The GDPR is coming! You may have noticed. Tasked with bringing 20+ websites in to line with the new legislation by the 25th May, I have been up to my elbows in GDPR recently and have found it astonishingly difficult to find authoritative answers to anything beyond the very broadest of questions. While the quantity of articles already written on the subject is naturally very high, the vast majority simply regurgitate a very high level overview of what the GDPR (General Data Protection Regulation) is, normally seasoned with some shock headlines about the eye watering fines that may be imposed for non-compliance.
And so this is not one of those posts. For an overview of the GDPR, the ICO would be a good start. It does not, sadly, provide all of the answers, but at least avoids the scaremongering and misinformation that is so abundant elsewhere. In this series of posts, I will document whatever information I have found to my more specific questions about the nuts and bolts of how my clients’ websites (and my own when I get around to it) can comply with the new regulations. At the bottom of each post will be a small section (subject to revision) that will show the solution I have arrived at. In this particular post, on Google Analytics, I’m shocked at the volume of information I have had to sift through to come to a reasonable understanding of why the solution really doesn’t require much change, if any. It should be clearly understood that I am not a lawyer and none of this constitutes legal advice. Or any sort of advice!
But the GDPR isn’t really about cookies
But there is an important piece of information that is missing from almost every GDPR overview I have read. Cookies are mentioned just once in the 99 articles that make up the GDPR, and then, only those that store personal data are implicated. Which Google Analytics cookies don’t** (sort of – see caveat below). To comply with the GDPR you probably don’t have to do anything different where Analytics are concerned, because the UK law that governs the placement of cookies on a user’s computer is, and continues to be, the Privacy and Electronic Communications Regulations (PECR –no sniggering), which is derived from the EU e-Privacy Directive.
Things might even get easier
Now the e-Privacy Directive is certainly getting a good shake up, but the revised laws will not be implemented until 2019 and until then, apart from some leaked details, we don’t yet know what to expect, and will just have to continue to comply with the existing laws. However, those leaked details sound very encouraging in that it looks likely that the browser vendors (Chrome, Firefox, Edge, et al) may be expected to be the vehicles to give the user control over their cookies, sparing website visitors countless annoying popups, and website owners and managers the need to implement the banners, and the degradation of the customer experience that results. I certainly hope that will be the case.
But until then
So how do we get consent?
Should consent be obtained before Google Analytics cookies are placed (prior consent)?
What I have found trickier to navigate is the concept of prior consent, particularly in the context of inoffensive little cookies such as those used in Analytics. In other words are we permitted to place cookies on the user’s device in anticipation of their consent being given? The logical answer of course would be no! If consent is required in order to place cookies, the cookies must not be placed until consent has been obtained. In fact this is only partly a GDPR problem, in that GDPR will apply equally to all EU member states (and the UK). In some countries in the EU, prior consent is already required, though rarely implemented, because it is so difficult and obstructive! There are two problems with this approach:
- Prior consent requires a solution that is more technically advanced than most cookie consent banners I have encountered to date. In most cases, it requires that whatever script is responsible for the cookie consent banner, is also responsible for placing the scripts that place the cookies (e.g. your Google Analytics tracking code), only once consent has been obtained. In other words, you can’t just paste your Analytics script and your cookie script in to your web pages separately. They need to work together in some way.
- If we do this with Analytics code, our Analytics data will be substantially altered because we will not be able to register first time users who only visit a single page. We will only be able to start collecting data about their visit once they navigate to another page. This will mean we can no longer monitor and address our bounce rate, and could prevent any sort of useful tracking of responses to links in social media for example.
Personally, I feel a little pragmatism is called for. Here are the reasons that I don’t think I will be recommending that people who use Analytics tracking should be forced to obtain prior consent. Of course, once again, I am not a lawyer and this is certainly not legal advice, we all have to find our own solutions:
- Analytics cookies are un-intrusive, collect no personal data and pose no risk at all to the user. In short, they are not what the GDPR, PECR, or ePrivacy are there for. In spite of the scaremongering about fines, the ICO themselves have made it very clear that fines will be a last resort, in cases where people’s personal data has been misused or put at risk.
- It will be difficult and costly for many small businesses to implement a new solution that does gain prior consent.
- If they do so it will degrade the usefulness of their Analytics data.
- In 2019, the new ePrivacy directive should hopefully solve this problem once and for all by taking it off your hands and giving it to the browsers to deal with.
**That little caveat about personal data
Standard analytics code and cookies do not process any personal data, with one very marginal, borderline exception. The user’s IP address, although not available to you in your Analytics data, is sent to Google and could, maybe, theoretically be seen by Google employees. IP addresses are used to provide geographical data about your users, so you can see what country people come from, but not their actual IP address. There is a way around this though, if it bothers you, which is to adjust your Analytics tracking code to anonymise the IP address before it is sent to Google. This may have a minor impact on the accuracy of your geographical data, but that’s all. Here is some more information from Google.
Just one last point on personal data – while Google Analytics is not itself set up in a way that processes personal data; in a few rare instances, it is possible to inadvertently send them personal data, and if you are doing so, you need to stop it right now! But you’re almost certainly not. An example scenario may be a custom developed membership website that uses email addresses in the URL strings of publicly accessible pages. It’s bad practice anyway, contravenes Google’s own rules, and would also be in contravention of GDPR.
Finally – my solution where only Google Analytics cookies are used
- Because I will be providing this as a service and want to be thorough; because it won’t take me too long and won’t have a detrimental impact, I will be adjusting Analytics code to anonymise IP addresses before sending to Google. Here’s how.
- Don’t panic. As stated, Analytics tracking is really not what any of this is about. So long as you demonstrate at least some effort to comply, it will almost certainly be adequate where you are not in fact handling personal data, as is the case with Google Analytics.