Google Analytics, GDPR and Consent
Brian Clifton
Author; Founder Verified-Data.com; Former Head of Web Analytics Google (EMEA); Data Privacy Expert; PhD; Specialising in enterprise Google Analytics, GTM, Consent Management; Piwik PRO.
I am going to assume you are aware of GDPR (who isn’t? And Facebook have successfully heightened the awareness in the US). You should also be aware that even though I have worked in the data industry for nearly 20 years(!), I am a strong privacy advocate. I approach the subject as an end-user would. Let’s face it, for many years now the data/tracking industry has a bad reputation in general…
In this post I address a key question that is troubling many a website owner using Google Analytics (the “Controller” in GDPR terminology): Is explicit consent required before I can track my visitors?
Visitor Consent For GDPR Compliance
Q: Do I have to gain explicit visitor consent before I can track my website visitors?
A: It depends…
From two new official Google documents:
-Policy requirements for Google Analytics Advertising Features: “If you’ve enabled any Google Analytics Advertising features, you are required to notify your visitors by disclosing the following information in your privacy policy”
-EU user consent policy: “You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and…”
What are the Google Analytics Advertising features?
These include Demographics and Interest Reports, Remarketing with GA and DCM Integration. The reasoning is that these features require the use of 3rd-party cookies i.e. the sharing of data with organisations other than the website being visited itself. Hence the privacy implications.
Summary of Google's Advice
If you use these Advertising features in GA, you must request explicit consent. If you do not, then you don’t.
BIG BUT…
There is a very large caveat to this – hence I don’t follow Google’s advice. The GDPR is specifically agnostic to the data tool and technology being used. That means gaining consent from your visitors must be based on what data your website collects and does with data – not what happens within Google Analytics.
So if a website has any other tracking technology embedded on its pages e.g. social share icons that also send tracking pixels to 3rd parties, consent would be required. That is the situation for the vast majority of websites - lots of embedded widgets and plugins with tracking pixels firing off to all sorts of places (3rd parties), where governance is potentially unknown.
Here is a classic example of the problem – a blog that uses the 3rd-party Disqus plugin for handling its comments and visitor engagement: The image is taken from the Chrome Developer Console, Network tab:
The image shows that when an article is loaded from the blog, data is sent to the 3rd-party Google Analytics account of Disqus. (Disqus could use any logging tool, even their own, it just happens to be Google Analytics in this case). Note the UA number: UA-1410476. If you view the source of discus.com, you will see the same UAID.
What is The Implication of This?
If I as a visitor go to the blog site in question running Disqus, then visit other unrelated sites that also use Disqus, ALL my visit data from these sites goes into to the Disqus log/account i.e. they have the ability to stitch together sessions from different websites I visit. Hence the privacy implications for the owner of the original blog website. Therefore, if such a website owner wanted to avoid having to implement tracking consent from its visitors, they would need to verify ALL the 3rd-party tracking pixels on their site and ensure that these match the GDPR requirements for non-consent. That is certainly possible, but not easy by a long shot and a nightmare to manage over time…!
Note, this is not a dig at Disqus. I use them only as an example to illustrate the point – that is, the website owner’s responsibility for obtaining consent goes way beyond what Google specifies for its tools and products.
COO of Engine Digital
6 年Great article Brian!! It's particularly instructive for someone like me - a non-expert in analytics, who is now wrestling with the implications of GDPR. One of the thornier issues related to Data Processing for me is the continuum of ownership. As a consultancy, the design and integration of the various systems will be our remit, but post-deployment addition of various tracking tools and services could muddy the waters of accountability. Do you have any rules of thumb for iterating compliance as it relates to data privacy, or will it be as some of your other threads suggest an audit function, much like finance???
Author; Founder Verified-Data.com; Former Head of Web Analytics Google (EMEA); Data Privacy Expert; PhD; Specialising in enterprise Google Analytics, GTM, Consent Management; Piwik PRO.
6 年Nice article Sergio - your comment: "a major issue will still need to resolved: there is strong pressure to require that analytics services are not performed by third parties" is what stands out for me. With so many tracking pixels now embedded within pages, it is practically impossible for an org to show/prove this is not happening. Better to ask for consent by *default* and be smart about how that is done... Its a fine balance between protection the user's privacy and annoying the hell out of them - but I am sure it can be done! BTW, I added another 3rd-party example of "hidden" tracking pixels - this one from Linkedin - just for balance (and more to come). If interested its part of the original post on brianclifton.com/blog
Co-founder and CEO at PrivacyCloud | Privacy Advisor at Empathy.co
6 年Great point on Disqus, Brian! Bottom line on Google is whether you can match sources at user level or not (as the threshold for consent). I did touch on it here: https://www.dhirubhai.net/pulse/digital-analytics-gdpr-compliance-sergio-maldonado - last note: I don’t think you want to use “explicit” in there (higher threshold, only required for special categories of data -9.2a gdpr, international transfers..) but rather “express” consent or even “basic” consent