Use Google Analytics in accordance with data protection regulations according to GDPR

With Google Analytics you are not allowed to collect all the data that would be technically possible. In Germany and the EU there are laws and rules for the collection of data in electronic media. Especially Google Analytics was in focus due to its widespread use. With the General Data Protection Regulation, GDPR for short, a uniform, binding regulation for the entire EU area was introduced in 2018. In this article you will learn how you can use Google Analytics in compliance with data protection regulations.

Excursus: What is the GDPR?

The GDPR regulates the processing of personal data in the European Union, both for private and public operators. In Germany, when it was introduced in 2018, it took over the tasks of the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG). As a regulation, the GDPR is binding law in all EU member states and does not have to be converted into a national law.

With the GDPR, every EU citizen has guaranteed rights over their data:

  • Right to transparent information about the processing of his data
  • Right to information about what data was collected and how it was processed
  • Right to data portability allows individuals to access and transfer all collected data in a (machine) readable form
  • Right to authorization if data is incorrect
  • Right to deletion (or: to be forgotten ) guarantees the immediate deletion of all data about a person
  • Individuals can exercise the right to restriction of processing at any time
  • Right to object if processing is refused

This results in requirements on the one hand for the features of a tool and on the other hand for the data to be collected. Two components are particularly critical in tracking:

  • the IP address that is automatically available when data is transferred on the Internet
  • the individual ID that a user receives from Analytics and that is stored in a cookie

With these two data, you have to take some precautions before using Google Analytics .

Use Google Analytics in compliance with data protection regulations

If you have recorded usage data in Google Analytics without first implementing all the requirements, this data is deemed to be incorrectly collected under data protection law. In this case, the data must not be used and must be deleted.

Obtain consent

Since the introduction of the GDPR in May 2018, it has become standard to inform new users about the analysis tools used and the cookies associated with them the first time they are accessed . At the beginning, this was often not very prominent and was still an opt-out variant. In other words, the user had to explicitly deactivate the tracking using the appropriate configuration options.

In the meantime, the data protection officer is gaining ground that tracking may only take place after explicit consent. Simply closing a popup or an OK button is not enough. Ulrich Kelber, currently the Federal Commissioner for Data Protection:

Anyone who integrates offers that legally require consent, such as Google Analytics, must ensure that their website users obtain consent in accordance with data protection regulations. Hopefully everyone should now be aware that this does not work with simple information via so-called cookie banners or pre-activated boxes in declarations of consent. Every website operator should therefore deal with exactly which services are integrated with them and, if necessary, deactivate them until they have ensured that they can be used in compliance with data protection regulations.

So when obtaining consent, you should make it clear what you need this consent for, and the consent should be clearly marked. In addition, your users should have the option to reject (or object). Here is an example of the consent management platform Usercentrics.

Consent bar from usercentrics.de

The specific structure of the consent bar is just as non-bindingly regulated as the aforementioned refuse function. This can be done via an explicit button, some operators choose a link to further settings. At www.volkswagen.de a user can agree or select individual functions under Show details and reject them completely.

So you have a certain amount of leeway in designing these banners. It is important that you only start tracking after active consent and not after clicking to the next page or scrolling. You should also continue to offer users who object to tracking access to all functions of your website. However, you can request an explicit selection in the consent bar before a user can continue surfing on your website. This can be done using overlays, for example, in which the consent query is placed over the entire website and blocks it until the user has selected an option. The lufthansa.de website can only be used after the user has decided for or against cookies and tracking.

In the Lufthansa example you can see another difference to the first bar of Usercentrics: The user can select four categories here – necessary , statistics , comfort and personalization (in fact, the user can only choose from three categories because necessary cookies are mandatory).

The different cookies and the associated functions and tools have been subdivided; the user can allow or block individual categories of tools. The idea behind this is that some users are ready to allow statistical tools, for example, but do not want personalization for them and thus the approval of the statistics is somewhat higher.

The distinction between analysis and marketing cookies is more common than the breakdown shown here. Analysis cookies are created to improve and optimize the website. Marketing cookies, on the other hand, are used to evaluate and control advertising. It is not yet possible to say whether such a selection will significantly change approval.

In the long run, many users will probably experience a learning or dulling effect, since they are confronted with a consent decision on virtually every website. Therefore, you should make the use of your query as clear and simple as possible for the user.Don’t forget apps!

If you offer your users apps, you must also obtain consent for tracking in them. This usually happens the first time an app is called through a corresponding popup.

Possibility of objection

You have to give the visitors to your website the opportunity to object to the tracking, that is, the visitors have to be able to use the website without being tracked by you. With a consent management service or a corresponding plugin for your CMS, you can offer your users both the information about the use of cookies and the option to object. Most of these tools also offer the option of changing the settings at a later point in time and thus implementing an objection.

There is always the option to activate or deactivate services (Usercentrics)

However, the use of such a tool initially only offers your users the setting options. The actual implementation, so that the Google Analytics tracking does not occur, you have to do in your programming or the Google Tag Manager . The consent tools usually offer a query option with which one can check which selection a user has made and then either call up a tracking code or not. Depending on which tool or service you choose, you have to inform yourself about these queries. With the widespread use of Google Analytics, there will certainly be an example for this case.

In addition, you should always offer the option in your privacy policy to deactivate the tracking of Google Analytics by clicking on a link or button.

1. You give the tracking code the information that it should not record. To do this, insert the following JavaScript on all pages of your website in front of the Google Analytics tracking code:

<script>   
  var gaProperty = 'UA-XXXXXXX-X';     
  var disableStr = 'ga-disable-' + gaProperty; 
  if (document.cookie.indexOf (disableStr + '= true')> -1) {  
    window [disableStr] = true;  
  } 
  function gaOptout () {  
    document.cookie = disableStr + '= true;     
      expires = Thu, Dec 31, 2099 23:59:59 UTC; path = / ';
      window [disableStr] = true; 
  } 
</script>

In the gaProperty field you enter the UA number of your analytics property. The advantage of this variant is that it works in all browsers that support JavaScript, including smartphones, for example.

2. You refer to the browser plug-in that Google provides for Firefox, Safari, Opera and Chrome for this purpose. You can find it at https://tools.google.com/dlpage/gaoptout?hl=de . Make sure that the link is actually clickable.

3. You use the Google Tag Manager to generally block the execution of Google Analytics codes if, for example, a certain cookie is present.

In your data protection declaration, explicitly indicates the possibility of objection, either via a link or button. The appropriate link for the example above would be:

<a href="javascript:gaOptout()"> Deactivate Google Analytics </a>

Data protection

You have to inform your visitors that you are collecting usage data with Google Analytics. This should be done on a separate data protection page. This page must be as easy to find and reach as possible everywhere on your website.

Google makes this a condition in its Terms of Use for Analytics:

You are also obliged to hold an appropriate data protection declaration in prominent places (and to adhere to it). You are obliged to disclose the use of Google Analytics and to specify how data is collected and processed with it. To do this, you can use a clearly visible link to the page “Use of data by Google when you use our partners’ websites or apps” (accessible at www.google.com/policies/privacy/partners/ or any other URL that Google uses below for this purpose names). You are obliged to take economically reasonable steps to ensure that a user has transparent,

So you have to create a text for it. In the past, Google provided a corresponding text template in its terms of use, but has now discontinued this practice. A declaration should (for Analytics) cover at least the following points:

  • Scope of data collection
  • Anonymization of the IP address
  • Storage period
  • Right of withdrawal
  • Notice of the possibility of objection
  • Legal basis

If you use the advertising functions of Google Analytics, you must also point them out. This includes:

  • Interest-based advertising
  • Remarketing
  • Impressions from the Google Display Network
  • demographics and interests
  • Google Signals

You can find various templates on the Internet on the websites of data protectionists or lawyers, which you can often use free of charge. Examples are the Datenschutz-Generator.de of the law firm Dr. Schwenke and the data protection generator from lawyers Wilde Beuger Solmecke on wbs-law.de .

Both generators use selection questions to lead you to a comprehensive data protection declaration, which not only covers analysis tools, but also many online services such as newsletters, forums, e-commerce or CMS, for which you have to include a note.

Shorten the IP address (anonymize)

In Germany, data protectionists agreed on the assessment of classifying IP addresses as personal data well before the GDPR. This means that all accesses that you can record are relevant under data protection law, because an IP address is always transmitted on the Internet , without it the data transmission does not work. This results in a basic requirement for all web analysis systems, namely to forego the full IP address when collecting data. Literally:

The analysis of usage behavior using complete IP addresses (including geolocation) is therefore only permitted with conscious, unambiguous consent due to the fact that this data can be related to individuals. If there is no such consent, the IP address must be shortened before any evaluation so that it cannot be linked to a person.

Google has introduced its own function for this shortening: anonymizeIp . This function must be transferred each time the tracking code is loaded so that the IP address is shortened. Unfortunately, the function is not automatically added to the tracking code of a new property or to a new tag in the Tag Manager. So when installing a tracking code on a new website, you have to remember to include the function yourself.

With the current gtag.js code, enter an additional parameter in the code:

gtag ('config', 'UA-6859XXXX-6', {'anonymize_ip': true});

Do you still use the code with analytics.js, you have to use the command

ga ('set', 'anonymizeIp', true);

have recorded.

A note in the data protection declaration on IP abbreviation is not mandatory, but should also be included for the sake of completeness.

Define the retention period for the data

In the property management you can set the time period for which Google user and event data are stored, which are linked to cookies, user IDs or advertising IDs. Specifically, this means that after the time has elapsed you lose the opportunity to access individual users, which is necessary, for example, for more complex segmentation. Aggregated data is not affected by this setting, which means that normal reports such as pages or sources remain available as usual.

Configure retention periods for user and event data

The default is 26 months after the last measured event. Some blog posts recommend a duration of 14 months and turning off the reset. However, there is no really definitive statement.

Contract for order data processing

The supervisory authorities in Germany require the conclusion of an order processing contract when using Google Analytics. In this case, the GDPR has made the whole process easier for once: You no longer have to print out this contract, sign it and have it countersigned by Google, you can do everything digitally.

To do this, go to the account settings of the account . At the end of the page you will find the addition on data processing. Then click on Show additional information and agree to this.

Addition to data processing

Name contact person

In the addition to data processing you will also find the link to manage the additions. Click it, and changes to the side contacts the Marketing Platform Management. Now create a new entry with the contact details of your data protection officer.

Contact persons in the administration of the Google Marketing Platform

Deletion of legacy data

User data that was recorded even though the data protection requirements were not implemented have been collected illegally and should be deleted. You have two options for this

  1. In the property management you will find the menu item delete requests for data . There you can send a request to Google to delete data from a property in certain periods of time.
  2. You delete the complete data view and / or property that contains this critical data. To do this, go to the settings of the property (or data view) and click on Move to trash .

Conclusion

The use of Google Analytics is viewed critically by many data protection officers in Germany in particular. In the course of time, a number of specifications and requirements have arisen that you have to consider before and during installation. However, if these are implemented and explained, many of the concerns of a data protection officer can often be dispelled.

Leave a Reply