working pattern internet abstract

GDPR Friendly Implementation of Google Analytics

If you haven’t dove head first into the ever-changing world of data regulations, data compliance, and general data management you might be feeling a little overwhelmed when it comes to confidently tracking any kind of insights or analytics on your user’s behavior or interactions with your digital platforms.

My anxiety started to accruing at a higher rate through some recent discussions around cookie and consent management so I embarked on a crusade to make sure I had my facts separated from my assumptions.

First off, kudos to Blast Analytics for this post as I’ve come back to it several times and followed their references to get more information where needed.

Regulating Data Collection

Before we get into implementing anything, I think it’s smart to start with a quick summary. As of right now, there are two main sets of laws that provide fairly strict guidance on data collection, GDPR and CCPA. That being said, more countries, states, space colonies, etc. are starting to come up with their own sets of rules and regulations so it’s always worth looking in to who is most critical in terms of requirements.

Most of these regulations are focused on managing the collection, sharing, and use of personally identifiable information aka PII. As a general statement,these regulations support a broader philosophy/belief that you shouldn’t be able to profile information around an individual without their consent and you definitely shouldn’t be able to share the information with other people or businesses.

GDPR specifically requires any entity who is collecting data to be able to provide users with all of the data they have for the individual, explain how it is used or shared and then to be able to delete or edit that data.

Resource: IAB EU has rolled out their own guiding principles for transparency and consent that I think are worth looking through to better understand what the philosophical piece really means in practice.

Opinion: If you’re trying to understand trends in user behavior and engagement with your site or app, you don’t really need to be collecting PII. In my experience working with a broad range of businesses from various industries, I see most of them collecting too much data, the wrong data, or almost no data at all. It’s still very rare to see a business or team with a very intentional approach to measurement and analysis and I’d like to see that change, quickly.

All that being said, let’s dive in to a basic Google Analytics setup you can fire on all pages for all users without (currently) getting in trouble.

Google Analytics Settings

This post is based on my own research on a very rapidly changing subject. This information should help you find the direction you want to go in but you should absolutely consult with legal consult on your terms/policy as well as the implementation itself.

What you need to think about when it comes to Google Analytics or any other analytics platforms is

A. Whether or not you are collecting PII or information that can be used to profile or target a user.

B. If the data collected is shared with any other services that might use it to target or profile the user.

Note: It’s worth calling out the difference between “not allowed ever” and “not allowed without consent”. For this specific post, I’m focused on a safe way to track all users by default so you don’t lose behavioral trend data bout how your site is used. At some point I will come back and add a post about how/when to capture consent and how to fire the features/cookies based on user consent.

We’ll start with anonymizing data in GA since that is easiest. By default, Google Analytics is pretty good about not collecting anything you would need to worry about. Because of that, there are just a few things you need to adjust/check for at the basic settings level (assuming default GA setup).

Start by navigating to the Account Settings section by clicking on the gear on the very bottom of the far left navigation. Account level settings are the column you will see on the far left of the three column layout that should have opened for you.

If you scroll down you’ll immediately see a section dedicated to “Data Sharing Settings”. The safest option is to not share the data at all but I am still planning to follow up with some of my Google Contacts to see if sharing with technical support or for broader benchmarking purposes is still allowed.

If you scroll down a little further there is a Data Processing Amendment specifically focused on making sure your data processing is regulated in a way that complies with GDPR and CCPA and/or absolving Google from responsibility if you connect your data to another service that violates the requirements of those regulations.

Now you should navigate to your Property level settings in the admin section of Google Analytics. Start with the gear on the bottom of the very left side nav bar and you will see three columns for Account > Property > View.

In the property column, click on “Tracking Info” to expand your options and then select “Data Collection”. This screen gives you options to activate and allow data collection and remarketing abilities with Google Ads and, as I mentioned earlier, sharing that data isn’t allowed so you will want to make sure these are toggled off.

The next thing you need to do is anonymize any IP Adress that you collect. The official Google support documentation I linked shows you how to do it at the code level but the much easier way is to update your Analytics Setting variable in Google Tag Manager.

When you open up your variable you have two quick updates to make.

1.Update the Cookie Domain field to anonymizeIp

2. Create a field name for anonymizeIp and set the value to true

It should look like this and then you’ll obviously need to push those updates to the container before they actually make anything happen. Not that I would forget to publish changes or anything…..

Wrap Things Up

Before you do you’re victory dance I want to summarize what we actually accomplished and what is still remaining.

Accomplishments

  • We’re not collecting any personal information that can be tracked back to a specific user.
  • We’re not sending behavioral information to any Google services that may use that data for ad targeting, profiling, etc.
  • We are now (theoretically) able to continue to fire Google Analytics for all users and get a more accurate reading on total traffic basic behavioral trends in relation to how users get to your site and what they do once they are there.
  • If this is the only place you store user data, you don’t have a need or even the ability to adhere to personal data requests. In other words, if a user asked to see all o the data you had on them with an explanation of how it was being used, there’s no way you could find that data and you can confirm it is not being shared.

What’s left

  • Google Analytics is probably just one data tracking tool using cookies to gather user information. This solution doesn’t solve for other ad cookies, retargeting pixels, or even custom features on sites that use content engagement or history to profile and/or target users.
  • Pending on the type of business or site you run, turning off data sharing and moving towards more restricted tracking likely means your paid campaigns, marketing automation systems, and even product insights/analysis efforts are going to be slowed. Less users who can see tests you may be running, less users offering data used for ad revelancy that earn higher CPMs, slower building of remarketing audiences in general. We’ll need to explore manually triggering the features and tools that need this data based on consent.
  • If you use other tools for insights, relationship management, customer data, etc. You will need to go through a similar process to make sure you’re following the regulations that are in place.

I plan to dig further into basic third party tags/features like remarketing pixels and at least confirm my assumptions that they shouldn’t fire without confirming consent. To give you a preview, I have an implementation set up now where we’re checking the data layer to see if the user has accepted cookies with a simple cookiepolicyaccepted:true value assigned via…. wait for it ……. a cookie. I’ll use that check as part of my trigger logic for all of the other tags that require those conditions to fire.

Additionally, if you have registration or sign up forms set up as conversion points on your site, you should include your own data usage and cookie policy as part of their opt in AND make sure you’re storing that record somewhere where it won’t expire/disappear. This way, those events can open the gates for more actionable data based on the user’s interest/willingness to engage with you and you can use it to improve their experience or add value to them in some way.