Steps to GDPR Compliance with Google Analytics
Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organization is the Data Controller since you control which data is sent to Google Analytics.
As your Data Processor, Google has obligations to conform to the EU GDPR. According to Google’s Privacy Compliance website, they are “working hard to prepare for the EU’s General Data Protection Regulation.” You can see more details on this site, and it is almost certain that Google Analytics will be fully compliant by May 25, 2018. As part of being a Data Processor, Google must provide a data processing agreement that you’ll need to accept.
2. Go to Property Settings (as shown in the screenshot).
3. Make sure that “Demographics and Interest Reports”, “Use enhanced link attribution” and “Users Metric in Reporting” are turned off. If you changed anything, click Save.
4. Click on Tracking Info and then click on Data Collection.
5. Make sure that both Remarketing and Advertising Reporting Features are turned off. Don’t forget to save.
6. Next, click on Data Retention and choose the period after which the data will expire. It can be 26 months. The “Reset on new activity” button should be turned on. Click Save.
7. Now we need to make sure that User-ID tracking is disabled. Click on User-ID and check that everything is turned off. Click Save.
If you are familiar with the GDPR at this point, you may be asking yourself how you can reasonably honor a user’s request to be forgotten. Google Analytics will support User ID/Client ID data deletion pretty soon.
Per this eConsultancy article, you should consider the following questions when writing your privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Disclaimer: Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.