Google Analytics – Simple GDPR checklist

GDPR, aka the General Data Protection Regulation, is the trendiest scary word of 2018. Everybody knows that there is a lot to do, and that there are huge fines for anyone who is not compliant. But there are still a lot of question marks: what exactly should be done? How will the GDPR regulation work? What if my company is not in the EU, will GDPR impact me? We’ve tried to keep it simple and make a checklist of what you really must do to be compliant with your Google Analytics.

  1. Audit Your Data 

    1. Check your Page URLs, Titles, and other data to make sure no personal data is stored. An easy example of “forbidden” data is a captured Page URL that contains an “email=blabla” parameter. You shouldn’t have any personal data stored in your logs without explicit user consent (a form).
    2. Apropos forms, make sure that no data from the forms goes to Google Analytics as a page title, URL parameter or anything else. The user gave the details to you, which means no other service should access them.
    3. Also, building filters for the data (via Google Analytics filters) is not enough; you need to do it at the code level so the data is not sent to GA in the first place.
  2. IP Anonymization

    Yes, an IP address is personal data too. Although there is nothing you can do with it, GA uses it to improve geo-targeting. Well, from now on Google should do it without this little help. To be on the safe side, turn on the IP Anonymization feature in Google Analytics. If you use Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.

  3. Check your Identifiers collection (hashed Emails, User IDs)

    • User ID — It should be a number; make sure your unique ID doesn’t pass any meaningful data.
    • Transaction IDs — Technically, this is a pseudonymous identifier since when linked with another data source, it can lead to the identification of an individual. This ID should always be an alphanumeric database identifier.

    Under both GDPR and the Google Analytics Terms of Service, this appears to be an acceptable practice. But this is where you are advised to ensure that your Privacy Policy is updated to reflect this data collection and its purpose, as well as to gain explicit consent (via opt-in) from your users. In both cases, the language used needs to be clear (no technical or legal terms) and answer the questions “what data is collected?” and “how will it be used?”

  4. How is GDPR changing the privacy policy?

    The only change required is to explain the policy in a clear and understandable way. You can ask who defines “clear”, and you are right. The best practice is to remember that end users are not lawyers (most of them), so it should be pretty easy for them to understand the following:

    • What information is being collected?
    • Who is collecting it?
    • How is it collected?
    • Why is it being collected?
    • How will it be used?
    • Who will it be shared with?
    • What will be the effect of this on the individuals concerned?
    • Is the intended use likely to cause individuals to object or complain?
  5. Let it go! (Opt In/Out Capability)

    One of the big concerns is: where do I ask the user? As we don’t want to ruin UX, what makes it easy for both the company and the end user? The most common practice is to show an overlay popup on the page that asks the user for permission; once it is granted, the page either reloads or the Google Analytics scripts (and other marketing technologies) proceed to execute.
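
The code-level scrubbing from item 1, the ‘anonymizeIp’ field from item 2 and the opt-in gate from item 5 can be combined in one place before a hit is built. The following is an added example, not code from the original post: the function names, the list of query keys and the sample URL are assumptions, and the field names `location`, `page` and `title` assume an analytics.js-style tracker.

```javascript
// Added example; PII_KEYS, scrubText, scrubUrl and buildPageview are hypothetical names.
// Query keys treated as personal data (constructed list; extend it for your own forms).
const PII_KEYS = new Set(['email', 'mail', 'name', 'firstname', 'lastname', 'phone', 'address']);
// E-mail-like token, with a literal "@" or its percent-encoded form "%40".
const EMAIL_RE = /[^\s\/?&=#@]+(?:@|%40)[^\s\/?&=#@]+\.[a-z]{2,}/gi;

// Used for page titles, path segments and query values.
function scrubText(text) {
  return text.replace(EMAIL_RE, 'REDACTED');
}

function scrubUrl(href) {
  const url = new URL(href);
  const kept = [];
  for (const [key, value] of url.searchParams) {
    if (PII_KEYS.has(key.toLowerCase())) continue; // drop the whole parameter
    kept.push([key, scrubText(value)]);            // keep it, minus e-mail-like values
  }
  const query = new URLSearchParams(kept).toString();
  // The fragment (#...) is dropped entirely.
  const page = scrubText(url.pathname) + (query ? '?' + query : '');
  // Both fields are overridden: the tracker would otherwise report the raw URL.
  return { location: url.origin + page, page };
}

// Returns the fields for one pageview hit, or null when the visitor has not opted in.
function buildPageview(href, title, consentGranted) {
  if (!consentGranted) return null;
  const { location, page } = scrubUrl(href);
  return { hitType: 'pageview', location, page, title: scrubText(title), anonymizeIp: true };
}

// Constructed sample input: an e-mail in the path, in a known key and in a free-text value.
const SAMPLE_URL = 'https://shop.example/user/jane%40example.com/thanks' +
  '?email=jane%40example.com&q=bob@example.org&utm_source=news';
const sample = buildPageview(SAMPLE_URL, 'Thanks, jane@example.com', true);
console.log(sample);
// In the browser the object would be handed to the tracker,
// e.g. ga('send', sample) with analytics.js (assumed setup).
```

A pattern like `EMAIL_RE` only catches what it recognises, so the audit in item 1 is still needed to find site-specific parameters that belong in `PII_KEYS`.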