Making analytics account GDPR compliant
To begin with, Google analytics has incorporated some additional features on its dashboard, which should be utilized effectively. Techniques to comply with GDPR policies are enumerated below:
Data Minimization
- Collect, store and use only that personal data which is essential and relevant for the specified purpose. As a thumb rule, minimum possible personal data required should be asked for.
- Refrain from asking unnecessary personal information. Eg. ‘marital status’, ‘gender’, ‘first name’, ‘last name’ etc. to be asked only if in health/fitness industry. Phone number to be asked only on the checkout pages.
Auditing the past analytics database
- Check and rectify unnecessary personal data previously collected & shared with third party websites (Salesforce, adwords, Facebook).
- Scan data layer hardcoded on the website and delete personal data like IP address, email address, gender, name and browsing history. All databases, CRM’s and shopping carts should be scanned.
Advertising reporting /remarketing
This feature of google analytics should not be enabled unless required. When enabled, visitors should be notified about the same. The privacy policy should include :
- Google analytics advertising features have been implemented.
- How you & third party vendors use cookies?
- How users can opt out from the advertising feature?
User & event data retention
This feature of google analytics allows setting the time for which Google Analytics retains user specific data (i.e. data associated with cookies, user identifiers, or advertising identifiers) for an inactive website user, before automatically deleting it. You should change your data retention settings else you can lose your advanced segments.
- Time limits are allowed are:- 14 months, 26 months, 38 months, 50 months or ‘’Do not automatically expire’.
- User specific data is deleted automatically on a monthly basis ,unless the retention period specifies ‘do not automatically expire’
Reset ON new activity
- When ‘on’ :-The retention period of the website users’ data will be renewed (i.e extended) with each new event from that user.
- When ‘off’:- The retention period of the website users’ data will not be renewed (i.e extended) with each new event from that user.
IP Anonymization
- IP address is classified as personal data under GDPR.
- Website user’s IP address is tracked by Google analytics to report geolocation data.
- When this feature is enabled, Google analytics (depending on the technical feasibility) anonymizes website user’s IP address at the earliest possible stage of the collection network.
- The IP anonymization feature in Analytics sets the last octet of IPv4 user’s IP addresses and the last 80 bits of IPv6 addresses to zeros in memory, shortly after being sent to the analytics collection network. The complete IP address never gets written to disk in such a scenario.
- This feature can be enabled by adding a new field name ‘anonymizeIP’ with a value of ‘true’ in the settings variable of the google analytics.
Data Sharing Settings
Use only settings which are required
- Google products & services: Turn off, if google products (other than GA) like: Google Adwords, Google Optimize etc. are not being used.
- Benchmarking: Turn off, if the analytics data is not to be shared with third parties. The data is shared in aggregate and anonymous form.
- Technical support: Turn off if Google support representatives are not to be given access to Google Analytics data to fix technical issues, unless you are using Analytics 360.
To conclude, despite its complexities, GDPR compliance is attainable if necessary steps as illustrated above are made at the organizational level. Take note that the steps may be applied to other digital analytics and marketing vendors, and not just google analytics.