Do you use Google Analytics on your website? Discover how to configure it effectively to comply with GDPR requirements. Setting the duration, anonymizing IP addresses, contractual review, implementation of a consent mode… There are many actions to be taken.
We’ll help you see more clearly. This is our product news of the day.
Why worry about the GDPR compliance of Google Analytics cookies?
Google Analytics is a powerful tool for analyzing your site’s traffic. It allows you to understand your users’ browsing behaviors deeply.
Using it requires inserting JavaScript tags into the source code of your pages. These tags run each time a page loads, and the requests they send to Google’s servers result in cookies being placed for audience measurement.
These cookies contain a unique user identifier that allows a visitor’s browsing journey on your site to be stored and reconstructed.
The question of GDPR compliance is therefore pressing.
- The use of analytics cookies is governed by legal obligations, including the need to collect and track consents and objections;
- Sometimes you only use Google Analytics to measure your traffic and improve the site’s ergonomics. In other situations, the browsing data is also used to personalize advertising campaigns, for example through Google Ads.
- Google also exploits the data for its own purposes.
Sign a Data Protection Agreement covering the use of Google Analytics.
Google is your audience measurement solution provider. In other words, it is your data processor.
You have a contract with this company. This is an opportunity to review the existing contractual framework:
- Download and sign a Data Protection Agreement. This is a specific contractual document defining the obligations that Google must respect;
- Review the applicable contractual rules. For example, using Google Analytics advertising features requires you to comply with specific commitments.
Minimize the collection of data by Google Analytics cookies
Keep control over the data that your audience measurement service provider collects on your behalf.
Several measures are, therefore, to be taken:
- Log in to the administration interface of the solution and apply the filters proposed by Google to minimize data collection;
- Google Analytics transmits the URLs of the pages your visitors view to Google. Therefore, check these URLs and make sure they do not contain personal data in plain text (phone number, email address, name…).
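One way to carry out that URL check before the tag ships anything, as an added example that is not code from the original article: a small audit that decodes each page URL, looks for email addresses and phone-like digit runs in the path and query, and flags query parameters whose names suggest identity data. The sample URLs and the parameter list are constructed for the demonstration; the phone heuristic is deliberately coarse and will also surface long numeric identifiers, which is what you want reviewed anyway.

```javascript
// Added example: audit page URLs for personal data in plain text before they
// are reported to an analytics service. Sample URLs below are constructed.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Query parameter names that commonly carry identity data (constructed list;
// extend it with your own form field names).
const SENSITIVE_PARAMS = new Set(['name', 'firstname', 'lastname', 'email', 'phone', 'tel']);

// Coarse phone heuristic: a run of digits/separators containing at least nine
// digits. Dates such as 2020-09-03 (eight digits) are not flagged; long numeric
// identifiers are, so that they get a human look.
function looksLikePhone(text) {
  const candidates = text.match(/\+?\d[\d .\-()]{6,}\d/g) || [];
  return candidates.some((c) => c.replace(/\D/g, '').length >= 9);
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns a list of findings for one URL; an empty list means nothing flagged.
function findPersonalData(url) {
  const findings = [];
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return [{ url, type: 'invalid-url', where: '' }];
  }
  // Path and query are what the analytics tag reports, so scan them decoded.
  const decoded = safeDecode(parsed.pathname + parsed.search);
  if (EMAIL_RE.test(decoded)) findings.push({ url, type: 'email', where: 'path-or-query' });
  if (looksLikePhone(decoded)) findings.push({ url, type: 'phone', where: 'path-or-query' });
  for (const [key, value] of parsed.searchParams) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase()) && value) {
      findings.push({ url, type: 'sensitive-param', where: key });
    }
  }
  return findings;
}

function auditUrls(urls) {
  return urls.flatMap(findPersonalData);
}

// Constructed sample: two URLs leak personal data, two are clean.
const SAMPLE_URLS = [
  'https://example.com/account/confirm?email=jane.doe%40example.com',
  'https://example.com/contact?tel=%2B33%206%2012%2034%2056%2078',
  'https://example.com/blog/2020-09-03-consent-mode',
  'https://example.com/checkout/thank-you?order=a1b2c3',
];

for (const f of auditUrls(SAMPLE_URLS)) {
  console.log(`${f.type} in ${f.where}: ${f.url}`);
}
```

Run it over an export of your site's page paths (or the URLs already visible in your analytics reports) and fix the flagged pages at the source, for example by moving the email into a POST body or replacing it with an opaque token, rather than by filtering in the analytics console after the data has already left the browser.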
Activate IP address anonymization before storage by Google Analytics
The CNIL considers the IP address as personal data presenting a certain level of sensitivity.
Only collect this data to the extent necessary. Certainly, truncating part of the collected IP addresses impacts the accuracy of geographic reports. But is this level of precision really essential for you?
- How do you anonymize the collected IP addresses? By removing the last octet of the IP address before Google stores it.
- The Google Tag Manager tool allows you to configure the Google Analytics tag to make it GDPR-friendly. Alternatively, your tag management system may also allow you to perform the manipulation.
- Finally, you can intervene on the source code of the Google Analytics Javascript tag and insert a parameter.
Reduce the lifespan of Google Analytics cookies.
Configuring Google Analytics correctly also means setting the cookie lifespan, which by default exceeds the duration authorized by the CNIL.
- 13 months for advertising cookies;
- 24 months for audience cookies.
You will therefore need to modify this duration via Google Tag Manager or by editing the source code of the JavaScript tag.
Check the list of pseudonymous identifiers used by Google Analytics
User identifier, transaction identifier… Google Analytics uses several unique identifiers.
Make sure they are alphanumeric identifiers. They must not contain personal data written in clear text (such as an email address or last name).
Update the privacy policy and cookie section of your website
Remember, your website must include dedicated information sections. These provide clear information on how you collect and process personal data from your users.
- Make sure your website has a privacy policy. Update it:
- Mention that you use audience measurement to improve the ergonomics of the website. Specify (if you have done the necessary!) that the collected data is anonymized.
- Review the list of processed data and specify that using an audience measurement solution involves transferring personal data to the United States. This is indeed the case with the Google Analytics solution.
- Also, review the cookie information section. Include an area related to audience measurement explaining analytics cookies’ operation and usefulness.
Secure your Google Analytics cookies with the consent mode
On September 3, 2020, Google announced the launch of its consent mode.
The consent mode allows the execution of Google services (Google Ads, Google Analytics, for example) by your website to be conditioned based on the consent status of your users.
Technically, if you use a cookie management solution, such as the one offered by Axerptio, it collects and stores a digital trace of each user’s consent to, or refusal of, the deposit of analytics or advertising cookies.
Your solution transmits this information to Google’s consent mode. The analytics_storage and ad_storage tag settings allow the consent module to control the operation of the analytics and advertising tags based on the consent given.
What is Google’s consent mode used for?
- A user visits your website, whether for the first time or not.
- They benefit from your cookie management module and express a choice. Let’s assume that they refuse the deposit of cookies for analytics or advertising purposes.
- The cookie management solution records and transmits this action to the consent mode.
- Google’s analytics and advertising solutions continue to work on your website, but in a more limited way and without depositing cookies. Thus, as the website’s publisher, you respect your audience’s choices regarding the possibility of using trackers.
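The sequence described above, together with the IP anonymization parameter and the shortened cookie lifespan from the earlier sections, as an added example that is not the article's, Axerptio's or Google's own code: the gtag.js calls a page issues so that both storage types start denied, Google Analytics is configured with anonymize_ip and a cookie_expires value, and the consent state is updated once the cookie banner records the visitor's choice. The analytics_storage and ad_storage keys are the ones named in the article; anonymize_ip, cookie_expires and wait_for_update are gtag.js parameters. The property ID is a placeholder, the 13-month value assumes 30-day months, the applyUserChoice input shape is a hypothetical banner callback, and the dataLayer shim stands in for window.dataLayer so the file runs outside a browser.

```javascript
// Added example: consent mode defaults, a GDPR-minded Google Analytics config,
// and the consent update driven by the cookie banner. Not the article's code.

// In a page this is `window.dataLayer = window.dataLayer || []`; gtag() only
// queues commands, which is what lets this file run in Node as well.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

const PROPERTY_ID = 'UA-XXXXXXX-X'; // placeholder, not a real property
// Assumption: 13 months counted as 13 x 30 days = 33,696,000 seconds.
const THIRTEEN_MONTHS_SECONDS = 13 * 30 * 24 * 60 * 60;

// Step 1: must run before any 'config' call. Both storage types are denied, so
// no analytics or advertising cookie is written until the user has decided.
// wait_for_update gives the banner 500 ms to replay a stored choice first.
function bootstrapConsentDefaults() {
  const defaults = { analytics_storage: 'denied', ad_storage: 'denied', wait_for_update: 500 };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Step 2: configure the analytics tag with IP anonymization (last octet
// dropped before storage) and a cookie lifespan below the 2-year default.
function configureAnalytics() {
  const params = { anonymize_ip: true, cookie_expires: THIRTEEN_MONTHS_SECONDS };
  gtag('config', PROPERTY_ID, params);
  return params;
}

// Step 3: the banner callback. `choice` is a hypothetical shape such as
// { analytics: false, ads: false }; anything not explicitly granted stays denied.
function applyUserChoice(choice) {
  const update = {
    analytics_storage: choice.analytics === true ? 'granted' : 'denied',
    ad_storage: choice.ads === true ? 'granted' : 'denied',
  };
  gtag('consent', 'update', update);
  return update;
}

// Fold the queued consent commands into the state a tag would act on: later
// 'update' commands override the 'default'. Useful for checking the banner
// wiring in an automated test.
function effectiveConsent() {
  const state = {};
  for (const cmd of dataLayer) {
    if (cmd[0] !== 'consent') continue;
    for (const key of ['analytics_storage', 'ad_storage']) {
      if (key in cmd[2]) state[key] = cmd[2][key];
    }
  }
  return state;
}

// Demo run: defaults, config, then a visitor who refuses both purposes.
bootstrapConsentDefaults();
configureAnalytics();
applyUserChoice({ analytics: false, ads: false });
console.log('effective consent:', effectiveConsent());
```

The order matters: if the config call is queued before the consent default, the tag may write its cookie during the gap. Keeping effectiveConsent as a pure function over the queue is also a cheap way to assert, in a browser test, that a refusal leaves both keys at denied and that only an explicit acceptance flips them to granted.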
Stay vigilant about data transfers outside the EU.
The Privacy Shield previously secured the transfer of personal data to the United States.
This transfer may, for example, result from collecting audience data via a solution provided by a US-based actor.
However, this framework has recently been invalidated. This link provides you with a checklist of actions to take to secure these data transfers. European regulators are expected to issue recommendations on this subject.
Consider alternatives to Google Analytics.
Google Analytics is a robust audience measurement tool. It allows you to obtain many indicators related to your website’s traffic. However, you may only need some of these indicators.
Worse, if you run a simple website with limited features, you risk getting lost in the mass of data available.
Alternatives exist, both more adapted to your needs and more respectful of personal data protection.
To learn more, check out our article on alternatives to Google Analytics.
Conclusion: save your GDPR compliance, configure Google Analytics
Contractual framework, administrator interface settings, source code updates, review of your privacy policy…
We have provided you with a checklist of actions to bring your website’s audience measurement into compliance. Some measures require legal action; others require development skills.
Ultimately, it’s about optimizing the use of this solution in a data protection-friendly environment for your users.