Google Analytics and GDPR
What does GDPR mean for Google Analytics?
With Google Analytics (GA), Google collects a wealth of information about each visit to a website, so that you can analyze and measure the number of visits, what visitors do, where they click, and so on.
Among other things, Google records which browser and which device you use and roughly where in Norway you are, but it does not collect personal information to a degree that lets someone trace who you are.
Under the GDPR, a visitor's IP address counts as personal data. GA uses it only to derive the visitor's approximate location; the address itself is not visible to anyone with access to the reports in GA.
Anonymization of IP addresses
In GA (the analytics.js library) you can add the line
ga('set', 'anonymizeIp', true);
to the tracking snippet, after the tracker has been created and before the first pageview is sent. With this setting Google masks the IP address in memory as soon as it is received, before anything is stored: for IPv4 the last octet is set to zero, for IPv6 the last 80 bits. Only the approximate location derived from the truncated address is registered with the visit, and the full address is not stored by Google or available to anyone afterwards. Note that masking is not the same as not collecting: the full address still reaches Google's servers in the request, and a truncated IPv4 address still points to a network of 256 addresses. (In Google Analytics 4 IP addresses are never logged or stored, so this setting matters for Universal Analytics only.)
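To make concrete how much of an address survives the masking, here is an added example (written for this article, not code from Google or from the original page) that reimplements the truncation rule Google documents for anonymizeIp. The function names, the placeholder property ID in the comments and the sample addresses (documentation ranges) are this example's own assumptions.

```javascript
// Added example: reimplementation of the truncation analytics.js applies when
// anonymizeIp is true, so the effect can be inspected offline.
// Documented rule: IPv4 -> last octet zeroed; IPv6 -> last 80 bits zeroed.
// Function names and sample addresses are this example's own choices.

// For reference, the order in the analytics.js snippet (not executed here;
// UA-XXXXX-Y is a placeholder property ID):
//   ga('create', 'UA-XXXXX-Y', 'auto');
//   ga('set', 'anonymizeIp', true);   // must come before the first 'send'
//   ga('send', 'pageview');

function maskIpv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`not an IPv4 address: ${ip}`);
  parts[3] = '0'; // zero the last octet: 203.0.113.45 -> 203.0.113.0
  return parts.join('.');
}

// Expand an IPv6 address to its eight 16-bit groups (handles one "::").
function ipv6Groups(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not an IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  return groups.map(g => parseInt(g, 16));
}

function maskIpv6(ip) {
  const groups = ipv6Groups(ip);
  // 80 bits = five 16-bit groups zeroed; the first 48 bits (three groups) survive.
  const kept = groups.slice(0, 3).map(g => g.toString(16));
  return `${kept.join(':')}::`; // zeroed tail written in compressed form
}

function maskIp(ip) {
  return ip.includes(':') ? maskIpv6(ip) : maskIpv4(ip);
}

// Number of addresses that share one masked value, i.e. how much the
// truncation actually hides: 2^8 for IPv4, 2^80 for IPv6.
function addressesHidden(ip) {
  return ip.includes(':') ? 2 ** 80 : 2 ** 8;
}

// Constructed sample addresses (documentation ranges, not real visitors).
console.log(maskIp('203.0.113.45'));                 // 203.0.113.0
console.log(maskIp('2001:db8:85a3::8a2e:370:7334')); // 2001:db8:85a3::
```

The point the numbers make: a masked IPv4 address still narrows a visitor down to one of 256 addresses, which is usually a single household ISP block or a small company, so masking reduces identifiability but is not the same as discarding the data.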
You are responsible for personal information in Google Analytics
In GA, Google acts as a processor of the personal data handled in the service, while you are the controller, since you decide what data is sent to GA.
The data processing terms are available for acceptance in GA under Admin → Account Settings.
There you can see that you carry the main responsibility for the processing of personal information in GA. To be GDPR compliant you must have control over what information you process, drop what you do not need, and take measures to anonymize the rest.
How to collect consent?
The simplest position on consent, and what Google requires in the GA Terms of Service anyway, is that you do not send any personally identifiable information about your visitors to GA at all.
While Google collects consent for the collection of user data on its own services such as Gmail and YouTube, it leaves much of the burden on third-party publishers and advertisers to obtain the consent it needs to keep collecting information for targeted ads.
Here, then, you need consent from each customer, so that you only serve targeted advertising to those who have actually approved it.
Access control also matters. Review who has access to the GA account, and make sure that everyone with access knows the GDPR and understands why personal information for which no consent has been given must not be processed.
What information should be given to the customer?
Customers must be told what the various pieces of information are used for, even if they are anonymised. It is not enough to write: "This information is used to give you a better experience on our site".
You must have specific, justified purposes for collecting information.
It is also important not to store information longer than necessary. This is a GDPR requirement, and it means that companies should not keep information about customers just because they may one day need it.
GDPR and long URLs
Long URLs can be a problem in reporting. For example, a form on the website may send its answers as query parameters, so that the reported page URL contains personal information without you being aware of it. Example:
minside.no/skjema?gender=mann&alder=24&firma=Utheve&sted=Trondheim
Here the form link contains information that can be used to identify a person. It is better to have a link that only says minside.no/skjema.
GA records the full page path including the query string by default, and a combination of several such pieces of personal information can eventually identify a person, which puts you in breach of the GDPR.
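One way to enforce this on the client side, as an added example that is not part of the original article: strip the query parameters from the page path before the pageview is sent, so the form URL above is reported as /skjema. The analytics.js 'page' field is the documented way to override the reported path; the allowlist of parameter names, the function names and the sample URL are this example's own assumptions.

```javascript
// Added example (not from the original article): report a page path with
// personal data removed, instead of the raw URL with the visitor's gender,
// age, company and town. Allowlist and helper names are this example's own.

// Query parameters that are safe to keep in reports (assumed allowlist;
// everything else is dropped). An allowlist is safer than a denylist because
// a newly added form field cannot leak by default.
const ALLOWED_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign', 'side']);

// Returns the path (plus allowed query parameters) to report for a URL.
function reportablePath(fullUrl, allowed = ALLOWED_PARAMS) {
  const url = new URL(fullUrl);
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (allowed.has(name.toLowerCase())) kept.append(name, value);
  }
  const query = kept.toString();
  // The fragment (#...) is never sent by analytics.js and is dropped here too.
  return url.pathname + (query ? `?${query}` : '');
}

// Names of the parameters that were removed, useful for auditing which
// forms on the site would have leaked data into reports.
function droppedParams(fullUrl, allowed = ALLOWED_PARAMS) {
  const url = new URL(fullUrl);
  return [...url.searchParams.keys()].filter(n => !allowed.has(n.toLowerCase()));
}

// Constructed sample URL, taken from the article's example.
const SAMPLE = 'https://minside.no/skjema?gender=mann&alder=24&firma=Utheve&sted=Trondheim';

console.log(reportablePath(SAMPLE)); // /skjema
console.log(droppedParams(SAMPLE));  // [ 'gender', 'alder', 'firma', 'sted' ]

// How it would be wired into the analytics.js snippet (not executed here):
//   ga('set', 'page', reportablePath(window.location.href));
//   ga('send', 'pageview');
```

GA also has a view-level setting, Exclude URL Query Parameters, that removes named parameters from reports. That setting acts after collection, so the parameters still reach Google in the request; stripping them in the browser before the hit is sent is the stronger option, and changing the form to POST instead of GET removes them from the URL altogether.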
How long can information be stored in Google Analytics?
It is also important to know how long data is stored in GA. Under Admin → Property → Tracking Info → Data Retention you choose how long user-level and event-level data (the data tied to cookies and user identifiers) is kept before it is deleted automatically. The options are:
- 14 months
- 26 months
- 38 months
- 50 months
- Do not automatically expire
The setting does not affect the aggregated standard reports, only the data behind custom reports, segments and similar analysis. There is also a switch that resets the retention period every time the user is active again, which in practice extends how long a returning visitor's data is kept.
Here you have to map out what the information is used for, how long you need it and why you need such data stored for so long.
If you do not need to analyze and compare data more than a year back, there is no point in keeping it for 26 months just because you may one day need it.
Summary
If you use GA to collect a lot of personal information, you must have very good reasons for doing so, and you should have good routines for retrieving and deleting that information when customers ask for it.
The simplest, as mentioned, is not to store personal information at all, and only use non-identifiable information to analyze customers' use of your website. That way you know you are GDPR compliant.
NB: This is our interpretation of the law as it stands at this time, not a conclusion on how to comply with it. For legal advice, we recommend contacting a lawyer.