The General Data Protection Regulation (GDPR) is right around the corner. As a professional online marketeer your are probably already pretty familiar with the major aspects of the upcoming law. It is clear this will have a massive impact on the way many agencies work and process user data. However, it is not so clear what this means for tools you use on a daily basis, especially Google Analytics, by far the tool of preference in website analytics. Cookie policies will have to be reviewed as well.
Quick recap: what is GDPR?
As from 25 May 2018, a new law in the European Union will apply to better protect the privacy of EU citizens. When we list the major topics it is clear that Europe is serious about privacy to say the least. Although laws for privacy protection have been around for years, the GDPR takes this to a new level. Adopted by the EU in April 2016, it will replace the existing EU Data Protection Directive 95/46/EC. Given the recent scandals around leaked data from Facebook, influence of foreign states in the Brexit referendum, the American presidential election and Cambridge Analytica, don’t be surprised the GDPR will be a blueprint for future legislation around the world. The major topics are:
- Protection of personal data of EU citizens
- Measures against hackers and dataleaks
- Procedures for the collection and storage of personal data
- Ask for permission to collect and uses personal data
- The individual has the right to be ‘forgotten’
- National authorities can give fines (up to 4% of global annual turnover or a maximum of 20 million Euros)
- Data leaks have to be reported within 72 hours
- Large organisations must appoint a Data Protection Officer (DPO)
What is definitely not allowed anymore?
Direct marketeers will certainly have been scratching their heads the last few months. Up until now it was not unusual for companies to buy or sell personal e-mailaddresses that had been obtained through a number of ways. Under GDPR, this will be a no-go unless you comply with a clear set of rules. What will still be allowed: sending newsletters, promotions and offers to generic or anonymized e-mail recipients. To illustrate this: you will need clear and indisputable permission from John Doe to send a newsletter to email@example.com but you can still perfectly send promotional offers to firstname.lastname@example.org or email@example.com.
Consent of the end-user will thus be key to be compliant. But for those working in the online industry, things are not so clear-cut.
So, I can continue to use Google Analytics under GDPR like I always have?
Therefore, it’s a good practice to build in some failsafes.
A clear and comprehensive explanation what data you collect and for what purposes was already mandatory but under the new regulation things wil be tightened further. Tell the visitor what kind of cookies you uses and why. The majority of cookies can roughly be divided into three or four categories:
- Performance cookies: These cookies collect information about how visitors use the website, for instance which pages visitors go to or how much time they spend on the website. Google Analytics falls under this category but also other SEO tools like Hotjar, Google AdWords, Bing, etc…
- Functionality cookies: Often used for the aforementioned category to indicate you use tools for Search Engine Optimization or remarketing.
- Third-party cookies: Although every cookie other that your own is ‘third party’, this category mainly contains cookies from social media platforms like Facebook, Twitter, LinkedIn etc…
It’s a good idea to provide your visitor with some additional information how he can delete cookies in his browser:
- Cookie settings in Internet Explorer and Edge
- Cookie settings in Firefox
- Cookie settings in Chrome
- Cookie settings in Safari web and iOS.
2. Anonymize the traffic that Google Analytics collects
Although Google Analytics has been using IP anonymization since 2010 and although an IP address cannot be linked to a specific person, it is a possibility to build profiles and to individualize visitors. It is not completely clear if this falls under GDPR but it won’t hurt to think ahead. Fortunately, this can be rectified rapidly.
Anonymize IP in Google Analytics tracking code:
By adding a simple line of code to your snippet, Google Analytics will anonmyize the IP addresses of your visitors.
ga('set', 'anonymizeIp', true);
Anonymize IP in Google Tag Manager:
If you use Google Tag Manager, you don’t even need to hardcode anything. Simply go to the list of your tags, under ‘More Settings’, select ‘Fields to Set’, add a field with Field Name ‘anonymizeIp’ and value set to ‘true’.
You have to do this on all of your tags, not just the GA pageview tag. This is because GTM creates a unique tracker for each tag.
3. Disable Data Sharing
On the account level, select ‘Account Settings’. Untick the options:
4. Think ahead
The major players like Google or Facebook will most likely have their homework cut out but laws have a tendency to change over time. E-privacy reforms are already on the table, with browsers warning you when a website tries to place cookies. So you might want to start thinking about procedures on your site where visitors can choose to disable certain cookies if they want to.