Google Analytics and your users' privacy

Internet users' data and privacy rights are always changing and evolving to ensure the most secure, private and informed online experience possible for citizens. As part of our commitment to provide our communities with updates on prominent changes in the digital landscape, we'd like to talk about an important change that we're seeing as more legislation and rulings around the world shape our citizens' online experience: Google Analytics and your users' privacy.

Are my users' privacy rights protected when I use Google Analytics?

If your website uses Google Analytics (GA), a free tool offered by Google, to track general information, behaviours and trends from users while visiting your website, you're already a part of this important conversation.

The key question that is being posed today is "Does Google Analytics comply with leading, emerging privacy regulations?" The simple answer is yes. When measured against one of the leading, pioneering digital privacy laws, known as the European Union's General Data Protection Regulation (GDPR), Google Analytics can indeed be GDPR compliant.


So then what's the issue?

It requires a little help from you, the website owner, to get there.

Your GA activity is all about gathering automated, anonymous information. The tool can process data and anonymously track which pages users view, for how long, and their overall trends and behaviours once on your site. No actual name or personally identifiable information (PII) is collected (collecting PII is against Google Analytics' Terms of Service), and this information is used to help website owners like yourself make decisions that enable better user experiences.

Out of the box, Google Analytics is compliant with GDPR. But depending on what additional information you are asking from users and collecting throughout your site, this information could potentially make its way into GA through the use of cookies and individual user IDs.

You might be familiar with cookies (small text files containing a unique ID that identifies a user's browser to GA), as they may be mentioned in your privacy policy or in a pop-up notification that asks new users on your site to agree to their use. While GA doesn't collect a user's name or location, it does collect randomly generated ClientIDs, and can send Google that ClientID's IP address.

Your responsibility as a website owner

Under the GDPR, users are more empowered and have more control over what information and data they would like tracked and used by GA. This includes clearer notice and consent requirements for using the data collected. Users can request to access or delete their data at will.

There are arguments both for and against requiring consent from citizens before using their data within Google Analytics, and these can go deep into the legal interpretation of the GDPR. The safest answer, however, is yes: empowering your users with this choice is a positive approach. GA is also committed to user privacy within their own platform.

Your growing responsibility as a website operator lies in informing your users and offering them the option of consent as much as possible.


Actions you can take now - and how we can help!

Everyone, from those who simply have GA, but don't often check it, to those who use it for explorative, in-depth demographics research, has a role to play in this evolving atmosphere of user privacy rights.

Our action steps outlined here range in technical difficulty and it is entirely up to you and your organization as to how and when you'd like to tackle them, but it's important to start thinking about these trends now. We can help you prepare a plan and implement the necessary changes you'll need to keep tracking valuable insights from your users now and into the future!

1) Accept Google Analytics' Data Processing Terms

Google recently introduced a Data Processing Amendment to its terms of use. In Admin > Account Settings, review the Data Processing Agreement and accept the terms.

2) Update your Privacy Policy

Update your organization's Privacy Policy to clearly and concisely state what information is being collected, how, for what purposes, and who it will be shared with. Your users will have a greater understanding of their data rights, how their information is being used, and how their privacy is respected. Explain that your users have the right to be notified, to opt in to GA analysis, to opt out, and to request deletion of their individual data.

If you use GA, state this process in your policy and explain how you collect information for your users to easily understand. Adzerk provides a good sample update that we have taken inspiration from below:

"We use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a "cookie" with a randomly generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. We also send Google your IP address. We use Google Analytics to track aggregated website behaviour, such as what pages you looked at, for how long and so on. This information is important to us for improving the user experience and determining site effectiveness. If you would like access or would like to delete your individualized GA data - please reach out to us via this form and/or install the Google Analytics Opt-out Browser Add-On."

Within your form, you can include such questions as:

  • Would you like to know the kinds of information and purposes we collect users' data for? (Y/N)
  • Would you like to delete your individualized Google Analytics data from our tracking and analysis? (Y/N)
  • Please provide your name and email address.

Our team can help you remove individualized user data from Google Analytics if one of your users requests this service.

3) Enable your users to provide consent for your use of Google Analytics

Create a process that gives users the option of consenting to your use of GA. Just as users can agree to cookies being used on your site, you can ask whether they would like to consent to their browsing data being analyzed.

The simplest approach is to add details to the cookie consent pop-up you may already be using on your site. These additional details would inform users that Google Analytics is being used on your website to track their behaviour. The user can accept the pop-up; however, if they don't click 'Accept', the consent functionality will not disable cookies or tracking. This is a simple consent approach, but one that does not actually manage cookies or tracking tags.

You can also link users to Google's Opt-out Browser Add-on, which prevents the user's data from being sent to any website they visit, including yours.

Contact us to help you implement the additional details within the cookie pop-up, or to develop a more in-depth consent management platform, which can manage enabling or disabling cookie and tracking tags, based on user consent.

4) Evaluate and limit the kind of information you are sending to Google

In the same post, Adzerk provides a great list of things you can do to limit the kind of information being sent to Google, along with instructions. This may include steps like:

  • Any custom reporting you have set up that uses internal UserIDs - ensure that this information is anonymized and does not include PII.
  • IP anonymization - this step removes some digits from users' IP addresses before they are sent to Google.
  • Reducing how long Google Analytics holds on to and stores individual users' data.
  • Disabling Demographics and Interests Reports - you can turn these off if you don’t need this type of information from your users. If you do use this data, include this in your privacy policy.
  • Turning off data sharing between Google Analytics and other services. Google uses this information to create benchmark reports on industry trends.
  • Turning off the link between Google Ads and GA - if you are not conducting any ad campaigns, you can switch this information sharing off. If you do use Google Ads marketing reporting for your site, be sure to include it in your Privacy Policy.
  • Reducing session timeouts - you can reduce how long a user can be inactive (away from the computer or on another activity) before GA stops tracking that user's session.
  • Reducing cookie expiration time - you can change your settings so that a cookie lasts on a user's browser for a shorter amount of time, or even for that session only.
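
To make steps 3 and 4 concrete, here is an added example (not eSolutions', Adzerk's or Google's own code) of a consent check that actually controls whether the GA tag loads, combined with the privacy-limiting gtag.js settings listed above. The property ID is a placeholder, and the shape of the stored consent object is an assumption about your own cookie banner.

```javascript
// Added example: consent-gated Google Analytics (gtag.js) setup.
const MEASUREMENT_ID = 'UA-XXXXXXX-1'; // placeholder property ID

// Step 4 settings expressed as gtag.js config fields.
function buildGaConfig() {
  return {
    anonymize_ip: true,                      // mask part of the IP address
    cookie_expires: 0,                       // cookie lasts for the session only
    allow_google_signals: false,             // advertising features off (Demographics and Interests)
    allow_ad_personalization_signals: false, // no ad personalization
  };
}

// `consent` is null until the visitor answers the banner, then
// { analytics: true } or { analytics: false } (assumed shape).
function hasAnalyticsConsent(consent) {
  return Boolean(consent) && consent.analytics === true;
}

// Loads and configures GA only after consent. Without consent it sets the
// ga-disable flag that gtag.js honours and injects no script at all.
function initAnalytics(win, doc, consent) {
  const granted = hasAnalyticsConsent(consent);
  win['ga-disable-' + MEASUREMENT_ID] = !granted;
  if (!granted) return false;

  win.dataLayer = win.dataLayer || [];
  win.gtag = function gtag() { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', MEASUREMENT_ID, buildGaConfig());

  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID;
  doc.head.appendChild(script);
  return true;
}

// In a page: initAnalytics(window, document, storedConsent);
```

Unlike the simple pop-up described in step 3, nothing is sent to Google here until the visitor has said yes. Session timeout and data retention are changed in the GA Admin settings rather than in page code.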

Remember, eSolutions is here to help if you need any assistance evaluating your settings or implementing changes!

The benefits to your users

All of these steps will help boost your users' privacy and data rights, and give them increased knowledge and decision-making over their browsing data. By taking action now, you will ensure you are set up for the future, when increased regulations may come into place.

Even if you aren't located in the European Union or have stakeholders located there, it's important to be aware of these leading regulations, as Canada's own Personal Information Protection and Electronic Documents Act (PIPEDA) is created in the same spirit, with GDPR's policies being the de facto standard that other countries' policy makers usually look to follow.

Get started

Contact Alison Carden, eSolutions' Head of Products, at 519-340-1546 or ali.carden@ghd.com if you have any questions or would like to get started implementing these important changes to empower your users and better protect their privacy and data rights.