So, it was only after researching about GDPR for our very informative article and download (see here) that it suddenly dawned on us… is Google Analytics GDPR compliant?
We’ve been using Google Analytics for many years now and find it to be an incredibly useful tool. Google offers a freemium web analytics service that tracks and reports website traffic. You can seamlessly integrate Google products like your Adwords account & Search Console. Also, you can use tracking codes to tag and track any advertising, social or PR campaign on any platform/website.
So, what does GDPR have to do with Google Analytics?
Well, from May 25th, 2018 GDPR applies to you and your company. From then on, you need to comply with the GDPR requirements and have proof that you do so. All good so far. We also know that GDPR is going to apply to the personal data of any EU individual. Especially when the data controller and/or data processor is either processing that personal data, because of goods, and/or services being offered, or monitoring the behaviour of those within the EU.
All clear so far…
However, the problem lies in the fact that there is a very broad definition of what we consider is ‘personal data’. And whether or not you can identify someone ‘directly’ or ‘indirectly’ using “all means reasonably likely to be used”. So basically, any such data, is personal data. This includes pseudonymous data, online identifiers and cookies. Which, as we reported in our GDPR article, can be combined with other data to create “profiles of the natural persons and identify them”.
This means that by using Google Analytics, you are allowing Google to access data. And in return, Google is supplying you with data in the form of reports. Although it is actually a breach of the Google Analytics agreement to share “personally identifiable data”, they allow you to share IP addresses. These are personally identifiable. They also allow you to share usernames and email addresses, which, you guessed it, are personally identifiable.
Also check you’re not storing postcodes, as they too can be linked to specific users; especially when paired with pages visited and segmented down into small groups.
It’s also worth considering that it’s not just about one individual data set or Google Analytics report on its own. If you combine data sets that may appear unrelated such as a Google Analytics report, does that mean you can identify an individual from that combined data? Because then it’s personal data.
Plus, if your Google Analytics is outsourced, the data might be subject to third party access. Do any other organisations manage your account for you? If so you’re in the tricky situation of ‘who owns the account?’.
And if you can only process personal data if you have a lawful basis for doing so, does that mean you can’t use the data collected from individuals as part of the Google Analytics process? Because at the moment you might be relying on the individual’s consent. But GDPR makes that more difficult considering your current method may not be compliant.
Don’t go thinking that Google will take care of all of this for you either. Google themselves are taking steps to become GDPR compliant but remember that using Google doesn’t erase your own responsibilities. According to the agreement you sign with Google Analytics, using their software is your own responsibility. If you commit a breach of that agreement – including not being GDPR compliant – you might find that your access to Google Analytics is, at the very least, terminated.
What can you do if you want to carry on using Google Analytics?
As with everything GDPR related, you need to be clear and concise about the data you currently hold; the data you intend to collect and how you’re going to use it. Don’t hold onto information “just in case” – you’ll probably never need it. Have a good data cleanse and permanently delete the data that you don’t need or can’t justify retaining.
Also, ensure that you know how you can stop and/or monitor the use of personal data on Google Analytics. And you need to know who will be involved in that data processing activity. If you want to rely on an individuals’ consent to enable you to use their data, you need to make sure how you obtain and interpret that consent is GDPR compliant. Realistically, are you still able to use Google Analytics whilst having a lawful basis for that processing activity?
Lastly, Google currently relies on the EU Privacy Shield, which means data transferred outside of the EU (to approved compliant areas or organisations) is acceptable. However, under GDPR’s new rules, it’s your responsibility to make sure that if you transfer any personal data outside the EU that the data will be properly protected. Meaning, that it’s your responsibility to work out if you’re being compliant with data transfer issues.
It would seem Google Analytics and GDPR go hand in hand. So if you have everything covered on one, you’ve probably got everything covered on the other.