I am going to assume you are aware of GDPR (who isn’t? And Facebook have successfully heightened the awareness in the US). You should also be aware that even though I work in the data industry, I have been a strong privacy advocate for many years now. I approach the subject as an end-user would. Let’s face it, the data tracking industry has a bad reputation in general…
In this post I address a key question that is troubling many a website owner using Google Analytics – the “Controller” in GDPR terminology: Is explicit consent required before I can track my visitors?
Visitor Consent For GDPR Compliance
Q: Do I have to gain explicit visitor consent before I can track with Google Analytics?
A: According to Google – it depends…
From two official Google documents:
- EU user consent policy: “You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and…”
What are the Google Analytics Advertising features?
These include Demographics and Interest Reports, Remarketing with GA and DCM Integration. The reasoning is that these features require the use of 3rd-party cookies, i.e. the sharing of data with organisations other than the website being visited itself. Hence the privacy implications.
Summary of Google’s Advice:
If you use these Advertising features in Google Analytics, you must request explicit consent. If you do not, then Google considers its tracking tool as collecting benign data – hence no consent required.
Update Jan 2022: There is a growing consensus across EU data protection authorities that Google Analytics cannot be considered benign, even with Advertising Features disabled. Essentially Google is more than capable of stitching together such benign data to identify an individual and there is no formal documentation from them to deny this. For example, see this page from the French authority CNIL.
BIG BUT – Using 3rd-party tracking pixels
There is a very large caveat to this. The GDPR is specifically agnostic to the data tool and technology being used. That means gaining consent from your visitors must be based on what data your website (or app) collects and what it does with that data – not what happens within Google Analytics.
So if a website has any other tracking technology embedded on its pages e.g. social share icons that also send tracking pixels to 3rd parties, consent would be required. That is the situation for the vast majority of websites – that is, lots of embedded widgets and plugins with tracking pixels firing off to all sorts of places (3rd parties), where governance is potentially unknown.
Here is a classic example of the problem – a popular blog in the analytics space (which I do not name) is using the 3rd-party Disqus plugin for handling comments and visitor engagement. The image below is taken from the Chrome Developer Console, Network tab, and shows that when an article is loaded from the blog site, data is also sent to the 3rd-party Google Analytics account of Disqus. Disqus could use any logging tool; it just happens to be Google Analytics in this case.
Note, when I viewed the source of disqus.com the same UA-ID (UA-1410476) was also in use. Think about that for a moment – by using the Disqus.com plugin on your own website, Disqus allegedly sucks up your data – the same for ALL users of their plugin – and combines it with their own website data…
Here is another example from a different US-focused site.
What is The Implication of This?
If a visitor goes to the blog site in question running Disqus, then visits other unrelated sites that also use Disqus, ALL the visit data from these sites goes into the Disqus log/account, i.e. they have the ability to stitch together sessions from different websites visited. There are huge privacy implications in doing that – not only for Disqus, but also for the owner of the original blog website.
Essentially, audit your website (not tools) to establish what consent is required from your visitors before tracking them. As you may suspect, I have a tool for this, called verified-data.com.
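As an added example (not code from the original post or from verified-data.com), the audit step can start from the browser's own Resource Timing list: the function below takes captured request URLs, as returned by `performance.getEntriesByType('resource')[i].name`, pulls the GA property id (`tid`) out of every Measurement Protocol hit, and reports which accounts and third-party hosts receive data. The site host `example-blog.test`, the own property id `UA-XXXXXX-1` and the sample URL list are constructed for the demo; `UA-1410476` is the Disqus id quoted above.

```javascript
// Added example: classify outbound requests by owner and extract the GA
// property id from /collect hits, so a site owner can see which GA accounts
// actually receive data when a page loads. Inputs are plain URL strings.
const SITE_HOST = "example-blog.test"; // assumption: the audited site's host

function parseHit(url) {
  const u = new URL(url);
  const isGa = /(^|\.)google-analytics\.com$/.test(u.hostname) &&
               u.pathname.endsWith("/collect");
  return {
    host: u.hostname,
    isGaHit: isGa,
    tid: isGa ? u.searchParams.get("tid") : null,   // GA property id on the hit
    page: isGa ? u.searchParams.get("dl") : null,   // document location reported
  };
}

function isOwnHost(host) {
  return host === SITE_HOST || host.endsWith("." + SITE_HOST);
}

// Returns counts of hits to your own property, hits to every other property
// id seen (keyed by tid), and the sorted list of non-GA third-party hosts.
function audit(urls, ownTid) {
  const report = { firstPartyGa: 0, thirdPartyGa: {}, otherThirdParty: new Set() };
  for (const url of urls) {
    const h = parseHit(url);
    if (h.isGaHit) {
      if (h.tid === ownTid) report.firstPartyGa += 1;
      else report.thirdPartyGa[h.tid] = (report.thirdPartyGa[h.tid] || 0) + 1;
    } else if (!isOwnHost(h.host)) {
      report.otherThirdParty.add(h.host);
    }
  }
  report.otherThirdParty = [...report.otherThirdParty].sort();
  return report;
}

// Constructed sample: one hit to the site's own (placeholder) property, one to
// the Disqus property quoted in the post, plus two third-party script loads.
const SAMPLE_URLS = [
  "https://example-blog.test/post/gdpr-consent",
  "https://www.google-analytics.com/collect?v=1&tid=UA-XXXXXX-1&dl=https%3A%2F%2Fexample-blog.test%2Fpost",
  "https://disqus.com/embed.js",
  "https://www.google-analytics.com/collect?v=1&tid=UA-1410476&dl=https%3A%2F%2Fexample-blog.test%2Fpost",
  "https://cdn.syndication.twimg.com/widgets.js",
];
```

Any `tid` in `thirdPartyGa` other than your own means a widget on the page is reporting your visitors into someone else's Google Analytics property, which is exactly the Disqus situation described above.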
Best Practice Advice For GDPR Consent Compliance
1. Streamline Your Tracking Pixels
- Communicate to your organisation that only N tracking pixels are allowed, where N is a small, manageable number, e.g. 5. That is, all web tracking requirements for the organisation must be met by N tools/tracking pixels.
- That means replacing some tracking pixels with Google Analytics, and/or deleting others. This is not as drastic as it sounds – often I see a tracking pixel deployed to track some specific user event, when actually the same information can be obtained within Google Analytics.
- Keep N as small as possible, i.e. a number that your organisation can manage and for which it can justify the resources required to ensure GDPR compliance. Remember GDPR is a continuous obligation, not a set-and-forget project, and there is no economy of scale in the work required.
- Manage ALL tracking pixels (or the widgets/plugins that deploy them) using GTM or a similar tag manager. Tag managers are a huge time saver for managing deployment(s).
2. The Simplest Route – Consent always required
You can simplify the headache of assessing compliance for all your tracking pixels by requiring consent by default – for all your visitors, European or otherwise, before any tracking takes place. That way, there are no grey areas and you minimise any risk of getting this wrong – a high risk considering website content is often constantly in flux. Remember, pretty much all social platforms and 3rd-party widgets/plugins employ some kind of tracking – the infamous “Like” button is probably the most prolific.
But, you will lose traffic. Although consent by default simplifies the significant headache of GDPR compliance, the issue you will face is that visitors will not want to give you their data. Why should they?
See my consent whitepaper on the best practice approach for doing this while maintaining a high opt-in rate.
3. The Best of Both Worlds
If you need to use remarketing, or other 3rd-party tracking pixels, you could be smart about it. That is, set remarketing and 3rd-party pixels OFF by default, then turn on if you gain consent. This is based on Google’s interpretation of the GDPR law as stated at the beginning of this article: Benign, 1st-party tracking does not require explicit consent.
This approach means you will not lose any traffic. Whether a visitor consents or not, you will still be able to track them with your benign, first-party tracking. What you lose is the ability to remarket to ALL of your visitors i.e. those that opted out.
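As an added example (not code from the original post), here is the gating rule from step 3 written out in plain JavaScript: benign first-party tags fire on every page view, while remarketing and 3rd-party pixels are held until the visitor opts in and are dropped if they refuse. The tag names and the optional `fire` callbacks are assumptions for the demo; in GTM the same rule would be a trigger condition on a consent variable.

```javascript
// Added example: a minimal consent gate for the "best of both worlds" setup.
// Tags declare whether they need explicit consent. The first-party GA tag in a
// real deployment would also disable Advertising Features until consent is
// given (gtag: allow_ad_personalization_signals=false; analytics.js:
// allowAdFeatures=false) so that it stays on the benign side of the line.
function createConsentGate(tags) {
  const state = { consented: null, fired: [], queued: [] };

  function run(tag) {
    state.fired.push(tag.name);
    if (typeof tag.fire === "function") tag.fire();
  }

  return {
    // Called on every page view, before or after a consent decision is known.
    pageView() {
      for (const tag of tags) {
        if (!tag.requiresConsent) run(tag);                 // benign 1st-party: always
        else if (state.consented === true) run(tag);        // consent already stored
        else if (state.consented === null) state.queued.push(tag); // undecided: hold
        // consented === false: remarketing / 3rd-party pixels are skipped
      }
      return [...state.fired];
    },
    // Banner decision. Only an explicit `true` releases the queue; a refusal
    // discards it so nothing consent-bound fires later by accident.
    setConsent(granted) {
      state.consented = granted === true;
      const pending = state.queued.splice(0);
      if (state.consented) pending.forEach(run);
      return [...state.fired];
    },
    status() {
      return {
        consented: state.consented,
        fired: [...state.fired],
        queued: state.queued.map((t) => t.name),
      };
    },
  };
}

// Constructed tag set mirroring the post: one benign GA tag, one remarketing
// tag and one 3rd-party comment widget that carries its own tracking.
const DEMO_TAGS = [
  { name: "ga-first-party", requiresConsent: false },
  { name: "ga-remarketing", requiresConsent: true },
  { name: "disqus-embed", requiresConsent: true },
];
```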
BTW, if you are interested in what I am building in this space – a forensic GA data auditing tool with an emphasis on GDPR compliance – visit verified-data.com.