Google Analytics is one of the most popular ways to keep track of and analyze the traffic on your website. It’s also free and pretty powerful, so it’s no wonder so many people use it.
The GDPR initiative is a new set of privacy laws in the European Union, which is a collection of 28 member states in and near Europe.
It might seem like the laws of European countries shouldn’t affect you and your American website much. But if your website is available in those countries (if it’s online, then it is), and you market or sell anything in the EU, you need to obey their laws too. No big deal if your website doesn’t harvest personal information, these are privacy laws after all.
But it is a big deal.
Your analytics tracker probably DOES the kind of information gathering that these laws are about. And Google Analytics, which is probably what you use, is available for use in Europe. So, as you can guess, there will be some changes when these laws come into effect. Which is soon. May 25th of 2018 to be exact.
The easiest way to avoid being hit with the heavy fines that come with violations is to become compliant, just in case. The rules are easy enough to comply with. Plus they foster a good relationship with your users, because they are basically built around trust and respect.
Geographical Factors
One thing to know is that the rules of the GDPR do apply within the EU, and not outside of it. So a person could be a citizen of an EU state, but physically outside the territory covered by these laws when visiting your site, and the law would not apply. But for any internet user within the covered territories, these laws must be obeyed.
Whenever someone visits a website that uses Google Analytics, Google tracks that visit via the users’ IP address in order to determine the user’s approximate geographic location. Under GPR, IP addresses are considered private information, and not to be collected behind the scenes (the way that Google Analytics does it). The solution is turning on IP anonymization inside Google Analytics, which does require a code change to enable.
Commerce is not all that matters
You don’t have to sell anything in the EU for GDPR laws to affect you. If any “personal data” is gathered from users in the European Union, then these laws are in effect and there can be consequences to breaking them. AS LONG AS the user’s information was not gathered as part of a generic information gathering system. The pertinent detail is whether users in the EU were in any way targeted by the information gathering system. Some hints would be if they mention EU locations, accept local currencies, or have a country specific URL.
A Forbes article explains: “For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then it would be considered targeted marketing and the GDPR will apply.”
What is “personal data”? In the US we usually call it PII or Personally Identifiable Information, and collecting it is against the Google Analytics Terms of Service. Unfortunately, that DOES NOT mean that your site isn’t collecting this kind of personal data. Now is a good time to audit your data to be sure you aren’t collecting PII through any means.
GDPR and Informed Consent
It’s standard in the US for a pre-checked box to agree to long “terms and conditions” for you. Behind the link is a messy blur of the ways your information may be stored, shared, sold or used. Affected sites will now have to receive “freely given, specific, informed, and unambiguous” consent for all potential data uses. What you’re agreeing to has to be clear. Inaction (like failing to select “opt out”) or default agreement will no longer work.
Once user data is gathered, they still have the “right to be forgotten”, which means their data must be removed if they withdraw consent. Google has announced their support for User ID/Client ID data deletion and will make that available soon. For now, delete users who request it directly in your CRM.
Now is the time to double check that your privacy policy is updated, complete, transparent, jargon-free. There has to be an active opt-in giving consent for your policies, as well as a way to opt-out later.
To read more about the GDPR and what it encompasses, visit www.eugdpr.org. Although the GDPR is not US law, legislation is currently in Congress in response to the Facebook/Cambridge Analytics controversy. This may bring similar changes to the USA. It’s not yet clear whether that legislation will pass.
For more about adjusting your Analytics settings for compliance, visit 5 Actionable Steps to GDPR Compliance for Google Analytics.
For more guidance on this and other internet or app related topics, contact D-Kode Tech today at 925.336.0000.
