground up, not an addon later. This was a key point of mine when I was discussing joining the company after the Urchin acquisition. Anyway, I digress…

          I take your point about selecting your business vertical/category (and also selecting to share your data with other Google products) in the Admin settings. However, this was for Google to understand the product usage better so they could build a better product i.e. there is no hidden agenda.

