Google Analytics (GA), the web analytics service offered by Google, is by far the most popular tool website owners worldwide use to gain insight into how their website is being used.
This tracking of users is against GDPR rules because user consent is not obtained before a data-tracking cookie is set on the website. For those of you who are not familiar with the term, here is what GDPR means. GDPR, the General Data Protection Regulation, is an EU regulation that applies to all EU citizens and to every website that serves EU citizens.
GDPR gives data subjects fundamental rights that every website must honor. Under these rights, users can withdraw the consent they gave to a website at any time, and can request deletion of their data from the website if required. In the event of a loss or breach of users' data, they must be notified immediately.
All GDPR rules must be followed by websites; failure to do so can lead to penalties and fines. Non-compliance with GDPR can cost you a penalty of €20 million or 4% of worldwide revenue.
What are the steps to make your Google Analytics GDPR Compliant?
If you have read this far and concluded that your Google Analytics setup is not GDPR compliant, fret not! Here are a few actionable steps to make your use of Google Analytics GDPR compliant.
Auditing Personally Identifiable Data
PII, or personally identifiable information, is any type of data that can be used to identify a specific individual. Auditing the website's data collection means informing the user why the website collects any such data, what it is used for, where it is stored, how long it will be stored, and whether you transmit the PII outside your website.
For example, a URL can contain PII. If the page URL gives out the user's email address, then you are in effect leaking that personal information to the other marketing services on your site.
Turn on IP Anonymization
An IP address falls under personally identifiable information. The IP address may not be shared, but Google does use it to determine geo-location. To be safe, it is recommended to turn on the IP Anonymization feature.
This can be done in two ways. One way is to add a line to the Google Analytics tracking code that anonymizes the IP:

ga('set', 'anonymizeIp', true); // place after ga('create', ...) and before the first ga('send', ...)
The second way is to turn it on via Google Tag Manager: go to the tag's settings, click "Fields to Set" and add a new field named 'anonymizeIp' with its value set to true. This anonymizes the IP address by replacing its final part with zeros before any processing begins.
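To see both the placement of the setting and what it does to an address, here is an added example that is not code from the original article. configureTracker() issues the create, set and send commands in the order analytics.js needs, and anonymizeIp() models the transformation Google describes for the feature: the last octet of an IPv4 address, or the last 80 bits of an IPv6 address, is set to zero. The tracking id is a placeholder, and the model is an assumption about Google's server-side behaviour, useful for checking what remains identifiable after truncation.

```javascript
// Added example, not from the original article. configureTracker() turns on
// anonymizeIp in the right place; anonymizeIp() models what the setting does
// to an address. Assumed behaviour, taken from Google's description of the
// feature: IPv4 addresses lose their last octet, IPv6 addresses lose their
// last 80 bits. The tracking id is a placeholder.
const TRACKING_ID = 'UA-XXXXXXXX-Y'; // placeholder: your own property id

// analytics.js applies 'set' fields to the hits sent afterwards, so the
// anonymizeIp field must be set after create and before the first send.
function configureTracker(ga) {
  ga('create', TRACKING_ID, 'auto');
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
}

function anonymizeIpv4(ip) {
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  return octets.slice(0, 3).concat('0').join('.');
}

// Expand "::" shorthand into the full eight 16-bit groups.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('malformed IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('malformed IPv6 address: ' + ip);
  }
  return head.concat(Array(missing).fill('0'), tail)
    .map(g => g.toLowerCase().padStart(4, '0'));
}

// Zero the last five groups (80 bits), leaving only the /48 prefix.
function anonymizeIpv6(ip) {
  return expandIpv6(ip).slice(0, 3).concat(Array(5).fill('0000')).join(':');
}

function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIpv6(ip) : anonymizeIpv4(ip);
}
```

Running anonymizeIp over a sample of your visitors' addresses shows how much locality survives: a /24 for IPv4 and a /48 for IPv6 are still enough for Google's city-level geo-location, which is why the feature reduces rather than removes the personal-data character of the address.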
Audit Pseudonymous Identifiers
GDPR encourages pseudonymization of personal data. A pseudonymous identifier replaces the original value so that the individual cannot be identified unless additional information is provided.
Pseudonymous identifiers include the user ID. User IDs should be alphanumeric and must not include plain-text PII; even an e-mail address must be hashed. The transaction ID is also a kind of pseudonymous identifier, and it is important that it is in alphanumeric form.
An Opt-In and Opt-Out Option
It is important to ask for the user's consent before Google Analytics executes. If Google Analytics is used to collect user data or to assist advertising technologies, an opt-in consent mechanism must be built that lets users opt in or out whenever they wish.
When consenting to cookies, the user must be able to opt out of non-essential cookies that are not required for the functioning of the website. Also, documentation of the consent given must be saved for future reference.
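The opt-in flow described in the two paragraphs above, as an added example that is not code from the original article: the tracker is loaded only when a stored consent record grants the analytics category, each decision is saved with its timestamp and the version of the cookie notice it was given under, and withdrawal is recorded the same way. When consent is absent or withdrawn, the code raises the window['ga-disable-<tracking id>'] flag that Google documents as the opt-out switch for analytics.js, so the library stays silent even if it is already on the page. The notice version, the category names, the localStorage layout and the tracking id are assumptions; memoryStore() is a constructed stand-in for localStorage so the flow also runs outside a browser.

```javascript
// Added example, not from the original article: load Google Analytics only
// after the user has opted in, keep a record of the decision, and honour a
// later opt-out. The policy version, the cookie categories, the storage
// layout and the tracking id are assumptions; the ga-disable flag is the
// opt-out switch documented by Google for analytics.js.
const CONSENT_VERSION = '2024-01';               // assumed: change whenever the cookie notice changes
const TRACKING_ID = 'UA-XXXXXXXX-Y';             // placeholder: your own property id
const CATEGORIES = ['analytics', 'advertising']; // non-essential categories offered to the user

// Persist the user's choice together with when and under which notice it was given.
function recordConsent(store, choices, now = new Date()) {
  const record = {
    version: CONSENT_VERSION,
    timestamp: now.toISOString(),
    choices: Object.fromEntries(CATEGORIES.map(c => [c, Boolean(choices[c])])),
  };
  store.setItem('consent', JSON.stringify(record));
  return record;
}

// A record given under an older notice version does not count as consent.
function readConsent(store) {
  const raw = store.getItem('consent');
  if (!raw) return null;
  const record = JSON.parse(raw);
  return record.version === CONSENT_VERSION ? record : null;
}

// Withdrawal is just a new record with every non-essential category refused.
function withdrawConsent(store, now = new Date()) {
  return recordConsent(store, {}, now);
}

// Apply the stored decision: load the tracker only with analytics consent,
// and otherwise raise the opt-out flag so analytics.js stays silent even if
// it is already on the page.
function applyConsent(win, loadAnalytics) {
  const record = readConsent(win.localStorage);
  const allowed = Boolean(record && record.choices.analytics);
  win['ga-disable-' + TRACKING_ID] = !allowed;
  if (allowed) loadAnalytics(win);
  return allowed;
}

// Minimal localStorage stand-in (constructed) so the flow can run outside a browser.
function memoryStore() {
  const items = new Map();
  return {
    getItem: key => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
  };
}
```

In a page, loadAnalytics would inject the analytics.js script tag and run the create/send commands; the cookie banner calls recordConsent() with the user's choices and then applyConsent(window, loadAnalytics), and the "withdraw consent" link calls withdrawConsent() followed by applyConsent() again. Bumping CONSENT_VERSION when the notice changes forces a fresh decision instead of silently reusing an old one.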
These steps will help you use Google Analytics in a GDPR-compliant way. GDPR is indeed a complex regulation, but not complying with it can lead to huge fines. It is therefore advised to take the necessary steps and make your use of Google Analytics GDPR compliant.