GDPR is coming to all of us. How can we get our Google Analytics ready for the privacy changes?
There are a few things you need to take care of to be compliant. In this video we are going to have a look at those changes.
1. Avoid PII in GA
2. Anonymize IP
3. Disable Display Features
4. GA Cookies
GDPR – What you need to know https://www.youtube.com/watch?v=nA9NgrvS8vg
GDPR Compliance – The steps that I take to prepare https://www.youtube.com/watch?v=khr6sctQjRM
Tools & Widgets to Manage Cookie Consent: https://medium.com/gdprstories/tools-widgets-to-manage-cookie-consent-346a00dc1dff
GDPR Review service: https://www.disclaimertemplate.com/julian/
In this video we’re gonna take a look at what you need to change inside of your Google Analytics installation to become compliant with GDPR. All and more coming up. Hey there and welcome back to another video of measureschool.com teaching you the data-driven way of digital marketing. My name is Julian and today we want to talk about GDPR again.
Now, in our last videos we already talked about what GDPR actually is, and how I prepared for GDPR, and how you could too. Today we want to talk about a specific tool, in this case Google Analytics, so how can you prepare your Google Analytics account to be compliant with GDPR and privacy laws in Europe. Google Analytics is obviously a tracking tool and it’s gathering data from data subjects, such as people who come to your website from the EU, and that’s why you need to protect their privacy. Google Analytics has come out with certain features, even before the GDPR was actually announced, to protect users’ privacy.
In today’s video we want to go through the steps that you need to take in order to get your Google Analytics implementation ready for GDPR. It’s important to remember that there’re actual levels of compliance so you could, for example, turn off Google Analytics completely, then you definitely would not gather any data obviously, but you wouldn’t be able to analyze your user behavior on your website anymore. You could take these steps that I will show you in this video, or leave them out completely and ignore GDPR, which I wouldn’t recommend.
Now, there are steps that you need to take that could impact your data quality. You can mitigate this data quality loss a little bit, but in a sense, if you want to become fully GDPR-compliant, then you need to put these provisions in place. So let’s take a look at these steps. Here we are in our Google Analytics account and we want to get it GDPR ready.
Avoid Personal Identifiable Information (PII) in GA
The first thing that we want to check is whether any personal identifiable information already goes into this account. This has been a big no-go in the terms of service of Google Analytics anyway, so you want to make sure that you are not inadvertently tracking any personal identifiable information. That might be an email address, first name, and so on. This can happen, for example, if your email tool sends your user to your website with a query string and the email address is in the query string. Google Analytics is going to send a pageview to the system, and it is also going to send the URL along with it. It would then be saved in the account, and you would be tracking personal identifiable information in Google Analytics.
So, if you want to spot-check this, you can go into your Behavior reports here, to Site Content, and look in the search bar for any email address, using the @ symbol, for example. You could also put in first name, or any other identifiers that you can think of, and see if anything shows up in your URLs. Here the URLs and the page paths seem to be clear. You are also not allowed to send this in as custom dimensions, so check your custom dimensions as well for any personal identifiable information that you are sending over to the system.
If you find that you are sending data over, you might already be at risk of violating the terms of service of Google Analytics, so you might as well start with a new account. But for sure put filters in place on the management side, so on the Google Tag Manager side, where you filter out that information before it goes on to Google Analytics, so this doesn’t happen again.
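One way to do that filtering before the hit is built, as an added example that is not from the video: a function that masks email addresses and known PII parameters in the URL. The parameter list, the mask token and the sample URLs are assumptions for illustration; in Google Tag Manager the same logic could sit in a Custom JavaScript variable.

```javascript
// Added example: scrub PII from a URL before it is used in a Google Analytics hit.
// Matches email-like strings, with a literal @ or a percent-encoded %40.
const EMAIL_RE = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/gi;
// Assumed list of parameter names that carry PII; extend it for your own email tool.
const PII_KEYS = new Set(['email', 'firstname', 'first_name', 'lastname', 'last_name', 'phone']);
const MASK = 'REDACTED';

// Takes an absolute URL and returns sanitized values for the page path and the
// page location. The fragment is dropped.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    // searchParams yields decoded values, so %40 has already become @ here.
    const isPiiKey = PII_KEYS.has(key.toLowerCase());
    clean.append(key, isPiiKey ? MASK : value.replace(EMAIL_RE, MASK));
  }
  // pathname stays percent-encoded, which is why EMAIL_RE also accepts %40.
  const path = url.pathname.replace(EMAIL_RE, MASK);
  const query = clean.toString();
  const pagePath = query ? `${path}?${query}` : path;
  return { page_path: pagePath, page_location: url.origin + pagePath };
}

// Constructed sample: a link from an email tool that leaks the address.
const sample = redactUrl(
  'https://shop.example/welcome?email=jane.doe%40example.com&utm_source=newsletter'
);
console.log(sample.page_path); // /welcome?email=REDACTED&utm_source=newsletter
```

Override both the page path and the page location with the sanitized values, because the hit carries the full document URL as well as the path.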
Anonymize IP Feature
All right, let’s go through some concrete steps that we need to take in order to get GDPR-compliant, the first step being implementing the Anonymize IP feature. The Anonymize IP feature takes out the last numbers of the IP address, and Analytics would only use the first digits to store and process in that dataset. That might lead to a slight decrease of accuracy in terms of the geolocation that Google Analytics does, but since the IP address is considered personal identifiable information under the new GDPR regulations, you need to implement this for the protection of European citizens.
So how can you implement this feature? It depends on how you have installed Google Analytics. You need to do this on the tracking side, so on the actual tracking code. In Google Tag Manager you can go into your Google Analytics Pageview tag, or into your Google Analytics Settings variable, and under More Settings you’ll be able to add a Fields to Set entry, and here is the option Anonymize IP that you will set to true, and that will anonymize your IP in the future. So, just to try this out, let’s save this, refresh our Preview and Debug Mode, go back to our page, and refresh that.
This is a feature that you need to turn on for all your pageview and other hits that go out to Google Analytics. If you’re not working with Google Tag Manager, you might be doing this in your analytics.js. For this example you would need to set the ga set option anonymizeIp to true. Or, if you’re using the new Global Site Tag, you need to add to the configuration of your Universal Analytics code the object here with anonymizeIp true, so it will be configured in that way.
Disable Display Features
Once you have that turned on, you can go to the next step, which is disable advertising features.
If you are familiar with display advertising features, it’s a feature set within Google Analytics that you can turn on, that gives you, first of all, the ability to build remarketing audiences from your custom segments, and also gives you some pretty interesting data about the users coming to your websites. This is data that is actually derived from different sources and therefore is classified as third-party data, which you also don’t want to connect to your Google Analytics account. So it’s safer to turn this feature completely off.
How do you do this? Well, if you have it enabled on the server side, then that means in your Admin section, if you go to the Tracking Info here, then you will see Data Collection. And under these data collections, you see the Remarketing on, and the Advertising Reporting Features on. These need to be turned off.
Now, I don’t have edit rights to this account, but that might be possible in one of my demo accounts here. So you would turn these off, save this advertising feature and you will be safe for GDPR purposes. It might be that you have an older installation, before Google Analytics actually allowed you to turn this on in the Admin section, where you had an analytics.js code where you added this little line to require these display advertising features.
Obviously you want to then delete this line so it doesn’t get tracked specifically in your analytics.js codes, or in the gtag you can add this allow display features false, and we would just add this to the object in our configuration file, with a comma, so you are not sending this display feature information onto Google Analytics anymore. And obviously, if you had that implemented in your Google Tag Manager account, you might find this under the More Settings, under Advertising, that this was set to True.
Now, you can set this to No value set or explicitly False at this point. Once you have saved this, we have now taken care of the display advertising features.
Google Analytics Cookies
Last but not least, we have to talk about the Google Analytics cookie. When you have Google Analytics installed, a cookie gets set with a pseudonymous ID stored in it, the client ID. GDPR is not super clear on all the requirements we need to meet in order to become GDPR-compliant in terms of cookies.
There has been a lot of talk around this but there’s not yet a real consensus on what needs to be done. If you want to be on the safe side, you might want to install a cookie consent form that actually manages and makes sure that you don’t get tracked when the user doesn’t explicitly consent to this tracking. That would mean you would have a popup where there’s a button and the user actually can read about Google Analytics and then also consent to the data being sent to Google Analytics.
As you might have seen in my last video, I’m holding off on what the best practice here is. I want to give you some pointers if you want to install this. There’s a great blog post by Vicky on tools and widgets to manage cookie consent, different solutions out there. I wouldn’t say that I have found the one that I really like yet, but this is a great overview on what kind of providers are out there, and how they are displaying their consent forms.
The important part would be that the user actually consents to you sending that data, only then you can send over the hits to Google Analytics or other tools. That would require another set of rules, triggers in your Google Tag Manager, or in your implementation of analytics before this data actually gets sent.
So you can’t just install the Google Analytics code on your website anymore. You would need to actually have some kind of opt-in gate that lets the user choose if the information should be sent to Google Analytics. So if you want to install one of these tools, then I’d refer you to look up how this would be done for your situation.
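The settings from the Anonymize IP and Disable Display Features sections, placed behind the opt-in gate described above, as an added example that is not code from the video. The property ID is a placeholder, the consent flag is assumed to come from whichever consent tool you install, and the tracker function is passed in so the gate can be exercised outside a browser.

```javascript
// Added example: privacy settings from this walkthrough, applied behind a consent gate.
const GA_ID = 'UA-XXXXXXX-Y'; // placeholder, not a real property ID

// gtag.js field names for the two settings discussed above.
function buildGaConfig() {
  return {
    anonymize_ip: true,            // Anonymize IP
    allow_display_features: false, // display advertising features off
  };
}

// gtag.js variant. On a real page `gtag` is the usual helper:
//   function gtag(){ dataLayer.push(arguments); }
function initGtag(hasConsent, gtag) {
  if (hasConsent !== true) return false; // fail closed on undefined, "true", 1
  gtag('js', new Date());
  gtag('config', GA_ID, buildGaConfig());
  return true;
}

// analytics.js variant. Note there is no ga('require', 'displayfeatures') line.
function initAnalyticsJs(hasConsent, ga) {
  if (hasConsent !== true) return false;
  ga('create', GA_ID, 'auto');
  ga('set', 'anonymizeIp', true); // set before the first hit is sent
  ga('send', 'pageview');
  return true;
}

// Constructed demo: record the commands each consent state would queue.
function record(init, hasConsent) {
  const calls = [];
  init(hasConsent, (...args) => calls.push(args));
  return calls;
}

console.log(record(initGtag, false).length); // 0, nothing is queued without opt-in
console.log(record(initGtag, true).length);  // 2, the 'js' and 'config' commands
```

Loading the library script itself also contacts Google's servers, so inject the script tag from the same consent branch.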
Before I leave you to implement these changes in your analytics account, I also want to mention that Google has released a new version of the processing terms that you can send into Google and they will make a processing agreement with you. They’ve also launched a new feature which entails data retention, so you can change when your data should expire. And they will come out with a specific tool to delete data within your Google Analytics account. That hasn’t been released yet as of recording of this video.
At the end I also want to mention that this is maybe a pretty extreme step for you because you will lose data in your account. You will be missing out on that great demographics information. So how could you mitigate the damages that this makes to your data quality? Well, you could take these measures that we just went through only for European citizens.
So if you have a broad user base all over the world, you may only want to take these steps for European citizens. It is possible to apply these features based on the location of the user. For that you will need a geolocation API that detects where the user is from at the point of him being on your website, and then shows the cookie consent form, anonymizes his IP, and so on. Again, this would add another technical layer to your analytics setup.
You will need a third party, such as this geoPlugin API, to locate the user. If you want to do that, then I will link up some resources down below. A great discussion I read on the Google Tag Manager forum on how to do that.
All right, these are the points that you need to take care of in your Google Analytics account. Again, there are levels of compliance, so you could get some data back or mitigate the data quality loss by putting something into place, like geolocation, where you only activate certain features for certain users who come from the European Union. But obviously this takes a lot more implementation than we have done today.
It’s probable that there will be more changes to come in Google Analytics and to privacy laws, it’s always a work in progress so we will see how the best practices and the lawsuits will inform us. If there’s anything new, then I will inform you on this channel so make sure to subscribe. And also, if you want to find out more about GDPR, we have done several videos on this as well, one of them up there. My name is Julian. Till next time.