GDPR Risk Matrix for Web Analytics Customers

As you are well aware, Europe’s General Data Protection Regulation (GDPR) goes into effect May 25, 2018. Despite the European origin and focus of these rules, the legislation contains serious implications (20 million Euros, or 4% annual revenue if that is greater!) for any organization which collects, processes, or stores user data. The scope of this legislation is not based on EU citizenship. Rather, it covers any user accessing your site or app from any location within the EU boundaries.

google analytics map of users coming from european countries
How many of your website visitors arrive from protected territories like the E.U.?

GDPR is Not One-Size-Fits-All

While GDPR impacts just about everybody, not all risk profiles are the same. Your organization’s size, location, user base, relationship with Google, measurement strategies, and most importantly your own legal counsel on the matter, all determine where you end up on the threat spectrum and what is a suitable response to the new rules. GDPR is definitely not one-size-fits-all.
So, instead of a single checklist, here we break down your likely GDPR risk profile into a grid of higher-, middle- and lower-risk scenarios and corresponding adjustments needed for your measurement strategy. First consider your risk profile, then review our tailored recommendations to ensure your tracking and consent mechanisms are in place ahead of the May 25th deadline.

We’re Not Lawyers, But We Can Help

Before diving in further, remember we are digital analytics professionals, not lawyers. As with anything else you read on this particular subject, it must be repeated that only your company legal counsel can and should provide final guidance on these matters.

And let’s be honest. It really doesn’t help that the vague wording of the GDPR provides precious little in the way of specific guidance for data collection and online marketing. Like you, we have seen a wide spectrum of interpretations and opinions out there regarding how GDPR impacts tracking of widely used mechanisms like IP addresses, user id collection and remarketing.
As many of our customers have done already, please reach out if we can assist you and your legal team with any technical discovery and implementation that might help you with compliance.

Google Analytics (360), Tag Manager, and GDPR

As a Google Analytics Certified Partner, our main goal here is to help our Google Analytics and Google Tag Manager customers (both 360 and standard edition), but most of our guidance here translates to similar tracking tools. The GDPR Risk Assessment Matrix applies beyond Google Analytics, and most major analytics solutions out there offer similar compliance options for customizing the means and scope of data collection.

Also, as you consider these recommendations, please keep in mind that the nature of your organization’s relationship to Google is important. If you have purchased Google Analytics 360 through Empirical Path or any other Google Analytics 360 Suite Sales Partners, then your agreeing to the new data processing amendment needs to be done together with that Certified Sales Partner. If you obtained your 360 license directly through Google, then you are free to agree to the new terms and conditions on your own. There is no such distinction for users of Google Analytics standard edition (free version). You will be agreeing (or not) to new terms & conditions on your own.

GDPR Risk Assessment Matrix

Table 1: How at-risk is your organization? Review these questions before considering our recommended adjustments to your particular measurement strategy.

High Middle Low
Do you have offices in the European Union (EU)?
Do you have customers or users in the EU?
Are you a well-known brand with high volume annual sales?
Do you track User IDs?
Do you collect data for remarketing ads?
None of the above.  (Really?)

GDPR Analytics Compliance Checklist

Table 2: Adjustments to your tracking based on your GDPR risk profile

  High Middle Low
Update your privacy policy using clear & transparent language. Review/Update Review/Update Review/Update
Stop tracking Personally Identifiable Information (PII) Audit and remove Audit and remove Audit and remove
Review & accept Google’s updated Data Processing Amendment Accept (via Sales Partner if GA 360 not directly from Google) Accept (via Sales Partner if GA 360 not directly from Google) Optional
Review & Accept Google Analytics Updated data retention settings Set to shortest time period needed for user level analysis Keep data retention at new default of 2 years Select a longer timeframe or ‘do not expire’
Begin Anonymizing / Masking IP Addresses Anonymize for all Anonymize for EU visitors Optional
Obtain user consent for some or all User ID Tracking Require explicit opt-in for all visitors prior to tracking userid. Require explicit opt-in for EU visitors. No change
Obtain user consent for advertising & remarketing features Require explicit opt-in for all visitors prior to enabling advertising features. Require explicit opt-in for EU visitors. No change
Obtain user consent for Google Analytics tracking – standard configuration Require explicit opt-in consent for all tracking for EU visitors (this is the most conservative interpretation of GDPR regulations but is stated in Google’s EU user consent policy) Communicate clearly and unambiguously to site visitors that your site uses Google Analytics for justifiable business purposes and offer option to decline tracking. No change
Prepare process for EU Citizens ‘right to be forgotten’ Create a process for receiving and processing requests for data deletion (using Google’s user deletion API) Create a process for receiving and processing requests for data deletion (using Google’s user deletion API) If a request is received and this a concern, upgrade to all ‘middle’ tier recommendations for GDPR compliance

GDPR For Lower Risk Profiles

With GDPR, any user visting your site or app from Europe is protected. GDPR
With GDPR, any user visting your site or app from Europe is protected.

Organizations without any presence or audience in Europe, without any sales to EU customers, no user id collection, and no remarketing might qualify as low risk in our GDPR Assessment Matrix (see Table 1) and thus require very little compliance adjustment. Does this mean there is zero risk involved? No! And before we explain further, let us repeat we are not lawyers.

GDPR Covers any User in Europe, Not Just European Citizens

Do you run a personal blog with no revenue running standard a Google Analytics configuration? You’re going to be sleeping much more soundly May 24th than the CMO of a large multi-national. You likely don’t have much to worry about, but do keep an eye on your visits from EU countries. Remember that the scope of GDPR is not limited to EU citizens or EU-based companies. Unlike similar laws in the past, GDPR now covers users from any country accessing your site from within the EU.

If your homemade salsa blog suddenly become famous in Europe, congratulations, you’re now a mid-tier risk profile!

Collecting Sensitive Information (PII) Has Never Been OK

All organizations are already bound by Google Analytics’ general terms of service which prohibit collection of personally identifiable information (PII). We see this come up often enough in our comprehensive audits to say it again here. More than ever before, you need to be careful not to accidentally collect information like names or email addresses in query string parameters.
Further, Google’s terms also state,

You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data.

GDPR requires that the privacy policy be clear and easy to read – this is an opportunity to revisit that page of legal mumbo jumbo and make sure it clearly explains for your typical user what types of data you collect and how you use it.

Review Your Google Analytics Data Retention Settings

Finally, Google now gives us the ability to choose the timeframe for user-level data retention. Beginning on the date of GDPR enforcement, the timeframe for retention will default to two years for the first time as the default setting. Low-risk organizations who would like to do user-level analysis longer than two years might opt to a longer timeframe, or even ‘do not expire’.
When reviewing these settings, our general recommendation is to enable the “Reset on New Activity” switch so your records are automatically updated and retain the most recent and comprehensive data set.

Google Analytics Data Retention Settings for GDPR

For GDPR, simply select a data retention longevity that your business can justify

GDPR For Middle Risk Profiles

European Data Subjects
GDPR draws a line for user privacy between sensitive and non-sensitive data collection.

Any company actively selling and marketing to EU customers (note, this is not limited to companies with a physical presence in Europe) should automatically rank in the middle or high tiers. User ID tracking or remarketing campaigns also push you into the mid-tier risk profile.

In addition to the recommendations above which apply to all Google Analytics users, middle-risk organizations should review and confirm these additional adjustments:

Tag Management & GeOlocation To the Rescue

One of the simplest options for mid-tier compliance involves limiting data collection based on the physical location of the visitor. With a tag management solution and some basic geOlocation, Google Analytics tracking can fire a different version of GA settings for EU visitors. For instance, this makes it easy to set IP anonymization to “True” for EU visitors while leaving the default setting for everyone else. Of course, you might just as easily decide to anonymize all IP addresses (definitely recommended for the high risk tier).

Google Tag Manager makes it easy to satisfy GDPR guidelines with IP anonymization. Some clever implementation suggestions also include firing tags based on opt-in responses. The opt-in could be shown conditionally to EU visitors and, based on user preference, serve up the desired level of remarketing or User ID tracking mechanisms.

Google Analytics Advertising Features settings via Google Tag Manager

Be sure to review your Google Analytics advertising and remarketing settings for GDPR readiness.Important: if setting advertising features conditionally from your tag management solution, be sure not to enable remarketing or advertising reporting features in the admin console, or it will be enabled for all visitors.

Google Analytics Advertising & Remarketing Features settings for GDPR

How Do You Accommodate the GDPR Right To Be Forgotten?

Finally, the new rules require an EU citizen’s ‘right to be forgotten’ which includes deletion of any previously-collected digital data. In order to give organizations the tools to comply, Google will be introducing a data deletion API. While we wait for that, all mid- and higher- risk organizations should begin creating a process for receiving and processing requests for data deletion.

GDPR For Higher Risk Profiles

European Office Buildings on a Canal
No matter where you are located, if you are doing big business in Europe, GDPR impacts you and the way you track all users of your website or app.

Having a physical presence in Europe, or a combination of mid-tier qualifiers could push your company into the higher risk status. Large brands with a high annual sales volume that are implementing corporate-wide GDPR compliance measure also might opt to select the most conservative adjustments.

This can include opting for a shorter data retention period, anonymizing IP addresses for all visitors, and requiring an opt-in for any userid and/or remarketing list generation. An extremely conservative interpretation might also require opt-in for standard Google Analytics tracking for EU visitors.

How Can We Help?

At this stage in the game, we might expect most of our customers have everything in-place, but we know that’s not always the case. if you have a quick question or are working on last-minute implementations or need help auditing your setup, we can help. Our expert consultants are all up-to-speed on GDPR-friendly analytics, so please contact us.

Here’s to getting a good night of sleep May 24th!

Helpful Links

Did this interest you? Reach out to learn
how we can help you.

Contact Us

When you reach out to Empirical Path, you get in touch directly with our fully qualified and experienced consultants.   Whether you need an analytics audit, training, support, or a custom quote on Google Analytics 360 licensing, let’s talk today.