GDPR and Google Analytics

With 25th May 2018 behind us, we have now entered the GDPR era. Businesses have been working hard to establish compliance, understanding and processes within their organisations. But if you’re in digital marketing, there are some extra details you should be aware of, relating to the use of Google Analytics.

If you’re tracking website performance stats and data for your own website and/or that of your clients, you are probably using the Google Analytics suite. In most cases, the information you collect in Google Analytics probably won’t be personally identifiable information. It will be stats on visits to your site and user behaviour. The most personal data might relate to what device they used or what location they are in.

However, if your website collects personal data such as names and email addresses through forms, download requests and the like, then there is a risk that PII (personally identifiable information) might be inadvertently pulled through to Google Analytics via the page URLs and titles.

What are my GDPR obligations?

If PII is stored in Google Analytics, you become a data controller. If you process that PII in any way, you are a data processor. GDPR applies to both data controllers and data processors. If you breach GDPR in any way, you could face a fine of 4% of global revenue or €20 million, whichever is higher.

What are Google’s obligations?

If you link Google Analytics to your website or a client website, Google becomes a data processor, as it essentially handles that information. This means that Google can be inadvertently implicated as a data processor, without its knowledge and on a large scale. Unsurprisingly, this has led it to take a pragmatic approach to accounts collecting PII, penalising any infringements by shutting those accounts down. And we don’t blame them when they could face a fine of €2.4 billion.

Google Analytics is now also hot on its data retention obligations, permanently deleting data that is older than your default data retention settings. So, if you don’t set your preferences for data retention or don’t use it, it will be deleted by Google.

Data retention is the time in months that GA will retain property data beyond standard reporting. Standard here means reporting channels with no segmentation or secondary dimensions applied.

What can I do to be GDPR compliant when using Google Analytics?

You can help both your organisation and Google to be compliant by taking a few simple steps.

  1. If you don’t need to collect PII, remove it from your tracking. Google has a best practice guide to help you to avoid collecting PII in Google Analytics.
  2. Specify your default data retention settings. You can select a retention period from 14 months up to “do not automatically expire”. Set this period and Google will delete all data that’s older. You can do this under Admin – Property – Tracking Info – Data Retention in Google Analytics.
  3. Update your preferred period in your privacy policy online.
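
Step 1 in practice, as an added example that is not from the original article or from Google: a small JavaScript filter that redacts PII from the page URL and title before they are handed to an analytics page-view call. The parameter names in `PII_PARAMS`, the `REDACTED` placeholder and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not from the article): strip PII from the page URL and title
// before they are reported to analytics. PII_PARAMS is an assumed list; extend
// it with the field names your own forms put into URLs.
const PII_PARAMS = new Set(['email', 'e-mail', 'name', 'firstname', 'lastname',
                            'phone', 'tel', 'address', 'postcode']);
// Matches email addresses written with a literal "@" or a percent-encoded "%40".
const EMAIL_RE = /[A-Z0-9._%+-]+(?:@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const REDACTED = 'REDACTED';

// Replace any email address found in free text, such as a page title.
function scrubText(text) {
  return text.replace(EMAIL_RE, REDACTED);
}

// Return the URL with PII removed from the path, query string and fragment.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Path segments can carry an address, e.g. /unsubscribe/<email>.
  url.pathname = scrubText(url.pathname);
  // Rebuild the query so parameter order is preserved.
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const isPiiKey = PII_PARAMS.has(key.toLowerCase());
    // Known PII fields are blanked outright; other values are pattern-checked.
    clean.append(key, isPiiKey ? REDACTED : scrubText(value));
  }
  url.search = clean.toString();
  url.hash = scrubText(url.hash);
  return url.toString();
}

// Build the two fields a page-view hit would carry, both scrubbed.
function scrubPageView(rawUrl, rawTitle) {
  return { url: scrubUrl(rawUrl), title: scrubText(rawTitle) };
}

// Constructed sample: a form "thank you" page that echoes the submitted email.
console.log(scrubPageView(
  'https://shop.example/thanks?email=jane.doe%40example.com&ref=newsletter',
  'Thanks, jane.doe@example.com | Shop'));
```

Pattern matching only catches what it recognises, so the more reliable fix remains changing forms to submit by POST and keeping personal values out of URLs and titles in the first place.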

Need advice on your Google Analytics settings? Whitefish Marketing agency in Kent work with businesses in the south east to improve their online visibility. Call us on 01303 720 288.

