Google Analytics, the GDPR and ePrivacy: How webmasters are configuring Analytics in the face of the EU’s new regulations
One of the biggest concerns for webmasters following the GDPR coming into force on 25th May is how to ensure their essential third-party services comply with the new regulation.
While large organizations have access to legal advice and data protection officers, independent webmasters are often forced to fend for themselves in the face of a highly subjective regulation comprising 99 articles and compliance costs of up to £15 million per organization (and that’s just the compliance costs for the FTSE 100).
Moreover, its a regulation that threatens fines of up to 20 million EUR or 4 percent of annual turnover.
One of the main third-party services essential to most webmasters is Google Analytics, a popular web measurement platform developed by Google. The platform collects data on a website’s visitors and sets a range of first-party cookies on their devices.
The data collected includes the user’s IP address, country, city, network, browser, device, operating system, language, etc.
It also sets cookies that allow it to circumvent the stateless nature of HTTP and track users between sessions. The extent to which Google Analytics falls within the scope of the GDPR depends on an organization’s interpretation of the term “personal data.”
Under the GDPR, personal data includes a user’s IP address as well as any information that, when collated, could make that user identifiable.
In order to comply with the GDPR, webmasters are increasingly anonymizing IP addresses sent to Analytics’ servers. This step has been taken by organizations large and small, including some agencies that maintain a web presence on Europa.eu.
Webmasters are also configuring Analytics’ new data retention setting. This setting allows webmasters to specify how long non-aggregated data e.g. data on events and users, will remain on Google Analytics’ servers.
Any user or event data on Google Analytics’ servers that is older than the retention settings specified will be automatically deleted.
According to Brian Clifton, Google’s former Head of Web Analytics for Europe, the primary concern for webmasters utilizing Google Analytics should be whether they’ve enabled advertising features.
According to a blog post on his website, “If you use these Advertising features in [Google Analytics], you must request explicit consent. If you do not, then you don’t.”
A few days prior to the GDPR, Google Analytics also announced its user deletion API, which allows webmasters to delete user data associated with a user’s client or user ID (if enabled). A full overview of the new API can be read here.
While some online commentators have argued that as it’s against Google terms or service to collect personally identifiable information (PII) in Google Analytics and thus the platform is beyond the scope of the GDPR, it’s important to remember PII can make its way into Google Analytics without the knowledge of the average webmaster.
For example, many web forms process data using GET, which pushes data collected in the form into the URL upon submission. This URL can then make its way into Google Analytics reports and can contain PII on a user.
The extent to which web measurement platforms must reform to comply with the EU’s forthcoming ePrivacy regulation is still up in the air.
The ePrivacy Regulation — which will repeal the ePrivacy Directive – does however make specific reference to web measurement.
According to Article 8(d) of the ePrivacy proposal, “the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except… if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the [website] requested by the end-user.”
This was further clarified by amendment 89 of the ePrivacy proposal that, in place of “if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the [website] requested by the end-user,” states:
“If it is technically necessary for measuring the reach of [a website] requested by the user, provided that such measurement is carried out by the [website], or on behalf of the [website]…Where audience measuring takes place on behalf of a [website], the data collected shall be processed only for that [website] and shall be kept separate from the data collected in the course of audience measuring on behalf of other [websites].”
The ePrivacy proposal also states that the user must be given an opportunity to object; it is expected to be finalized by late 2018.