GDPR Risk Assessment for Web Analytics + GDPR Analytics Compliance Checklist
GDPR goes into effect this week (May 25th, 2018), and with companies facing serious penalties (€20 Million or 4% of annual revenue, whichever is greater), it's time to make sure that your web analytics complies. We've found that most Google Analytics accounts do not comply with the GDPR. If you collect, process or store any user data in your analytics accounts (whatever service you use), you need to ensure you comply with the GDPR before the May 25th deadline. This applies to anyone storing, collecting or processing data of any individual in the EU. It does NOT just affect EU businesses.
Disclaimer: The information below provides general comments on the obligations under GDPR and some actions which can be taken to move towards compliance. It is not intended to be a comprehensive description of GDPR, and is not a substitute for full legal advice, which should be sought before drawing any conclusions on your particular circumstances.
How at Risk Are You?
So, how at risk is your business? Not all web analytics accounts are the same when it comes to complying with the GDPR. Your level of risk will depend on:
- The size of your company
- Your location
- Your user base
- Your users' locations
We’ve created a handy risk assessment that you can do on your own to figure out your level of risk when it comes to your company’s web analytics and complying with the GDPR.
GDPR Web Analytics Risk Assessment
| Risk: | High | Moderate | Low |
|---|---|---|---|
| Are you located in the EU? | ✓ | | |
| Do you have users in the EU? | ✓ | | |
| Does your company achieve high volume sales? | ✓ | | |
| Do you collect any personally identifiable information in your web analytics? | ✓ | | |
| Do you track user IDs? | ✓ | | |
| Do you collect data for remarketing purposes? | ✓ | | |
| None of the above | | | ✓ |
As you can see, it's almost impossible for a successful company that is actively marketing to its users to be low risk when it comes to the GDPR. This is yet another reason why it's so important for your company to get compliant before the deadline.
GDPR Analytics Compliance Checklist
This checklist is not an exhaustive resource on everything that needs to be done in order for you to become GDPR compliant, but it will help you ensure that your Google Analytics, or other web analytics, complies with the GDPR.
| Checklist item | Done |
|---|---|
| Update your privacy policy, make it clear and provide contact details | ✓ |
| Ensure your web analytics does not track any PII (Personally Identifiable Information) | ✓ |
| Review and agree to Google's updated data processing amendment (if you do not use Google Analytics, your web analytics provider will likely also have an updated policy to reflect the GDPR) | ✓ |
| Review and agree to Google's updated data retention settings | ✓ |
| Mask IP addresses | ✓ |
| Obtain user consent for all user ID tracking | ✓ |
| Obtain user consent for advertising and remarketing purposes | ✓ |
| Obtain user consent for Google Analytics (or other) tracking | ✓ |
| Prepare a process for users' right to request, rectify, restrict, object to or erase their user data | ✓ |
What to Do if Your Web Analytics Doesn’t Comply
Not only do most web analytics accounts not comply with the GDPR, we've also found that many don't comply with Google Analytics' own terms of service. You may be capturing personalised data the minute your web tags start firing. Some of this will be personal data. You may even be capturing high-risk PII in your web analytics. This does not comply with the GDPR, nor does it comply with Google's Terms of Use or the terms of other web analytics providers. You're at risk of up to €20 Million or 4% of annual revenue (whichever is greater) under the GDPR, and if Google catches you, your account will be terminated without warning and your data destroyed for good.
GDPR for Low Risk Web Analytics
Low risk web analytics accounts (websites that don't have a presence in the EU, with no sales to EU customers, no user ID collection, no PII and no remarketing) don't have a huge amount to do in order to comply. However, it's important to note that even if you scored as low risk, it does not mean that there is no risk, just that you're at less risk than larger companies engaging in more marketing campaigns. As the GDPR covers any user within the EU, you're always going to be at some risk. This means that even for low risk profiles it's important to ensure you comply and have processes in place for users to be able to request, rectify, restrict, object to or erase their data.
Update Data Retention Settings in Web Analytics
If you're not tracking users, then the main thing those with low risk web analytics accounts need to do is review their Google Analytics (or other) data retention settings. Google lets us choose the timeframe for user-level data retention. On May 25th, 2018 (as the GDPR comes into force), Google Analytics' retention timeframe will default to 2 years. Those with low risk profiles may want to do user analysis over longer than 2 years, so you might want to review your settings and change to a longer timeframe, or even set them to 'do not expire'. We generally recommend enabling the 'Reset on New Activity' switch so that your records are automatically updated and retain the most recent and comprehensive data. To ensure GDPR compliance, simply select a data retention timeframe that your company can legally justify.
GDPR for Moderate Risk Web Analytics
Any business that is actively selling or marketing to users in the EU will automatically rank as moderate to high risk. Tracking user IDs or remarketing to users also means you're at least at moderate risk. As well as reviewing your data retention settings in Google Analytics (or other), as above, there are a few more things companies at moderate risk should do to keep their web analytics properties compliant.
Tag Management and Geolocation
Perhaps the easiest option for those at moderate risk is to limit data collection based on user location. By implementing a tag management solution and some basic geolocation, your Google Analytics tracking can fire a different version of the Google Analytics settings for users in the EU. This means that you can set IP anonymisation to 'true' for EU users and leave your default settings in place for other users. However, if you're more high risk, we recommend anonymising all IP addresses.
With Google Tag Manager it's easy to comply with the GDPR's IP anonymisation requirement. You can also fire tags based on opt-in responses, shown conditionally to EU users. Based on the user's stated preferences, it can then enable or withhold the remarketing and user ID tracking mechanisms. Ensure you don't enable remarketing or advertising reporting features in the admin console, or they will be enabled for all users.
Create Process to Forget Data
All companies, whether low, moderate or high risk, need to accommodate EU citizens' right to request, rectify, obtain, object to, restrict or erase their data. Under the GDPR, EU citizens have the 'right to be forgotten'. Google is currently working on a data deletion API, but in the meantime all moderate and high risk companies need to create processes for receiving and handling requests for data deletion, restriction, etc.
GDPR for High Risk Web Analytics
If you're a well-known brand, have high annual sales or have a combination of moderate-tier qualifiers, like remarketing, you're likely at high risk. It's important to reduce your risk by following the above recommendations, including opting for a shorter data retention timeframe, anonymising ALL IP addresses, and requiring an opt-in for any user ID and remarketing list. You may also want to require EU users to opt in to standard Google Analytics tracking.
We Can Help
If you’re struggling to ensure that your web analytics complies with the GDPR, we can help. If you’re working on last-minute implementations or need help assessing your web analytics setup, contact us today.
View our resources below to help with GDPR compliance:
GDPR for Travel Companies + FREE GDPR Framework