Disclaimer: We are not lawyers, and this blog post is based on our own research and interpretation of the GDPR and the ePrivacy rules. There is no single authoritative interpretation of the GDPR, so you should seek a legal adviser who can confirm that your analytics setup keeps your business in compliance.
What is The GDPR?
The General Data Protection Regulation (GDPR) is a European Union data protection regulation designed to protect the personal data of individuals in the EU, and it comes into full effect on May 25, 2018.
It gives every individual in the EU control over how, and whether, their personal data is shared with online businesses. They have the right to ask what data an organisation holds on them (right of access) and to request that any part of it be deleted (right to erasure), at any time.
Do you need to worry about GDPR?
Quick fact: the GDPR does not only apply to Google Analytics, but to every tool you use to track your website visitors. Vendors such as Mixpanel, Google Analytics and Kissmetrics have added features (retention controls, data processing terms) to help their customers, but configuring and using them correctly remains your responsibility.
Any organisation found to be breaching the GDPR can be fined up to €20 million or 4% of its annual global turnover, whichever is higher. So if you have customers or website visitors from EU member countries, you should take the necessary actions before May 25th. If all of your customers reside outside Europe and you want to avoid any complications, the simplest way out is to block your website for EU territory. That, however, is hardly the smartest way to deal with things, is it?
What Google Analytics is doing about this
Google Analytics has emailed its users to raise GDPR awareness and has introduced a new data retention control. You can find it under Admin >> Property >> Tracking Info >> Data Retention.
You can then choose how long user-level and event-level data is kept: 14, 26, 38 or 50 months, or "do not automatically expire".
If you select 26 months, user-level and event-level data is deleted from the analytics servers 26 months after it was collected. Aggregated reports are not affected by this setting.
By turning on the "Reset on new activity" toggle, you ask Google Analytics to restart the retention clock every time a user visits the site. For example, if you select 26 months and a user starts a new session every month, that user's data is never deleted, because the expiry keeps moving forward. If, on the other hand, a user does not start a new session before the retention period expires, that user's data is deleted.
All that’s good, but what can I do about it?
I’m glad you asked! In the following, I’ve compiled a small survival kit. It includes all the actions and steps you need to take to make sure that your analytics is in compliance with The GDPR.
1. Analytics Audit
The Google Analytics terms of service prohibit sending personally identifiable information (names, email addresses, and so on) to Analytics, and under the GDPR any personal data you do collect needs a lawful basis and must be accounted for. Therefore it is necessary to audit your analytics data: check every custom dimension, event label, page URL and query-string parameter for personal data, and record what you hold on your customers and in what format it is stored. This also makes it far easier to answer a customer's access request if the need ever arises.
2. Update Privacy Policy
A privacy policy is what a customer would normally look for to verify if your business is GDPR compliant. If you don’t already have a privacy policy page and have no idea how to create one either, it would be best to consult an attorney regarding this.
3. Modify your sign up forms
If your business requires or includes signing up, be transparent about every piece of information you ask for. If you are asking for a client's email address, for example to send them newsletters, add a short note explaining that. And then make sure their email addresses are used for nothing other than that!
Another good tip is to include a checkbox at the bottom of any signup or email registration form asking whether the customer agrees to the company's terms and conditions and privacy policy. Leave it unchecked by default; a pre-ticked box does not count as consent.
4. Setup cookie consent
We know that Google Analytics uses cookies to store visitor information. After May 25, you need the user's permission before setting any cookie that is not strictly necessary for the site to work, and analytics cookies fall into that category. The analytics tracking code must therefore not fire until the user has consented, which means loading analytics.js and queuing the tracker commands only after the consent banner has been accepted, not merely hiding the banner while tracking runs in the background.
5. Organize your Data
Organising your data will save you a great deal of trouble in the long run, especially if you are a larger organisation. Under the GDPR, your customers can ask you, at any time, what information you hold on them and how you are using it, and you must be able to answer. If a customer asks you to delete their data, having it organised in advance makes the job a whole lot quicker and less messy.
6. IP Anonymization
Since an IP address counts as personal data under the GDPR, it is recommended that Google Analytics users enable IP anonymization. With it enabled, Analytics zeroes the last octet of an IPv4 address (and the last 80 bits of an IPv6 address) in memory before the hit is processed, so the full IP address is never written to disk. IP anonymization is enabled by setting the anonymizeIp field to true in the analytics tracking code, before the first hit is sent.
This is even easier if you are using Google Tag Manager. Open your Google Analytics Settings variable and go to More Settings >> Fields to Set, then add a field with the name anonymizeIp and the value true.
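Steps 4 and 6 above both come down to the same piece of page code: do not load analytics.js or queue any tracker command until the visitor has consented, and when you do, set anonymizeIp before the first hit. The following is an added example, not code from the original post or from Google; it assumes a consent cookie named analytics_consent holding "granted" or "denied" (set by your own consent banner), and uses a placeholder property ID.

```javascript
// Consent-gated analytics.js bootstrap with IP anonymization (added example).
// Assumptions, not from the post: the consent banner stores its answer in a
// cookie named "analytics_consent" with the value "granted" or "denied";
// the property ID below is a placeholder to be replaced with your own.
const GA_ID = 'UA-00000000-0';               // placeholder property ID
const CONSENT_COOKIE = 'analytics_consent';   // assumed cookie name
const ANALYTICS_SRC = 'https://www.google-analytics.com/analytics.js';

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Opt-in only: anything other than an explicit "granted" counts as no consent,
// so a missing cookie, a "denied" value or a typo all keep tracking off.
function hasAnalyticsConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'granted';
}

// The analytics.js commands to queue once consent exists. 'anonymizeIp' is
// set between 'create' and the first 'send', so no hit carries the full IP.
function buildTrackerCommands(gaId) {
  return [
    ['create', gaId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Insert the analytics.js <script> tag. The document is a parameter so the
// function can be exercised with a stub outside a browser.
function loadAnalyticsScript(doc, src = ANALYTICS_SRC) {
  const s = doc.createElement('script');
  s.async = true;
  s.src = src;
  doc.head.appendChild(s);
  return s;
}

// Entry point. Returns the commands that were queued, or [] when there is no
// consent, in which case neither the script nor any cookie is touched.
// `ga` is the analytics.js command queue (window.ga); `doc` is the document.
function initAnalytics(cookieString, ga, doc, gaId = GA_ID) {
  if (!hasAnalyticsConsent(cookieString)) return [];
  loadAnalyticsScript(doc);
  const cmds = buildTrackerCommands(gaId);
  for (const cmd of cmds) ga(...cmd);
  return cmds;
}

// Cookie the consent banner writes when the visitor clicks accept or decline.
// Default lifetime of 180 days is an assumption; pick what your policy states.
function consentCookieString(granted, maxAgeSeconds = 180 * 24 * 3600) {
  const v = granted ? 'granted' : 'denied';
  return `${CONSENT_COOKIE}=${v}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax`;
}

// Browser wiring: define the command-queue stub analytics.js expects, then
// gate everything on the stored consent. Skipped when run under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.ga = window.ga || function () {
    (window.ga.q = window.ga.q || []).push(arguments);
  };
  initAnalytics(document.cookie, window.ga, document);
  // After the banner's accept button runs
  //   document.cookie = consentCookieString(true);
  // call initAnalytics(document.cookie, window.ga, document) again.
}
```

The point of the gate is that a visitor who has not consented never fetches analytics.js at all, so no _ga cookie is set and no hit leaves the browser; hiding the banner while the tracker keeps running would not satisfy step 4. The consent cookie itself is the one cookie you may set without asking, since it is strictly necessary to honour the visitor's choice.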
Conclusion
Because this article focused primarily on analytics, I can't promise that the same steps will suffice for every business. If your company falls into a different category, you may need to consult a legal adviser. Do let us know what steps you are taking to become GDPR compliant in the comments below!