GDPR and Google Analytics

Google Analytics is a web analytics service offered by Google. It is by far the most popular tool used worldwide by website owners to look into the insights of how their website is being used. 

The tool helps website owners understand and get insights about the website like the sources where the users to the website are coming from, how many of them are new users, how long the users on the website stay, where do they navigate in the website, etc. 

Google Analytics also helps the owner understand the performance of the website with metrics like bounce rate, which can be very useful in improving and optimizing the website.

Apart from all these statistics, Google Analytics also helps you understand the kind of audience your website has. It gives you insight into the demographics of your audience like their age, gender, etc.

Google Analytics uses a small piece of Javascript tracking code to collect data about your website visitors and their interactions on your website. 

When a user arrives at a website with this code added, the code is executed by the browser when the website is loaded. It collects information about the user’s browser, settings, operating system, screen resolution, etc. The script then sets a few cookies containing basic information about the user’s visit to identify them later.

All of the data collected is sent to Google’s servers and recorded there for the data to be processed. GA tracking code sends the information by requesting a small file. Visit data is processed every few hours for a website.

GDPR or General Data Protection Regulation is a privacy regulation that aims to protect the privacy of the citizens of the EU. The law places emphasis that the users have the authority of their personal data that is in possession of an organization. 

What distinguishes GDPR from the rest of the privacy laws is its global impact. Any organization that serves the citizens of the EU, even if their geographical presence is not in the EU, has to comply with the law or else they could be facing hefty fines.

GDPR puts great emphasis on transparency from organizations dealing with personally identifiable data of the users. It requires that all organizations inform the users about its data collection and processing practices. The users should not only be informed, but there must also be a legal basis for the organization to be able to collect the data. These legal bases are clearly stated in the regulation.

GDPR makes sure that all organizations honor the fundamental rights of the user.

The rights of data subjects under GDPR go as follows:

The Right To Information

This right authorizes the user or customer to ask the website about how the information collected from them is being used and with who it is shared with.

The Right To Access

Under this right, the data subjects get access to their data being processed. They can request the website owner to get a copy of the data they submitted. 

The Right To Rectify

Under this right, the data subjects can modify or change the data submitted by them to the website. The users can send a request to do so in case their data is not up to date or need any modifications. 

The Right To Restrict Processing

GDPR gives the data subject (users) the right to restrict the processing of their data. The users can send a request regarding this to the website, which will immediately stop any ongoing process of their personal data. 

The Right To Object 

If the user wishes to object to the processing of the data given by them then they can do so using this right. However, when the user is in legal situations or so, the law might overrule this right.

The Right to Data Portability

This right gives the user the freedom to obtain and reuse their data for their personal use across different services. The user can use the data submitted to a website, copy, move or submit it from one IT environment to another without affecting its usability.

The Right to Erasure

Under this right, the user can opt to be forgotten by the website. This right comes in handy when the users have ended taking any services from the website. With the customer relationship ended it is important that the customer has the right to request the website to delete all the details previously submitted by them.

The Right To Object To Automated Decision Making

The automated decision-making is the process of making decisions without any human involvement.

Automated processing of data of users can be carried out in different scenarios such as when the decision is important for the performance or entry in a contract, it is authorized by the union or law if the user gives their consent. 

If the processing takes place without the above scenarios happening, the users must be informed immediately, they need to be informed of simple ways to challenge the decision. 

The Right To Notification Obligation

According to this right, any change or deletion or rectification of user’s data must be notified to them. This is important as the change may or may not be made by them and is to be followed even in case of loss or breach of user’s data.

All websites are to honor them with GDPR. The non-compliance of GDPR could cost you a penalty of €20 million or 4% of worldwide revenue. 

GDPR is considered to be one of the most significant changes in data protection in the past 20 years. There is no processing of sensitive personal data allowed without a user’s explicit consent. It has brought some major strict requirements on data handling procedures, transparency, documentation and user consent.

Cookies and scripts are used for user-tracking by websites and third-party tools like Google Analytics. Cookies are small text files that are locally stored and can be easily viewed and deleted. A lot about the user’s activity and data can be stored without the user’s consent, with chances of misuse.

GDPR ensures that cookie policy is a declaration given to the user, stating what cookies are used in the website, why they are used, where the information will be shared to and if the user’s consent is involved. Same goes for tracking scripts that Google Analytics use to view a user’s browsing activity. In short, GDPR ensures that users are informed of any user tracking and asked to provide their consent.

Under GDPR websites are to make note of the following in their privacy policies.

following included in the policy.

• The name and type of cookies and scripts used.
• The purpose of the cookies and scripts used. Along with the type, the purpose of each cookie and script used should also be specified in the list. 
• Cookie duration. Some cookies die out after a user session and some are persistent ones, that stay along for a year or so. The duration to which a cookie will stay in your browser must be specified.
• The whereabouts of the data shared through the cookie and script should be specified.
• Cookie and script rejection and acceptance policy should be mentioned. Users should know how to opt-out of them.

Google Analytics uses scripts that track users and assigns them an ID as they visit your website to give you real-time insights into how your website is being used, when and by whom. It works by means of a tracking code that is added to pages of your website. This unique ID is to recognize the users when they return to the website.

But is the user informed?

For your website to be in compliant with GDPR it is important to ask the consent of the users before setting those Google Analytics scripts that track users on your website. To do this a cookie banner can be used, that would pop up when a user visits your website, showing them the cookies and scripts that are used in your website. 

Only when a user explicitly gives their consent should the GA scripts be set on your website that tracks user behaviors. Even when the user changes their mind and decide to decline the cookies and scripts used and refuse to give their consent, the scripts should be removed from the website.

One of the methods to do this is to use the tool CookieYes. 

CookieYes helps in blocking the tracking cookies by Google Analytics and asking consent from the user for the setting of cookies and scripts. CookieYes helps you display a cookie banner that will pop up when a user visits your website.

All you have to do is sign up and paste an installation code on your website.

In the dashboard, you can scan all the cookies and script present on your website with the scan option.

In the Menu on the left side, under Manage Cookies, you will find options Category, Cookies, and Scripts. 

Under Scripts, you will find the list of scripts present on your website, categorized with their Ids and description. Here you can activate or deactivate your Google Analytics scripts by turning off the Active button.

Under Cookies, there is a list of all cookies with their name, description, duration, type, and domain.

There are other options available in the menu to customize the cookie banner. 

To check if the Google Analytics scripts are installed or deleted when the user accepts or rejects the use of them, you can inspect the code of the website.