GDPR Compliance with Google Analytics – Do You Need Cookie Consent?

Last week we talked about data retention in Google Analytics, how this change will affect ad-hoc reporting (i.e., segmentation), and whether this impact on your data retention settings was due to GDPR.

That blog post generated a lot of dialogue. In fact, it created more conversations than any of my other posts so far this year! And our blog PSA may have even provoked a response from Google?

Google Analytics email response

But discussing GDPR-related changes in Google Analytics also raised a lot of new questions. Questions like:

  • What impact does retaining user data have on GDPR compliance?
  • How long can I retain my user data and still be GDPR compliant?
  • How do I know if I should be using a cookie consent notification? And how do I implement that notification?

Today, I will attempt to answer these questions to the best of my ability, and the best of my knowledge given what I know about GDPR right now.

GDPR Compliance Resources

To help further our understanding of how to make our websites GDPR compliant, I’ve created some additional resources. One of these resources is a tracking consent flowchart. This flowchart will help you think about when, and if, you need to be using a cookie consent pop-up.

I also built a Google Analytics segment. You can grab the link to my GDPR segment and use it in your Google Analytics account. This segment will show how much of your website traffic is potentially affected by GDPR.

And, I’m sharing my current go-to steps for GDPR compliance. Of course, this strategy is subject to change as we learn more about GDPR, but for now, I have bulleted out my upcoming plans for making Jeffalytics GDPR compliant.

You can download all these resources below. Or you can grab just the link to my GDPR Google Analytics segments later on in this post.

Legal Disclaimer

Before I start answering your GDPR compliance questions, please note:

Warning: I am not an attorney. This video and post do not offer or represent legal advice. You should work with your own legal counsel for any GDPR related policies and actions you take.

Can you be GDPR compliant and retain user data?

Can you be GDPR compliant and still retain your user data longer than 26 months?

Data retention controls

This question came up many times over the past week. Many readers, YouTube subscribers (like my friend Mark), and Twitter users asked a similar question.

GDPR compliance questions

And I believe the answer is yes. You can use the data retention setting “Do not automatically expire” and still comply with GDPR…

If you do two things:

1. You need to allow users to delete their data easily

Google Analytics is adding a new user deletion tool. This tool isn’t available yet. But once it’s released, you need to hook it up to your site and allow users the option to delete their data.

new user deletion tool

Now, you might be wondering how to implement user deletion. As I mentioned, the user deletion tool is not in place yet. When Google releases this tool, we’ll do a tutorial on the user deletion process.

2. Storage of user data is for historical research

If you look at the GDPR data collection policy, you’ll notice that data storage is allowed for scientific and historical research.

GDPR compliance and historical research

So the question becomes, is web analytics historical research?

And the answer is Yes!

Analytics is historical research. If you’ve taken my Analytics Course, you know one of the first things I teach is:

“We use analytics data to learn from the past so that we can make future improvements to our marketing efforts and our customer’s online experience.”

If we couldn’t analyze website data from three or more years ago, the Internet would be a worse-off place. And not having historical data would significantly limit the scope of our research. So, retaining user data is necessary for historical research (analytics).

If you want to retain your user data make sure you:

  • Adjust your data retention setting to “Do not automatically expire.”
  • Set up your user deletion process as soon as the tool becomes available.
  • And use your data for historical research purposes.

With our data retention question answered, let’s talk about tracking consent, AKA cookie consent popups.

Cookie consent popups and GDPR compliance

If you visit Brian Clifton’s website, you’ll see the popup featured in the picture below. Brian is a foremost authority on web analytics and a former head of web analytics at Google. This popup provides a great example of how one of the leading experts is obtaining tracking consent.

Cookie Consent popup

Source: brianclifton.com

Brian wrote an excellent article on GDPR and tracking consent that I would encourage you to read.

But I also wanted to break down my interpretation of when you need to use a tracking consent popup, specifically for your Google Analytics data.

So let’s look at cookie consent notifications as they relate to Google Analytics data and GDPR compliance.

When are Cookie consent popups necessary?

Many of you have asked me: “Do you know if I need a cookie consent popup if I’m using Google Analytics?”

Well here’s the shortish answer:

You need to obtain tracking consent if your Google Analytics data is being shared with third parties (i.e., third-party cookies), and you’re tracking people inside the countries affected by GDPR.

However, if you use Google Analytics as your only tracking tool, and you don’t enable display features, then Google doesn’t require you to gain tracking consent.

That said, most websites will need a tracking consent popup to comply with GDPR. And here’s the reason why: Third-party plugins.

Third-party cookies and GDPR compliance

Many plugins, sharing tools, and video players (i.e., third parties) have third-party tracking in their embed codes. So if you use a third party tool that tracks your users, you need to get tracking consent to comply with GDPR.

GDPR cookie consent flowchart

Figuring out how your website is affected by tracking consent requirements can be pretty confusing. So I created a diagram to help us break down the factors that influence tracking consent.

GDPR Compliance/cookie consent Flowchart

Let’s walk through the chart together:

Decision point #1 – Do you have Google Analytics installed?

If the answer is “No,” then you don’t need a cookie consent popup. (And you probably don’t need to read about GDPR, unless you’re really bored).

If the answer is “Yes,” then move to decision point #2.

Decision point #2 – Do you send any data to third parties, directly or inadvertently?

Remember, inadvertently transmitting data to third parties can occur through the plugins you use on your website. You don’t necessarily have to be doing this proactively.

If the answer is “Yes,” then to comply with GDPR, you should use a cookie consent popup.

If the answer is “No,” then move on to decision point #3.

Decision point #3 – Do you have any other tracking tools sending data to third parties?

If the answer is “No,” then you don’t need a tracking consent popup.

If the answer is “Yes,” then you need a consent popup.

So let’s talk about the bottom line here.

Which type of website is most likely to be affected by GDPR?

Publishers, bloggers, information sites, and data resellers are all likely to need tracking consent. Any website that sends user data to third parties needs to be thinking about GDPR compliance.

websites affected by GDPR compliance

What type of website apps could create a GDPR violation?

The most common types of apps that could result in a GDPR compliance problem include:

  • Any app that tracks demographics, or uses remarketing and display systems.
  • Video Embeds
  • Social Sharing buttons
  • Comment plugins and other third-party WordPress plugins

Third party tracking apps

Any app that tracks your users could create a GDPR compliance violation. Under GDPR, you are responsible for letting your users know if the software on your website is tracking them.
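One way to inventory the embeds described above is to scan a page's HTML for resources loaded from hosts other than your own. The script below is an added example, not part of the original post; the site name `example.com`, the sample page, and the names `EmbedAuditor` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser contact a host on page load.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                  "embed": "src", "link": "href"}

class EmbedAuditor(HTMLParser):
    """Collects hosts outside site_host that the page's markup loads from."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.third_party = {}  # host -> set of tag names that reference it

    def _is_first_party(self, host):
        return host == self.site_host or host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        attrs = dict(attrs)
        # <link> only fetches for some rel values; canonical/alternate do not.
        if attr is None or (tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower()):
            return
        host = (urlparse(attrs.get(attr) or "").hostname or "").lower()
        if host and not self._is_first_party(host):
            self.third_party.setdefault(host, set()).add(tag)

def audit(html, site_host):
    """Return {third_party_host: [tags]} for one page of static HTML."""
    parser = EmbedAuditor(site_host)
    parser.feed(html)
    parser.close()
    return {h: sorted(t) for h, t in sorted(parser.third_party.items())}

# Constructed sample page for a hypothetical site, example.com.
SAMPLE_HTML = """
<link rel="canonical" href="https://other.example.org/post">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<script src="/js/site.js"></script>
<img src="https://cdn.example.com/logo.png">
<script src="https://www.google-analytics.com/analytics.js"></script>
<iframe src="//www.youtube.com/embed/VIDEO_ID"></iframe>
<script src="https://platform.twitter.com/widgets.js"></script>
<img src="https://www.facebook.com/tr?id=000&amp;ev=PageView">
"""

if __name__ == "__main__":
    for host, tags in audit(SAMPLE_HTML, "example.com").items():
        print(f"{host}: {', '.join(tags)}")
```

This only sees what is in the static markup. Scripts can pull in further hosts at runtime, so compare the result with the requests shown in your browser's network panel.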

Where does GDPR apply?

I believe this map represents the countries that are affected by GDPR.

GDPR country map

The region of the world affected by GDPR is substantial! And lots of potential website visitors fall under the GDPR statutes.

So, you might want to figure out how much of your traffic will be affected by GDPR. To help with that process, I created a Google Analytics GDPR users segment and Non-GDPR users segment.

Google Analytics GDPR segment

Here’s an example of how the segments work using data from an anonymous website.

GDPR Google Analytics segments

The segments use regular expressions to categorize your website users based on their location.

GDPR Segments

And, if you want to dig deeper into your analytics, you can use these segments to compare your conversion rates.

GDPR conversions vs. Non-GDPR conversions

You can use the GDPR segment to help you look at your baseline before you make GDPR related changes to your website. Then you can track how your cookie consent popup affects traffic, conversion rates, and other critical metrics.

High GDPR user conversion rate

If you have lots of conversions from GDPR users, then you’ll want to monitor how your cookie consent affects your conversion rate. Based on the anonymous data below, you can see that almost 30% of this website’s conversions are currently coming from users in GDPR countries.

GDPR user conversions

Analyzing how GDPR could affect your traffic, conversions, and users is an important step in planning a compliance strategy.

Pre-GDPR baseline conversion rate

 

My GDPR compliance plans (as of today, and 100% subject to change!)

We’ve discussed a lot of GDPR compliance-related issues. Absorbing all this information could have your head spinning. So, I am going to share how my team plans to make Jeffalytics GDPR compliant. Now, these plans are 100% subject to change. I am still learning along with everyone else. But as of today, these are things we will do to try to minimize any GDPR compliance violations.

1. Minimize the number of third-party embeds we use that share data without consent

If you want to be GDPR compliant, it’s important to audit the software on your website. You want to determine if you have plugins that are siphoning off your data without your consent. And if you do, you may want to remove those plugins.

2. Update my privacy policy, as needed, and make this policy more prominent on our site

We may experiment with moving our privacy policy to the main navigation area on our website or linking to it in the cookie consent form.

3. Research cookie consent solutions that allow geo-fencing

I don’t want the 74% of my visitors that aren’t in a GDPR area to get hit with a cookie consent popup when they land on my site. So, I am going to look for a solution that allows me to limit my tracking consent notice to visitors from GDPR areas.

4. Comply the best we can using the available systems and resources

My team is going to learn as much about GDPR as we can. And we are going to attempt to make sure the business systems we rely on are GDPR compliant.

5. Continue to understand the implications of GDPR, and share my knowledge

We are all on a time crunch to learn how GDPR compliance affects our business decisions. We can learn much more as a community than we can as individuals.

With that in mind…

Leave a comment about what you’re doing to prepare for GDPR compliance

I am going to do weekly updates on GDPR leading up to the May 25th deadline. And I hope that with your help we’ll have a good understanding of how GDPR affects our analytics data before the deadline. Share your GDPR compliance plans and questions in the comments below.

About the Author

Jeff Sauer is an independent Digital Marketing Consultant, Speaker and Teacher based out of a suitcase somewhere in the world. Formerly of Minneapolis, MN and San Francisco, CA.