You may have received an email from Google recently regarding updates about the General Data Protection Regulation (GDPR) and data retention controls on their Google Analytics platform. They have told their customers that they need to “review these data retention settings and modify as needed” before May 25th when GDPR becomes enforced. This is part of Google putting the requirement on others and not themselves.
The great thing about this is that Google is now giving us the necessary tools to adjust this, but most of us still have no idea what any of this means. We dive deeper.
What is GDPR and Why Should I Care?
The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy regulation that puts the customer/individual in control and it goes into full effect on May 25, 2018. The purpose is to consolidate privacy regulations across the EU. How does this effect anyone within Australia?
From 25 May 2018 Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.
If you are not yet familiar with the details of GDPR and why you should be taking action for readiness ahead of the May deadline, read the following article by the Office of the Australian Information Commissioner: Australian businesses and the EU General Data Protection Regulation.
Google Analytics: Your Data Processor
Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organisation is the Data Controller since you control which data is sent to Google Analytics.
With Google as your Data Processor, they have obligations to conform to the GDPR. According to Google’s own Privacy Compliance website, they are “working hard to prepare for the General Data Protection Regulation.” As part of being a Data Processor, Google must provide a data processing agreement that you’ll need to accept. The Google Analytics Data Retention controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers.
As a comparison, Adobe Analytics is working on the same GDPR readiness.
When Does GDPR Apply?
A financial transaction isn’t necessary for the GDPR to apply. A non-EU-based business must comply with the GDPR if it collects or processes personal data of any EU resident (EU citizenship is not required).
Personal Data
Under GDPR, personal data is defined as information that can be used to identify someone, directly or indirectly. This includes IP address, cookies, location data, name, and email address.
GDPR may require significant changes in how a company discloses and obtains consent to collect personal data. Read our blog about how Google collects user data.
Rights to Data
Under GDPR, individuals have greater control over how their personal information is collected, stored, and used. Individuals have a right to access their data, which means the right to know where, why, and how their data is processed. This includes the right to request a report to access their data. Additionally, individuals have a right to be forgotten, which means their data can be deleted.
Breach Notification
Organisations have a duty to report certain types of data breaches to the relevant supervisory authority within 72 hours, unless the breach is harmless and poses no risk to the individual. If a breach is concluded to be high risk, the company must also inform the individuals impacted.
Appointment of Data Protection Officer
In some cases, companies must appoint a data protection officer. This is required when:
- an entity regularly monitors sensitive personal information (e.g., race, genetic data, etc.),
- an entity regularly monitors personal data on a large scale, or
- is a public authority.
Information of Children
Under GDPR, a company may not collect personal data of anyone under 16 without parental consent. Implement a process to verify age and to obtain parental consent when necessary.
Takeaway: Under GDPR, companies must ensure that they have clear policies in place to maintain compliance.
How Does GDPR Impact Non-EU Companies?
For many businesses, there are many questions about whether compliance is necessary for companies outside of the EU – such as Australia. However, non-EU companies must comply with GDPR if:
- they collect or process personal data of any EU resident, or
- the company’s activities relate to offering goods or services to EU citizens, regardless of whether payment is required.
This compliance is mandated for any EU resident, regardless of EU citizenship. Even an Australian citizen who’s only temporarily located in the EU is protected by GDPR.
Remember that a financial transaction isn’t necessary for the GDPR to apply. Any non-EU-based business must comply with the GDPR if it collects or processes personal data.
Takeaway: All companies must obtain explicit consent from the data subject, including non-EU companies. Simply being located outside of the EU doesn’t relieve a company of compliance.
GDPR Compliance Action Plan
1. Audit Your Data and Implement GDPR Compliance Strategy
Hopefully this doesn’t come as a surprise, but collecting Personally Identifiable Information (PII) is against the Google Analytics Terms of Service.
This is true both of Google Analytics Standard and the paid Google Analytics 360 solution. Whether you are confident or not, now is the time to audit your data collection to ensure that you are not transmitting PII.
First, conduct an audit of your website.
- Determine what data you hold, where it came from, and whom you share it with.
- Determine what information you have pertaining to existing EU residents.
- Check your Page URLs, Page Titles, and other data dimensions to ensure that no PII is being collected. A common example of PII data collection is when you capture a Page URL that contains an “email= querystring” parameter. If this is the case, you are likely leaking PII to other marketing technologies in use on your site!
- Ensure that any data entered into forms by Users, that is also collected by GA, does not contain PII.
- Be aware that simply filtering out PII (via Google Analytics filters) is not sufficient; you must address this at the code-level to prevent the data from ever being sent to Google Analytics
- Review which third-party service providers you use and ensure they’re GDPR-compliant.
After you’ve completed the initial audit, review all information to determine what you need to do to comply with GDPR. Next, prepare an action plan to update your privacy policy and methods for obtaining consent.
2. Turn on IP Anonymisation
Under the GDPR, an IP address is considered PII. Even though the IP address (by default) is never exposed in reporting, Google does use it to provide geo-location data.
To be safe, we recommend turning on the IP Anonymisation feature in Google Analytics. This requires a code change to enable. If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.
If you don’t use Google Tag Manager (GTM), your tag management system may have this setting exposed as an option, or you may need to edit the code directly.
The result of this change is that Google will anonymise the IP address as soon as technically feasible by removing the last octet of the IP address (your IP becomes 123.123.123.0 — where the last portion/octet is replaced with a ‘0’). This will happen before storage and processing begins. “The full IP address is never written to the disk” when this feature is enabled.
The impact of this GDPR change on your data is that geographic reporting accuracy is slightly reduced.
3. Audit your Collection of Pseudonymous Identifiers (hashed Emails, User IDs)
Your Google Analytics implementation may already be using pseudonymous identifiers. This may include the following:
- User ID— This should be an alphanumeric database identifier. This should never be plain-text PII such as email, username, etc.
- Hashed/Encrypted Data such as Email Address— “Google has a minimum hashing requirement of SHA256 and strongly recommends the use of a salt, minimum 8 characters.” — We do not recommend collecting data in this manner.
- Transaction IDs— Technically, this is a pseudonymous identifier since when linked with another data source, it can lead to the identification of an individual. This ID should always be an alphanumeric database identifier.
Under both GDPR and the Google Analytics Terms of Service, this appears to be an acceptable practice. But, this is where you are advised to ensure that your Privacy Policy is updated to reflect this data collection and purpose, as well as to gain explicit consent (via opt-in) from your users. In both cases, the language used needs to be clear (no technical or legal terms) and answer the questions of, “what data is collected?” and “how it will be used?”
From our point of view, you’ll likely need to delete the User ID from your CRM to satisfy this requirement, which will prevent the record in Google Analytics from being associated to a known individual.
4. Update Your Privacy Policy
The most important update to your Privacy Policy under GDPR is that these notices need to be written in a way that is clear, understandable, and concise.
Discuss what information you collect, how it’s used, and any third-party service providers you share the information with. Include the process to follow to invoke the right to access personal data or the right to be forgotten.
Per this eConsultancy article, you should consider the following questions when writing your privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Remember, while your privacy policy will reference the requirements of GDPR, having it installed doesn’t mitigate your need to obtain informed consent.
5. Obtain Explicit Consent
After you’ve determined what personal information you collect or process, obtain explicit consent, described above, for each reason you collect such data. For instance, if you use cookies for affiliate links and a Facebook pixel, you’ll need explicit consent for each use.
Takeaway: The goal of your GDPR strategy will first help you determine what personal information you collect and then put new procedures into place to ensure compliance.
Potential Areas of Concern for any Business
If you still aren’t sure exactly what personal data you may be collecting, here are a few examples that are common for businesses, along with some tips on how to stay compliant for each.
Google Analytics
If you use Google Analytics, you may be collecting user ID/hashed personal data, IP addresses, cookies, or behavior profiling. To be GDPR-compliant while using Google Analytics, either:
- anonymise the data before storage and processing begin, or
- add an overlay to the site that gives notice of the use of cookies and asks for the user’s permission prior to entering the site.
Retargeting Ads and Tracking Pixels
If your website uses remarketing ads, including the Facebook pixel, inform website visitors of this immediately when they enter your site and obtain informed consent.
If you publish sponsored content, ask your client if they use tracking pixels or cookies and why. If the company uses pixels or cookies to capture personal information or to remarket to your audience, you must get consent from visitors immediately when they enter your site.
Email Opt-In
On the subscription form, have a checkbox for the visitor to consent to everything they’re about to subscribe to. If your newsletter uses tracking pixels to see when they open it, put a visible disclaimer before they subscribe. Verify if your email service provider offers GDPR tools.
Affiliate Links
If you use affiliate links, you need to get consent for cookie usage. You can gain consent on an individual post or as an overlay. Consent must come before the visitor clicks the affiliate link because a cookie will be placed on their browser to track sales activity.
Display Ads
If you have ads on your website from a third-party ad server, upon entering your site, users should immediately consent to your use of a third-party server that collects user data for advertising and marketing purposes. If your ad server uses cookies to gather data on the visitor for targeting purposes, inform visitors upon entering your site and get consent for using cookies for this purpose.
Contact Forms
Before users submit their information in a contact form, get their explicit consent with a checkbox.
Comments
Before users can leave a comment, get consent by using a checkbox and disclose that your site will store their comments and, as needed, information relating to the comment such as the date and computer’s IP address. Let them know how the information is used. Also, include a reminder that some information may be displayed publicly, such as name or URL, if they’re submitted with the comment.
Product Sales
If you’re selling services or products to EU residents, only collect necessary information from your customers upon checkout and obtain explicit consent prior to submitting the purchase to let them know how you’ll use that information.
Takeaway: Ensure that you obtain consent for each purpose of the data collection (e.g., one checkbox may say that they authorise being added to your mailing list and another consent to having personal data stored for communication about purchases).
Remember, if you aren’t sure about what type of data a plugin or marketing tool collects, investigate it with the developer to ensure that you’re not using non-compliant tools.
Plugins to Help You Manage GDPR
If you’re looking for tools to help you manage GDPR compliance, here are a few WordPress plugin options:
- GDPR: a nearly all-in-one solution with options for consent management, privacy policy configurations, fulfilling data export requests, and more.
- Delete Me: allows users to delete their own accounts and profiles.
- Shariff Wrapper: prevents the automatic transmission of data via sharing plugins.
- GDPR Personal Data Reports: generates a personal data report for users invoking their Right of Access.
- Wider Gravity Forms Stop Entries: allows Gravity Forms users to stop sensitive information from being stored on their servers.
Conclusion
Ready or not, GDPR is coming and you need to be compliant by May 25, 2018. Even if you’re a non-EU company and based in Australia, GDPR is likely going to impact your digital business; however, by following a few simple steps, you can ensure your compliance.
