What Does the ePrivacy Regulation Mean for Your Google Analytics?
Google Analytics is a staple for most optimizers and marketers.
The ubiquity of this solution makes it innocuous to the point where we tend to overlook the settings of our Google Analytics account when privacy regulations roll out.
But the GDPR was a substantial nudge for testers to scrutinize their Google Analytics data storage and processing.
And now with the ePrivacy Regulation, another layer of consideration – around how to gain visitor consent for the use of the analytics suite – will be added to the plate of optimizers.
Well, the answer is subjective.
And it depends largely on how a Google Analytics account is set up and configured.
Let’s take a closer look.
Non-Intrusive and Privacy-Friendly Use of Google Analytics
If you only use Google Analytics as a simple first-party data analytics tool to learn about your website audience in a non-invasive way, you might not need to seek explicit cookie consent. In fact, the European Commission’s ePrivacy Regulation proposal suggests that cookie consent can be exempted when the data tracked is purely for analytical purposes:
“The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.”
Dubbed the “cookie provision,” this consent exemption allows webmasters who have configured their Google Analytics in a privacy-friendly way to install their cookies without seeking explicit consent.
Also, in its Cookie Consent Exemption paper, the Working Party, an independent European advisory body on data protection and privacy constituted by the European Parliament, made a special case for such first-party analytics cookies to be exempted under the revised ePrivacy Regulation proposal.
Following from this, you might not necessarily need to add explicit cookie consent banners to your website if your use of Google Analytics is non-intrusive. To qualify for this, among all the other things, your Google Analytics account must be configured in such a way that it:
- Has the right anonymization in place ensuring that the data collected isn’t personally identifiable
- Ensures that no information about any users is ever passed on to any Google Analytics servers
- Doesn’t share the Google Analytics data with any third-party solution providers
Also, your users should get the option to easily opt out of your Google Analytics cookie tracking.
Using Google Analytics in More Ways Than as a First-party Analytics Tool
Quite a few marketers use more advanced implementations of Google Analytics. Such a configuration often slices and dices the analytics data in a way that tiptoes the privacy lines that laws like the GDPR draw. For example, if you use your Google Analytics cookies to map the user id that Google Analytics uses for a visitor to your other marketing solutions, then you’d need explicit consent of your visitors before using your cookies. If you’re using the user id feature for cross-device tracking, again, you might have to seek explicit consent.
Using Google Analytics Advertising Features, too, requires you to ask your users for consent before installing your Google Analytics cookies, because Google installs additional cookies in this case.
Likewise, if you use third-party tracking pixels with your Google Analytics, you’ll have to seek explicit consent in most implementations.
As you can tell, such configurations of Google Analytics could use and process some personal user data and also end up sharing it with other service providers.
And so these cases fall under the GDPR and need explicit consent. And because the ePrivacy Regulation is meant to “particularise and complement” how the GDPR approaches personal data processing by “translating its principles into specific rules,” the cookie consent rules it proposes apply to websites using Google Analytics cookies in such non-standard implementations.
The ePrivacy Regulation and Browsers (and the Impact on Your Google Analytics Cookies and Data)
As you can see, after the ePrivacy Regulation, using Google Analytics in more advanced ways will require you to seek explicit consent from your users before installing cookies in their browsers.
But that’s not all. The ePrivacy Regulation also wants to encourage privacy by design and default in web browsers, and wants the companies that power browsers to help users make better and more informed cookie consent choices via the browser settings themselves:
“Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in an easily visible and intelligible manner.”
So if your users choose to go with options like “never accept cookies” or opt for accepting just “strictly necessary cookies,” your Google Analytics data will get impacted.
Developments like Apple’s updates to the ITP and others — in line with the growing demands for more private browsing experiences — are also cutting short the cookie duration, including the duration of the first-party cookies that Google Analytics sets.
Based on the type of browser we are talking about, repeat visitor counts may be significantly impacted.
Wrapping it Up…
In case you happen to need cookie consent for your Google Analytics cookie usage, make sure to seek it the right way.
And if you think you could cover even your non-standard Google Analytics cookies without consent under the GDPR’s Legitimate Interests provision, check out our detailed take on consent versus legitimate interests.
At Convert, we take a privacy-first approach to everything we do. We consider the GDPR and the upcoming ePrivacy Regulation that builds on it to be solid initiatives to stop the internet from becoming an “always on” surveillance system — guzzling tons of user data every second, mostly without the users’ (specific, informed, active, and freely given) consent.
We don’t just comply with such laws but also help our customers offer memorable digital experiences while still staying compliant with them. In fact, our A/B testing and experiments solution doesn’t use any personal data in the default setting, operates with first-party cookies and is the only enterprise-level experimentation solution to be designed this way. We’re forever committed to empowering our customers to run winning experiments while fully respecting their users’ privacy.