You may have received an email from Google recently regarding updates about the General Data Protection Regulation (GDPR) and data retention controls on their Google Analytics platform. They have told their customers that they need to “review these data retention settings and modify as needed” before May 25th when GDPR becomes enforced. This is part of Google putting the requirement on others and not themselves.
The great thing about this is that Google is now giving us the necessary tools to adjust this, but most of us still have no idea what any of this means. We dive deeper.
What is GDPR and Why Should I Care?
The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy regulation that puts the customer/individual in control and it goes into full effect on May 25, 2018. The purpose is to consolidate privacy regulations across the EU. How does this affect anyone within Australia?
From 25 May 2018 Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.
If you are not yet familiar with the details of GDPR and why you should be taking action for readiness ahead of the May deadline, read the following article by the Office of the Australian Information Commissioner: Australian businesses and the EU General Data Protection Regulation.
Google Analytics: Your Data Processor
Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organisation is the Data Controller since you control which data is sent to Google Analytics.
With Google as your Data Processor, they have obligations to conform to the GDPR. According to Google’s own Privacy Compliance website, they are “working hard to prepare for the General Data Protection Regulation.” As part of being a Data Processor, Google must provide a data processing agreement that you’ll need to accept. The Google Analytics Data Retention controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers.
As a comparison, Adobe Analytics is working on the same GDPR readiness.
When Does GDPR Apply?
A financial transaction isn’t necessary for the GDPR to apply. A non-EU-based business must comply with the GDPR if it collects or processes personal data of any EU resident (EU citizenship is not required).
Under GDPR, personal data is defined as information that can be used to identify someone, directly or indirectly. This includes IP address, cookies, location data, name, and email address.
GDPR may require significant changes in how a company discloses and obtains consent to collect personal data. Read our blog about how Google collects user data.
Rights to Data
Under GDPR, individuals have greater control over how their personal information is collected, stored, and used. Individuals have a right to access their data, which means the right to know where, why, and how their data is processed. This includes the right to request a report to access their data. Additionally, individuals have a right to be forgotten, which means their data can be deleted.
Organisations have a duty to report certain types of data breaches to the relevant supervisory authority within 72 hours, unless the breach is harmless and poses no risk to the individual. If a breach is concluded to be high risk, the company must also inform the individuals impacted.
Appointment of Data Protection Officer
In some cases, companies must appoint a data protection officer. This is required when:
- an entity regularly monitors sensitive personal information (e.g., race, genetic data, etc.),
- an entity regularly monitors personal data on a large scale, or
- an entity is a public authority.
Information of Children
Under GDPR, a company may not collect personal data of anyone under 16 without parental consent. Implement a process to verify age and to obtain parental consent when necessary.
Takeaway: Under GDPR, companies must ensure that they have clear policies in place to maintain compliance.
How Does GDPR Impact Non-EU Companies?
Many businesses ask whether compliance is necessary for companies outside of the EU, such as those in Australia. Non-EU companies must comply with GDPR if:
- they collect or process personal data of any EU resident, or
- the company’s activities relate to offering goods or services to EU citizens, regardless of whether payment is required.
This compliance is mandated for any EU resident, regardless of EU citizenship. Even an Australian citizen who’s only temporarily located in the EU is protected by GDPR.
Remember that a financial transaction isn’t necessary for the GDPR to apply. Any non-EU-based business must comply with the GDPR if it collects or processes personal data.
Takeaway: All companies must obtain explicit consent from the data subject, including non-EU companies. Simply being located outside of the EU doesn’t relieve a company of compliance.
GDPR Compliance Action Plan
1. Audit Your Data and Implement GDPR Compliance Strategy
Hopefully this doesn’t come as a surprise, but collecting Personally Identifiable Information (PII) is against the Google Analytics Terms of Service.
This is true both of Google Analytics Standard and the paid Google Analytics 360 solution. Whether you are confident or not, now is the time to audit your data collection to ensure that you are not transmitting PII.
First, conduct an audit of your website.
- Determine what data you hold, where it came from, and whom you share it with.
- Determine what information you have pertaining to existing EU residents.
- Check your Page URLs, Page Titles, and other data dimensions to ensure that no PII is being collected. A common example of PII data collection is when you capture a Page URL that contains an “email=” query string parameter. If this is the case, you are likely leaking PII to other marketing technologies in use on your site!
- Ensure that any data entered into forms by Users, that is also collected by GA, does not contain PII.
- Be aware that simply filtering out PII (via Google Analytics filters) is not sufficient; you must address this at the code level to prevent the data from ever being sent to Google Analytics.
- Review which third-party service providers you use and ensure they’re GDPR-compliant.
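One way to address this at the code level, as an added example that is not part of the original article: scrub the page URL in the browser before any tag reads it. The function name scrubUrl, the PII_PARAMS list and the sample URLs are assumptions; extend the list with the parameter names your own site uses.

```javascript
// Added example, not code from the original article.
// PII_PARAMS is an assumed list of query keys that carry personal data.
const PII_PARAMS = new Set(['email', 'e-mail', 'mail', 'name', 'firstname',
  'lastname', 'phone', 'username']);
// Email-like token with a literal or percent-encoded "@".
const EMAIL_RE = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/gi;
const MASK = 'REDACTED';

function scrubUrl(rawUrl, base) {
  const url = new URL(rawUrl, base || 'https://example.invalid');
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    // Drop known PII parameters entirely, whatever their value.
    if (PII_PARAMS.has(key.toLowerCase())) continue;
    // Under any other key, mask values that look like an email address.
    kept.append(key, value.replace(EMAIL_RE, MASK));
  }
  url.search = kept.toString();
  // Emails also turn up in path segments and fragments.
  url.pathname = url.pathname.replace(EMAIL_RE, MASK);
  url.hash = url.hash.replace(EMAIL_RE, MASK);
  // Never forward credentials embedded in the URL.
  url.username = '';
  url.password = '';
  return url.href;
}

// Constructed sample URLs (not taken from a real site).
const samples = [
  'https://shop.example/thanks?order=1234&email=jane%40example.com&utm_source=news',
  'https://shop.example/account/jane@example.com/orders?ref=bob%40example.org#tab',
];
for (const s of samples) console.log(scrubUrl(s));

// In the page, set the scrubbed value before the pageview is sent, e.g. with
// analytics.js: ga('set', 'location', scrubUrl(window.location.href));
```

Page titles and referrers can carry the same values, so apply the same check to any other field your tags send.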
2. Turn on IP Anonymisation
Under the GDPR, an IP address is considered PII. Even though the IP address (by default) is never exposed in reporting, Google does use it to provide geo-location data.
To be safe, we recommend turning on the IP Anonymisation feature in Google Analytics. This requires a code change to enable. If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.
The result of this change is that Google will anonymise the IP address as soon as technically feasible by removing the last octet of the IP address (your IP becomes 220.127.116.11 — where the last portion/octet is replaced with a ‘0’). This will happen before storage and processing begins. “The full IP address is never written to the disk” when this feature is enabled.
The impact of this GDPR change on your data is that geographic reporting accuracy is slightly reduced.
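The truncation described above, as an added example that is not Google's code or part of the original article. The IPv4 rule is the one stated here; the IPv6 rule (zeroing the last 80 bits) comes from Google's Analytics documentation rather than this page, and the function name truncateIp and the sample addresses are assumptions.

```javascript
// Added example: reproduces the truncation rule so you can see what survives it.
function truncateIp(ip) {
  if (ip.includes(':')) return truncateV6(ip);
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error('not an IP address: ' + ip);
  parts[3] = '0'; // last octet replaced with 0
  return parts.join('.');
}

function truncateV6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('not an IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  // Without "::" all 8 groups must be present; with it, at least one is elided.
  if (halves.length === 1 ? missing !== 0 : missing < 1) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  // Keep the first 48 bits (3 groups); the remaining 80 bits become zero.
  const kept = groups.slice(0, 3).map((g) => parseInt(g, 16).toString(16));
  return kept.join(':') + '::';
}

// Constructed sample addresses from the documentation ranges.
for (const ip of ['203.0.113.77', '2001:0db8:85a3:08d3:1319:8a2e:0370:7348']) {
  console.log(ip, '->', truncateIp(ip));
}
```

Every visitor in the same /24 (IPv4) or /48 (IPv6) collapses to one value, which is why geographic accuracy drops only slightly.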
3. Audit your Collection of Pseudonymous Identifiers (hashed Emails, User IDs)
Your Google Analytics implementation may already be using pseudonymous identifiers. This may include the following:
- User ID— This should be an alphanumeric database identifier. This should never be plain-text PII such as email, username, etc.
- Hashed/Encrypted Data such as Email Address— “Google has a minimum hashing requirement of SHA256 and strongly recommends the use of a salt, minimum 8 characters.” — We do not recommend collecting data in this manner.
- Transaction IDs— Technically, this is a pseudonymous identifier since when linked with another data source, it can lead to the identification of an individual. This ID should always be an alphanumeric database identifier.
From our point of view, you’ll likely need to delete the User ID from your CRM to satisfy this requirement, which will prevent the record in Google Analytics from being associated with a known individual.
Discuss what information you collect, how it’s used, and any third-party service providers you share the information with. Include the process to follow to invoke the right to access personal data or the right to be forgotten.
Per this eConsultancy article, you should consider the following questions when writing your privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
5. Obtain Explicit Consent
Takeaway: Your GDPR strategy should first help you determine what personal information you collect and then put new procedures in place to ensure compliance.
Potential Areas of Concern for any Business
If you still aren’t sure exactly what personal data you may be collecting, here are a few examples that are common for businesses, along with some tips on how to stay compliant for each.
If you use Google Analytics, you may be collecting user ID/hashed personal data, IP addresses, cookies, or behavior profiling. To be GDPR-compliant while using Google Analytics, either:
- anonymise the data before storage and processing begin, or
Retargeting Ads and Tracking Pixels
If your website uses remarketing ads, including the Facebook pixel, inform website visitors of this immediately when they enter your site and obtain informed consent.
If you publish sponsored content, ask your client if they use tracking pixels or cookies and why. If the company uses pixels or cookies to capture personal information or to remarket to your audience, you must get consent from visitors immediately when they enter your site.
On the subscription form, have a checkbox for the visitor to consent to everything they’re about to subscribe to. If your newsletter uses tracking pixels to see when they open it, put a visible disclaimer before they subscribe. Verify if your email service provider offers GDPR tools.
If you use affiliate links, you need to get consent for cookie usage. You can gain consent on an individual post or as an overlay. Consent must come before the visitor clicks the affiliate link because a cookie will be placed on their browser to track sales activity.
Before users submit their information in a contact form, get their explicit consent with a checkbox.
Before users can leave a comment, get consent by using a checkbox and disclose that your site will store their comments and, as needed, information relating to the comment such as the date and computer’s IP address. Let them know how the information is used. Also, include a reminder that some information may be displayed publicly, such as name or URL, if they’re submitted with the comment.
If you’re selling services or products to EU residents, only collect necessary information from your customers upon checkout and obtain explicit consent prior to submitting the purchase to let them know how you’ll use that information.
Takeaway: Ensure that you obtain consent for each purpose of the data collection (e.g., one checkbox may say that they authorise being added to your mailing list and another consent to having personal data stored for communication about purchases).
Remember, if you aren’t sure about what type of data a plugin or marketing tool collects, investigate it with the developer to ensure that you’re not using non-compliant tools.
Plugins to Help You Manage GDPR
If you’re looking for tools to help you manage GDPR compliance, here are a few WordPress plugin options:
- Delete Me: allows users to delete their own accounts and profiles.
- Shariff Wrapper: prevents the automatic transmission of data via sharing plugins.
- GDPR Personal Data Reports: generates a personal data report for users invoking their Right of Access.
- Wider Gravity Forms Stop Entries: allows Gravity Forms users to stop sensitive information from being stored on their servers.
Ready or not, GDPR is coming and you need to be compliant by May 25, 2018. Even if you’re a non-EU company and based in Australia, GDPR is likely going to impact your digital business; however, by following a few simple steps, you can ensure your compliance.